Recommended Default Groups
Setting up default groups during initial configuration saves time and ensures consistent access patterns. Suggested Partner Groups| Group Name | Description | Suggested Workspace Role |
|---|---|---|
| SOC Tier 1 | Front-line analysts handling initial triage | Incident Analyst |
| SOC Tier 2 | Senior analysts with response capabilities | Incident Responder |
| SOC Managers | Team leads overseeing operations | Admin |
| Integration Engineers | Technical staff managing connectors | Data Source Admin |
| Account Managers | Customer relationship managers | Incident Analyst (read-only) |
For Azure Administrators
For MSP/MSSP teams already fluent in Azure and Entra administration, ContraForce’s user and group management model will feel intuitive once you establish these mental mappings:The key transferable skill is thinking hierarchically about access scope—a discipline your team has already developed managing Azure governance at scale.
- Organization = Root Management Group: The top-level scope where you establish identities that can flow down
- Workspace = Subscription / Administrative Unit: The isolation boundary where customer-specific access lives
- Organization Groups = Inherited RBAC: Create once, assign many times, automatic access when group membership changes
- Workspace Users = AU-scoped delegation: Strictly bounded to one customer’s data
- Two locations = Two scopes: Just like Azure has IAM blades at different levels, ContraForce has Organization Settings and Workspace Settings
This guide is specifically designed for MSP/MSSP partners managing multiple customer workspaces. If you’re a single-tenant customer, see the standard User Management guide.
Understanding the Two-Tier Model
ContraForce uses a two-tier user management model that separates partner-level access from customer-level access. This is the most important concept to understand before configuring users and groups.Parent (Partner) Level
Your organization’s workspace where you manage your team and oversee all customer workspaces
Child (Customer) Level
Individual customer workspaces where you manage customer-specific users and access
How the Tiers Work Together
The Two Places for User & Group Management
One of the most common points of confusion is that there are two different locations to manage users and groups, each serving a different purpose.Location 1: Organization Settings (Partner Level)
Path: Settings → User Management This is where you manage users and groups for your partner organization:| What You Manage | Scope |
|---|---|
| Partner team members | Access to all workspaces |
| Partner user groups | Cross-workspace permissions |
| Organizational roles | Partner-level capabilities |
Location 2: Workspace Settings (Customer Level)
Path: Workspaces → [Select Customer] → Equalizer → Users & Groups This is where you manage users and groups for a specific customer workspace:| What You Manage | Scope |
|---|---|
| Customer users | This workspace only |
| Customer groups | This workspace only |
| Workspace-specific roles | This workspace only |
Quick Reference: Where to Go
| I Want To… | Go To |
|---|---|
| Add a partner analyst who needs access to multiple customers | Organization Settings |
| Create a group for your SOC team to access all workspaces | Organization Settings |
| Add a customer’s IT admin to view their own workspace | Workspace Settings |
| Create a customer-specific group | Workspace Settings |
| Manage your own organization’s users | Organization Settings |
| Grant a customer limited access to their incidents | Workspace Settings |
Parent vs Child: When to Use Each
Use Parent (Organization) Level When:
Adding your own team members (SOC analysts, engineers)
Adding your own team members (SOC analysts, engineers)
Your internal team needs access to multiple or all customer workspaces. Adding them at the organization level lets you assign them to any workspace without recreating their account.Example: Adding a new SOC analyst who will handle incidents for 10 customers.
Creating groups for your internal teams
Creating groups for your internal teams
Create groups like “Tier 1 Analysts,” “Tier 2 Engineers,” or “Account Managers” at the organization level, then assign these groups to relevant workspaces.Example: Create a “SOC Team” group, add your analysts, then assign this group to all customer workspaces.
Setting up cross-workspace permissions
Setting up cross-workspace permissions
When you need consistent permissions across multiple customers, define them at the organization level.Example: All Tier 1 analysts should have “Incident Responder” role across all customer workspaces.
Use Child (Workspace) Level When:
Adding customer users who only access their own data
Adding customer users who only access their own data
Customers who need to view their own incidents, reports, or dashboards should be added at the workspace level.Example: Adding a customer’s CISO who wants to review their security incidents.
Creating customer-specific groups
Creating customer-specific groups
Groups that only make sense for a specific customer should be created at the workspace level.Example: A customer’s “Security Committee” group that reviews monthly reports.
Granting limited access to customer stakeholders
Granting limited access to customer stakeholders
When customers need read-only or limited access to their workspace.Example: A customer’s compliance officer who needs incident audit access.
Step-by-Step: Setting Up Partner Users
Adding a Partner Team Member
1
Navigate to Organization Settings
Go to Settings → User Management
2
Click Add User
Click the Add User button
3
Enter User Details
Enter the user’s email address (must match their Microsoft Entra ID account)
4
Assign Organizational Role
Select the appropriate organization-level role:
- Organization Admin — Full platform access
- Organization Member — Standard access
5
Save User
Click Save to create the user
6
Assign to Workspaces
Assign the user to specific customer workspaces (see next section)
Assigning Users to Customer Workspaces
After creating a user at the organization level, grant them access to customer workspaces:1
Go to Workspaces
Navigate to the Workspaces page
2
Select Customer Workspace
Click on the customer workspace you want to configure
3
Open Workspace Settings
Click the gear icon to open workspace settings
4
Go to Users & Groups
Select the Users & Groups tab
5
Add User or Group
Add the organization user or group to this workspace
6
Assign Workspace Role
Select the role for this specific workspace:
- Admin — Full workspace control
- Incident Responder — Investigate and respond
- Incident Analyst — View and analyze
- Data Source Admin — Manage integrations
Step-by-Step: Setting Up Groups
Groups simplify permission management by letting you assign roles to multiple users at once.Creating an Organization Group
1
Navigate to Organization Settings
Go to Settings → User Management → Groups tab
2
Click Create Group
Click Create Group
3
Name the Group
Enter a descriptive name (e.g., “SOC Tier 1 Analysts”)
4
Add Members
Select users to add to this group
5
Save Group
Click Save to create the group
Assigning a Group to Workspaces
1
Go to Workspace Settings
Navigate to the customer workspace → gear icon → Users & Groups
2
Click Add Group
Click Add Group
3
Select Organization Group
Choose the group from your organization
4
Assign Role
Select the workspace role for all group members
5
Save
Click Save to apply
Recommended Default Groups
Setting up default groups during initial configuration saves time and ensures consistent access patterns.Suggested Partner Groups
| Group Name | Description | Suggested Workspace Role |
|---|---|---|
| SOC Tier 1 | Front-line analysts handling initial triage | Incident Analyst |
| SOC Tier 2 | Senior analysts with response capabilities | Incident Responder |
| SOC Managers | Team leads overseeing operations | Admin |
| Integration Engineers | Technical staff managing connectors | Data Source Admin |
| Account Managers | Customer relationship managers | Incident Analyst (read-only) |
Setting Up Default Groups
1
Create Groups First
Before onboarding customers, create your standard groups at the organization level
2
Add Team Members
Add your team members to the appropriate groups
3
Document Group Purposes
Document what each group is for and what role it should receive
4
Apply to New Workspaces
When onboarding new customers, assign these groups with consistent roles
Pro Tip: Create a simple spreadsheet mapping your groups to workspace roles. This becomes your “template” for onboarding new customers and ensures consistency.
Common Permission Scenarios
Scenario 1: New SOC Analyst Joining Your Team
Goal: Add a new analyst who needs to handle incidents for all customers.1
Create User at Organization Level
Settings → User Management → Add User → Enter email → Save
2
Add to SOC Group
Add user to your “SOC Tier 1” or appropriate group
3
Verify Workspace Access
The user automatically inherits access to all workspaces the group is assigned to
Scenario 2: Customer Wants to View Their Incidents
Goal: Give a customer’s security team read-only access to their workspace.1
Go to Customer Workspace
Workspaces → Select Customer → Gear Icon
2
Add Customer User
Users & Groups → Add User → Enter customer email
3
Assign Analyst Role
Select “Incident Analyst” role for read-only access
Scenario 3: Partner User Can’t Access a Workspace
Goal: Troubleshoot why a partner user can’t see a specific customer workspace.1
Check Organization Membership
Verify the user exists in Settings → User Management
2
Check Group Membership
Verify the user is in a group that has workspace access
3
Check Workspace Assignment
Go to the workspace settings and verify the user or their group is listed
4
Check Role Assignment
Ensure a workspace role is assigned (not just added to the workspace)
Scenario 4: User Has Wrong Permissions
Goal: User can view incidents but can’t respond to them. Cause: User has “Incident Analyst” role instead of “Incident Responder.”1
Go to Workspace Settings
Navigate to the affected workspace
2
Find the User or Group
Locate in Users & Groups
3
Update Role
Change role from Incident Analyst to Incident Responder
4
Save Changes
Click Save to apply
Workspace Roles Reference
| Role | View Incidents | Respond to Incidents | Manage Gamebooks | Configure Modules | Manage Users |
|---|---|---|---|---|---|
| Admin | ✓ | ✓ | ✓ | ✓ | ✓ |
| Incident Responder | ✓ | ✓ | ✓ | — | — |
| Incident Analyst | ✓ | — | — | — | — |
| Data Source Admin | ✓ | — | — | ✓ | — |
| Content Admin | ✓ | — | — | CMS Only | — |
Full Roles Reference
View complete permissions for all roles
Troubleshooting
Common Issues
| Issue | Cause | Solution |
|---|---|---|
| User can’t see any workspaces | Not assigned to any workspace | Add user/group to workspaces in workspace settings |
| User can see workspace but can’t do anything | No role assigned | Assign a workspace role to the user or their group |
| User can’t add modules | Insufficient role | User needs Admin or Data Source Admin role |
| Can’t add users to workspace | Not a workspace Admin | Need Admin role on that workspace |
| Group changes not reflected | Caching | Refresh browser; changes may take a few minutes |
| Customer user sees other customers’ data | Added at wrong level | Remove from org level, add only at workspace level |
Permission Troubleshooting Flow
Best Practices
Create groups before onboarding customers
Create groups before onboarding customers
Set up your standard groups (SOC Tier 1, Tier 2, Managers, etc.) before onboarding any customers. This creates a consistent template to follow.
Use groups instead of individual user assignments
Use groups instead of individual user assignments
Assigning groups to workspaces instead of individual users makes it much easier to onboard new team members—just add them to the appropriate group.
Document your group-to-role mappings
Document your group-to-role mappings
Create a simple reference document showing which groups get which roles. This ensures consistency across all customer onboardings.
Keep customer users at the workspace level only
Keep customer users at the workspace level only
Never add customer users at the organization level unless they need cross-workspace access. This prevents accidental data exposure.
Use consistent naming conventions
Use consistent naming conventions
Name groups clearly (e.g., “SOC-Tier1-Analysts” not “Group1”) so anyone can understand their purpose.
Audit permissions periodically
Audit permissions periodically
Review user and group assignments quarterly to remove departed employees and ensure permissions are still appropriate.
Test with a non-admin account
Test with a non-admin account
After setting up permissions, test access with a non-admin account to verify users see what they should see.
Onboarding Checklist
Use this checklist when onboarding a new customer workspace:Pre-Onboarding (One-Time Setup)
- Create standard organization groups (SOC Tier 1, Tier 2, etc.)
- Add your team members to appropriate groups
- Document group-to-role mappings
Per-Customer Onboarding
- Create/configure customer workspace
- Assign organization groups to workspace with appropriate roles
- Verify partner team can access the workspace
- Add customer users at workspace level (if needed)
- Create customer-specific groups (if needed)
- Test access with a non-admin account
- Document any customer-specific permission requirements
Frequently Asked Questions
Why are there two places to manage users?
Why are there two places to manage users?
The two locations serve different purposes: Organization Settings manages your partner team (who may need access to multiple customers), while Workspace Settings manages access to a specific customer (including customer users who should only see their own data).
Can a customer user see other customers' data?
Can a customer user see other customers' data?
Not if set up correctly. Customer users should only be added at the workspace level, not at the organization level. This ensures they can only see their own workspace.
What's the fastest way to give a new analyst access to all customers?
What's the fastest way to give a new analyst access to all customers?
Add them to an organization group that’s already assigned to all customer workspaces. They’ll inherit access automatically.
Can I have different roles for the same user in different workspaces?
Can I have different roles for the same user in different workspaces?
Yes. A user might be an Admin in one workspace and an Incident Responder in another. Roles are assigned per-workspace.
What happens if I remove a user from a group?
What happens if I remove a user from a group?
They lose access to all workspaces that group was assigned to (unless they have individual access or belong to another group with access).
Can customers manage their own users?
Can customers manage their own users?
Yes, if you give them the Admin role on their workspace. They can then add/remove users within their workspace only.
Related Guides
Roles & Permissions
Complete permissions for each role
Workspace Manager
Managing customer workspaces
Onboarding Overview
Full onboarding process
Multi-Tenant Features
Cross-workspace management
Questions about user and group management? Contact us at [email protected] or request hands-on onboarding support for your first few customer deployments.