Overview
Permissions in Hyver are determined through a layered access model.
Each layer controls a different aspect of visibility or capability:
Platform access
Engagement membership
Role within an engagement
Special permissions
Finding-level sharing
Users must have the correct configuration at every layer to perform specific actions such as creating findings or editing the mitigation graph.
Permission Hierarchy
Level | Controls |
Platform Role | Organization-wide access and administrative capabilities. |
Engagement Access | Determines which specific engagements are visible to the user. |
Engagement Role | Defines the actions a user can take within an assigned engagement. |
Special Permissions | Grants advanced capabilities (e.g., modifying the graph). |
Finding Share Permission | Controls access to individual, specific findings. |
Each level builds on the one before it.
Platform Roles
Apply across the entire organization.
Administrator
Full platform access
Can manage users, integrations, threat sources, and business assets
Can configure SSO
Power User
Can create engagements
Automatically becomes Engagement Administrator of created engagements
Still requires engagement-level permissions to create findings or edit the graph
Needs Findings & Graph Initiator to work with the mitigation graph
User
Read-only access to dashboards and exports
IT Admin (Operational Specialist)
The IT Admin role follows the principle of least privilege. It is designed for IT administrators who need to operationalize the platform (set up integrations, SSO, etc.) without exposure to sensitive security data.
Login Experience: Upon login, IT Admins are redirected directly to the Settings page.
Security Silo: IT Admins are strictly excluded from all security layers:
No Engagement Membership: They cannot be added to engagements or appear in the "Members & Groups" tab.
No Visibility to Findings: Findings are not visible to IT Admins.
No Reporting: They are excluded from all scheduled report recipient lists.
Access Protection: Deep-linking to restricted pages (like Findings or Maturity) is blocked.
IT Admin: Interface & Navigation Access
Because the IT Admin role is siloed for infrastructure tasks, their view of the Hyver interface is carefully partitioned to protect the organization's security posture.
Left and Top Navigation Bars Visibility
Items are hidden, not just disabled, to ensure the IT Admin is only exposed to relevant areas.
Visible Items | Hidden (Restricted) Items |
Settings (Primary Workspace) | Maturity, Cost of Breach, & Explore Page |
Support Button | Industry & Expert Graphs |
Knowledge Center (KC) | Dashboards & Reports |
CYE AI Chatbot & Notifications Bell | Engagements, Findings, Assets, & Plans |
Inside the Settings Menu: Allowed vs. Restricted Areas
For the IT Admin, the Settings tab in the left navigation bar is their primary workspace. However, access within this menu is partitioned to ensure they can manage infrastructure without altering the platform's underlying security logic.
Feature Area | IT Admin Access | Purpose / Restriction |
Integrations & Workflows | Allowed | Set up and management of AWS, Jira, MS Defender, etc. |
Security Tools | Allowed | Configuration of connected platform security tools. |
Workflow Automations | Allowed | Creating and managing automated triggers and actions. |
Authentication & 2FA | Allowed | Managing account security, SSO, and login methods. |
Access Tokens | Allowed | Generating and managing API keys for integrations. |
Company & User Profile | Allowed | Basic organizational details and personal profile data. |
Likelihood Modeling | Restricted | Protects the core risk and probability calculation logic. |
Threat Source & Business Assets | Restricted | Prevents modification of the assessment and data model. |
Audit Logs | Restricted | Silos sensitive activity tracking and system logs. |
User Management | Restricted | Prevents IT Admins from managing or elevating permissions. |
Engagement Roles
These roles apply only within specific engagements.
Note: IT Admins cannot hold engagement roles.
Administrator
Full engagement control
Can manage users and edit content
Editor
Can edit existing engagement content
Cannot manage users
Cannot access the Members and Groups tab
Important:
Editors cannot create findings or modify the mitigation graph unless granted the Findings & Graph Initiator special permission.
Viewer
Read-only access to the specific engagement and its exports.
Special Permissions
Extend engagement role capabilities.
Findings & Graph Initiator
Allows an Editor (or Administrator) to:
Create findings
Link findings
Add or delete graph edges
Modify mitigation graph structure
Without this permission:
Editors can edit existing findings
Editors cannot create new findings
Editors cannot modify the graph
Working with Findings
Viewing Findings
To view a finding, you must:
Be a member of the engagement
Have view permission for the finding
Have the finding shared with you
Creating Findings
Requires:
Editor or Administrator engagement role
Findings & Graph Initiator permission
Membership in the relevant engagement
Finding Sharing Permissions
Each finding can be shared with:
Permission | Capability |
Viewer | View and comment |
Editor | Rename, create Jira tickets, import assets |
Administrator | Full control over the finding |
Mitigation Graph Permissions
Working with the Mitigation Graph requires a combination of permissions:
Platform role
Engagement role
Special permissions
Finding-level sharing
Viewing Findings on the Graph
To see a finding on the graph, you must:
Be a member of the engagement
Have the finding shared with you (at least View permission)
Creating Findings from the Graph
Requires:
Editor engagement role
Findings & Graph Initiator permission
Membership in the relevant engagement
Creating or Deleting Edges
Requires:
Editor engagement role
Findings & Graph Initiator permission
Adding Threat Sources or Business Assets
Restricted to:
Engagement Administrators
Editors and Power Users cannot add these — even with Findings & Graph Initiator.
Important:
A Power User platform role does not grant graph editing capability by itself.
To modify graph structure, the user must still have:
Editor role in the engagement
Findings & Graph Initiator permission
Platform roles do not override engagement-level permissions.
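The checks described in the Working with Findings and Mitigation Graph Permissions sections above, encoded as one decision function per action so the layering can be exercised directly. This is an added illustration, not Hyver's code: the Principal class, the role enums and the share-level names are assumptions built from the rules stated on this page, and any finding ids used with it are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional

class PlatformRole(Enum):
    ADMINISTRATOR = "Administrator"
    POWER_USER = "Power User"
    USER = "User"
    IT_ADMIN = "IT Admin"

class EngagementRole(Enum):
    ADMINISTRATOR = "Administrator"
    EDITOR = "Editor"
    VIEWER = "Viewer"

SHARE_LEVELS = ("Viewer", "Editor", "Administrator")  # finding share levels, lowest to highest

@dataclass
class Principal:  # hypothetical snapshot of one user's configuration at every layer
    platform_role: PlatformRole
    engagement_role: Optional[EngagementRole] = None     # None = not a member
    graph_initiator: bool = False                         # Findings & Graph Initiator
    shares: Dict[str, str] = field(default_factory=dict)  # finding id -> share level

def is_member(p: Principal) -> bool:
    # IT Admins are siloed: they can never hold engagement membership.
    return p.platform_role is not PlatformRole.IT_ADMIN and p.engagement_role is not None

def can_view_finding(p: Principal, finding_id: str) -> bool:
    # Membership plus a share of at least Viewer on this specific finding.
    return is_member(p) and p.shares.get(finding_id) in SHARE_LEVELS

def can_rename_finding(p: Principal, finding_id: str) -> bool:
    # Rename, Jira ticket creation and asset import need an Editor-or-higher share.
    return is_member(p) and p.shares.get(finding_id) in SHARE_LEVELS[1:]

def can_create_finding(p: Principal) -> bool:
    # Editor or Administrator engagement role AND the Initiator special permission;
    # the platform role plays no part, so a Power User gains nothing from it here.
    return (is_member(p)
            and p.engagement_role in (EngagementRole.EDITOR, EngagementRole.ADMINISTRATOR)
            and p.graph_initiator)

def can_edit_graph_edges(p: Principal) -> bool:
    # Adding or deleting graph edges has the same requirements as creating findings.
    return can_create_finding(p)

def can_add_threat_source(p: Principal) -> bool:
    # Threat sources and business assets: Engagement Administrators only, Initiator or not.
    return is_member(p) and p.engagement_role is EngagementRole.ADMINISTRATOR
```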
Managing Integrations and SSO
Unlike other security settings, infrastructure management is shared between two roles:
Only Platform Administrators and IT Admins can:
Add or manage integrations
Configure SSO (e.g., Okta) under Settings → Company Profile
Manage API Access Tokens and Workflow Automations
Wrap Up / Next Steps
To ensure security and operational efficiency, keep these three principles in mind:
Independence of Roles: Platform roles and engagement roles are independent. For example, a Power User (Platform) must still be granted Editor permissions (Engagement) to work within a specific assessment.
Cumulative Access: No single role grants full authority. Every action depends on the combined configuration of your platform role, engagement role, and any special permissions (like the Findings & Graph Initiator).
The IT Admin Exception: The IT Admin is the only role that exists in a complete "Security Silo." It is a dedicated operational lane that can manage the "pipes" of the platform (Integrations/SSO) while remaining strictly partitioned from the security analysis and data exposure.
