Tutorial: Managing Team Permissions
Learn by doing: Set up permissions for a 5-person audit team with different roles.
Time: 20 minutes
Prerequisites: Admin account
Outcome: Fully configured team with appropriate access levels
Scenario
You're setting up AuditSwarm for your compliance team:
Team Members:
- Sarah Chen - Lead Auditor (full access to all audits)
- Mike Torres - Junior Auditor (view most, edit assigned audits)
- Priya Patel - Risk Manager (focus on risks and controls)
- David Kim - External Consultant (view-only on specific audit)
- Emma Liu - Intern (read-only access for learning)
Goal: Configure permissions so each person has exactly what they need.
Step 1: Create User Accounts
First, ensure all team members have accounts.
- Navigate to Admin → Permissions
- Click Add User button (top right)
- For each team member, enter:
  - Email address
  - Name
- Check Send invitation email (if available)
- Click Create User
Result: All 5 users now appear in the user list.
Step 2: Configure Lead Auditor (Sarah)
Sarah needs full access to manage all audits.
Grant Page Access
- Select Sarah Chen from user list
- In Page Access section, toggle ON:
  - ✅ Dashboards
  - ✅ Audits
  - ✅ Issues
  - ✅ Risks
  - ✅ Controls
  - ✅ Templates
  - ✅ Time
  - ❌ Admin (not needed)
Grant Entity Permissions
For Sarah, rather than granting admin rights, we'll grant Edit access to the specific audits she's leading:
- Scroll to Entity Permissions section
- Search for "Q4 SOC2 Audit"
- Click Edit button
- Search for "Internal IT Audit"
- Click Edit button
Alternative approach: Make Sarah an admin user
- Click user avatar → Edit
- Check Is Admin
- Admins automatically have full access (bypasses all permission checks)
For this tutorial, we'll keep Sarah as a regular user with explicit permissions.
Step 3: Configure Junior Auditor (Mike)
Mike can view all audits but only edit the ones assigned to him.
Grant Page Access
- Select Mike Torres
- Toggle ON:
  - ✅ Dashboards
  - ✅ Audits
  - ✅ Issues
  - ✅ Time
  - ❌ Risks (not needed yet)
  - ❌ Controls (not needed yet)
  - ❌ Templates (Sarah manages these)
  - ❌ Admin
Grant Entity Permissions
Mike gets View on most audits, Edit on assigned ones:
- In Entity Permissions, search for "Password Policy Review"
- Click Edit (his assigned audit)
- Search for "Q4 SOC2 Audit"
- Click View (he's assisting Sarah)
- Search for "Network Security Audit"
- Click View (for reference)
Result: Mike can see the big picture but can only modify his assigned work.
Step 4: Configure Risk Manager (Priya)
Priya focuses on risks and controls, not audits.
Grant Page Access
- Select Priya Patel
- Toggle ON:
  - ✅ Dashboards (needs to see risk metrics)
  - ✅ Risks
  - ✅ Controls
  - ✅ Audits (to see context)
  - ❌ Issues
  - ❌ Templates
  - ❌ Time
  - ❌ Admin
Grant Entity Permissions
For Risks:
- Filter by Type: Risks
- Find "Data Breach Risk"
- Click Edit
- Find "Ransomware Attack Risk"
- Click Edit
For Controls:
- Filter by Type: Controls
- Find "Multi-Factor Authentication"
- Click Edit
- Find "Data Encryption at Rest"
- Click Edit
For Audits (read-only context):
- Filter by Type: Audits
- Find "Q4 SOC2 Audit"
- Click View (to see how risks relate to audit)
Result: Priya can manage all risks/controls but only observe audits.
Step 5: Configure External Consultant (David)
David is temporary and should only see one specific audit.
Grant Page Access
- Select David Kim
- Toggle ON:
  - ✅ Audits (only page he needs)
  - ❌ Everything else
Grant Entity Permissions
David gets View access to ONE audit only:
- In Entity Permissions, search for "Q4 SOC2 Audit"
- Click View
Important: Do NOT grant access to other audits.
Verify Restricted Access
To confirm David's access is restricted:
- Log in as David (or use incognito browser)
- Navigate to Audits page
- Verify only "Q4 SOC2 Audit" is visible
- Try to edit → Should show "Read-only" or be disabled
Result: David can only see and read the one audit he's consulting on.
Step 6: Configure Intern (Emma)
Emma needs broad read-only access for learning.
Grant Page Access
- Select Emma Liu
- Toggle ON:
  - ✅ Dashboards
  - ✅ Audits
  - ✅ Issues
  - ✅ Risks
  - ✅ Controls
  - ❌ Templates
  - ❌ Time
  - ❌ Admin
Grant Entity Permissions
We'll rely on public entity visibility instead of explicit permissions:
Option 1: No explicit permissions (recommended)
- Don't set any entity permissions
- Emma will see all public entities (view-only)
- She won't see private entities (sensitive audits)
Option 2: Explicit View permissions (more control)
- Grant View on specific audits/risks for learning
- Example: "Sample Audit Template", "Common Security Risks"
For this tutorial, use Option 1 (simpler).
Result: Emma can explore and learn without risk of breaking anything.
Step 7: Test Permissions
Now verify everything works correctly.
Test Sarah (Lead Auditor)
- Log in as Sarah
- Navigate to Audits
  - Should see: All audits she has Edit access to
- Open "Q4 SOC2 Audit"
  - Should see: Edit buttons, can change status
✅ Expected: Full control over assigned audits
Test Mike (Junior Auditor)
- Log in as Mike
- Navigate to Audits
  - Should see: Multiple audits (some editable, some view-only)
- Open "Password Policy Review" (his assigned audit)
  - Should see: Edit buttons enabled
- Open "Q4 SOC2 Audit" (Sarah's audit)
  - Should see: View-only mode, no edit buttons
✅ Expected: Can edit assigned work, view others
Test Priya (Risk Manager)
- Log in as Priya
- Navigate to Risks
  - Should see: All risks she has Edit access to
- Open "Data Breach Risk"
  - Should see: Edit buttons enabled
- Navigate to Audits
- Open "Q4 SOC2 Audit"
  - Should see: View-only mode (for context)
✅ Expected: Full control over risks/controls, read-only on audits
Test David (External Consultant)
- Log in as David
- Navigate to Audits
  - Should see: Only "Q4 SOC2 Audit"
- Try to navigate to Risks page
  - Should see: "Access Denied" or page not in menu
✅ Expected: Only sees the one audit, nothing else
Test Emma (Intern)
- Log in as Emma
- Navigate to Audits
  - Should see: All public audits (read-only)
- Try to edit any audit
  - Should see: "Read-only" or buttons disabled
- Navigate to Risks, Controls
  - Should see: Public entities only (view-only)
✅ Expected: Can explore everything public, cannot modify
Step 8: Document Permissions
Create a permission matrix for your team:
| User | Dashboards | Audits | Issues | Risks | Controls | Templates | Time | Admin |
|---|---|---|---|---|---|---|---|---|
| Sarah Chen | ✅ View | ✅ Edit (assigned) | ✅ Edit | ✅ View | ✅ View | ✅ View | ✅ | ❌ |
| Mike Torres | ✅ View | ✅ Edit (assigned), View (others) | ✅ View | ❌ | ❌ | ❌ | ✅ | ❌ |
| Priya Patel | ✅ View | ✅ View | ❌ | ✅ Edit | ✅ Edit | ❌ | ❌ | ❌ |
| David Kim | ❌ | ✅ View (Q4 SOC2 only) | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Emma Liu | ✅ View | ✅ View (public) | ✅ View (public) | ✅ View (public) | ✅ View (public) | ❌ | ❌ | ❌ |
Save this document for onboarding future team members.
Step 9: Set Up Workflows
Now configure workflow-level permissions, which are more granular than entity-level permissions.
Scenario: Q4 SOC2 Audit has 3 workflows
Workflows:
- Planning - Sarah manages
- Fieldwork - Mike executes
- Reporting - Sarah writes, Priya reviews
Configure Workflow Permissions
- Navigate to Entity Permissions
- Find "Q4 SOC2 Audit"
- Click chevron to expand workflows
- For "Planning Workflow":
  - Sarah: Edit
  - Mike: View
- For "Fieldwork Workflow":
  - Sarah: Edit (oversight)
  - Mike: Edit (primary)
- For "Reporting Workflow":
  - Sarah: Edit
  - Priya: View (review)
  - Mike: View (learns process)
Result: Workflows can be delegated independently of parent audit.
Common Adjustments
Promote Mike to Lead Auditor
When Mike gets promoted:
- Change his existing View permissions → Edit
- Grant access to Templates page
- Grant access to Admin page (if needed)
Quick way:
- Use bulk search: Search "Mike Torres"
- Filter by "View" permission
- Batch update to "Edit" (if feature available)
Offboard David (Consultant Engagement Ends)
- Select David Kim
- Revoke page access: Toggle OFF all pages
- Revoke entity permissions: Click None on "Q4 SOC2 Audit"
- Optional: Soft delete user account
Result: David can no longer log in or access any data.
Add New Intern (Similar to Emma)
- Create user account
- Copy Emma's page access settings:
  - Dashboards, Audits, Issues, Risks, Controls (all ON)
- Don't set entity permissions (inherit from visibility)
Time saved: 2 minutes vs configuring from scratch
Troubleshooting
"User can't see any audits"
Possible causes:
- Page access toggle OFF for Audits
- All audits are private and no explicit permissions granted
- User is on wrong URL
Solution: Check page access first, then entity permissions
"User can see audit but says it's empty"
Possible cause: User has page access but no permission on that specific audit
Solution: Grant View or Edit permission on the audit
"Permission changes not taking effect"
Possible cause: Browser cache or session not refreshed
Solution: Have user log out and log back in
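To make the checks in Step 7 and the causes in the Troubleshooting list concrete, here is an added example (not AuditSwarm's own code) that models the access rules this tutorial describes and reports why a user does or does not get access. The entities, their private/public flags, and the three user configurations are constructed from the steps above; all named audits are assumed private (sensitive).

```python
from dataclasses import dataclass, field

# Constructed model of the access rules described in this tutorial (not
# AuditSwarm's own code): an admin bypasses every check, the page toggle
# gates the listing, an explicit entity permission wins, and otherwise a
# public entity is view-only while a private one stays hidden.

@dataclass
class User:
    name: str
    is_admin: bool = False
    pages: set = field(default_factory=set)           # page toggles that are ON
    entity_perms: dict = field(default_factory=dict)  # entity -> "view" | "edit"

@dataclass
class Entity:
    name: str
    page: str             # page that lists it: "Audits", "Risks", ...
    public: bool = False  # treated as private (sensitive) unless stated

def effective_access(user: User, entity: Entity) -> tuple:
    """Return (access, reason); access is 'edit', 'view' or 'none'."""
    if user.is_admin:
        return "edit", "admin bypasses all permission checks"
    if entity.page not in user.pages:
        return "none", f"page access toggle OFF for {entity.page}"
    explicit = user.entity_perms.get(entity.name)
    if explicit:
        return explicit, f"explicit {explicit} permission on entity"
    if entity.public:
        return "view", "public entity, view-only by default"
    return "none", "private entity and no explicit permission granted"

def visible(user: User, entities: list, page: str) -> list:
    """Entity names the user would see listed on the given page."""
    return [e.name for e in entities
            if e.page == page and effective_access(user, e)[0] != "none"]

# Constructed sample: the tutorial's entities, with every audit marked private.
ENTITIES = [Entity("Q4 SOC2 Audit", "Audits"),
            Entity("Password Policy Review", "Audits"),
            Entity("Network Security Audit", "Audits"),
            Entity("Data Breach Risk", "Risks"),
            Entity("Common Security Risks", "Risks", public=True)]
MIKE = User("Mike Torres", pages={"Dashboards", "Audits", "Issues", "Time"},
            entity_perms={"Password Policy Review": "edit",
                          "Q4 SOC2 Audit": "view", "Network Security Audit": "view"})
DAVID = User("David Kim", pages={"Audits"}, entity_perms={"Q4 SOC2 Audit": "view"})
EMMA = User("Emma Liu", pages={"Dashboards", "Audits", "Issues", "Risks", "Controls"})
```

The reason string returned by `effective_access` maps directly onto the troubleshooting causes above: a page toggle that is OFF, or a private entity with no explicit permission.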
Best Practices Learned
✅ Do:
- Start with minimal access, expand as needed
- Use View by default, Edit only when required
- Document why each person has specific permissions
- Test permissions before announcing to team
- Review permissions quarterly
❌ Don't:
- Grant Admin access unless absolutely necessary
- Give Edit on all entities "just in case"
- Forget to remove permissions when roles change
- Skip testing (catches misconfigurations early)
Next Steps
Now that you've set up your team:
- Create templates: Use Sarah's account to build audit templates
- Configure dashboards: Set up role-specific dashboards
- Set up AI agents: Connect ChatGPT/Claude for each team member
- Schedule review: Add calendar reminder to review permissions quarterly
What You Learned
✅ How to grant page-level access
✅ How to set entity-level permissions
✅ How to configure workflow permissions
✅ How to test and verify access
✅ How to document permission structure
✅ How to adjust permissions as roles change