
User Groups

User groups are built-in objects giving permissions to all users inside of them, with a specific role across a scope.

For now, it is not possible to create custom role assignments, so you need to use the built-in user groups. Each of them links a domain with a role containing precise permissions, which are given to the users in that group.

Roles

Let's give some details on the 5 built-in roles; the role and permission table is reproduced below, after the domain user groups.

Note: the Django superuser is given administrator rights automatically on startup.

Global user groups

Once your instance is created, four user groups are already present:

  • Global - Administrator

  • Global - Analyst

  • Global - Reader

  • Global - Approver

They give corresponding permissions on Global scope so on every object of your instance.

Domain user groups

They are created for each domain you add. For example, if you create a domain R&D, there will be:

  • R&D - Domain Manager

  • R&D - Analyst

  • R&D - Reader

  • R&D - Approver

They give corresponding permissions on the domain scope so on every object inside R&D.

Role and permissions of the 5 built-in roles:

  • Administrator: full access (except approval), and specifically management of domains, users and user rights

  • Domain manager: full access to selected domains (except approval), in particular managing rights for these domains; read access to global objects

  • Analyst: read-write access to selected perimeters/domains; read access to global and domain objects

  • Reader: read access to selected perimeters/domains

  • Approver: like reader, but with the additional capability to approve risk acceptances

Organization

Here you can find CISO Assistant's global organization. All entities are linked to or contained within these objects.

A folder organization

For access control purposes, CISO Assistant data is organized in a tree of folders. Starting from a root folder called Global, it divides into sub-folders called domains. The organization of the tree is not hard-coded; it is entirely determined by configuration. Any object in CISO Assistant is attached to a folder (folders included), either directly or indirectly through a parent object that is attached to a folder.

Organization example

So, what is a domain?

A domain lets you organize your work according to how you use CISO Assistant. For example, inside a company you can create a domain for each department for which you need to carry out a variety of perimeters; or, if you have different customers, you may have a domain for each one in order to delimit your work area.

Utility

A domain is the first thing you create in CISO Assistant. It brings together all the objects you need to complete your different perimeters. Every role/permission a user has on a domain is applicable to all objects/actions across the domain. It's all about organization: the only technical aspect is access control, and this is achieved by adding the user to the relevant user group.

Role assignment

In the first/open source version of CISO Assistant, custom role assignment is not available. So, when you create a domain, the user groups for this domain are automatically created for each built-in role. All you need to do is assign your users to their user groups. To learn more about this, jump to the User Groups page.

Perimeters

Perimeters are fundamental context objects defined by the entity using CISO Assistant. They are grouped in domains and contain all your risk and compliance assessments, which also lets you group your various evaluations across the different domains.

There are two specific fields, internal reference and status. Here are the various status options:

  • -- (None)

  • Design

  • Development

  • Production

  • End of life

  • Dropped

The primary purpose of a perimeter is organizational. But it also makes it possible to improve analytics by breaking them down by assessment, whether risk or compliance, so as to make your project management more precise and reduce noise.

User Groups

User groups go hand in hand with domains. They associate permissions with users and define their scope by being attached to a domain. They follow a simple and consistent RBAC model: a role containing permissions and a domain determining the perimeter. See the User Groups page for more details.


    Add and manage users

    Under Organization, click on Users and then Add user:

    Set up the email of the new user:

    Once created, a new user doesn't have any permissions by default. Click edit and update the user groups:

    If you are working on a single domain, or working solo, you might just set `Global - Administrator`.

    When the user is added, and if the mailer is set up, they will receive an email to set their password. If not, you can set a temporary password as illustrated above.

    Teams

    Teams in CISO Assistant are used to group users who work together on the same security activities, such as risk assessments, compliance programs, or audits.

    Each team has a Team Leader, optional Deputies, and Members, making it easy to reflect real-world responsibilities and delegation. A team can also have a dedicated team email address for shared communications. Teams centralize ownership, collaboration, and notifications by allowing CISO Assistant to automatically reach the right people based on their role within the team.

    Tasks, assessments, assets, applied controls, etc., can be assigned to teams, in the same way as to users.

    Custom roles

    For fine-grained permissions management - PRO feature

    Custom roles for CISO Assistant

    Learn how to create and customize roles such as DPO and OPS within your organization

    Sign in as an Admin on your CISO Assistant instance and follow the steps below.

    1. Introduction

    This guide walks you through setting permissions and assigning user groups to streamline your CISO Assistant's role management.

    2. Click "Organization"

    Navigate to the Organization section to begin managing your team's roles.

    3. Click "Roles"

    Access the Roles tab to view and modify existing roles.

    4. Click here

    Initiate creating a new role by selecting the option to add one.

    5. Fill "DPO"

    Enter the name for the new role, such as 'DPO', to define its identity.

    6. Click "Save"

    Save the newly created role to confirm its addition to your organization.

    7. Click here

    Open the permissions settings for the new role to customize access.

    8. Click here

    Expand the permissions list to view all available options.

    9. Click "Select all"

    Select all permissions to grant comprehensive access to the role.

    10. Click "Save"

    Save the permission settings to apply them to the role.

    11. Click here

    Start creating another role by selecting the add role option again.

    12. Fill "OPS"

    Name this role, for example 'OPS', to specify its function.

    13. Click "Save"

    Save the role to add it to your organization's role list.

    14. Click here

    Access the permissions for the newly created role to tailor its access.

    15. Click here

    Open the detailed permissions menu to adjust specific controls.

    16. Click here

    Select the option to edit applied controls for fine-tuning.

    17. Click "Edit applied control"

    Modify the applied control by entering a specific control number, such as '205'.

    18. You can select an individual permission

    Confirm the changes made to the applied control settings.

    19. Click here

    View the applied control details to verify the configuration.

    20. Click here

    Update the applied control with another control number, like '207', if needed.

    21. Click here

    Return to the permissions overview to continue adjustments.

    22. Or you can click "Select all"

    Select all permissions to ensure full access for the role.

    23. Click "Save"

    Save all permission changes to finalize the role's capabilities.

    24. Click "User groups" to see your newly added roles

    Switch to the User Groups section to manage group memberships.

    26. Click "Users"

    Navigate to the Users tab to assign roles to individuals.

    27. Click here

    Select a user to modify their group memberships and roles.

    28. Click here

    Open the user's group assignment settings to begin editing.

    29. Fill "OPS"

    Enter the role name, such as 'OPS', to assign it to the user.

    30. Click "ACME - OPS"

    Choose the corresponding user group, like 'ACME - OPS', for the role.

    31. Fill "DPO"

    Input another role name, for example 'DPO', for additional assignments.

    32. Click "Global - DPO"

    Select the matching user group, such as 'Global - DPO', for this role.

    33. Pick your user groups

    Review all assigned user groups and roles to ensure accuracy.

    34. Click "Save"

    Save the user group and role assignments to complete the process.

    This guide detailed how to create and configure custom roles like DPO and OPS, assign comprehensive permissions, and manage user group memberships effectively. It ensures your organization’s roles are tailored and users are properly assigned for optimal access control.

    Understanding the IAM model

    Deep dive into the CISO Assistant IAM model

    Access security is a foundational aspect of any risk or compliance management platform. In this article, we’ll explore how authentication, authorization, and accounting — the three pillars of the AAA model — are structured and applied within CISO Assistant.


    1. Authentication: SAML vs OIDC

    CISO Assistant integrates with leading identity providers (IdPs) via SAML and OIDC, enabling secure and seamless single sign-on (SSO).

    🔸 SAML

    • legacy protocol based on XML

    • common in large enterprises, especially for AD

    • browser-based redirection with signed assertions

    🔸 OIDC (OpenID Connect)

    • modern standard built on OAuth2

    • uses JWT tokens for identity transport

    • also browser-based, but more lightweight and versatile

    Recommendation: If your IdP supports both, prefer OIDC — it's more modern, flexible, and aligned with today’s security practices.


    2. MFA

    Multi-Factor Authentication (MFA) is critical for access protection. CISO Assistant supports MFA in two distinct modes, depending on how users authenticate:

    🔸 SSO-Based Authentication (SAML / federated OIDC)

    • MFA is handled entirely by the identity provider (IdP)

    • the IdP enforces the policy (push notifications, TOTP, biometrics, etc.)

    🔸 Local Authentication

    • for local accounts, CISO Assistant includes native MFA

    • based on TOTP (e.g., Google/Microsoft Authenticators)


    3. Authorization: Structured and Hierarchical RBAC

    CISO Assistant implements a robust Role-Based Access Control (RBAC) model that balances flexibility, clarity, and operational simplicity.

    🔸 Fine-Grained Permissions

    Each object type has granular CRUD permissions (create, read, update, delete). This model applies across all business entities: users, backups, risks, policies, incidents, data processing, and more. There are more than 200 permissions in CISO Assistant.

    🔸 Predefined Roles

    Permissions are grouped into a small set of standard roles:

    • Administrator – full access to all objects and settings

    • Analyst – full access to most objects, but cannot modify access control

    • Viewer – read-only access

    • Approver – strictly limited to approving risk acceptance requests

    🔸 Hierarchical Domains

    Roles are assigned within a domain — a flexible concept representing any relevant business context.

    For example, a domain can represent:

    • a legal entity

    • a country or region

    • a subsidiary

    • a business unit

    • any other meaningful organizational structure

    Domains are hierarchical: a role assigned to a parent domain (e.g., "Group") automatically applies to all its subdomains (e.g., subsidiaries, teams).

    🔸 Role Assignments

    Access control is defined via explicit assignments:

    A role ➡️ on a domain ➡️ for a group of users

    🔸 User Groups

    Users do not have direct roles. They inherit permissions through membership in one or more groups.

    Groups act as the central pivot for managing access:

    • receive role assignments

    • grant users permissions via group membership

    • defined locally

    • optionally synced with an IdP (via external plugin)

    🚀 This simple yet powerful model accommodates the vast majority of real-world access scenarios. And when needed, the system is fully extensible: it supports custom roles, custom role assignments, and custom user groups to fit even the most specific organizational needs.


    4. Machine Identity: Personal Access Tokens with Expiration & Control

    CISO Assistant doesn’t just secure human access — it also supports secure, auditable access for automated systems and integrations through Personal Access Tokens (PATs).

    🔸 Definition

    A Personal Access Token is a time-limited secret that allows a script, CI/CD pipeline, or service to authenticate with the platform's API on behalf of a user or machine identity — without requiring an interactive login.

    🔸 Key features

    • time-bounded: expiration is mandatory

    • RBAC-compliant: inherits the creator’s permissions

    • revocable: can be revoked by user or admin

    🔸 Governance controls

    • admins can restrict who may generate PATs

    • all tokens are auditable and managed via UI or API

    This ensures tight control over non-human access, balancing automation flexibility with strict security hygiene.

    5. Accounting: Full Audit and Traceability

    CISO Assistant includes native tracking of all key actions:

    • logins, restorations, configuration changes, approvals…

    • a searchable audit log accessible via the UI or API

    This enables complete accountability over critical operations.

    🧠 In Summary

    CISO Assistant's AAA model is built on:

    • Open standards (SAML, OIDC, TOTP, RBAC)

    • A structured yet manageable authorization system

    • secure automation through scoped, revocable Personal Access Tokens (PATs)

    • Built-in traceability from the ground up

    It supports complex organizations while remaining readable, scalable, and compliant with modern security expectations.

    Note on inheritance

    Multiple objects of CISO Assistant support a built-in flag called is_published that controls whether an object is visible to affiliated domains. By default this flag is set, which is quite useful because it lets child domains benefit from controls or evidence covered in their parent domains.

    By Q2/26 it is expected to be possible to control the behaviour of inheritance in a more fine-grained manner, such as preventing it or managing it between domains with no direct affiliation.
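    To make the model concrete, here is an added Python sketch (not CISO Assistant's own code) of the rules described in the Authorization section and in this inheritance note: a folder tree rooted at Global, user groups as "role on a folder for members" assignments, users holding permissions only through group membership, roles flowing down into sub-domains, and the is_published rule for objects in a parent domain. The role names follow the page; the permission strings, the sample users and the R&D Lab sub-domain are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed role -> permissions (the product has 200+ per-object CRUD permissions).
ROLES = {"Administrator": {"view", "add", "change", "delete", "manage_users"},
         "Analyst": {"view", "add", "change", "delete"},
         "Reader": {"view"}, "Approver": {"view", "approve"}}

@dataclass(eq=False)
class Folder:  # node of the folder tree: Global at the root, domains below it
    name: str
    parent: "Folder | None" = None
    def lineage(self):  # this folder, then each ancestor up to the Global root
        f = self
        while f is not None:
            yield f
            f = f.parent

@dataclass(eq=False)
class UserGroup:  # a role assignment: a role, on a folder (scope), for members
    name: str
    folder: Folder
    role: str
    members: set = field(default_factory=set)

def permissions(user, folder, groups):
    """Permissions `user` holds on an object attached to `folder`: users have no
    direct role, so union the roles of their groups scoped to `folder` or an
    ancestor of it (a role on a parent domain flows down to sub-domains)."""
    perms = set()
    for g in groups:
        if user in g.members and g.folder in folder.lineage():
            perms |= ROLES[g.role]
    return perms

def can_view(user, folder, is_published, groups):
    """'view' via a role in scope, or the is_published rule: a published object
    is visible to members of any group scoped to a domain below its folder."""
    if "view" in permissions(user, folder, groups):
        return True
    return is_published and any(
        user in g.members and folder in g.folder.lineage() for g in groups)

def build_demo():  # constructed sample mirroring the page's R&D example
    root = Folder("Global")
    rnd = Folder("R&D", root)
    lab = Folder("R&D Lab", rnd)  # sub-domain of R&D: R&D roles flow down here
    groups = [UserGroup("Global - Administrator", root, "Administrator", {"alice"}),
              UserGroup("R&D - Analyst", rnd, "Analyst", {"bob"}),
              UserGroup("R&D - Approver", rnd, "Approver", {"carol"})]
    return groups, root, rnd, lab
```

    With this sample, bob (R&D Analyst) gets full read-write rights in the R&D Lab sub-domain but no rights on Global objects unless they are published, and carol (R&D Approver) can approve but not change.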
