
Trust Center - Organization Members vs Account Members

This article describes the difference between organization members and account members

Written by Matt Szczurek
Updated over 2 weeks ago

Overview

There are two types of users who will access the SafeBase Trust Center: Organization Members and Account Members.

The kind of access will differ based on the user's relationship with the organization that owns the Trust Center.

  • Organization Members - Employees invited to the backend as members of the organization that owns and runs the Trust Center

  • Account Members - External parties who are required to request access to the content contained within the Trust Center

Organization Members

Users within an organization will need to view, edit, and administer specific settings within the Trust Center. These internal users and their roles are managed within the Settings -> User Management area.

Note: This level of access is not meant for external parties, with the exception of specific partners or consultants who also need this type of access.

Trust Center users with the Admin role will create and invite Organization Member records for each of these employees.

Access is based on the organization's domain

When a Trust Center is created, it is attached to one or more domains. Only users with an email address matching one of these domains can become Organization Members and access the Trust Center's backend.

Note: Domains must be unique to a single organization.

Working with Partners

When working with partners or MSSPs to administer a Trust Center, bear in mind that these users may also support other SafeBase customers. Because domains are unique to a single organization, additional steps may be required to grant such users access to the Trust Center.

Please reach out to support@safebase.io for help setting up this workflow.

How Organization Members are added to the Trust Center

Organization Members can be added to a Trust Center in multiple ways.

  • Signing Up (Email & Password) - By navigating directly to the Trust Center

    • If the user has a valid corporate/company email, they will be automatically added as an organization member.

    • Using the Continue with Google option works in the same way.

    • Settings for controlling this automated signup feature are described here.

  • Email Invitation - Existing organization admins can invite other members to the Trust Center

    • This process is outlined here.

  • SAML/SSO - Once configured, any user granted permission through the organization's identity provider (IdP) is added as an Organization Member

    • The user will be able to log in two different ways, either by navigating directly to the Trust Center and using their email to log in or by clicking on the assigned app within their IdP dashboard.

How to Resolve Duplicate Accounts

Note: If the organization member initially uses username and password as the login method, and then later utilizes the Google SSO or SAML SSO option, a distinct Organization Member record will be kept for each. Unused organization member logins can be suspended in the Trust Center's User Management table.

Enabling SAML SSO can lead to duplicate user accounts when users switch between login methods. This is due to SafeBase treating each unique login method as a separate entity to maintain audit trails and preserve individual user histories. Identifying and managing these duplicate accounts is crucial for maintaining an organized user database.

  1. Identify the accounts: Determine which of the duplicate accounts is linked to SAML SSO (or the preferred login method) and which is not.

  2. Suspend unnecessary accounts: If you no longer need the non-SAML SSO accounts, suspend them to prevent confusion. Suspended accounts become inactive but remain in the system for record-keeping purposes.

How to Prevent Duplicate Accounts in the Future

  • Standardize on a single login method: Require all users to authenticate through SAML SSO. This setting can be applied under Settings -> Security -> turn the "Require SAML authentication for all members" toggle on.

    • Disallowing other login methods (such as Google SSO) can ensure that duplicate accounts do not occur in the future. By consolidating authentication methods and managing duplicate accounts proactively, SafeBase administrators can maintain a streamlined user database and minimize confusion.

Organization Member Role-Based Access Control (RBAC)

Organizations can restrict a member's access by assigning specific roles using the Trust Center's RBAC controls. Information on how to create and manage Organization Members can be found here.

There are several reasons to restrict access. By assigning specific roles to organization members, each user only has access to the components of the Trust Center their role requires.

For example, while Admins may need access to all Trust Center components, GTM teams can be given the role of Account Manager. While Account Managers can manage accounts and view content, they are unable to download and possibly distribute out-of-date security information or share sensitive documents before an NDA has been signed.

Accounts & Account Members

Accounts are an organization's customers, prospects, vendors, partners, and other external parties. Account members are users who belong to an external account.

Note: The full lifecycle of communication with external parties is managed via email. Once approved for access, the account member will receive an authenticated magic link. Account Members will never be required to create a SafeBase account, create a username/password, or use SSO to access a Trust Center.

  • Accounts are created when an account member who has requested access to the Trust Center is granted access.

  • Individual accounts are unique to a domain pulled from the requester's email.

    • For example, a request from "user@acme.com" will create the Account "Acme" with the domain "acme.com"

  • Account members must be granted access to a Trust Center to view and/or download private content published by an organization.

  • An organization reviews the account member's access requests and either approves or denies the request.

  • Account members who have been approved must sign an NDA (if required) to view and/or download any private content published by an organization.

  • Each account member, and every subsequent account member from the same domain, is associated with a single account by domain.

  • Account members with the same domain will be automatically added to the same account.

    • For example, if an account member with an @acme.com email requests access after the Acme account has been created, they will be added to that account.

  • Organizations can manually create accounts and add/invite account members, even before those users have requested access to the Trust Center.

  • Any domain that is granted access to restricted documents, whether created by the organization prior to an access request, or approved manually, counts towards your organization's paid domain allotment. Multiple domains may be mapped to one account.

    • If the account is only created as part of questionnaire upload, and that account's domain never has any account members that are granted access to the Trust Center, that domain is not counted towards your organization's paid domain allotment.

Additional settings for individual accounts, such as length of time before account expiration, NDA requirements, and scope of what content the account has access to, can be controlled globally or individually per account.

The following help articles have been created to describe how to create and manage Accounts in more detail:

Prevent Organization Members From Becoming Account Members

One of the foremost best practices that the SafeBase team recommends is preventing organization members from accessing the Trust Center as account members. Doing so interrupts multiple workflows, skews Trust Center metrics, and bypasses the controls enforced at the organization level.

Besides internal instruction on using the correct workflows for the Trust Center, an easy way to prevent an organization member from requesting access is to block users with the organization's domain from requesting access to the Trust Center.


This ensures all external access requests from your employees are denied, and allows you to present a custom message describing the appropriate way to access documents and other information.
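As an added illustration (not SafeBase's own code), the following Python models the account rules this article describes: accounts keyed by the requester's email domain, several domains mapped to one account, the paid-domain allotment counting only domains whose account has at least one granted member, and the organization's own domains blocked from requesting access with a custom message. The domain names and the denial message are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed data: the owning organization's domains (blocked from requesting
# access as account members) and the custom message shown to blocked requests.
ORG_DOMAINS = {"example-org.com"}  # hypothetical Trust Center owner
DENY_MESSAGE = "Employees access the Trust Center backend via User Management."

@dataclass
class Account:
    name: str
    domains: set = field(default_factory=set)  # several domains may map to one account
    members: set = field(default_factory=set)  # account member emails
    granted: bool = False  # True once any member has been granted access

ACCOUNTS: dict[str, Account] = {}  # domain -> Account (alias domains share one object)

def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()

def create_account(name: str, *domains: str) -> Account:
    """Manual creation (e.g. questionnaire upload): no access granted yet,
    so none of its domains count towards the paid allotment."""
    acct = Account(name, set(domains))
    for d in domains:
        ACCOUNTS[d] = acct
    return acct

def request_access(email: str) -> tuple[str, str]:
    """Handle an external access request; returns (status, detail)."""
    d = domain_of(email)
    if d in ORG_DOMAINS:  # organization members may not become account members
        return ("denied", DENY_MESSAGE)
    # Same-domain requesters join the existing account; otherwise one is created.
    acct = ACCOUNTS.get(d) or create_account(d.split(".")[0].capitalize(), d)
    acct.members.add(email.lower())  # pending until the organization approves
    return ("pending", acct.name)

def approve(email: str) -> Account:
    """Organization approves a request; the account now counts as granted."""
    acct = ACCOUNTS[domain_of(email)]
    acct.granted = True
    return acct

def paid_domain_count() -> int:
    """Every domain of every account with a granted member counts once."""
    granted = {id(a): a for a in ACCOUNTS.values() if a.granted}
    return sum(len(a.domains) for a in granted.values())
```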
