
Roles and Permissions in Cye Exposure Management Platform

Define user access and operational scope through platform roles, engagement memberships, and special permissions.


Overview

Every user in the Cye Platform is assigned a set of roles and permissions that determine what they can see, access, and modify. This ensures that every user has exactly the access they need to perform their job, without being exposed to unnecessary or sensitive security data.


Platform vs. Engagement Environments

The permission model distinguishes two environments, and every access decision is made with both in mind:

  • The Platform: The global organizational level. Platform roles define organization-wide administrative rights (such as SSO or User Management) and establish baseline visibility across the company.

  • The Engagement: An isolated workspace for a specific security assessment. Visibility in the Cye Platform is siloed by default; access to the platform does not grant automatic entry into an engagement. Membership must be explicitly granted for each individual assessment.


The Five Gates of Access

Permissions function as a series of sequential "gates." An action is permitted only when the requirements are met at every layer; if a single gate is closed, the action is blocked:

  • Platform access - The user's global standing and administrative level.

  • Engagement membership - The user's presence within the specific assessment workspace.

  • Engagement role - The user's defined capability (Viewer vs. Editor) within that workspace.

  • Special permissions - Additional capabilities granted on top of the engagement role.

  • Finding-level sharing - The individual sharing settings for a specific security finding.

A user must satisfy every layer that applies to an action. A Platform Administrator who has not been added to an engagement, for example, cannot see that engagement's findings, because the membership gate is closed regardless of the platform role.


The Permission Hierarchy

Each level builds on the one before it, narrowing the user's focus from the entire organization down to a single security finding.

Level - What it Controls

  1. Platform Role - Your overall access to the organization and global settings (e.g., Administrator vs. User).

  2. Engagement Access - Which specific security assessments (Engagements) you are allowed to see.

  3. Engagement Role - What you can do inside an engagement (e.g., Viewer vs. Editor).

  4. Special Permissions - High-level technical "keys" for specific tools, like the Mitigation Graph.

  5. Finding Share - Access to individual, specific security findings within an engagement.


Platform Roles

Platform roles apply across the entire organization and define global administrative capabilities.

Administrator

  • Full platform access

  • Managing users, integrations, threat sources, and business assets

  • Configure SSO

Power User

  • Create engagements; the creator automatically becomes the Engagement Administrator of each engagement they create

  • Creating findings or editing the mitigation graph still requires an engagement role of Editor or above plus the Findings & Graph Initiator special permission; the Power User platform role grants neither by itself

User

  • Provides read-only access to dashboards and exports.

IT Admin (Operational Specialist)

  • A siloed role for infrastructure management. This role is strictly partitioned from security findings and data.
    For more information about the IT Admin role, see the dedicated article.


Engagement Roles

An Engagement is an isolated workspace. Membership in the platform does not grant visibility into an engagement unless a user is explicitly added to the "Members & Groups" tab of that assessment.
Note: IT Admins cannot hold engagement roles.

Administrator

  • Full engagement control, including managing users and editing content.

Editor

  • Edit existing engagement content

  • Cannot manage users

  • Cannot access the Members and Groups tab

Viewer

  • Read-only access to the specific engagement and its related exports.


Special Permissions: Findings & Graph Initiator

This permission extends the capabilities of an Editor or Administrator. Without this permission, Editors can edit existing findings but cannot create new ones or modify the graph.

Authorized Actions with this Permission:

  • Creation and linking of findings.

  • Addition or deletion of graph edges.

  • Modification of the mitigation graph structure.


Finding-Level Permissions

Finding-level access is layered on top of engagement membership. Being a member of an engagement, in any role, does not by itself make a finding visible; the finding must be shared with the user before they can see or work on it.

Viewing Findings

  • Platform Requirement - Any Role

  • Engagement Requirement - Engagement Membership

  • Sharing Requirement - View permission shared for specific finding

Creating Findings

  • Platform Requirement - Any Role

  • Engagement Requirement - Editor or Administrator

  • Sharing Requirement - Not applicable (the finding does not exist yet); the Findings & Graph Initiator special permission is required instead

Sharing Findings

Access to individual findings is controlled independently of the engagement role. The finding-level roles below share names with the engagement roles but are granted per finding:

  • Viewer: Capability to view and comment.

  • Editor: Capability to rename, create Jira tickets, and import assets.

  • Administrator: Full control over the individual finding.


Mitigation Graph Permissions

Modifying the mitigation graph requires specific roles to prevent unauthorized changes to the risk model.

Viewing Findings on the Graph

  • Required Role - Engagement Member

  • Required Sharing or Special Permission - Finding must be shared with the user (at least View)

Creating Findings from the Graph

  • Required Role - Engagement Editor (or Administrator)

  • Required Sharing or Special Permission - Findings & Graph Initiator

Linking findings on the graph (to Threat Sources or other Findings)

  • Required Role - Engagement Member

  • Required Sharing or Special Permission - Finding must be shared with the user

Creating or Deleting Edges

  • Required Role - Engagement Editor (or Administrator)

  • Required Sharing or Special Permission - Findings & Graph Initiator

Adding Threat Sources or Business Assets

  • Required Role - Platform Administrator (Threat Sources and Business Assets are managed at the platform level; see Platform Roles)

  • Required Sharing or Special Permission - Not applicable

Engagement Editors and Power Users cannot add Threat Sources or Business Assets, even when they hold Findings & Graph Initiator.
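The Five Gates described earlier and the finding and graph requirement lists above amount to a single authorization decision that must pass at every layer. The following Python is an added illustration of that decision as policy-as-code; it is not Cye's implementation and nothing in it comes from the product. Role and permission names follow this article; the User, Membership and Finding data classes, the check and effective_access functions, the action names and the sample users are assumptions constructed for the example. Two points the page leaves implicit are modelled as its tables state them: finding-level sharing is applied to every engagement member, with no implied exemption for Engagement Administrators, and adding Threat Sources or Business Assets is treated as a platform Administrator capability, since the page says Power Users cannot do it even as engagement members.

```python
# Added example: policy-as-code model of the access gates described in this article.
# Illustrative only, not Cye's code. Role and permission names follow the article;
# the data model, function names, action names and sample users are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple


class PlatformRole(str, Enum):
    ADMINISTRATOR = "Administrator"
    POWER_USER = "Power User"
    USER = "User"
    IT_ADMIN = "IT Admin"


class EngagementRole(str, Enum):
    ADMINISTRATOR = "Administrator"
    EDITOR = "Editor"
    VIEWER = "Viewer"


FINDINGS_GRAPH_INITIATOR = "Findings & Graph Initiator"
CONTENT_ROLES = {EngagementRole.EDITOR, EngagementRole.ADMINISTRATOR}

# Action groups taken from the article's finding and graph requirement lists.
INITIATOR_ACTIONS = {"create_finding", "create_edge", "delete_edge"}
SHARED_FINDING_ACTIONS = {"view_finding", "comment_on_finding", "link_finding"}
PLATFORM_ADMIN_ACTIONS = {"add_threat_source", "add_business_asset"}


@dataclass
class Membership:
    role: EngagementRole
    special_permissions: FrozenSet[str] = frozenset()


@dataclass
class User:
    name: str
    platform_role: PlatformRole
    memberships: Dict[str, Membership] = field(default_factory=dict)  # engagement id -> Membership


@dataclass
class Finding:
    finding_id: str
    engagement_id: str
    shares: Dict[str, str] = field(default_factory=dict)  # user name -> Viewer/Editor/Administrator


def check(user: User, engagement_id: str, action: str,
          finding: Optional[Finding] = None) -> Tuple[bool, str]:
    """Walk the five gates in order; the first closed gate denies the action."""
    # Gate 1: platform access. IT Admin is partitioned from all security findings, and
    # Threat Sources / Business Assets are a platform Administrator capability (assumption, see lead-in).
    if user.platform_role is PlatformRole.IT_ADMIN:
        return False, "gate 1: IT Admin is partitioned from security findings"
    if action in PLATFORM_ADMIN_ACTIONS and user.platform_role is not PlatformRole.ADMINISTRATOR:
        return False, "gate 1: only a platform Administrator can add Threat Sources or Business Assets"
    # Gate 2: engagement membership. No platform role substitutes for it.
    membership = user.memberships.get(engagement_id)
    if membership is None:
        return False, "gate 2: not a member of this engagement"
    # Gate 3: engagement role. Viewers never modify content.
    if action in INITIATOR_ACTIONS | PLATFORM_ADMIN_ACTIONS and membership.role not in CONTENT_ROLES:
        return False, f"gate 3: {membership.role.value} cannot modify engagement content"
    # Gate 4: special permission layered on top of the engagement role.
    if action in INITIATOR_ACTIONS and FINDINGS_GRAPH_INITIATOR not in membership.special_permissions:
        return False, f"gate 4: requires {FINDINGS_GRAPH_INITIATOR}"
    # Gate 5: finding-level sharing, applied to every member (no admin exemption modelled).
    if action in SHARED_FINDING_ACTIONS:
        if finding is None or finding.engagement_id != engagement_id:
            return False, "gate 5: finding does not belong to this engagement"
        if user.name not in finding.shares:
            return False, "gate 5: finding is not shared with this user"
    return True, "allowed"


def effective_access(user: User, engagement_id: str, finding: Finding) -> Dict[str, bool]:
    """The per-user view an access review would list: action -> allowed."""
    actions = sorted(SHARED_FINDING_ACTIONS | INITIATOR_ACTIONS | PLATFORM_ADMIN_ACTIONS)
    return {a: check(user, engagement_id, a, finding)[0] for a in actions}


# Constructed sample data for the example (not real users, engagements or findings).
ENGAGEMENT = "ENG-001"
ALICE = User("alice", PlatformRole.ADMINISTRATOR)  # platform admin but not an engagement member
BOB = User("bob", PlatformRole.POWER_USER,
           {ENGAGEMENT: Membership(EngagementRole.ADMINISTRATOR, frozenset({FINDINGS_GRAPH_INITIATOR}))})
CAROL = User("carol", PlatformRole.USER, {ENGAGEMENT: Membership(EngagementRole.EDITOR)})
DAVE = User("dave", PlatformRole.USER, {ENGAGEMENT: Membership(EngagementRole.VIEWER)})
ERIN = User("erin", PlatformRole.IT_ADMIN)
FRANK = User("frank", PlatformRole.ADMINISTRATOR, {ENGAGEMENT: Membership(EngagementRole.EDITOR)})
FINDING = Finding("F-1", ENGAGEMENT, shares={"dave": "Viewer", "carol": "Editor"})

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE, ERIN, FRANK):
        granted = [a for a, ok in effective_access(u, ENGAGEMENT, FINDING).items() if ok]
        print(f"{u.name:<6} {u.platform_role.value:<14} {', '.join(granted) or 'no access'}")
```

Running the block prints each constructed user's granted actions on ENG-001. The reason string returned with every denial names the first closed gate, which is the detail an access review or a support ticket about "I can't see this finding" needs: it tells you whether to fix membership, the engagement role, the special permission, or the share on the individual finding.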


Infrastructure and Authentication

Only Platform Administrators and IT Admins have the authority to manage the following areas under the Settings menu:

  • Integrations: Add and manage connections to third-party tools (e.g., AWS, Jira).

  • Authentication & SSO: Configure Single Sign-On and 2FA settings.

  • API Access & Automations: Generate and manage access tokens and workflow triggers.


Wrap Up

The permission model rests on three architectural principles:

  • Independence: Platform roles and Engagement roles operate independently. A high-level Platform role does not override the requirement for Engagement-level membership.

  • Partitioning: The separation of global and local roles allows a stakeholder to be a "User" at the platform level while remaining a "Viewer" within specific engagements to limit data noise.

  • The IT Admin Exception: This role provides a dedicated lane for infrastructure management while remaining strictly partitioned from all security findings. This ensures that the platform "pipes" can be managed without exposure to sensitive vulnerability findings.
