Organization Setup & Access Control
Invite teammates, configure policy owners, and enable single sign-on for your NidFul workspace.
Launching a NidFul workspace is straightforward, but treating it like any other SaaS signup leaves blind spots. The guidance below reflects the hardened onboarding runbooks we use with African banks, telcos, and public agencies that need auditable disclosure channels from day one.
Pre-launch Requirements
| Item | Why it matters | Owner |
| --- | --- | --- |
| Executive sponsor | Unlocks budget, communicates intent to the wider organisation. | CISO / CTO |
| Verified admin identity | Ensures the first workspace admin is tied to a named, MFA-protected account. | Security |
| Legal sign-off | Confirms policy wording aligns with NDPR, POPIA, GDPR, and sector rules. | Legal & Compliance |
| Incident comms playbook | Prepares the PR + CSIRT messaging before the first disclosure arrives. | Communications |
Keep the kickoff tight
Two or three core admins are enough for launch. Add more seats only after your access model is locked down.
Create Your Workspace
- Sign in with the verified admin account created during onboarding.
- Navigate to Admin → Workspace Settings and fill in:
  - Legal name (match corporate registry filings).
  - Headquarters address and phone number.
  - Primary 24/7 contact used for urgent researcher escalation.
- Upload branding assets so your disclosure page mirrors your public brand guidelines.
- Set your default locale and timezone so SLAs and notifications align with your operating hours.
Security baselines to toggle immediately
- Enforce multi-factor authentication for every role (hardware keys > OTP > SMS).
- Reduce session duration to eight hours or less; force re-authentication after privilege escalation.
- Enable IP allowlists if your team works from defined offices or a bastion VPN.
- Turn on device posture checks if you integrate with Okta, Azure AD, or Google Workspace.
Invite Your Team
Role matrix
| Role | Key permissions | Typical seat count | Notes |
| --- | --- | --- | --- |
| Program Owner | Workspace admin, policy editing, SSO config, integration management | 1–2 | Keep restricted to senior security leadership. |
| Triage Analyst | View/triage submissions, assign severity, manage communication threads | 2–6 | Map to CSIRT or AppSec teams. |
| Finance Lead | View bounty budgets, approve payouts, export financial reports | 1–3 | Often part of Finance / Treasury. |
| Observer | Read-only analytics and submission dashboards | Unlimited | Great for executives and regulators. |
When possible, connect NidFul to your corporate SSO (SAML/OIDC). Provisioning through identity providers enables automatic de-provisioning when staff leave and keeps your auditors satisfied.
Stage invites
Invite Program Owners first so they can validate policies, then add Triage Analysts once workflows are rehearsed. Finance and Observer seats can follow after launch rehearsal.
Configure Notifications & Escalations
| Channel | Suggested usage | Configuration steps |
| --- | --- | --- |
| Slack / Microsoft Teams | Real-time triage alerts, severity escalations, researcher replies | Connect via the Notifications panel → select target workspace/channel. |
| Email distribution lists | Daily rollups, leadership updates | Point to shared security inboxes with ticketing integration (e.g., Zendesk, Freshdesk). |
| PagerDuty / Opsgenie | Wake up the on-call engineer for P1 disclosures | Map critical severity webhooks to your incident response service. |
| SIEM (Splunk, Elastic, Azure Sentinel) | Long-term audit trails and correlation with other alerts | Enable log streaming from Integrations → SIEM. |
Establish an escalation matrix covering office hours, weekends, and public holidays across the regions you operate in. Log ownership changes inside NidFul so researchers always reach the right contact.
Connect Critical Integrations
- Issue trackers: Sync to Jira, Linear, or Azure DevOps with status mirroring and SLA tracking.
- Source control: Link GitHub or GitLab to reference commits directly in the remediation thread.
- Runbooks: Attach Confluence/Notion playbooks per severity level so analysts never start from scratch.
- Budget tools: Connect Netsuite, SAP, or manual export uploads if your Finance team needs journal-ready payout data.
Test each integration with a sandbox submission. A dry run now prevents lost tickets when your first critical report lands.
Prepare Your Policy Draft
Before inviting researchers, produce a policy baseline that answers the three questions every researcher asks: What can I test? How will you protect me? How fast will you respond?
- List in-scope assets (domains, APIs, mobile apps, internal portals) and clearly tag anything out-of-scope.
- Reference prohibited techniques: stress testing, physical intrusion, or social engineering.
- Include Safe Harbor language covering NDPR/POPIA obligations, CFAA-equivalent protections, and data handling promises.
- Publish communication SLAs—e.g., acknowledge within one business day, triage within five, pay bounties within ten.
- Map disclosure channels (portal, encrypted email) and set expectations for credentials or demo accounts.
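The escalation matrix and the published SLAs above both depend on the workspace timezone, office hours, and regional holidays. The helper below is an added example (not NidFul code) that turns those into concrete deadlines and a routing decision; the timezone (WAT, UTC+1), office hours, holiday list, and the "P1"/"critical" severity labels are assumptions for illustration.

```python
"""Business-day SLA deadlines and after-hours routing for a disclosure programme.
Added example, not part of the NidFul product. Timezone, office hours, holidays
and severity labels below are assumed values; replace them with your own."""
from datetime import date, datetime, time, timedelta, timezone

WORKSPACE_TZ = timezone(timedelta(hours=1), "WAT")   # assumed workspace default (Lagos)
OFFICE_HOURS = (8, 18)                               # assumed local office hours (24h clock)
# Constructed holiday calendar for illustration; load the real one per region you operate in.
PUBLIC_HOLIDAYS = {date(2025, 10, 1), date(2025, 12, 25), date(2025, 12, 26)}
# SLA targets in business days, matching the policy wording above.
SLA_DAYS = {"acknowledge": 1, "triage": 5, "payout": 10}
PAGE_SEVERITIES = {"p1", "critical"}                 # labels that always wake the on-call engineer


def is_business_day(d: date) -> bool:
    """Monday to Friday and not a public holiday."""
    return d.weekday() < 5 and d not in PUBLIC_HOLIDAYS


def add_business_days(start: datetime, days: int) -> datetime:
    """Deadline = close of business `days` business days after `start` (workspace local time).
    Counting always starts on the next calendar day, so a report received before closing
    time still gets the full window; tighten this if your policy promises otherwise."""
    d = start.astimezone(WORKSPACE_TZ).date()
    remaining = days
    while remaining > 0:
        d += timedelta(days=1)
        if is_business_day(d):
            remaining -= 1
    return datetime.combine(d, time(OFFICE_HOURS[1], 0), tzinfo=WORKSPACE_TZ)


def sla_deadlines(received_iso: str) -> dict[str, str]:
    """Map each SLA stage to its ISO-8601 deadline for a submission received at `received_iso`."""
    received = datetime.fromisoformat(received_iso)
    return {stage: add_business_days(received, n).isoformat() for stage, n in SLA_DAYS.items()}


def escalation_channel(severity: str, received_iso: str) -> str:
    """P1/critical pages on-call regardless of time; anything else goes to the triage chat
    channel during office hours and to the daily email rollup outside them."""
    if severity.lower() in PAGE_SEVERITIES:
        return "pagerduty"
    local = datetime.fromisoformat(received_iso).astimezone(WORKSPACE_TZ)
    in_hours = is_business_day(local.date()) and OFFICE_HOURS[0] <= local.hour < OFFICE_HOURS[1]
    return "slack" if in_hours else "email-rollup"


if __name__ == "__main__":
    when = "2025-09-26T20:00:00+01:00"   # constructed: Friday evening, after office hours
    print(escalation_channel("medium", when), sla_deadlines(when))
```

Feed it the timestamp and severity from the submission webhook; the deadlines can be mirrored into the issue tracker fields your SLA tracking integration reads.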
Align with regulators early
Regulated industries (finance, telecom, critical infrastructure) should pre-share their draft policy with their supervisory authority. This prevents escalations when the first reports arrive.
Launch Rehearsal Checklist
- [ ] All invited team members accepted seats and completed MFA setup.
- [ ] SSO is tested with at least two identity provider groups.
- [ ] Integrations fired successfully using sandbox submissions.
- [ ] Policy draft approved by Legal, Compliance, PR, and the executive sponsor.
- [ ] Escalation matrix documented, including backups for after-hours coverage.
- [ ] Budget owners confirmed bounty tables and payment rails.
Ready to fine-tune incentives and communications? Continue with Designing Effective Programs.