Team Management
Manage your Plexicus team: invite members, assign roles, handle departures, and audit changes.
Team management requires the Admin role in your organization. Actions are logged in Settings → Organization → Audit Log.
Inviting Team Members
Send an Invite
- Go to Settings → Organization → Team.
- Click Invite Member.
- Enter:
  - Email address — Team member's email
  - Role — Select a role:
    - Developer — View findings, create remediations, run scans
    - Cyberoper — Manage integrations, policies, analytics
    - Admin — Full organizational access
    - Custom role (if your organization uses custom roles)
- Click Send Invite.
The team member receives an email with a link to join. The invite is valid for 7 days.
With SSO Enabled: If your organization has SSO configured, new team members must:
- Accept the invite
- Log in via your IdP (Okta, Azure AD, etc.)
Invites bypass password setup — users log in directly via SSO.
If you're using SCIM provisioning, users may be auto-synced from your IdP instead of manual invites.
Viewing Your Team
- Go to Settings → Organization → Team.
- You see all current members with:
  - Name — Display name from profile
  - Email — Account email
  - Role — Current role (built-in or custom)
  - Status — Active, Pending Invite, or Inactive
  - Joined — Date they accepted the invite
Filter & Search
- Filter by role: Click the role dropdown to show only members with a specific role
- Search: Use the search box to find members by email or name
Changing a Member's Role
Admins can reassign roles without removing the member:
- Go to Settings → Organization → Team.
- Find the member in the list.
- Click the member's row or click Edit (pencil icon).
- Select a new role from the dropdown.
- Click Save.
The member's permissions update immediately on their next action.
Privilege escalation: When promoting someone to Admin, consider the security implications. Admin access grants full organizational control including SSO configuration, team management, and billing settings.
Removing a Team Member
When a team member leaves or should no longer have access:
- Go to Settings → Organization → Team.
- Find the member in the list.
- Click Remove (trash icon).
- Confirm the action.
What happens:
- The member's access is immediately revoked.
- They can no longer log in.
- Their assigned findings and tasks remain in the system (not deleted).
- The removal action is logged in Audit Log with timestamp and admin who performed it.
Can they be re-invited? Yes — Admins can invite them again anytime by following Inviting Team Members above.
Removing a member does not delete their user account or personal data. It only revokes organizational access. For data deletion requests, contact Plexicus support.
Handling Pending Invites
Members show as Pending Invite until they click the invite link and set up their account (password + optional 2FA).
Resend an Invite
If a member didn't receive the invite or it expired (7-day window):
- Go to Settings → Organization → Team.
- Find the pending member.
- Click Resend Invite.
- The invite link is sent again.
Cancel a Pending Invite
To cancel an invite before it's accepted:
- Go to Settings → Organization → Team.
- Find the pending member.
- Click Remove (trash icon).
- Confirm.
The invite link becomes invalid. If you want to invite them again later, start fresh with Inviting Team Members.
Member Lifecycle
Onboarding a New Member
Step 1: Send Invite
- Email address + role selection
- Member receives invite email
Step 2: Member Accepts
- Member clicks the invite link
- Sets password (or skips if SSO enforced)
- Optionally sets up 2FA
- Account is now Active
Step 3: First Login
- If SSO is configured, member logs in via IdP
- If SSO is not configured, member logs in with email + password
- If group-role mapping is enabled, member may be auto-assigned a role (first login only)
Step 4: Onboarding Complete
- Member appears as Active in team list
- Can access dashboards, findings, and tools based on their role
Changing Roles Over Time
Team members' responsibilities may change. You can reassign roles at any time without removing them:
- Member is promoted from Developer to Cyberoper (more permissions):
  - Old Developer role is revoked
  - New Cyberoper permissions are granted immediately
- Member is demoted from Cyberoper to Developer (fewer permissions):
  - Old Cyberoper permissions are revoked
  - Member retains only Developer permissions
All role changes are logged in Audit Log.
Offboarding a Member
When a member leaves:
Immediate:
- Go to Settings → Organization → Team → Remove
- Access is revoked immediately
Follow-up:
- Review their recent actions in Audit Log to identify critical findings they were working on
- Reassign their tasks to remaining team members if needed
- Archive or document their work for compliance
Understanding Roles
Built-in Roles
Developer
- Permissions:
  - View findings from all applications
  - Create and manage remediations
  - Run scans
  - Comment on findings
  - View some analytics
- Limitations:
  - Cannot modify organization settings
  - Cannot manage team members
  - Cannot manage billing
  - Cannot delete applications
  - Cannot access audit logs
When to use: Developers, QA engineers, security researchers.
Cyberoper (Security Operations)
- Permissions:
  - All Developer permissions, plus:
  - Manage security policies and configurations
  - Connect and manage integrations (SCM, cloud providers, container registries)
  - Manage applications and repositories
  - View organization-level dashboards and analytics
  - Access compliance reports (if enabled)
  - Configure notification rules
  - Manage custom scanning tools
- Limitations:
  - Cannot manage team members or roles
  - Cannot manage billing or subscription
  - Cannot access audit logs (retroactive access)
  - Cannot configure SSO or authentication
When to use: DevSecOps engineers, security operations staff, platform engineers.
Admin
- Permissions:
  - All Cyberoper permissions, plus:
  - Manage team members (invite, remove, assign roles)
  - Create and modify custom roles
  - Configure SSO / SAML / OIDC
  - Manage SCIM provisioning
  - Manage billing and subscription (SaaS)
  - Export and manage audit logs
  - Access break-glass emergency recovery (self-hosted)
  - Configure organization settings
  - Manage API tokens and integrations
- Limitations:
  - None — Admins have full access.
When to use: Organization admins, team leads, CISOs, account managers.
Custom Roles
Organizations on the Scale plan and above can create custom roles with granular permissions. See Roles & RBAC for details.
SSO Group-Based Role Assignment
If your organization uses SSO with group support, roles can be automatically assigned based on IdP groups at first login.
How It Works
- User logs in via SSO (SAML/OIDC)
- Plexicus checks their IdP groups (from SAML assertion or OIDC claims)
- If a group matches a configured mapping, the user is assigned the corresponding Plexicus role
- Existing users keep their manually assigned roles (group mappings don't override)
Configure Group Mappings
- Go to Settings → Authentication → SSO → Advanced Settings.
- Under Group Role Mappings, click Add Mapping:
  - IdP Group — Exact group name from your IdP (e.g., security-team)
  - Plexicus Role — Select a role
- Click Save.
Example

| Okta Group | Plexicus Role |
|---|---|
| security-team | Cyberoper |
| developers | Developer |
| admins | Admin |
When an Okta user in the security-team group logs in for the first time, they're automatically assigned Cyberoper role.
Group-based role assignment applies only to new users on first login. Existing users retain their current role. Update existing users' roles manually if needed.
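The first-login rule above, modelled as an added example (not Plexicus code). It assumes the IdP groups arrive as a plain list of names taken from the SAML assertion or OIDC claims, and, where several groups match, picks the least-privileged matching role; the page does not say how Plexicus resolves that case, so treat that choice as an assumption.

```python
# Added example, not Plexicus code: models group-to-role assignment at first login.
# Assumptions: idp_groups is a list of group-name strings; on multiple matches the
# least-privileged matching role wins (the page does not specify this case).
from dataclasses import dataclass
from typing import Optional

# Built-in roles from least to most privileged, as described on the page.
ROLE_RANK = {"Developer": 0, "Cyberoper": 1, "Admin": 2}

# Constructed mapping table mirroring the page's Okta example.
GROUP_ROLE_MAPPINGS = {
    "security-team": "Cyberoper",
    "developers": "Developer",
    "admins": "Admin",
}


@dataclass
class User:
    email: str
    role: Optional[str] = None   # role chosen at invite time, if any
    login_count: int = 0


def resolve_group_role(idp_groups, mappings=GROUP_ROLE_MAPPINGS):
    """Return the role implied by the user's IdP groups, or None if none match.

    Group names must match the configured mapping exactly (case-sensitive).
    """
    matched = [mappings[g] for g in idp_groups if g in mappings]
    if not matched:
        return None
    # Assumption: ambiguity resolves to the least-privileged matching role.
    return min(matched, key=lambda r: ROLE_RANK[r])


def apply_login(user, idp_groups, mappings=GROUP_ROLE_MAPPINGS):
    """Apply the first-login rule and return the user's role afterwards.

    Only a user's very first login consults the mappings; later logins never
    change the role, so manual reassignments by an Admin are preserved.
    A first login with no matching group keeps the invite-time role.
    """
    first_login = user.login_count == 0
    user.login_count += 1
    if first_login:
        mapped = resolve_group_role(idp_groups, mappings)
        if mapped is not None:
            user.role = mapped
    return user.role
```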
Auditing Team Changes
All team management actions are logged in Audit Log:
- Go to Settings → Organization → Audit Log.
- Filter by:
  - Event Type: member_invited, member_removed, role_assigned, role_changed
  - Date Range: Last 30 days, etc.
Each log entry shows:
- Timestamp — When the action occurred
- Admin — Who performed the action
- Action — What happened (e.g., "member_removed", "role_changed")
- Details — Member email, old role, new role, etc.
Example audit trail:
| Timestamp | Admin | Event | Member | Details |
|---|---|---|---|---|
| 2026-07-02 14:30 | alice@example.com | member_invited | bob@company.com | Role: Developer |
| 2026-07-02 15:45 | alice@example.com | role_changed | bob@company.com | Developer → Cyberoper |
| 2026-07-03 09:00 | alice@example.com | member_removed | bob@company.com | Reason: Offboarding |
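An added example (not Plexicus code) that applies the same event-type and date-range filters to an exported trail and flags the entries a reviewer should read first; it also serves the Regular Audits and Incident Response practices below. The entries are constructed sample data in the shape of the table above, with one extra promotion row to exercise the check.

```python
# Added example, not Plexicus code: review an exported audit trail.
# Assumption: rows are "timestamp | admin | event | member | details", as in the
# page's example table. SAMPLE_AUDIT_LOG is constructed sample data.
from datetime import datetime

SAMPLE_AUDIT_LOG = """\
2026-07-02 14:30 | alice@example.com | member_invited | bob@company.com | Role: Developer
2026-07-02 15:45 | alice@example.com | role_changed | bob@company.com | Developer → Cyberoper
2026-07-03 09:00 | alice@example.com | role_changed | carol@company.com | Cyberoper → Admin
2026-07-03 09:00 | alice@example.com | member_removed | bob@company.com | Reason: Offboarding
"""

# The team-management event types the Audit Log filter offers.
TEAM_EVENTS = {"member_invited", "member_removed", "role_assigned", "role_changed"}


def parse_audit_log(text):
    """Turn pipe-separated rows into dicts with a real datetime for filtering."""
    entries = []
    for line in text.strip().splitlines():
        ts, admin, event, member, details = [p.strip() for p in line.split("|")]
        entries.append({"timestamp": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                        "admin": admin, "event": event,
                        "member": member, "details": details})
    return entries


def filter_entries(entries, event_types=TEAM_EVENTS, since=None):
    """Keep entries of the given types at or after `since` ('YYYY-MM-DD HH:MM')."""
    cutoff = datetime.strptime(since, "%Y-%m-%d %H:%M") if since else None
    return [e for e in entries
            if e["event"] in event_types
            and (cutoff is None or e["timestamp"] >= cutoff)]


def flag_for_review(entries):
    """Return (entry, reason) pairs: promotions to Admin, self-assigned roles,
    and removals whose findings still need reassigning."""
    flagged = []
    for e in entries:
        if e["event"] == "role_changed" and e["details"].endswith("Admin"):
            flagged.append((e, "promotion to Admin"))
        if e["event"] in ("role_changed", "role_assigned") and e["admin"] == e["member"]:
            flagged.append((e, "self-assigned role change"))
        if e["event"] == "member_removed":
            flagged.append((e, "member removed; reassign their findings"))
    return flagged
```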
Best Practices
- Principle of Least Privilege:
  - Assign the minimum role needed for the job
  - Prefer built-in roles over custom roles for simplicity
  - Promote to Admin only when necessary
- Use SSO Group Mappings:
  - Configure group-to-role mappings in your IdP
  - Automatically assign roles at login (reduces manual work)
  - Avoid mixed manual + group-based assignments
- Regular Audits:
  - Review team members quarterly
  - Identify unused accounts (no login in 90 days)
  - Remove departing employees within 24 hours
  - Document team changes in your security policy
- Naming & Communication:
  - Use descriptive role names for custom roles
  - Communicate role changes to affected team members
  - Document who has Admin access and why
- Incident Response:
  - If a team member is compromised, immediately remove them
  - Check Audit Log for their recent actions
  - Rotate credentials (API tokens, SCIM tokens, SSO secrets)
  - Review what they accessed before removal
Troubleshooting
"Cannot remove this user" error
- User may be the only Admin — ensure you have another Admin before removing the last one
- Try refreshing the page and retry
"Invitation failed" or "Email bounce"
- Verify the email address is correct
- Check the member's email provider spam/junk folder
- Resend the invite (Resend an Invite)
- Member can request resend if their link expired
New member not seeing SSO option at login
- SSO may not be activated — go to Settings → Authentication → SSO and confirm it's active
- If using SSO Enforced, password login is hidden (expected)
- Clear browser cache and retry
Member still has access after removal
- Plexicus revokes access immediately, but:
  - Active sessions remain valid until the JWT expires (typically 1 hour)
  - Member must log out or the session expires naturally
  - For immediate session termination (self-hosted), restart the auth service