Roles & Permissions

Assign workspace roles, enforce least privilege, and follow NidFul governance patterns.

Updated Nov 10, 2025


NidFul’s layered access model pairs least-privilege controls with clear accountability across every workspace. Use this guide to assign roles to your African program team without blocking collaboration.

Workspace Roles

| Role | Typical Holder | Core Capabilities |
| --- | --- | --- |
| Owner | CISO, Head of Security | Manage billing, invite new organizations, approve legal terms, enforce MFA. |
| Program Admin | Security Program Lead | Configure policies, publish scopes, manage bounties, edit automation rules. |
| Triage Analyst | AppSec Engineer, MSSP Partner | Review reports, change states, request clarifications, trigger integrations. |
| Finance Reviewer | Finance or Compliance | View payouts, approve payments, export tax statements. |
| Observer | Product Owner, Legal | Read-only access to submissions, analytics, and policy history. |

Each role ships with default MFA enforcement and session-timeout settings; these defaults are the same ones NidFul applies to its own production tenants, so you can keep them unless your policy requires something stricter.

Access Guardrails

  • Mandatory MFA – Owners and Program Admins cannot log in without hardware-backed MFA. Triage Analysts must register at least one TOTP factor.
  • Region-aware controls – NidFul checks the login IP against the organization’s allowed regions (e.g., ECOWAS, EAC) before issuing session tokens. Treat this as a guardrail rather than an identity check: IP geolocation is coarse, and VPN or cloud egress can place a legitimate user outside the allowed region, so MFA remains the primary control.
  • Audit trails – Every role change writes an immutable audit entry and emits a `role.updated` webhook event, so you can sync downstream access reviews from the event stream instead of polling.

Map to existing IAM policies

If you already manage access via Azure AD, Okta, or Google Workspace, map NidFul roles to your identity provider groups so the IdP stays the single source of truth for who holds which role. This prevents the inconsistencies we’ve observed when customers assign permissions manually across multiple platforms: group membership and NidFul roles drift apart, and nobody notices until an access review.

Assignment Workflow

  1. Go to Settings → Team & Roles.
  2. Invite teammates with their work email domains; NidFul rejects disposable addresses.
  3. Select the default role, then enable Just-In-Time elevation for emergency escalations.
  4. Enable role expiry for contractors or external triage partners. NidFul will automatically downgrade them to Observer when the assignment lapses. Note that Observer still grants read access to submissions, analytics, and policy history, so remove the account entirely once the engagement ends.

Periodic Reviews

  • Run the Quarterly Access Review report from Analytics → Governance; it lists dormant accounts and role drift.
  • Export the audit log and share it with compliance teams to satisfy NDPR, POPIA, and GDPR obligations.
  • Compare your roster against the Policy & Communication Templates checklist to ensure the right people are on call.
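The IdP mapping described under "Map to existing IAM policies" and the dormant-account and role-drift checks of the Quarterly Access Review can both be reproduced locally against a roster export, which is useful for catching drift between quarterly runs. The script below is an added example and is not NidFul's own code, export format, or API. The roster column names (`email`, `role`, `idp_groups`, `last_login`), the IdP group names in `GROUP_ROLE_MAP`, the sample rows, and the 90-day dormancy window are all assumptions; the role ranking follows the Workspace Roles table above.

```python
import csv
import io
from datetime import date, timedelta

# Privilege order of NidFul workspace roles, least to most, from the table above.
ROLE_RANK = {
    "Observer": 0,
    "Finance Reviewer": 1,
    "Triage Analyst": 2,
    "Program Admin": 3,
    "Owner": 4,
}

# Hypothetical IdP group -> NidFul role map. Group names are assumptions;
# substitute the Azure AD / Okta / Google Workspace groups you actually use.
GROUP_ROLE_MAP = {
    "sec-leadership": "Owner",
    "appsec-leads": "Program Admin",
    "appsec-engineers": "Triage Analyst",
    "mssp-triage": "Triage Analyst",
    "finance-approvers": "Finance Reviewer",
    "legal": "Observer",
    "product-owners": "Observer",
}

# Constructed sample roster export (assumed columns, not NidFul's real format).
SAMPLE_ROSTER = """email,role,idp_groups,last_login
ada@example.org,Owner,sec-leadership,2025-11-01
bayo@example.org,Program Admin,appsec-engineers,2025-10-28
chidi@example.org,Triage Analyst,mssp-triage,2025-06-15
dele@example.org,Observer,finance-approvers;legal,2025-11-05
efe@example.org,Triage Analyst,,2025-11-09
"""


def expected_role(groups):
    """Return the NidFul role implied by a member's IdP groups.

    Unmapped groups are ignored and a member with no mapped group gets
    Observer. When several groups map, the highest-ranked role wins, which
    is how group-to-role provisioning normally resolves conflicts; the
    drift report then lets the reviewer decide whether that grant is wanted.
    """
    mapped = [GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP]
    if not mapped:
        return "Observer"
    return max(mapped, key=ROLE_RANK.__getitem__)


def review_roster(csv_text, as_of, dormant_after_days=90):
    """Flag role drift and dormancy in a roster export.

    Findings:
      over-privileged  - held role outranks the role the IdP groups imply
      under-privileged - held role is below what the IdP groups imply
      dormant          - no login within dormant_after_days of as_of
    """
    findings = []
    cutoff = as_of - timedelta(days=dormant_after_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"]
        held = row["role"]
        if held not in ROLE_RANK:
            raise ValueError(f"unknown role {held!r} for {email}")
        groups = [g for g in row["idp_groups"].split(";") if g]
        want = expected_role(groups)
        if ROLE_RANK[held] > ROLE_RANK[want]:
            findings.append({"email": email, "finding": "over-privileged",
                             "detail": f"holds {held}, IdP groups imply {want}"})
        elif ROLE_RANK[held] < ROLE_RANK[want]:
            findings.append({"email": email, "finding": "under-privileged",
                             "detail": f"holds {held}, IdP groups imply {want}"})
        last_login = date.fromisoformat(row["last_login"])
        if last_login < cutoff:
            findings.append({"email": email, "finding": "dormant",
                             "detail": f"last login {last_login.isoformat()}"})
    return findings


if __name__ == "__main__":
    for f in review_roster(SAMPLE_ROSTER, as_of=date(2025, 11, 10)):
        print(f"{f['email']:<20} {f['finding']:<17} {f['detail']}")
```

Over-privileged findings are the ones to act on first: they are exactly the manual grants the IdP mapping is meant to prevent. Under-privileged findings are usually harmless but indicate the IdP group was changed without re-running provisioning. Run the script against the exported roster on the same date as the Quarterly Access Review so the dormancy window matches the report.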

Next Steps