Overview
Faction provides comprehensive user and team management with role-based access control (RBAC), team organization, and granular permissions. This guide covers creating users, assigning roles, managing teams, and configuring access levels.
User Roles and Permissions
Faction implements six primary user roles, each with specific capabilities:
Admin
Full System Access
- Manage users and permissions
- Configure system settings
- Access all assessments and data
- Install and configure extensions
- Manage templates and configurations
Assessor
Security Testing
- Create and edit assessments
- Add vulnerabilities and findings
- Upload evidence and files
- Collaborate on assessments
- Generate reports
- Submit for peer review
Manager
Team Oversight
- View all team assessments
- Review reports and metrics
- Track team progress
- Assign assessments
- Access dashboards and analytics
Engagement Contact
Stakeholder Role
- View assigned assessments
- Receive notifications
- Download reports
- Provide business context
- Limited editing capabilities
Remediation Contact
Fix Coordination
- Access remediation queue
- Schedule verification testing
- Track vulnerability status
- Coordinate with assessors
- Update fix status (dev/prod)
Executive
Strategic Oversight
- View high-level dashboards
- Access executive summaries
- Review risk metrics
- Limited operational access
Creating and Managing Users
Add New User
Click Create User and provide:
- First Name: User’s first name
- Last Name: User’s last name
- Email: Email address (used for notifications)
- Username: Login username
- Password: Initial password (user can change later)
If LDAP, OAuth 2.0, or SAML2 authentication is configured, external users may be auto-provisioned on first login.
Assign Team
Select which team the user belongs to. Teams provide:
- Organizational grouping
- Access control boundaries
- Assessment assignment pools
- Reporting hierarchy
Users can only belong to one team at a time. Create multiple teams for different business units, geographic regions, or functional groups.
Configure Permissions
Enable appropriate roles by checking permission boxes:
- Admin: Full system control
- Assessor: Can create/edit assessments
- Manager: Can view team data
- Engagement: Can view as engagement contact
- Remediation: Can manage remediation queue
- Executive: Dashboard and summary access
Set Access Level
Choose data visibility scope:
All Data (Access Level 0)
User can see all assessments across all teams. Typically for:
- Administrators
- Managers with organization-wide oversight
- Executives needing complete visibility
Team Only (Access Level 1)
User can only see assessments for their assigned team. Best for:
- Team-specific assessors
- Team managers
- Contractors with limited scope
User Only (Access Level 2)
User can only see assessments they’re directly assigned to. Used for:
- External consultants
- Limited-scope contractors
- Engagement contacts with strict access control
Configure Authentication Method
Select how the user will authenticate:
- Native: Username/password in Faction database
- LDAP: Active Directory or LDAP server
- OAuth 2.0: External OAuth provider
- SAML2: SAML-based SSO
Managing Teams
Teams organize users and assessments into logical groups.
Creating a Team
Create New Team
Click Add Team and provide:
- Team Name: Descriptive name (e.g., “AppSec Team”, “East Coast Pentesters”)
- Description: Purpose and scope of the team
Team Benefits
- Access Control: Limit assessment visibility by team
- Assignment Pools: Select assessors from relevant teams
- Reporting: Generate team-specific metrics
- Collaboration: Team members automatically see shared assessments
- Workload Distribution: Balance assessments across team members
Campaigns and Organization
Campaigns provide another organizational layer:
- Purpose: Group related assessments across teams
- Use Cases:
  - Quarterly testing programs
  - Compliance initiatives (e.g., “2026 SOC 2 Prep”)
  - Vendor assessment programs
  - Recurring client engagements
Creating a Campaign
- Navigate to Settings > Campaigns
- Click Add Campaign
- Enter campaign name and description
- Assign assessments to the campaign during creation or later
Campaigns are referenced in Assessment.java via the campaign field (~/workspace/source/src/com/fuse/dao/Assessment.java:72).
Access Control Matrix
| Role | Create Assessment | Edit Vulnerability | View Reports | Manage Users | Access Remediation Queue |
|---|---|---|---|---|---|
| Admin | ✓ | ✓ | ✓ | ✓ | ✓ |
| Assessor | ✓ | ✓ | ✓ | ✗ | ✗ |
| Manager | ✗ | ✗ | ✓ | ✗ | ✗ |
| Engagement | ✗ | ✗ | ✓ (assigned only) | ✗ | ✗ |
| Remediation | ✗ | ✗ | ✓ (assigned only) | ✗ | ✓ |
| Executive | ✗ | ✗ | ✓ (summaries) | ✗ | ✗ |
User Account Management
Deactivating Users
Rather than deleting users (which can break assessment history):
- Navigate to the user profile
- Set Inactive status to true
Inactive users:
- Cannot log in
- Don’t appear in assignment dropdowns
- Retain association with past assessments
- Can be reactivated if needed
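The access levels, the access control matrix and the inactive-user behaviour described above, modelled in one added example that is not Faction's own code: the role and action names, the User and Assessment shapes, and the assumption that checked roles are additive are mine, not the project's.

```python
# Added example, not Faction's own code: Faction's access levels scoping which
# assessments a user sees, plus the matrix gating actions. Names/shapes assumed.
from dataclasses import dataclass

ALL_DATA, TEAM_ONLY, USER_ONLY = 0, 1, 2

# Actions each role grants, from the matrix above. "View Reports" is handled
# separately because its scope depends on the access level, not the role.
ROLE_GRANTS = {
    "Admin": {"create_assessment", "edit_vulnerability", "manage_users", "remediation_queue"},
    "Assessor": {"create_assessment", "edit_vulnerability"},
    "Remediation": {"remediation_queue"},
    "Manager": set(), "Engagement": set(), "Executive": set(),
}

@dataclass(frozen=True)
class User:
    username: str
    team: str
    roles: frozenset
    access_level: int
    active: bool = True  # inactive users cannot log in or be assigned

@dataclass(frozen=True)
class Assessment:
    name: str
    team: str
    assignees: frozenset

def can_perform(user, action):
    """Assumption: roles are additive, so any checked role that grants the
    action is enough; inactive users can do nothing."""
    return user.active and any(action in ROLE_GRANTS[r] for r in user.roles)

def visible_assessments(user, assessments):
    """Apply the data visibility scope chosen at user creation."""
    if not user.active:
        return []
    if user.access_level == ALL_DATA:
        return list(assessments)
    if user.access_level == TEAM_ONLY:
        return [a for a in assessments if a.team == user.team]
    return [a for a in assessments if user.username in a.assignees]

def assignable_users(users):
    """Inactive users keep past-assessment links but leave the dropdown."""
    return [u for u in users if u.active]

# Constructed sample data for a quick check
SAMPLE = [Assessment("Web app Q1", "AppSec", frozenset({"alice"})),
          Assessment("Network Q1", "Infra", frozenset({"bob"}))]
```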
Password Management
For native authentication:
- Users can change their own passwords via profile settings
- Admins can reset passwords for any user
- Password complexity requirements can be configured system-wide
- Failed authentication attempts are tracked to prevent brute-force attacks
Login Tracking
Faction tracks:
- Last Login: Most recent successful authentication
- Login Time: Current session start time
- Failed Auth Count: Number of consecutive failures
Authentication Methods
Native Authentication
Standard username/password stored in Faction:
- Simple setup, no external dependencies
- Password hashing for security
- Built-in password reset flow
LDAP Integration
Integrate with Active Directory or LDAP servers:
- Central user management
- Sync with corporate directory
- Single source of truth for user data
- LDAP DN stored per user for binding
OAuth 2.0
Delegated authentication via OAuth providers:
- Google, Microsoft, GitHub, etc.
- No password management in Faction
- Improved security posture
- User-friendly SSO experience
SAML2
Enterprise SSO via SAML:
- Compatible with Okta, Auth0, Azure AD
- Organization-wide SSO policies
- MFA enforcement at IdP level
- Audit trail in external system
Authentication method configuration is done in system settings, not per-user (though users can be tagged with their auth method).
User Profile and Avatars
Users can customize their profiles:
- Avatar: Upload profile picture (stored as GUID)
- Display Name: First and last name
- Email: Contact email for notifications
- Preferences: Personal settings and defaults
Best Practices
Principle of Least Privilege
Grant only the permissions necessary for each user’s role. Avoid making all users admins.
Use Team Organization
Structure teams by function, geography, or business unit for clear access control.
Deactivate, Don't Delete
Mark users inactive instead of deleting to preserve assessment history and audit trails.
Regular Access Reviews
Periodically review user permissions and remove unnecessary access.
Leverage SSO
Use LDAP, OAuth, or SAML for centralized authentication and better security.
Monitor Failed Logins
Track failed authentication attempts to detect potential security issues.
Related Resources
- Creating Assessments: Assign team members to assessments
- Remediation Workflow: Remediation contact responsibilities
- API Reference: Automate user management via API
- Installation Guide: Configure authentication methods
