Overview
Groups and security roles provide the organizational structure for managing access, assigning training, scoping access reviews, and controlling permissions within LowerPlane. Groups represent logical collections of employees (by department, function, or project), while security roles define what actions users can perform in the platform.
Groups
Groups are flexible containers for organizing employees. They serve multiple purposes across the platform:
- Training assignments — assign training courses to entire groups
- Access review scoping — include or exclude groups from access review campaigns
- Phishing campaigns — target phishing simulations at specific groups
- Reporting — filter and segment compliance metrics by group
Creating a Group
Navigate to People
Go to Personnel > People and select the Groups tab.
Click Add Group
Click Add Group to open the creation form.
Define the Group
Provide the following information:

| Field | Required | Description |
|---|---|---|
| Name | Yes | Descriptive name for the group (e.g., “Engineering”, “Finance Team”, “SOC Analysts”) |
| Description | No | Explanation of the group’s purpose and membership criteria |
Save
Save the group. It is now available for member assignment and use across the platform.
Managing Group Membership
After creating a group, add members by selecting employees from the people directory. Group membership can be managed in two ways:
- From the group — open the group and add or remove members
- From the person — open an employee’s detail page and assign them to groups
Align your LowerPlane groups with your organizational structure (departments, teams, locations) to make training assignments and access reviews intuitive to manage.
Common Group Patterns
| Group | Purpose |
|---|---|
| Engineering | Technical staff who need secure coding training and access to development tools |
| Finance | Financial data handlers who need PCI-DSS and financial controls training |
| Customer Support | Staff with access to customer data, requiring privacy training |
| Executives | Leadership team with broad system access, requiring executive security briefings |
| Remote Workers | Employees working outside the office who need VPN and endpoint security training |
| Contractors | Non-employee workers who need limited-scope training and access reviews |
| New Hires | Recently onboarded employees completing initial security training |
| IT Administrators | Privileged access holders who need advanced security training |
Security Roles
Security roles define permissions and responsibilities within the LowerPlane platform. Roles control what users can see and do, ensuring proper separation of duties.
Built-in Roles
LowerPlane provides default security roles that cover common organizational needs:
| Role | Description |
|---|---|
| Admin | Full platform access including settings, user management, and all modules |
| GRC Manager | Full access to compliance, risk, vendor, and policy modules |
| Compliance Officer | Access to compliance frameworks, controls, evidence, and assessments |
| Risk Manager | Access to risk registers, risk library, and risk snapshots |
| Vendor Manager | Access to vendor management, intake submissions, and risk assessments |
| IT Security | Access to integrations, tests, devices, and access reviews |
| Auditor | Read-only access to compliance evidence, controls, and audit trails |
| Employee | Limited access through the employee portal (policies, training, devices) |
Assigning Security Roles
Security roles are assigned to individual people through their person detail page or during user creation. A person can have multiple roles, and their effective permissions are the union of all assigned roles.
Security roles control LowerPlane platform access. They are separate from the system access tracked in access reviews, which covers external applications and infrastructure.
Custom Roles
If the built-in roles do not match your organizational structure, you can create custom security roles with specific permission sets. Custom roles allow you to:
- Grant access to specific modules (compliance, risk, vendors, personnel)
- Restrict write access while allowing read access
- Create specialized roles for unique organizational needs
How Groups and Roles Work Together
Groups and security roles serve different but complementary purposes:
| Aspect | Groups | Security Roles |
|---|---|---|
| Purpose | Organize people for operational tasks | Control platform permissions |
| Scope | Training, access reviews, phishing campaigns | LowerPlane feature access |
| Membership | Multiple groups per person | Multiple roles per person |
| Created by | Any administrator | System-defined or custom |
| Used for | Scoping and targeting | Authorization and access control |
A typical setup might look like:
- An employee in the Engineering group (for training) with the Compliance Officer role (for platform access)
- A contractor in the Contractors group (for limited training) with the Employee role (for portal access only)
Permissions Model
Permissions in LowerPlane follow a role-based access control (RBAC) model:
- Each security role grants a set of permissions (read, write, delete) on specific resources
- A user’s effective permissions are the union of all their assigned roles
- If any role grants a permission, the user has that permission
- Users without a specific permission cannot see or access the corresponding features
Be careful when assigning the Admin role. It provides full access to all platform features including user management, billing, and destructive operations. Follow the principle of least privilege.
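The union-of-roles rule above, together with the Admin-count guidance under Best Practices, worked through as a small added example (not LowerPlane code): the role names come from the built-in roles table, but the resource and permission names are constructed for illustration and are not LowerPlane's real permission identifiers.

```python
ACTIONS = ("read", "write", "delete")

def full(*resources):
    """Every action on each resource (constructed helper)."""
    return {(r, a) for r in resources for a in ACTIONS}

def read_only(*resources):
    """Read-only on each resource (constructed helper)."""
    return {(r, "read") for r in resources}

# Constructed permission sets modelled on the built-in roles table;
# the page does not document LowerPlane's real permission names.
ROLE_PERMISSIONS = {
    "Admin": full("settings", "users", "compliance", "risk", "vendors",
                  "personnel", "policies"),
    "GRC Manager": full("compliance", "risk", "vendors", "policies"),
    "Compliance Officer": full("compliance"),
    "Auditor": read_only("compliance"),
    "Employee": read_only("portal"),
}

def effective_permissions(roles):
    """Union of every assigned role's permissions (the RBAC rule above)."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms

def has_permission(roles, resource, action):
    """If any assigned role grants (resource, action), the user has it."""
    return (resource, action) in effective_permissions(roles)

def audit_assignments(assignments, max_admins=3):
    """Least-privilege findings over a {person: [roles]} mapping:
    Admin held by more than max_admins people, and any role whose
    permissions are already a subset of another role the same person
    holds (it adds nothing to the union, so it should not be granted)."""
    findings = []
    admins = sorted(p for p, roles in assignments.items() if "Admin" in roles)
    if len(admins) > max_admins:
        findings.append(f"Admin assigned to {len(admins)} people: {admins}")
    for person, roles in assignments.items():
        for role in roles:
            for other in roles:
                if role != other and ROLE_PERMISSIONS[role] <= ROLE_PERMISSIONS[other]:
                    findings.append(f"{person}: {role} is redundant given {other}")
    return findings
```

Running the audit over your role assignments on the same cadence as the quarterly membership review turns the Admin-count and separation-of-duties practices into a repeatable check rather than a manual inspection.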
Compliance Relevance
Groups and roles support key compliance controls:
| Framework | Control | How Groups/Roles Help |
|---|---|---|
| ISO 27001 | A.9.1.2 | Access to networks and network services based on role |
| ISO 27001 | A.9.2.2 | User access provisioning based on group membership |
| SOC 2 | CC6.1 | Logical and physical access controls |
| SOC 2 | CC6.3 | Role-based access to sensitive data |
| HIPAA | 164.312(a)(1) | Unique user identification and role-based access |
| PCI-DSS | 7.1 | Limit access to system components by business need |
Best Practices
- Mirror your org chart in LowerPlane groups to make management intuitive
- Use the principle of least privilege when assigning security roles
- Review group membership quarterly to remove departed employees and add new hires
- Avoid assigning Admin to more than 2-3 people in the organization
- Document group purposes in the description field so new administrators understand the intent
- Create a “New Hires” group for initial onboarding training that is automatically assigned to new employees
- Audit role assignments as part of your access review process to ensure separation of duties