Recommended Default Groups
Setting up default groups during initial configuration saves time and ensures consistent access patterns. Suggested Partner Groups| Group Name | Description | Suggested Workspace Role |
|---|---|---|
| SOC Tier 1 | Front-line analysts handling initial triage | Incident Analyst |
| SOC Tier 2 | Senior analysts with response capabilities | Incident Responder |
| SOC Managers | Team leads overseeing operations | Admin |
| Integration Engineers | Technical staff managing connectors | Data Source Admin |
| Account Managers | Customer relationship managers | Incident Analyst (read-only) |
ContraForce integrates with Microsoft Entra ID (formerly Azure AD) to pull user identities. Users must exist in Entra ID before they can be added to ContraForce.
User Management Overview
Organizational Roles
Control who can manage users, groups, and workspace settings across your organization
Workspace Roles
Define what users can do within specific customer workspaces
User Roles at a Glance
ContraForce uses a two-tier role system: Organizational Roles control administrative access, while Workspace Roles control operational access.Workspace Roles Quick Reference
| Role | View Incidents | Run Gamebooks | Manage Endpoints | Manage Data Connectors | Manage Users |
|---|---|---|---|---|---|
| Admin | ✓ | ✓ | ✓ | ✓ | ✓ |
| Incident Responder | ✓ | ✓ | ✓ | — | — |
| Incident Analyst | ✓ | — | — | — | — |
| Data Source Admin | ✓ | — | — | ✓ | — |
Complete Role Reference
View detailed permissions for all organizational and workspace roles
When to Add Users
Adding users is not part of module onboarding. First, sign in at portal.contraforce.com, grant the core ContraForce app consents, and deploy your modules. Once your organization is set up, add and manage users at any time from Settings.Adding and Managing Users
You add and manage users through the Settings page. User and group management is handled entirely within the ContraForce portal — no separate enterprise application consent is required.Step 1: Access User Management
Step 2: Add New Users
The Add User button only appears if your account has User Admin or Org Admin permissions.
Understanding Role Types
Organizational Roles
Organizational roles control administrative functions across your entire ContraForce instance:| Role | Add/Manage Users | Add/Manage Groups | Add Workspaces | View All Workspaces |
|---|---|---|---|---|
| Org Admin | ✓ | ✓ | ✓ | ✓ |
| User Admin | ✓ | ✓ | — | — |
| Workspace Admin | — | — | ✓ | ✓ |
| Org Member | — | — | — | — |
Workspace Roles
Workspace roles control what users can do within specific customer workspaces:- Admin
- Incident Responder
- Incident Analyst
- Data Source Admin
Full access to all workspace features
- View and manage all incidents
- Run any Gamebook action
- Manage endpoints and data connectors
- Configure workspace settings
- Manage workspace users
User Groups
Simplify access management by organizing users into groups.Benefits of Groups
Bulk Assignment
Assign workspace access to multiple users at once
Easier Management
Update group membership instead of individual users
Consistent Access
Ensure team members have the same permissions
Creating Groups
Groups are managed on the Group Management tab under Settings.
Assigning Users to Workspaces
Users need workspace assignments to access customer data.Individual Assignment
- Open the workspace settings
- Navigate to Users or Access
- Click Add User
- Select the user and assign a workspace role
- Save changes
Group Assignment
- Open the workspace settings
- Navigate to Groups or Access
- Click Add Group
- Select the group and assign a workspace role
- All group members inherit access
Managing Existing Users
Viewing User Details
Click any user in the User Management list to view:- Assigned organizational role
- Workspace assignments and roles
- Group memberships
- Last login time
Editing User Roles
Removing Users
Best Practices
Follow the principle of least privilege
Follow the principle of least privilege
Assign the minimum role necessary for each user’s job function. Start with Incident Analyst and escalate to Responder or Admin only when needed.
Use groups for team-based access
Use groups for team-based access
Create groups that mirror your team structure (e.g., “Tier 1 Analysts”, “Senior Responders”). This simplifies access management as team members change.
Audit user access regularly
Audit user access regularly
Review user assignments quarterly to ensure former team members have been removed and current roles are still appropriate.
Document role assignments
Document role assignments
Maintain records of who has access to which workspaces and why. This helps with compliance audits and access reviews.
Separate admin duties
Separate admin duties
Don’t give everyone Admin access. Reserve Admin roles for users who genuinely need to manage configurations and other users.
Troubleshooting
Common Issues
| Issue | Possible Cause | Solution |
|---|---|---|
| Can’t see Add User button | Missing User Admin or Org Admin role | Contact your administrator for elevated permissions |
| User not found in dropdown | User doesn’t exist in Entra ID | Verify user exists in Microsoft Entra ID |
| Consent flow fails | Insufficient admin privileges | Admin consent for ContraForce enterprise applications requires a Global Administrator account |
| User can’t access workspace | No workspace assignment | Assign user directly or via group to the workspace |
| User has wrong permissions | Incorrect role assignment | Edit user and assign correct workspace role |
Related Guides
User Roles Reference
Complete permissions for all roles
Workspace Center
Manage workspace settings
Enterprise Applications
Service principals and consent
Multi-Tenant Features
Managing multiple customers
Questions about user management? Contact us at support@contraforce.com.