Auth
How access is controlled
Getting into 21RISK is one thing — that's authentication (logging in with your password, SSO, etc.). But once you're in, controlling who can do what is equally important. This is where authorization comes in.
21RISK gives you fine-grained control over access at multiple levels: globally across the organization, per board, and per site. This guide breaks down how it all works.
Global permissions
Global permissions apply across your entire 21RISK organization. They control broad capabilities that aren't tied to any specific board.
There are seven global permissions:
| Permission | What it controls |
|---|---|
| Create Users | Invite new members to the organization |
| Update Users | Edit member profiles and settings |
| Delete Users | Remove members from the organization |
| Create Sites | Add new sites (locations) |
| Update Sites | Edit existing site information |
| Delete Sites | Remove sites from the organization |
| Access All Sites | View and interact with every site, regardless of specific site assignments |
These permissions can be assigned in two ways:
- Directly on a user — toggled in the member's settings.
- Through a user group — any user group can carry global permissions, and all its members inherit them.
Group Owners are super-admins. A Group Owner automatically has all global permissions and full access to every board and site in the organization.
Boards and board access
Boards are the core workspaces in 21RISK. Whether it's a compliance board for managing audits or an insurance board for tracking property values, each board has its own set of access controls.
Simply having a 21RISK account does not automatically give you access to any board. Access must be explicitly granted — either directly or through a user group.
Board permissions for compliance boards
| Permission | What it allows |
|---|---|
| Create Reports | Create new audit reports on the board |
| Update Reports & Actions | Edit existing reports and actions |
| Delete Reports & Actions | Remove reports and actions |
| Approve Actions | Approve submitted actions |
| Manage Access | Add or remove users and configure who can do what |
| Manage Settings | Edit board settings and configuration |
Viewers (users with access but no specific permissions) can see the board and its content, but cannot make changes.
Board permissions for insurance boards
Insurance boards have a different set of permissions tailored to property insurance workflows:
| Permission | What it allows |
|---|---|
| Read COPE & Values | View COPE data and property values |
| Update COPE & Values | Edit COPE data and property values |
| Read Risk Improvements | View risk improvement recommendations |
| Create Risk Improvements | Add new risk improvement items |
| Update Risk Improvements | Edit existing risk improvements |
| Delete Risk Improvements | Remove risk improvements |
| Approve Risk Improvements | Approve submitted risk improvements |
| Read NatCat | View natural catastrophe data |
| Manage Access | Configure who can access this board |
| Manage Settings | Edit board settings |
How board access is granted
A user can get access to a board from four different sources. When a user has access from multiple sources, all permissions are combined — you always get the broadest set of permissions available to you.
1. Direct access
An admin can grant a specific user access to a board and choose exactly which permissions they get. This is the most straightforward approach — one user, one board, specific permissions.
2. User group access
Instead of granting access user by user, you can grant an entire user group access to a board. Every member of that group will then have the permissions defined for the group on that board. This is especially powerful when you have many users who all need the same level of access.
3. Board owner
Board owners automatically have all permissions on their board. This is a special role that cannot be restricted — if you're an owner, you have full control.
4. Group Owner
Group Owners have full access to every board in the organization, with all permissions. This is the organization-level super-admin role.
Permissions are always additive. If a user gets "Create Reports" from direct access and "Delete Reports" from a user group, they end up with both. Permissions are never subtracted — you always get the union of all granted permissions.
Access roles
To make it easier to assign the right set of permissions, 21RISK offers pre-defined access roles:
| Role | Description |
|---|---|
| Viewer | Can view the board and its content, but cannot make changes |
| Contributor | Can create and update items |
| Editor | Can create, update, delete, and approve items |
| Admin | Full access, including managing who else can access the board |
| Custom | Pick and choose individual permissions |
These roles are simply shortcuts for common permission combinations. Behind the scenes, each role maps to a specific set of permissions. You can always use Custom for more fine-grained control.
User groups
User groups let you organize members and manage their permissions collectively — both for global permissions and board access. There are two types of user groups in 21RISK.
Internal user groups
21RISK automatically creates and maintains these groups for you:
| Group | Who's in it |
|---|---|
| All Users | Every member in your organization |
| Internal Users | Members whose email matches one of your SSO domains |
| External Users | Members whose email does not match any of your SSO domains |
Internal groups are managed by the system — you can't add or remove members manually, rename them, or delete them. However, you can configure their permissions. For example, you might grant the "All Users" group viewer access on a specific board, ensuring every member can at least see it.
The Internal/External distinction is especially useful for organizations that work with external consultants, auditors, or partners. You can give all internal employees one level of access while restricting external users to a different set of permissions — and it all happens automatically based on their email domain.
Custom user groups
You can create your own user groups to match your organization's structure. For example:
- "Risk Managers" — members who manage risk across all compliance boards
- "Regional Admins EU" — users who administer boards for European sites
- "Insurance Read-Only" — external stakeholders who should only view insurance data
Custom groups give you full control: you decide who's a member, what global permissions the group has, and which boards the group can access.
Site access
Sites represent physical locations in your organization — factories, offices, warehouses, stores, and so on. Sites can be organized in a hierarchy (for example: Region → Country → City → Building).
Site access controls which locations a user can see and work with. Like global permissions, site access is organization-wide — it's not tied to any specific board.
There are three ways a user gets site access:
- Direct assignment — An admin assigns specific sites to a user.
- Inheritance — If a user has access to a parent site, they automatically get access to all sites below it in the hierarchy. For example, granting access to "Europe" also grants access to every country, city, and building under "Europe."
- Access All Sites — The global permission that unlocks every site in the organization.
Inheritance makes managing large site hierarchies simple. Instead of assigning dozens of individual sites, grant access at a higher level in the hierarchy and let it cascade down.
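The inheritance rule above can be modelled in a few lines to see how far a single parent-level grant reaches. This is an added example, not 21RISK code: the site names, the `PARENT` map and all function names are assumptions made for illustration.

```python
# Constructed site hierarchy: child -> parent (None marks a root).
PARENT = {
    "Europe": None, "Denmark": "Europe", "Copenhagen": "Denmark",
    "CPH Warehouse 1": "Copenhagen", "Germany": "Europe", "Berlin": "Germany",
    "Americas": None, "USA": "Americas", "Austin Plant": "USA",
}

def granting_site(site, assigned, parent=PARENT):
    """Return the assigned site that grants access to `site`, or None.

    Walks from the site up to its root; the first assigned ancestor (or the
    site itself) is the grant. A visited set guards against a corrupt
    hierarchy that loops back on itself.
    """
    seen = set()
    node = site
    while node is not None and node not in seen:
        if node in assigned:
            return node
        seen.add(node)
        node = parent.get(node)
    return None

def accessible_sites(assigned, access_all_sites=False, parent=PARENT):
    """Map every site the user can reach to the reason they can reach it."""
    reach = {}
    for site in parent:
        if access_all_sites:
            reach[site] = "Access All Sites"
            continue
        via = granting_site(site, assigned, parent)
        if via == site:
            reach[site] = "direct assignment"
        elif via is not None:
            reach[site] = f"inherited from {via}"
    return reach

def widened_by_inheritance(assigned, parent=PARENT):
    """Sites reached only through a parent grant: the list to review
    when someone is assigned high in the hierarchy."""
    reach = accessible_sites(assigned, parent=parent)
    return sorted(s for s, why in reach.items() if why.startswith("inherited"))
```

Calling `widened_by_inheritance({"Europe"})` lists every site that one assignment silently adds, which is the set worth checking before granting access near the top of the tree.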
Effective Access
With multiple permission sources (direct access, user groups, board ownership, group ownership), it can sometimes be hard to know exactly who has access to what — and why.
That's where the Effective Access view comes in. Available on each board's access settings page, it gives you a complete overview:
- Every user who can access the board
- Which permissions each user has
- Where each permission comes from — whether it's from direct access, a specific user group, board ownership, or group ownership
For each permission, you can hover over it to see a tooltip explaining the source. For example, a user might have "Create Reports" from both direct access and the "Risk Managers" group — the tooltip will show both sources.
This is especially useful for:
- Auditing — Quickly verify who has access and why, for compliance or security reviews.
- Troubleshooting — If a user reports they can or can't do something, Effective Access shows you exactly what permissions they have and where they come from.
- Onboarding — When adding a new user, verify they have the right level of access before they start working.
Note: You need the Manage Access permission on a board to view its Effective Access page.
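The additive rule from "How board access is granted" and the per-permission sources shown by Effective Access can be reproduced offline for an access review. This is an added example, not 21RISK code: the data layout, user names and function names are assumptions, and only the compliance-board permissions and the four sources come from this page.

```python
from collections import defaultdict

# Compliance-board permissions as listed in the table on this page.
ALL_PERMS = frozenset({
    "Create Reports", "Update Reports & Actions", "Delete Reports & Actions",
    "Approve Actions", "Manage Access", "Manage Settings",
})

def effective_access(board):
    """Return {user: {permission: [sources]}} for one board.

    Grants are only ever unioned; nothing here can remove a permission.
    A user with access but no permissions maps to {} (a viewer).
    """
    result = defaultdict(lambda: defaultdict(list))

    def grant(user, perms, source):
        result[user]  # registers viewers even when perms is empty
        for perm in perms:
            result[user][perm].append(source)

    for user, perms in board["direct"].items():
        grant(user, perms, "direct access")
    for group, perms in board["groups"].items():
        for user in board["members"].get(group, ()):
            grant(user, perms, f"user group: {group}")
    for user in board["board_owners"]:
        grant(user, ALL_PERMS, "board owner")
    for user in board["group_owners"]:
        grant(user, ALL_PERMS, "Group Owner")
    return {u: dict(sorted(perms.items())) for u, perms in result.items()}

def unexpected_holders(access, permission, approved):
    """Audit helper: users holding `permission` who are not on the approved list."""
    return sorted(u for u, perms in access.items()
                  if permission in perms and u not in approved)

# Constructed sample board (all names are made up).
BOARD = {
    "direct": {"alice": {"Create Reports"}, "dave": set()},
    "groups": {"Risk Managers": {"Create Reports", "Delete Reports & Actions"},
               "All Users": set()},
    "members": {"Risk Managers": {"alice", "bob"},
                "All Users": {"alice", "bob", "carol", "dave", "erin"}},
    "board_owners": {"carol"},
    "group_owners": {"erin"},
}

if __name__ == "__main__":
    access = effective_access(BOARD)
    for user in sorted(access):
        print(user, access[user] or "viewer")
    print(unexpected_holders(access, "Manage Access", approved={"carol"}))
```

In the sample, `erin` appears as an unexpected holder of Manage Access because Group Owners carry every permission on every board, so a per-board review has to account for them as well as for the board's own grants.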