Understanding Multiple Roles per User

Multiple Roles Per User

In addition to creating multiple user roles, administrators can assign up to ten roles to a single user. This article will cover how intersecting roles work in various scenarios.

Examples for Understanding Overlapping Roles

System Admin Role + Custom Role = Admin

An Admin user has the greatest amount of permissions and has access to all assets so adding a custom role does not limit permissions or access to certain assets. This user may be assigned an API key with Admin permission.

System Write Role + Custom Roll

A System Write Role user has all of the permissions and access as an Admin and therefore, adding a custom role will not limit the permissions or access to certain assets. The difference between Admin and Write System Roles is outlined in our Role Permissions article. This user may be assigned an API key with write permission.

System Write Role + System Read-Only Role

A user with two system roles will assume the greatest permissions among roles, will have access to all assets, and may be assigned an API key which reflects this.

System Read Only Role + Custom Role

A System Read Only User has read permissions over all assets. When adding a custom role with write permissions you can specify the risk meters you want to allow the user to have write access over when creating the custom role. For all assets that fall outside of the specific risk meters, the user will still only have read access. If the Custom Role provides write access over "All Assets" this combination will completely override the System Read Only Role in the UI only, and the user will have an API key with read -only access.

Custom Role + Custom Role 

Important: Permissions are additive over only the assets that all roles have in common. Where multiple roles share access to the same Risk Meters/assets, the greatest permissions apply to all. Where they do not share access to Risk Meters/assets, only the specific custom role permissions apply. This user will not have an API key.

Here is a simple example looking only at the question of whether the user obtains write permissions over all the assets in each role they are assigned.




Conflicts When Editing Assets

If a user with multiple roles attempts to edit a group of assets, and they do not have the permission to do so, they will see the following message:

"You do not have permission to affect all of the selected assets. Please contact your Kenna Admin if you believe you should have additional permission."



Assigning Multiple Roles to a User

To assign multiple roles to a single user, administrators can navigate to Settings → Users → Edit user and select up to ten roles from the drop down list.




Now, from the User list under the Settings menu, anyone with multiple roles will show at least more than one role in the Role column. 


Hovering on the role names will reveal all roles assigned.



Finally, if you click on the User's name to open up the User Details page, you will see all roles listed.


API Use with Multiple User Roles

API Keys

Important: Only users with System Roles may be assigned an API key. A user can have only one API key. A user with a Custom role and a System role may be assigned an API key that reflects their System Role permission. If the user is assigned two System Roles, their API key will have the permissions of the highest System Role.


API Endpoint Change

The Users API endpoints will change to reflect multiple role_ids and roles. If you are a heavy user of these endpoints, or use scripts that reference these endpoints, please note the changes. This will not be backwards compatible.

  1. The List User and Show User endpoints' responses will be changed. When showing or listing users, the role_id parameter will be called role_ids and will list an array of role_ids ; the role parameter will be called roles and will list an array of roles. Even where only one role is used, it will be listed in the array.

  2. The Create User and Update User endpoints will be changed. Both previously accepted and required either the role or role_id parameter in the request. With MRPU, roles and role_ids must be used rather than role and role_id and requires an array whether or not multiple roles are used. 

  3. Bulk Update Permissions will be changed to allow view_home_page and view_appsec_reporting_page to be updated.


  • Even when only one role is being assigned, plural options will show up with arrays once MRPU is released and feature flag is enabled.
  • All of the user's "roles" or "role_ids" should be provided in the arrays including the existing ones and the new ones, any existing "roles" or "role_ids" that are not included in the arrays will be unassigned from the user.

Was this article helpful?
2 out of 2 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.