More user permissions on Secfix
in progress
Alper
As Secfix grows, I see the need to allow companies to better segment their user permissions (not only between admin and employee).
Created by Lucas Backes
Ghada Shebl
in progress
🚀 We have an update for you!
We're excited to share that we've started working on two new roles for Secfix: Editor and Collaborator.
Editor: Can view and edit all content except sensitive pages (like Employees, Access, and Computers).
Collaborator: Can be assigned as owners of items like policies, risk scenarios, vendors, inventory, manual evidence, and checks. They can view and edit only the items assigned to them.
We're currently building an MVP version, so this is just the beginning. More updates to come 😊
Ghada Shebl
under review
Ghada Shebl
Merged in a post:
More granular user roles (e.g., Evidence Contributor, Risk Owner)
Gorka A.
It would be great to see more flexibility in how user roles are managed in the Secfix platform. Right now, there are only two options — Admin and Employee — which creates friction when trying to delegate responsibilities across the ISMS without giving full access.
For example, I want to assign HR-related evidence tasks to our HR lead, but they can't upload or manage evidence unless we promote them to Admin. This doesn’t scale well and poses unnecessary access risks. A few role types we’d love to see:
- Evidence Contributor: Can upload and manage assigned evidence
- Risk Owner: Can view and manage risks they are assigned to
- Auditor (View-only): Read-only access for external or internal stakeholders
- Vendor / Contract Owner
- Human Resources Compliance
- Inventory Management
More granular roles would help us distribute ownership more efficiently and keep responsibility aligned with actual roles within our organization — without compromising security or overwhelming users with unnecessary access.
Jan W.
This is a great idea, and in addition, with role-based access where you can assign tasks, risks and so on to a role instead of users, that will scale well and reduce operational overhead if employees or responsibilities change.
Ghada Shebl
Merged in a post:
Role-based ownerships
Jan W.
It would be nice if I could assign a role (e.g. ISMS Management Leader, CTO, HR Manager) instead of persons. If someone leaves the company, we need to assign new ownerships, and that is operational overhead. If I can assign a new person to a role, it is just one step.
Jakub Wanat
Marc Mo. would like to define and limit what auditors can see within their Secfix instance (e.g., certain risks, modules like employees or access, or outdated inventory items like old employee laptops). The current access model only allows full access or no access, with no granularity to hide or expose specific sections. A more flexible access control (e.g., by module or asset type) would help limit exposure of work-in-progress or irrelevant data during audits.
Sophia Fries
Another client requested this feature. It would be great if it was possible to select different permissions for the Admin role, so not all admins can see all features on Secfix. For example, the Head of IT team will need to complete the IT risk assessment, but they should not have access to edit Vendors or Policies on the platform.
Ghada Shebl
Alper Thank you for your feedback! To prioritize, which roles or permissions do you believe are crucial to include, aside from admin and employee?
Bettina N.
Ghada Shebl In our Use Case, we would need the ISMS Council / Team with a special role, they are e.g. Risk Owners and should be able to see the risks and also approve them and work on tasks assigned to risks, but they don't work on Policies, Manual Evidences, etc. Maybe the role could also be more generic for the usage, e.g. "Risk Managers".
Florian H.
Ghada Shebl from our perspective:
- admin
- management: access to some features like Risk register but not full admin
- normal employee
- external employee
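
An added example, not Secfix's code: a default-deny edit check for the Editor and Collaborator roles described in the update near the top of this thread, with item ownership pointing at an organisational role rather than a person, as Jan W. suggests. The class, function and field names, the sample data, and the rule that sensitive pages stay admin-only for Collaborators are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Page names come from the update in this thread; all other names are hypothetical.
SENSITIVE_PAGES = {"Employees", "Access", "Computers"}

@dataclass
class User:
    name: str
    platform_role: str                            # admin | editor | collaborator | employee
    org_roles: set = field(default_factory=set)   # e.g. {"HR Manager"}

@dataclass
class Item:
    title: str
    page: str                          # e.g. "Policies", "Risks", "Vendors"
    owner_role: Optional[str] = None   # ownership points at an org role, not a person

def can_edit(user: User, item: Item) -> bool:
    """Default-deny edit check for the four platform roles."""
    if user.platform_role == "admin":
        return True
    if item.page in SENSITIVE_PAGES:
        # Assumption: sensitive pages stay admin-only even if an owner role is set.
        return False
    if user.platform_role == "editor":
        return True
    if user.platform_role == "collaborator":
        return item.owner_role is not None and item.owner_role in user.org_roles
    return False  # employees and unrecognised roles get no edit rights

def hand_over(org_role: str, leaver: User, successor: User) -> None:
    """Move an org role between people; item ownership records are untouched."""
    leaver.org_roles.discard(org_role)
    successor.org_roles.add(org_role)

def demo() -> dict:
    # Constructed sample data.
    hr_old = User("hr-lead-old", "collaborator", {"HR Manager"})
    hr_new = User("hr-lead-new", "collaborator")
    editor = User("it-head", "editor")
    evidence = Item("Onboarding checklist", "Manual Evidence", owner_role="HR Manager")
    laptop = Item("Laptop 17", "Computers", owner_role="HR Manager")
    before = (can_edit(hr_old, evidence), can_edit(hr_new, evidence))
    hand_over("HR Manager", hr_old, hr_new)
    after = (can_edit(hr_old, evidence), can_edit(hr_new, evidence))
    return {"before": before, "after": after, "editor_evidence": can_edit(editor, evidence),
            "editor_sensitive": can_edit(editor, laptop), "collab_sensitive": can_edit(hr_new, laptop)}
```

Because items reference the role, the hand-over is a single membership change and the person leaving loses edit rights on every owned item at the same moment.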