Roles & Permissions
Role-based access control, tenant isolation, and SSO integration.
Role-based access control (RBAC) determines what each user can see and do within Basirah, scoped to their organization.
Built-in roles
Basirah ships with five predefined roles covering the common access patterns for security teams, MSSPs, and compliance functions:
- Owner — Full control including billing and organization management.
- Admin — Manages users, integrations, SLA policies, and settings.
- Integration Manager — Configures scanner and ticketing integrations. Read-only access elsewhere.
- Analyst — Creates and manages work items, updates findings, generates evidence.
- Viewer — Read-only access to findings, work items, dashboards, and evidence.
Roles are assigned per user per organization. A single user account can hold different roles in different organizations.
Tenant isolation
Each organization’s data is fully isolated. API requests are scoped to the authenticated user’s organization — there’s no way to query across organizations through the standard API. Background jobs and inbound webhooks are similarly scoped.
SSO integration
Basirah supports SAML 2.0 and OpenID Connect (OIDC) for single sign-on. Both protocols support just-in-time provisioning: when a user authenticates via SSO for the first time, Basirah creates their account automatically with a default role that admins can configure.
If your identity provider sends group claims, Basirah can map IdP groups to platform roles. Group mappings are evaluated on every login, so role changes in your IdP propagate automatically.
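The login flow described above (just-in-time provisioning with a default role, then group mappings re-evaluated on every login) can be modelled as follows. This is an added illustration, not Basirah's code or API: the class and function names, the ordered first-match mapping rule, and the fallback to the default role when no group matches are all assumptions.

```python
from dataclasses import dataclass, field

# Role names are the five built-in roles listed on the page.
ROLES = {"Owner", "Admin", "Integration Manager", "Analyst", "Viewer"}

@dataclass
class OrgSsoConfig:
    default_role: str  # JIT default chosen by an admin
    # Ordered (idp_group, role) pairs; first match wins (assumed rule).
    group_mappings: list = field(default_factory=list)

    def __post_init__(self):
        for role in [self.default_role] + [r for _, r in self.group_mappings]:
            if role not in ROLES:
                raise ValueError(f"unknown role: {role!r}")

@dataclass
class Directory:
    configs: dict                                     # org_id -> OrgSsoConfig
    memberships: dict = field(default_factory=dict)   # (org_id, subject) -> role

    def on_sso_login(self, org_id, subject, groups):
        """Run after the SAML/OIDC response has been validated.

        Returns (role, created). The role is recomputed from the group
        claims on every login, so IdP changes propagate in both directions.
        """
        cfg = self.configs[org_id]
        claimed = set(groups)
        # Assumption: no matching group means the default role, so a user
        # removed from a privileged IdP group is demoted at next login.
        role = next((r for g, r in cfg.group_mappings if g in claimed),
                    cfg.default_role)
        key = (org_id, subject)
        created = key not in self.memberships   # first login: JIT provisioning
        self.memberships[key] = role
        return role, created

    def role_in(self, org_id, subject):
        # Roles are per user per organization; other orgs' roles never apply.
        return self.memberships.get((org_id, subject))

# Constructed sample configuration (org ids and group names are made up).
SAMPLE = {
    "org-a": OrgSsoConfig("Viewer", [("sec-admins", "Admin"), ("soc", "Analyst")]),
    "org-b": OrgSsoConfig("Viewer"),
}
```

Because the role is recomputed only at login in this model, a group change in the IdP takes effect at the user's next sign-in rather than immediately.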
MSSP multi-tenant model
Managed Security Service Providers operate with a parent-child tenant structure. The MSSP organization is the parent, and each managed client is an isolated child tenant. Parent admins can view and manage child tenant configurations, query data across tenants, and generate cross-tenant reports for portfolio-level visibility.
Child tenant users see only their own data — from their perspective, Basirah is a standalone instance.