Role-based access control for team and enterprise deployments — manage users, projects, permissions, and client portal access.
Requires: Team or Enterprise license + PostgreSQL database configured in team mode. RBAC is not available in single-user SQLite mode.
Role Definitions
super_admin
Permissions: Full access to everything
✓ User management (create, edit, delete, assign roles)
✓ License management
✓ All projects — read + write + delete
✓ All scans — create, run, stop, delete
✓ All reports — generate, download, delete
✓ System settings — database, AI keys, integrations
✓ Audit log — full read access
Typical users: CISO, Security Team Lead, Platform Admin
pentest_lead
Permissions:
✓ Create and manage projects (assigned to them)
✓ Assign testers to projects
✓ View all scans in their org
✓ Run scans on assigned projects
✓ Generate and download reports
✓ Manage findings (create, edit, delete, assign status)
✗ User management
✗ License management
✗ System settings
Typical users: Senior Pentesters, Engagement Managers
tester
Permissions:
✓ Run scans on assigned projects only
✓ Create and edit findings (their own projects)
✓ Upload evidence
✓ View reports for assigned projects
✗ Generate final reports (requires pentest_lead approval)
✗ Delete findings or scans
✗ View other testers' projects
Typical users: Junior/Mid-level Pentesters
reviewer
Permissions:
✓ Read-only access to assigned projects
✓ Add comments to findings
✓ Approve or reject findings (QA workflow)
✓ View and download reports
✗ Run scans
✗ Create or edit findings
✗ Delete anything
Typical users: QA Reviewers, Compliance Officers, Technical Advisors
client
Permissions:
✓ View reports for their project ONLY (read-only portal)
✓ Download reports for their project
✓ View finding summaries (no raw tool output or PoC details by default)
✗ Everything else — complete isolation from other projects
Typical users: Client security contacts, client management
Note: PoC detail visibility is configurable per project. Some clients want full technical details, others only summaries.
Prerequisites
Team or Enterprise license activated
PostgreSQL 16+ running and configured
super_admin account created during initial setup
1. Access User Management
Log in as super_admin. Navigate to Settings → Users & Roles.
2. Create Users
Click + Add User. Fill in:
Email: user@company.com
Full Name: Jane Smith
Role: pentest_lead / tester / reviewer / client
Department: Security / Engineering / Client
MFA: Require? Yes (recommended for all roles)
Send Invite: Yes → user receives setup email
3. Configure SSO (Enterprise Only)
Go to Settings → SSO Configuration. Supported providers:
SAML 2.0: Upload IdP metadata XML or enter metadata URL
Okta: Enter Okta domain + client ID
Azure AD: Enter tenant ID + client ID + client secret
Google WS: Enter client ID + service account credentials
Attribute Mapping:
email → user.email (required)
role → user.role (optional — or assign manually after SSO)
name → user.full_name
4. Configure MFA
Go to Settings → Security → MFA Policy. Options:
MFA Required For: All users / Admin only / Optional
MFA Methods: TOTP (Google Auth, Authy) / Hardware key (FIDO2)
Grace Period: 24 hours after first login before MFA required
Recovery Codes: Auto-generated, user must save on setup
⏱️ Basic user setup: 5 minutes per user. SSO configuration: 30–60 minutes.
Project-Based Access Control
1. Create a Project
Navigate to Projects → + New Project. Fill in project details:
Project Name: ClientCorp Web App Pentest Q1 2026
Client: ClientCorp Inc (creates client portal access)
Engagement Type: Full Pentest / Vuln Assessment / Red Team
Start Date: 2026-01-15
End Date: 2026-01-30
NDA On File: Yes
Classification: CONFIDENTIAL
2. Assign Team Members
In the project, click Team → Add Member. Assign roles per-project:
Jane Smith → pentest_lead (manages this engagement)
Bob Johnson → tester (runs scans)
Alice Chen → tester (runs scans)
Mike Davis → reviewer (QA before report delivery)
john@client → client (view-only portal after report delivery)
3. Configure Client Portal Access
Client users only see their project's data. Configure what they can see:
Show to client:
✓ Executive Report (PDF download)
✓ Finding summaries (title, severity, status)
✓ Remediation tracker (with status updates)
✓ Compliance dashboard
Hide from client:
○ Raw PoC steps (toggle per project)
○ Tool output / evidence files
○ Internal tester notes
○ Other client projects (always hidden)
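As an added illustration of the model described in Role Definitions and in the client portal settings above (example code, not PhantomYerra's own): a deny-by-default authorization check scoped by per-project assignment, plus the projection of a finding onto the fields the client portal exposes. The action names, the User dataclass and the omission of pentest_lead's org-wide scan view are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed action vocabulary, transcribed from the role definitions on this page
# (illustrative, not the product's). pentest_lead's org-wide "view all scans" is not modelled.
ROLE_ACTIONS = {
    "super_admin": {"manage_users", "manage_license", "system_settings", "read_audit_log",
                    "run_scan", "delete_scan", "create_finding", "edit_finding", "delete_finding",
                    "approve_finding", "generate_report", "view_report", "download_report"},
    "pentest_lead": {"assign_testers", "run_scan", "create_finding", "edit_finding",
                     "delete_finding", "generate_report", "view_report", "download_report"},
    "tester": {"run_scan", "create_finding", "edit_finding", "upload_evidence", "view_report"},
    "reviewer": {"comment_finding", "approve_finding", "view_report", "download_report"},
    "client": {"view_report", "download_report", "view_finding_summary"},
}
# Only super_admin may perform these, and they are not tied to any project.
GLOBAL_ACTIONS = {"manage_users", "manage_license", "system_settings", "read_audit_log"}


@dataclass
class User:
    email: str
    is_super_admin: bool = False
    project_roles: Dict[str, str] = field(default_factory=dict)  # project_id -> role


def authorize(user: User, action: str, project_id: Optional[str] = None) -> bool:
    """Deny by default: global actions need super_admin; everything else needs a
    role on *that* project (super_admin is implicitly on every project)."""
    if action in GLOBAL_ACTIONS:
        return user.is_super_admin
    role = "super_admin" if user.is_super_admin else user.project_roles.get(project_id)
    if role is None:
        return False  # no assignment on this project: nothing is visible
    return action in ROLE_ACTIONS[role]


def client_view(finding: dict, show_poc: bool) -> dict:
    """Project a finding onto what the client portal exposes: summary fields always,
    PoC steps only when the per-project toggle is on, tool output and internal
    tester notes never (they are simply not copied)."""
    view = {k: finding[k] for k in ("title", "severity", "status")}
    if show_poc and "poc_steps" in finding:
        view["poc_steps"] = finding["poc_steps"]
    return view
```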
Common Issues
Verify the tester is only assigned to the intended projects. Go to Settings → Users → [user] → Projects — this shows all project assignments. Remove any unintended project assignments. Check that no catch-all project assignments exist at the organization level.
The user's email from the SSO provider must match their PhantomYerra account email exactly. Check case sensitivity. If using just-in-time provisioning (auto-create on first SSO login), ensure it's enabled in Settings → SSO → Just-in-Time Provisioning. Newly provisioned users are assigned the "tester" role by default — promote as needed.
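An added example, not PhantomYerra's own code, of how the attribute mapping from step 3 and the behaviour described in this issue fit together: an exact, case-sensitive email lookup, and just-in-time provisioning that defaults new users to tester. The attribute names follow the mapping table; restricting an IdP role claim to non-admin roles at provisioning time is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict

# Assumed mapping, following the Attribute Mapping table: IdP attribute -> account field.
ATTRIBUTE_MAP = {"email": "email", "name": "full_name", "role": "role"}
# Roles an IdP role claim may assign at provisioning time (assumption: never super_admin).
JIT_ASSIGNABLE_ROLES = {"pentest_lead", "tester", "reviewer", "client"}
DEFAULT_JIT_ROLE = "tester"  # newly provisioned users start as tester


@dataclass
class Account:
    email: str
    full_name: str
    role: str


class SsoLoginError(Exception):
    pass


def resolve_sso_login(assertion: dict, accounts: Dict[str, Account],
                      jit_enabled: bool) -> Account:
    """Map IdP attributes onto an account. The email lookup is exact and
    case-sensitive (no normalisation), so "Jane.Smith@company.com" does not
    match an account stored as "jane.smith@company.com"."""
    mapped = {ATTRIBUTE_MAP[k]: v for k, v in assertion.items() if k in ATTRIBUTE_MAP}
    email = mapped.get("email")
    if not email:
        raise SsoLoginError("assertion lacks the required email attribute")
    account = accounts.get(email)  # exact match; nothing is lower-cased
    if account is not None:
        return account  # existing users keep their manually assigned role
    if not jit_enabled:
        raise SsoLoginError("no account matches %r exactly and JIT provisioning is off" % email)
    claimed = mapped.get("role")
    role = claimed if claimed in JIT_ASSIGNABLE_ROLES else DEFAULT_JIT_ROLE
    account = Account(email=email, full_name=mapped.get("full_name", ""), role=role)
    accounts[email] = account
    return account
```

With JIT on, a case-mismatched email in this example creates a second account rather than failing the login, so an SSO user who suddenly has only tester permissions is worth checking for a duplicate account first.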
This should never happen — client isolation is enforced at the database query level. If you observe this, immediately report it as a security issue. Workaround: temporarily revoke client portal access for the affected client until the issue is investigated. Check the audit log for any anomalous data access patterns.