ContraForce uses a two-tier role system: Organization Roles control platform-wide access, while Workspace Roles control what users can do within specific customer workspaces.
Role System Overview
ContraForce roles operate at two levels:Organization Roles
Control who can access the platform and manage organization-wide settings. Assigned in Settings → User Management.
Workspace Roles
Control what actions users can perform within a specific customer workspace. Assigned per-workspace in Workspace Settings.
How Roles Work Together
A user needs both an organization role AND a workspace role to work effectively:Organization Roles
Organization roles are assigned at the partner/organization level and determine platform-wide capabilities.Organization Roles Summary
| Role | Description | Typical Users |
|---|---|---|
| Organization Admin | Full platform control including billing, settings, and user management | Business owners, IT directors, platform administrators |
| Organization Member | Standard platform access, can be assigned to workspaces | SOC analysts, engineers, account managers |
Organization Admin
Full administrative control over the ContraForce platform.Permissions
Permissions
| Capability | Access |
|---|---|
| View organization dashboard | ✓ |
| Manage organization settings | ✓ |
| Create and delete workspaces | ✓ |
| Add and remove organization users | ✓ |
| Create and manage organization groups | ✓ |
| Assign users to workspaces | ✓ |
| View billing and usage | ✓ |
| Manage API keys | ✓ |
| Configure SSO/authentication | ✓ |
| Access all workspaces (with workspace role) | ✓ |
Use Cases
Use Cases
- Platform administrators responsible for ContraForce setup
- Business owners who need full visibility
- IT directors managing the security operations team
- Personnel responsible for billing and licensing
Assignment Guidelines
Assignment Guidelines
- Limit to 2-3 trusted individuals
- Ensure at least two Organization Admins for continuity
- Document who has this role and why
- Review quarterly for appropriateness
Organization Member
Standard platform access for team members who work within workspaces.Permissions
Permissions
| Capability | Access |
|---|---|
| View organization dashboard | ✓ |
| Manage organization settings | — |
| Create and delete workspaces | — |
| Add and remove organization users | — |
| Create and manage organization groups | — |
| Assign users to workspaces | — |
| View billing and usage | — |
| Manage API keys | — |
| Configure SSO/authentication | — |
| Access assigned workspaces (with workspace role) | ✓ |
Use Cases
Use Cases
- SOC analysts handling daily incident triage
- Security engineers managing integrations
- Account managers reviewing customer status
- Any team member who doesn’t need admin capabilities
Assignment Guidelines
Assignment Guidelines
- Default role for most team members
- Combine with appropriate workspace roles
- Add to organization groups for easier workspace assignment
Workspace Roles
Workspace roles control what a user can do within a specific customer workspace. Users can have different roles in different workspaces.Workspace Roles Summary
| Role | View Incidents | Respond to Incidents | Manage Gamebooks | Configure Modules | Manage Users |
|---|---|---|---|---|---|
| Admin | ✓ | ✓ | ✓ | ✓ | ✓ |
| Incident Responder | ✓ | ✓ | ✓ | — | — |
| Incident Analyst | ✓ | — | — | — | — |
| Data Source Admin | ✓ | — | — | ✓ | — |
| Content Admin | ✓ | — | — | CMS Only | — |
Admin
Full control over a workspace including user management and configuration.Complete Permissions
Complete Permissions
Incident Management
Response Actions
Configuration
Administration
| Capability | Access |
|---|---|
| View incidents | ✓ |
| View incident details and entities | ✓ |
| Update incident status | ✓ |
| Update incident severity | ✓ |
| Assign incidents | ✓ |
| Add comments | ✓ |
| Close incidents | ✓ |
| Delete incidents | ✓ |
| Capability | Access |
|---|---|
| Run Gamebooks | ✓ |
| Create custom Gamebooks | ✓ |
| Execute response actions | ✓ |
| Isolate endpoints | ✓ |
| Disable user accounts | ✓ |
| Block IPs/URLs | ✓ |
| Capability | Access |
|---|---|
| Configure modules | ✓ |
| Manage data connectors | ✓ |
| Configure notifications | ✓ |
| Manage CMS rules | ✓ |
| Deploy detection rules | ✓ |
| Capability | Access |
|---|---|
| Add users to workspace | ✓ |
| Remove users from workspace | ✓ |
| Assign workspace roles | ✓ |
| Add groups to workspace | ✓ |
| View workspace settings | ✓ |
| Modify workspace settings | ✓ |
Use Cases
Use Cases
- SOC managers overseeing a specific customer
- Lead analysts with full responsibility for a workspace
- Customer success managers who need to configure workspaces
- Technical account managers during onboarding
Assignment Guidelines
Assignment Guidelines
- Assign to SOC managers and team leads
- Limit to personnel who need user management capabilities
- Consider using Incident Responder instead if user management isn’t needed
- Appropriate for your most senior analysts on premium customers
Incident Responder
Can investigate incidents and execute response actions, but cannot configure the workspace.Complete Permissions
Complete Permissions
Incident Management
Response Actions
Configuration
Administration
| Capability | Access |
|---|---|
| View incidents | ✓ |
| View incident details and entities | ✓ |
| Update incident status | ✓ |
| Update incident severity | ✓ |
| Assign incidents | ✓ |
| Add comments | ✓ |
| Close incidents | ✓ |
| Delete incidents | — |
| Capability | Access |
|---|---|
| Run Gamebooks | ✓ |
| Create custom Gamebooks | ✓ |
| Execute response actions | ✓ |
| Isolate endpoints | ✓ |
| Disable user accounts | ✓ |
| Block IPs/URLs | ✓ |
| Capability | Access |
|---|---|
| Configure modules | — |
| Manage data connectors | — |
| Configure notifications | — |
| Manage CMS rules | — |
| Deploy detection rules | — |
| Capability | Access |
|---|---|
| Add users to workspace | — |
| Remove users from workspace | — |
| Assign workspace roles | — |
| Add groups to workspace | — |
| View workspace settings | Limited |
| Modify workspace settings | — |
Use Cases
Use Cases
- Tier 2 SOC analysts who handle escalations
- Senior analysts who need to take response actions
- Incident handlers during active investigations
- On-call personnel who may need to respond after hours
Assignment Guidelines
Assignment Guidelines
- Default role for experienced SOC analysts
- Appropriate for personnel who need response capabilities
- Use for Tier 2 and above analysts
- Consider for on-call rotation members
Incident Analyst
Read-only access to incidents for monitoring and analysis without response capabilities.Complete Permissions
Complete Permissions
Incident Management
Response Actions
Configuration
Administration
| Capability | Access |
|---|---|
| View incidents | ✓ |
| View incident details and entities | ✓ |
| Update incident status | — |
| Update incident severity | — |
| Assign incidents | — |
| Add comments | ✓ |
| Close incidents | — |
| Delete incidents | — |
| Capability | Access |
|---|---|
| Run Gamebooks | — |
| Create custom Gamebooks | — |
| Execute response actions | — |
| Isolate endpoints | — |
| Disable user accounts | — |
| Block IPs/URLs | — |
| Capability | Access |
|---|---|
| Configure modules | — |
| Manage data connectors | — |
| Configure notifications | — |
| Manage CMS rules | — |
| Deploy detection rules | — |
| Capability | Access |
|---|---|
| Add users to workspace | — |
| Remove users from workspace | — |
| Assign workspace roles | — |
| Add groups to workspace | — |
| View workspace settings | — |
| Modify workspace settings | — |
Use Cases
Use Cases
- Tier 1 SOC analysts who triage and escalate
- Customer stakeholders who want visibility into their incidents
- Compliance officers reviewing security events
- Account managers monitoring customer status
- Junior analysts in training
Assignment Guidelines
Assignment Guidelines
- Use for Tier 1 analysts who escalate rather than respond
- Appropriate for customer users who need read-only access
- Good for personnel in training before promoting to Responder
- Use for account managers who need visibility without action capability
Data Source Admin
Can configure modules and data connectors but cannot respond to incidents.Complete Permissions
Complete Permissions
Incident Management
Response Actions
Configuration
Administration
| Capability | Access |
|---|---|
| View incidents | ✓ |
| View incident details and entities | ✓ |
| Update incident status | — |
| Update incident severity | — |
| Assign incidents | — |
| Add comments | ✓ |
| Close incidents | — |
| Delete incidents | — |
| Capability | Access |
|---|---|
| Run Gamebooks | — |
| Create custom Gamebooks | — |
| Execute response actions | — |
| Isolate endpoints | — |
| Disable user accounts | — |
| Block IPs/URLs | — |
| Capability | Access |
|---|---|
| Configure modules | ✓ |
| Manage data connectors | ✓ |
| Configure notifications | ✓ |
| Manage CMS rules | — |
| Deploy detection rules | — |
| Capability | Access |
|---|---|
| Add users to workspace | — |
| Remove users from workspace | — |
| Assign workspace roles | — |
| Add groups to workspace | — |
| View workspace settings | ✓ |
| Modify workspace settings | Limited |
Use Cases
Use Cases
- Integration engineers setting up data connectors
- Technical onboarding specialists
- Engineers troubleshooting data flow issues
- Personnel responsible for module configuration
Assignment Guidelines
Assignment Guidelines
- Use for technical staff who configure but don’t respond
- Appropriate for onboarding and integration work
- Good for separation of duties (config vs. response)
- Consider for customer IT admins managing their own connectors
Content Admin
Can manage CMS detection rules but cannot configure other modules or respond to incidents.Complete Permissions
Complete Permissions
Incident Management
Response Actions
Configuration
Administration
| Capability | Access |
|---|---|
| View incidents | ✓ |
| View incident details and entities | ✓ |
| Update incident status | — |
| Update incident severity | — |
| Assign incidents | — |
| Add comments | ✓ |
| Close incidents | — |
| Delete incidents | — |
| Capability | Access |
|---|---|
| Run Gamebooks | — |
| Create custom Gamebooks | — |
| Execute response actions | — |
| Isolate endpoints | — |
| Disable user accounts | — |
| Block IPs/URLs | — |
| Capability | Access |
|---|---|
| Configure modules | — |
| Manage data connectors | — |
| Configure notifications | — |
| Manage CMS rules | ✓ |
| Deploy detection rules | ✓ |
| Enable/disable rules | ✓ |
| Configure auto-updates | ✓ |
| Capability | Access |
|---|---|
| Add users to workspace | — |
| Remove users from workspace | — |
| Assign workspace roles | — |
| Add groups to workspace | — |
| View workspace settings | Limited |
| Modify workspace settings | — |
Use Cases
Use Cases
- Detection engineers managing rule deployments
- Security engineers tuning detection coverage
- Personnel responsible for Sentinel rule management
- Content specialists focused on detection quality
Assignment Guidelines
Assignment Guidelines
- Use for personnel focused specifically on detection rules
- Good for separation of duties (detection vs. response)
- Appropriate for detection engineering teams
- Consider pairing with Incident Analyst for visibility
Role Comparison Matrix
By Functional Area
- Incident Operations
- Response Actions
- Configuration
- Administration
| Capability | Admin | Responder | Analyst | Data Source | Content |
|---|---|---|---|---|---|
| View incidents | ✓ | ✓ | ✓ | ✓ | ✓ |
| View details/entities | ✓ | ✓ | ✓ | ✓ | ✓ |
| Update status | ✓ | ✓ | — | — | — |
| Update severity | ✓ | ✓ | — | — | — |
| Assign incidents | ✓ | ✓ | — | — | — |
| Add comments | ✓ | ✓ | ✓ | ✓ | ✓ |
| Close incidents | ✓ | ✓ | — | — | — |
| Delete incidents | ✓ | — | — | — | — |
Common Role Assignments
By Team Structure
| Team Member | Org Role | Typical Workspace Role |
|---|---|---|
| SOC Manager | Organization Admin | Admin |
| Tier 2 Analyst | Organization Member | Incident Responder |
| Tier 1 Analyst | Organization Member | Incident Analyst |
| Detection Engineer | Organization Member | Content Admin |
| Integration Engineer | Organization Member | Data Source Admin |
| Account Manager | Organization Member | Incident Analyst |
| Customer CISO | — (workspace only) | Incident Analyst |
| Customer IT Admin | — (workspace only) | Data Source Admin |
By Customer SLA
| SLA Tier | Recommended Team Roles |
|---|---|
| Premium | Admin (manager) + Incident Responder (analysts) |
| Standard | Incident Responder (lead) + Incident Analyst (analysts) |
| Basic | Incident Analyst (monitoring only) |
Best Practices
Apply principle of least privilege
Apply principle of least privilege
Assign the minimum role needed for each user’s responsibilities. Start with Incident Analyst and promote to Responder only when response capabilities are needed.
Use groups for consistent assignment
Use groups for consistent assignment
Create organization groups like “SOC Tier 1” and “SOC Tier 2” with predetermined workspace roles. This ensures consistency across all customer workspaces.
Separate configuration from response
Separate configuration from response
Consider separating Data Source Admin and Content Admin roles from incident response roles. This provides better audit trails and separation of duties.
Limit Admin role assignments
Limit Admin role assignments
Reserve the Admin role for personnel who genuinely need user management capabilities. Most analysts should be Incident Responders or Incident Analysts.
Document role assignments
Document role assignments
Maintain a record of who has what role and why. Review quarterly to ensure assignments are still appropriate.
Use different roles for different workspaces
Use different roles for different workspaces
A user can have different roles in different workspaces. A senior analyst might be Admin for a premium customer but Incident Responder for standard customers.
Frequently Asked Questions
Can a user have multiple workspace roles?
Can a user have multiple workspace roles?
No, each user has one role per workspace. However, they can have different roles in different workspaces. If a user needs capabilities from multiple roles, assign the higher-privilege role.
What's the difference between Admin and Incident Responder?
What's the difference between Admin and Incident Responder?
Admin can manage users and modify workspace settings. Incident Responder has the same operational capabilities (investigating, responding) but cannot add/remove users or change configuration.
Should customer users be Organization Members?
Should customer users be Organization Members?
Generally no. Customer users should only be added at the workspace level (not organization level) to ensure they can only see their own data.
Can I create custom roles?
Can I create custom roles?
Custom roles are not currently supported. Use the predefined roles that best match your needs. Contact support if you have specific requirements not met by existing roles.
How do I promote a user from Analyst to Responder?
How do I promote a user from Analyst to Responder?
Go to the workspace settings, find the user in Users & Groups, edit their assignment, and change their role from Incident Analyst to Incident Responder.
What role should customer stakeholders have?
What role should customer stakeholders have?
Incident Analyst is typically appropriate for customer stakeholders who need visibility into their security posture without the ability to take response actions.
Related Guides
User & Group Management
Setting up users and groups for partners
Workspace Manager
Managing customer workspaces
Gamebooks
Automated response actions (requires Responder role)
Content Management System
Detection rule management (requires Content Admin role)
Questions about roles and permissions? Contact us at [email protected].