ContraForce uses a two-tier role model: organization-level roles that control platform-wide access, and workspace-level roles that control what a user can do within a specific customer workspace.
Organization-Level Roles
| Role | What They Can Do |
|---|
| Organizational Admin | Full platform control — manage users, configure modules, access all workspaces, manage billing |
| Agent Admin | Manage Security Delivery Agents and Agent Center deployment |
Organization-level roles should only be assigned to your internal team — never to customer users unless they explicitly need cross-workspace access.
Workspace-Level Roles
| Role | Incidents | Gamebooks | Settings | CMS | Users |
|---|
| Admin | ✅ View & manage | ✅ Run | ✅ Configure | ✅ Manage | ✅ Manage |
| Incident Responder | ✅ View & manage | ✅ Run | ❌ | ❌ | ❌ |
| Incident Analyst | ✅ View only | ❌ | ❌ | ❌ | ❌ |
| Data Source Admin | ✅ View only | ❌ | ✅ Configure | ❌ | ❌ |
| Content Admin | ✅ View only | ❌ | ❌ | ✅ Manage | ❌ |
Best Practices
- Assign at least one Admin per workspace during onboarding
- Use groups, not individual users, when assigning workspace roles — this scales much better for multi-tenant environments
- Customer-facing users should typically get Incident Analyst (read-only visibility) or Incident Responder (can take action) roles
- Never assign Organizational Admin to customer users
Role Requirements for Key Actions
| Action | Minimum Role Required |
|---|
| Run a Gamebook | Incident Responder |
| Isolate a device | Incident Responder |
| Deploy CMS rules | Content Admin |
| Configure module settings | Data Source Admin or Admin |
| Add users to a workspace | Admin |
| Deploy Agent Center | Organizational Admin + Workspace Owner |
| Configure SDAs | Organizational Admin + Workspace Owner |
