How to Manage User Permissions
Goal: Grant or revoke user access to pages and specific entities in AuditSwarm.
Prerequisites:
- Admin account required
- Access to the /admin/permissions page
Time: 5-10 minutes per user
Overview
AuditSwarm uses a two-tier permission system:
- Page Access - Controls which sections users can access (binary: yes/no)
- Entity Permissions - Controls what users can do with specific items (view/edit/none)
Managing Page Access
Grant Page Access
- Navigate to Admin → Permissions
- Select a user from the left panel
- Scroll to the Page Access section
- Toggle the switch ON for each page the user needs:
  - 📊 Dashboards - View analytics and reports
  - 📋 Audits - Manage and view audits
  - ⚠️ Issues - Track and resolve issues
  - 🎯 Risks - Identify and mitigate risks
  - 🛡️ Controls - Manage security controls
  - 📝 Templates - Create and use templates
  - ⏱️ Time - Track time and log hours
  - ⚙️ Admin - System administration (use cautiously!)
Result: User can now see the page in their navigation menu.
Revoke Page Access
- Navigate to Admin → Permissions
- Select the user
- Toggle the switch OFF for the page
Result: User can no longer access that page.
Managing Entity Permissions
Entity permissions control what users can do with specific audits, issues, risks, controls, and workflows.
Permission Levels
| Level | What It Means | User Can... |
|---|---|---|
| (No selection) | No explicit permission | Depends on entity visibility (public/private) |
| View | Read-only access | See details, comments, and attachments |
| Edit | Full access | View AND modify, delete, change status |
| None | Explicitly blocked | Cannot access even if entity is public |
Grant Entity Permission
- Navigate to Admin → Permissions
- Select a user from the left panel
- Scroll to the Entity Permissions section
- Use the search bar or filter to find the entity
- Click the appropriate button:
  - View - For read-only access
  - Edit - For full access
Result: User can now access that specific entity.
Revoke Entity Permission
- Find the entity in the Entity Permissions section
- Click None to explicitly block access
Result: User can no longer access that entity, even if it's public.
Searching and Filtering
Search for Entities
Use the search bar to find entities by:
- Name or title
- Entity type (audit, issue, risk, etc.)
- Status (active, completed, draft, etc.)
Example: Type "SOC2" to find all entities related to SOC2 compliance.
Filter by Type
Use the dropdown to show only specific entity types:
- All Types
- Audits
- Issues
- Risks
- Controls
- Workflows
Working with Workflows
Parent-Child Relationships
Workflows can be nested under parent entities (audits, issues, risks, controls).
To work with nested workflows:
- Click the chevron icon (▶/▼) next to an entity to expand or collapse its workflows
- Set permissions independently for the parent entity and each child workflow
Example:
📋 NIST Cybersecurity Assessment (audit)
├── 🔄 Planning Workflow
├── 🔄 Fieldwork Workflow
└── 🔄 Reporting Workflow
You can grant:
- Edit access to the parent audit
- View access to Planning workflow
- Edit access to Fieldwork workflow
- No access to Reporting workflow
Special Cases
Admin Users
- Full access to everything - Cannot be restricted
- Admin badge (🛡️) shown on user card
- All permission controls are disabled for admins
- To restrict an admin, remove their admin status first
Public Entities
If an entity's visibility is set to public:
- Users without explicit permissions can still view it (if they have page access)
- Use None permission to explicitly block access
Private Entities
If an entity's visibility is set to private:
- Only users with explicit permissions can access it
- Requires both page access AND entity permission
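The rules above (page access first, then an explicit entity permission, then the public/private fallback, with admins bypassing everything and workflow permissions independent of their parent) can be written out as a single decision function. The following is an added example, not AuditSwarm code: the `User` and `Entity` structures, the `page` field that says which page an entity belongs to, and the function names are assumptions made for the illustration; the sample users and entities are constructed to mirror the NIST example in the Workflows section.

```python
# Added example (not AuditSwarm code): a model of the two-tier permission
# check described in this guide. Page names, entity types and the
# "public"/"private" visibility values come from the guide; the data
# structures, the assumed entity->page mapping and the function names do not.
from dataclasses import dataclass, field
from typing import Optional

# Effective access levels returned by the check.
NONE, VIEW, EDIT = "none", "view", "edit"


@dataclass
class User:
    name: str
    is_admin: bool = False
    page_access: set = field(default_factory=set)     # pages toggled ON, e.g. {"Audits"}
    entity_perms: dict = field(default_factory=dict)  # entity id -> "view" | "edit" | "none"


@dataclass
class Entity:
    id: str
    kind: str                      # audit, issue, risk, control, workflow
    visibility: str                # "public" or "private"
    page: str                      # page that must be ON to reach it (assumed mapping)
    parent: Optional[str] = None   # parent entity id for nested workflows


def effective_access(user: User, entity: Entity) -> str:
    """Resolve what a user can do with one entity, following the guide's rules."""
    # Admins have full access to everything and cannot be restricted.
    if user.is_admin:
        return EDIT
    # Tier 1: without page access the entity is unreachable, whatever the
    # entity permission says.
    if entity.page not in user.page_access:
        return NONE
    # Tier 2: an explicit entity permission always wins. "none" blocks access
    # even when the entity is public. Child workflows are looked up by their
    # own id, so the parent's permission is never inherited.
    explicit = user.entity_perms.get(entity.id)
    if explicit is not None:
        return explicit
    # No selection: fall back to entity visibility.
    return VIEW if entity.visibility == "public" else NONE


def demo() -> dict:
    """Constructed scenario (sample data, not real) mirroring the NIST example."""
    nist = Entity("audit-nist", "audit", "private", "Audits")
    planning = Entity("wf-planning", "workflow", "private", "Audits", parent=nist.id)
    fieldwork = Entity("wf-fieldwork", "workflow", "private", "Audits", parent=nist.id)
    reporting = Entity("wf-reporting", "workflow", "private", "Audits", parent=nist.id)
    soc2 = Entity("audit-soc2", "audit", "public", "Audits")

    lead = User("lead", page_access={"Dashboards", "Audits"},
                entity_perms={nist.id: EDIT, planning.id: VIEW,
                              fieldwork.id: EDIT, reporting.id: NONE})
    external = User("external", page_access={"Dashboards", "Audits"},
                    entity_perms={nist.id: VIEW})
    no_page = User("no-page", page_access={"Dashboards"}, entity_perms={soc2.id: EDIT})
    admin = User("admin", is_admin=True)

    return {
        ("lead", nist.id): effective_access(lead, nist),              # edit
        ("lead", planning.id): effective_access(lead, planning),      # view, not inherited from parent
        ("lead", reporting.id): effective_access(lead, reporting),    # none, explicit block
        ("external", soc2.id): effective_access(external, soc2),      # view, public + page access
        ("external", planning.id): effective_access(external, planning),  # none, private + no selection
        ("no-page", soc2.id): effective_access(no_page, soc2),        # none, page access missing
        ("admin", reporting.id): effective_access(admin, reporting),  # edit, admins bypass
    }


if __name__ == "__main__":
    for (who, what), level in demo().items():
        print(f"{who:9} {what:14} -> {level}")
```

The order of the checks is the point: page access is tested before any entity permission, so granting Edit on an entity to a user whose page toggle is OFF (the `no-page` case) still yields no access, which is exactly the first thing the Troubleshooting section tells you to check.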
Common Workflows
New Employee Setup
- Select the new user
- Grant page access:
  - ✅ Dashboards
  - ✅ Audits
  - ✅ Issues (if they handle compliance issues)
- Grant View access to relevant audits/risks
- Grant Edit access to workflows they'll work on
External Auditor Setup
- Grant page access:
  - ✅ Dashboards (limited view)
  - ✅ Audits (read-only)
- Grant View access to specific audits only
- Do NOT grant Edit access or Admin access
Promote to Lead Auditor
- Keep existing page access
- Change entity permissions from View → Edit for assigned audits
- Grant Edit access to workflows they'll manage
Troubleshooting
User Can't See a Page
Problem: User says "I can't see the Audits page"
Solution:
- Check if user has Page Access toggle ON for Audits
- If admin user, ensure they're not locked out system-wide
User Can't Edit an Entity
Problem: User can view but not edit an audit
Solution:
- Check entity permission level - should be Edit, not View
- Verify entity isn't locked or archived
Permission Not Taking Effect
Problem: Changes don't apply immediately
Solution:
- Have user log out and log back in
- Check if entity is private (requires explicit permission)
- Verify user isn't an admin (admins bypass permissions)
Best Practices
✅ Do:
- Grant minimum necessary access (principle of least privilege)
- Use View by default, Edit only when needed
- Document why specific permissions were granted
- Review permissions quarterly
❌ Don't:
- Grant Admin access unless absolutely necessary
- Give Edit access to all entities (security risk)
- Forget to remove permissions when roles change
- Share admin credentials