Inviting your team
Pick the right role, send the invitation, track its state, and manage active and inactive users.
WASViking® ships with four default roles. Each role maps to a curated set of per-module permissions. Invitations are emailed with a secure single-use link. Users cannot be deleted, only deactivated, so the audit trail is preserved.
The whole flow lives at Team Management in the portal.
Step 1 — Understand the role catalog
Open Team Management → Role Access Overview. Four roles ship by default:
| Role | Designed for | Includes | Headline |
|---|---|---|---|
| Admin | Organization owners | Billing, settings, user management | Full access to all modules, users, roles, billing, settings and integrations. |
| Manager | Security leads | Users, scans, schedules, alerts | Manages scans, alerts and users. No billing or organization settings. |
| Analyst | Security analysts | Scan execution and findings review | Runs scans and investigates findings. No admin access. |
| ReadOnly | Stakeholders and auditors | Visibility without changes | View-only access for dashboards, findings, reports and monitoring data. |
The portal capitalizes the fourth role as ReadOnly (single word). Match the spelling when referencing it programmatically.
Detailed role permissions
Click View detailed role permissions to expand the per-module matrix. The summary below mirrors what the portal shows.
Admin
| Module | Permissions |
|---|---|
| Dashboard | View |
| Targets | View, create, edit, delete |
| Scans | View, create, edit, cancel, rerun, export |
| Schedules | View, create, edit, delete, pause, resume |
| Reports | View, export, share |
| Certificates | View and manage |
| Notifications | Full operational control |
| Edge Threat Radar | View and block IP |
| Exposure Intelligence | View and reveal sensitive data |
| Supply-chain IOC | View and apply |
| SSO | View and manage settings |
| Users & Roles | Full access |
| API Tokens | View, create, revoke, rotate |
| Billing | Full access |
| Settings & Integrations | Full access |
| Audit Logs | View |
Manager
| Module | Permissions |
|---|---|
| Dashboard | View |
| Targets | View, create, edit |
| Scans | View, create, cancel, rerun |
| Schedules | View, create, edit, pause, resume |
| Reports | View, export |
| Certificates | View and manage |
| Notifications | View, edit, test, enable, disable |
| Edge Threat Radar | View and block IP |
| Exposure Intelligence | View and reveal sensitive data |
| Supply-chain IOC | View and apply |
| SSO | View only |
| Users | View, invite, revoke, reactivate, change role, delete |
| Roles | View and assign |
| Billing | View only |
| Settings & Integrations | View only |
| Audit Logs | View |
Analyst
| Module | Permissions |
|---|---|
| Dashboard | View |
| Targets | View only |
| Scans | View, create, cancel, rerun |
| Vulnerabilities | View |
| Reports | View only |
| Certificates | View only |
| Notifications | View only |
| Edge Threat Radar | View only |
| Exposure Intelligence | View and reveal sensitive data |
| Supply-chain IOC | No access |
| SSO | View only |
| Users | View only |
| Usage | View |
| Billing | Invoices view only |
| Org Settings | View only |
ReadOnly
| Module | Permissions |
|---|---|
| Dashboard | View |
| Targets | View only |
| Scans | View only |
| Vulnerabilities | View only |
| Reports | View only |
| Certificates | View only |
| Notifications | View only |
| Edge Threat Radar | View only |
| Exposure Intelligence | View only |
| Supply-chain IOC | No access |
| SSO | View only |
| Users | View only |
| Usage | View only |
| Billing | Invoices view only |
| Actions | No create, edit, delete, export or admin actions |
Step 2 — Send an invitation
Click Invite User at the top of the Team Management page.
The modal shows:
| Field | What to put |
|---|---|
| Email | The teammate's business email. |
| Role | Admin, Manager, Analyst, or ReadOnly. The info block below the dropdown explains the chosen role. |
Below the form:
Only invite users from your organization's email domain unless your policy allows external invites.
WASViking enforces this with a B2B email domain policy on submission (free, public, and disposable email providers are refused).
Click Send Invitation. The invitee receives an email with a secure single-use link that expires automatically.
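The domain policy above, as an added example rather than WASViking's own code: an invite-time check that rejects malformed addresses, free/public and disposable providers, and (unless external invites are allowed) any domain outside the organization's. The provider lists, the `check_invite_email` helper and its signature are assumptions for illustration; a real deployment would load maintained provider lists.

```python
"""Invite-time B2B email domain policy (added example, not WASViking code)."""
import re
from typing import Optional, Set, Tuple

# Constructed sample lists; a real deployment loads maintained ones.
PUBLIC_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}
DISPOSABLE_PROVIDERS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}

# Deliberately strict: one local part, one '@', a dotted domain ending in a label.
_EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$")


def email_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of an address, or None if it is malformed."""
    m = _EMAIL_RE.match(address.strip().lower())
    return m.group(1) if m else None


def check_invite_email(address: str, org_domains: Set[str],
                       allow_external: bool = False) -> Tuple[bool, str]:
    """Apply the policy on submission. Returns (allowed, reason).

    Public and disposable providers are always refused. Other external domains
    are refused unless allow_external is set (the "unless your policy allows
    external invites" case). Domains are compared case-insensitively.
    """
    domain = email_domain(address)
    if domain is None:
        return False, "malformed address"
    if domain in PUBLIC_PROVIDERS:
        return False, f"{domain} is a public email provider"
    if domain in DISPOSABLE_PROVIDERS:
        return False, f"{domain} is a disposable email provider"
    if domain in {d.lower() for d in org_domains}:
        return True, "organization domain"
    if allow_external:
        return True, "external domain permitted by policy"
    return False, f"{domain} is outside the organization's domains"


if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@gmail.com", "x@mailinator.com", "partner@vendor.io"):
        print(addr, check_invite_email(addr, {"example.com"}))
```

Run the check server-side on submission, not only in the modal; a client-side check is advisory at best.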
Step 3 — Track invitations
Open the Invitations tab. The table tracks pending, accepted, expired, or revoked invitations.
| Column | Notes |
|---|---|
| Email | The invited address. |
| Role | The role pre-selected at invitation time. |
| Status | pending, accepted, expired, or revoked. |
| Expires | When the secure link stops working. |
| Actions | Resend or revoke. |
Resend issues a fresh secure link with a new expiry. Revoke invalidates the link immediately.
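The invitation states and the resend/revoke semantics above, worked through as an added example (not WASViking's implementation): a store that issues a random single-use token, keeps only its hash, derives `expired` from the clock, lets Resend rotate the token and expiry, and makes Revoke fail any later redemption. The seven-day TTL, the class and method names, and the choice to allow Resend on revoked invitations are assumptions; Unix timestamps are used in place of the portal's Expires column.

```python
"""Invitation lifecycle with single-use, expiring links (added example, not WASViking code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

LINK_TTL_SECONDS = 7 * 24 * 3600  # assumed; the portal's Expires column shows the real value


def _digest(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table does not expose live links.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Invitation:
    email: str
    role: str
    token_hash: str
    expires_at: float            # Unix time
    status: str = "pending"      # pending | accepted | expired | revoked

    def effective_status(self, now: float) -> str:
        # Expiry is computed from the clock, so a stale "pending" row reads as expired.
        if self.status == "pending" and now >= self.expires_at:
            return "expired"
        return self.status


class InvitationStore:
    def __init__(self) -> None:
        self._by_email: Dict[str, Invitation] = {}

    def send(self, email: str, role: str, now: float) -> str:
        """Create (or replace) an invitation; returns the raw token for the emailed link."""
        token = secrets.token_urlsafe(32)
        self._by_email[email.lower()] = Invitation(
            email.lower(), role, _digest(token), now + LINK_TTL_SECONDS)
        return token

    def resend(self, email: str, now: float) -> str:
        """Issue a fresh link with a new expiry; the previous link stops working."""
        inv = self._by_email[email.lower()]
        if inv.status == "accepted":
            raise ValueError("invitation already accepted")
        token = secrets.token_urlsafe(32)
        inv.token_hash, inv.expires_at, inv.status = _digest(token), now + LINK_TTL_SECONDS, "pending"
        return token

    def revoke(self, email: str) -> None:
        """Invalidate the link immediately; accepted invitations are left alone."""
        inv = self._by_email[email.lower()]
        if inv.status != "accepted":
            inv.status = "revoked"

    def accept(self, email: str, token: str, now: float) -> bool:
        """Redeem a link exactly once. Any failure leaves the invitation untouched."""
        inv = self._by_email.get(email.lower())
        if inv is None or inv.effective_status(now) != "pending":
            return False
        if not hmac.compare_digest(inv.token_hash, _digest(token)):
            return False
        inv.status = "accepted"
        return True

    def status(self, email: str, now: float) -> Optional[str]:
        inv = self._by_email.get(email.lower())
        return inv.effective_status(now) if inv else None
```

The comparison uses `hmac.compare_digest` so that redemption time does not leak how many leading bytes of a guessed token were right.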
Step 4 — Manage active users
Open the Users tab.
Manage active and inactive users. Deactivation blocks access but preserves scans, schedules and logs.
| Column | Notes |
|---|---|
| Name | The user's display name. |
| Email | The user's email. A LOCAL tag indicates a user authenticating with a local password and MFA, as opposed to a federated SSO user. |
| Role | Editable inline by Admin or Manager. |
| Status | Active or Inactive. |
| Actions | Deactivate (for an active user) or Reactivate (for an inactive one). |
Deactivating a user
Deactivation:
- Blocks access to the portal and the public API.
- Preserves scans, schedules, and audit logs owned by the user.
- Is reversible: click Reactivate to restore access without re-inviting.
Users cannot be deleted by design. The audit trail must remain attributable.
Anti-lockout protection
WASViking refuses operations that would leave the organization with zero active Admins. You cannot:
- Deactivate the last active Admin.
- Demote the last active Admin to a lower role.
To rotate the last Admin: invite a new one first, have them accept, then act on the original Admin.
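The deactivate/reactivate rules and the anti-lockout guard above, as an added example of how such a directory can be modelled (not WASViking's code): deactivation only flips a flag so ownership stays attributable, there is no delete, and any operation that would leave zero active Admins is refused. The `Directory` class, `LockoutError` and the rotation helper are illustrative names, and the example walks through the rotation order the page prescribes (add the new Admin first, then act on the original).

```python
"""User lifecycle with anti-lockout protection (added example, not WASViking code)."""
from dataclasses import dataclass
from typing import Dict, Iterable

ROLES = ("Admin", "Manager", "Analyst", "ReadOnly")  # the four default roles


class LockoutError(RuntimeError):
    """Raised when an operation would leave the organization with zero active Admins."""


@dataclass
class User:
    email: str
    role: str
    active: bool = True


class Directory:
    def __init__(self, users: Iterable[User]) -> None:
        self._users: Dict[str, User] = {u.email.lower(): u for u in users}

    def add_user(self, user: User) -> None:
        # Stands in for "invite, then accept": the account exists and is active.
        self._users[user.email.lower()] = user

    def is_active(self, email: str) -> bool:
        return self._users[email.lower()].active

    def active_admins(self) -> int:
        return sum(1 for u in self._users.values() if u.active and u.role == "Admin")

    def _guard_last_admin(self, user: User) -> None:
        # The last active Admin may neither be deactivated nor demoted.
        if user.active and user.role == "Admin" and self.active_admins() == 1:
            raise LockoutError(f"{user.email} is the last active Admin")

    def deactivate(self, email: str) -> None:
        u = self._users[email.lower()]
        self._guard_last_admin(u)
        u.active = False  # access blocked; scans, schedules and logs stay attributed to u

    def reactivate(self, email: str) -> None:
        self._users[email.lower()].active = True  # no re-invite needed

    def change_role(self, email: str, new_role: str) -> None:
        if new_role not in ROLES:
            raise ValueError(f"unknown role {new_role!r}")
        u = self._users[email.lower()]
        if u.role == "Admin" and new_role != "Admin":
            self._guard_last_admin(u)
        u.role = new_role

    def delete(self, email: str) -> None:
        # Deliberately unsupported: the audit trail must remain attributable.
        raise NotImplementedError("users cannot be deleted; deactivate instead")


def rotate_last_admin(directory: Directory, old_email: str, new_admin: User) -> None:
    """The rotation order from the docs: add the replacement first, then retire the original."""
    if new_admin.role != "Admin":
        raise ValueError("replacement must be an Admin")
    directory.add_user(new_admin)
    directory.deactivate(old_email)  # passes the guard only because the new Admin is active


if __name__ == "__main__":
    d = Directory([User("root@example.com", "Admin"), User("ana@example.com", "Analyst")])
    try:
        d.deactivate("root@example.com")
    except LockoutError as e:
        print("refused:", e)
    rotate_last_admin(d, "root@example.com", User("new@example.com", "Admin"))
    print("active admins:", d.active_admins())
```

Note that the guard counts active Admins at the moment of the change, so a concurrent deactivation of two Admins must be serialized (a row lock or a single transaction) for the protection to hold.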
Federated access (SAML 2.0 SSO)
When SSO is enabled at the organization level, operators sign in through your Identity Provider. MFA is enforced by the IdP. WASViking still enforces RBAC on every action.
New accounts created via SSO land as ReadOnly by default. An existing Admin or Manager promotes them in Team Management. See SAML 2.0 SSO for the full setup.
API keys are a separate surface
Team Management governs operator access via the four-role catalog. The public REST API has its own fine-grained scope catalog (e.g., findings:read, scans:run, sca:submit). See Scopes catalog for the API surface.
