User Management

The SCF Controls Platform uses role-based access control to manage what users can do within the application. This guide covers user roles, permissions, and management tasks.

Prerequisites

Before managing users:

Google OAuth authentication must be available (see Authentication)
You must have Admin role to manage users
Users must sign in at least once to appear in the system

Roles and Permissions

The platform supports three roles with different permission levels:

Admin

Full access to all features

Permission	Description
Manage users and roles	Invite users, assign roles, remove access
Invite new users	Add users to the organisation
Remove users	Remove users from the organisation
Create, edit, delete controls	Full control management
Create, edit, delete evidence	Full evidence management
Manage tasks and assignments	Task and assignment management
View all data and reports	Access all dashboards and exports
Configure organisation settings	System configuration

Editor

Can edit content but not manage users

Permission	Description
Create, edit, delete controls	Full control management
Create, edit, delete evidence	Full evidence management
Manage tasks and assignments	Task and assignment management
Add comments and mentions	Participate in discussions
View all data and reports	Access dashboards and exports

Editors are ideal for GRC analysts who need to manage compliance content but should not administer users.

Viewer

Read-only access

Permission	Description
View controls and evidence	Browse all content
View tasks and assignments	See task status
View reports and dashboards	Access reports
Add comments	Participate in discussions

Viewers can see everything but cannot modify content. Suitable for stakeholders who need visibility without editing capabilities.

Managing Users

Accessing User Management

Sign in with an Admin account
Click the Users icon in the sidebar (person icon)
The User Management page displays all organisation members

User List

The user list shows:

Column	Description
User	Avatar, name, and email from Google profile
Role	Current assigned role (dropdown selector)
Joined	Date the user joined the organisation
Actions	Remove button

Inviting Users

Users can join in two ways:

Option 1: Invite by Email

Click the Invite User button
Enter the user’s email address
Select a role for the new user
Click Send Invite
User receives an email invitation to join

Option 2: Self-Registration

Share your platform URL with the new user
User clicks Sign in with Google
User automatically joins with default role (viewer)
Admin can change role as needed

Changing User Roles

Find the user in the list
Click the role dropdown next to their name
Select the new role (Admin, Editor, or Viewer)
The change is saved automatically

The role change takes effect immediately on the user’s next action.

Removing Users

To remove a user from the organisation:

Find the user in the list
Click the Remove button (trash icon)
Confirm the deletion when prompted

Role Selection Guide

Choose roles based on user responsibilities:

User Type	Recommended Role	Rationale
GRC Program Manager	Admin	Needs to manage team and all features
GRC Analyst	Editor	Day-to-day compliance work
IT Security Staff	Editor	Implements and updates controls
Department Manager	Viewer	Reviews compliance status
Auditor (internal)	Viewer	Reviews evidence and reports
Executive Stakeholder	Viewer	Dashboard access only

Role Permissions Reference

The User Management page includes an expandable Role Permissions Reference panel:

Click Role Permissions Reference to expand
View detailed permissions for each role
Use this as a quick reference when assigning roles

Assignments and Ownership

Control Assignments

Admins and Editors can assign controls to users:

Navigate to Control Scoping
Select a control
Click Assign in the detail panel
Select a user from the dropdown
Click Save

Assigned users receive visibility into their responsibilities but assignments don’t restrict editing.

Evidence Assignments

Similar to controls, evidence items can be assigned:

Navigate to Evidence Scoping
Select an evidence item
Set the Owner field
Click Save

Task Assignments

Tasks support explicit assignment:

Create or edit a task
Set Assigned To field
User sees task in My Tasks view

Best Practices

Role Assignment

Start with Viewer — Assign Viewer initially, upgrade as needed
Limit Admins — Keep Admin count minimal (2-3 per organisation)
Match responsibilities — Align roles with job functions
Review periodically — Audit user roles quarterly

User Lifecycle

Onboarding — Provide new users with role-appropriate training
Role changes — Document when and why roles change
Offboarding — Remove users promptly when they leave

Security

Assign appropriate roles — Prepare for when RBAC is enforced
Audit trail — All actions are logged with user attribution
Least privilege — Give users minimum access they’ll need

Troubleshooting

Verify Google OAuth is working correctly
Have user clear browser cache and try again
Check if user is using the correct Google account

User Has Wrong Role

Navigate to User Management
Find the user in the list
Use the role dropdown to change their role
Change takes effect immediately

User Not Appearing in List

Users must sign in at least once to appear in User Management. If a user has signed in but doesn’t appear:

Check browser console for authentication errors
Have the user sign out and sign in again
Ensure the user signed into the correct organisation

Invite Email Not Received

Check spam/junk folder
Verify email address was entered correctly
Try re-sending the invitation
Contact support if issues persist

Multi-User Collaboration

The platform supports multiple users working simultaneously with automatic data synchronisation.

How Synchronisation Works

Three sync mechanisms:

Mechanism	Behaviour
Automatic Polling	Fetches fresh data every 30 seconds
Focus Refetch	Instantly refreshes when switching back to the tab
Manual Refresh	Click the refresh button in the header

Sync Status Indicator

The header shows real-time sync status:

“Synced Xm ago” — Data is current
“Syncing…” — Currently fetching updates

Collaboration Best Practices

For Real-Time Collaboration:

Keep tabs focused — Switch away and back to trigger instant refresh
Use refresh button — Click refresh before making critical changes
Check sync indicator — Ensure data is current before editing
Wait for sync — If “Syncing…” is shown, wait before making edits

For Team Workflows:

Coordinate with team — Use Slack/Teams to communicate who’s editing what
Work in different domains — Multiple users can edit different control domains simultaneously
Refresh before bulk operations — Click refresh, then select all/deselect all

Conflict Resolution

The platform uses last-write-wins strategy:

Simple and works well for most GRC workflows
If two users edit the same control simultaneously, the last save wins
30-second sync interval is fast enough to avoid most conflicts

For a compliance tool, this approach is typically sufficient since:

Controls are usually edited by different teams
Changes are incremental rather than wholesale replacements
Users can coordinate through comments and assignments

Configuration — Platform settings
Authentication — Google OAuth setup
Quick Reference — Feature overview

User Management

User Management

Prerequisites

Roles and Permissions

Admin

Editor

Viewer

Managing Users

Accessing User Management

User List

Inviting Users

Changing User Roles

Removing Users

Role Selection Guide

Role Permissions Reference

Assignments and Ownership

Control Assignments

Evidence Assignments

Task Assignments

Best Practices

Role Assignment

User Lifecycle

Security

Troubleshooting

User Cannot Sign In

User Has Wrong Role

User Not Appearing in List

Invite Email Not Received

Multi-User Collaboration

How Synchronisation Works

Sync Status Indicator

Collaboration Best Practices

Conflict Resolution

Related Guides