Cyrisma User Roles and Permissions

Last updated: December 23, 2025

Cyrisma uses role-based access control to ensure users can access only the features and data appropriate to their responsibilities. Roles differ between the MSP portal and client instances, and permissions are enforced strictly to maintain tenant isolation and security.

This article explains the available roles, what each role can do, and recommended best practices for assigning roles.


Understanding Role Scope in Cyrisma

Cyrisma operates in two contexts:

  • MSP Portal (msp.cyrisma.com)

    • Used by MSP staff to manage client environments

  • Client Instances (https://<customer-instance>.cyrisma.com)

    • Used by end customers to manage and remediate their own environment

Roles are scoped to one of these contexts and do not overlap unintentionally.


MSP Portal Roles

The following roles exist in the MSP portal.


Administrator (MSP)

Scope: MSP Portal
Instance Translation: Systems Administrator

Capabilities:

  • Full access to the MSP portal

  • Create, edit, and delete client instances

  • Access all client instances via single sign-on

  • Manage MSP users

  • Configure organization-wide settings

  • Reset passwords and disable users

This role has unrestricted access across all managed client environments.


Operator (MSP)

Scope: MSP Portal
Instance Translation: Departmental Manager

Capabilities:

  • Access client instances

  • View scan dashboards and results

  • Work with mitigation plans

  • View dark web results

  • View and manage assigned compliance tasks

  • Access industry comparisons and Shadow IT

This role is designed for operational oversight without administrative control.


Tech (MSP)

Scope: MSP Portal
Instance Translation: Security Administrator

Capabilities:

  • Access client instances

  • Perform security-related tasks within assigned instances

  • View and analyze scan results

  • Support remediation activities

This role is intended for MSP technical staff who perform hands-on security work but do not manage users or create instances.


Client Instance Roles

The following roles exist within individual client instances.


Systems Administrator

Scope: Client Instance

Capabilities:

  • Full access to all instance functionality

  • Create, edit, disable, and reset passwords for users

  • Configure system settings

  • Manage scan agents and provisioning

  • Configure and run scans

  • View and manage all results, dashboards, and reports

This is the highest-privilege role within a client environment.


Security Administrator

Scope: Client Instance

Capabilities:

  • Configure and run scans

  • View vulnerability, data, baseline, and mitigation results

  • Manage security-related settings

  • Access dashboards and reports

Restrictions:

  • Cannot manage users

  • Cannot provision or manage scan agents

This role is ideal for security-focused staff who should not have administrative control.


Departmental Manager

Scope: Client Instance

Capabilities:

  • View scan dashboards

  • Access mitigation plans

  • View dark web results

  • Work with assigned compliance tasks

  • Access industry comparisons and Shadow IT data

This role is intended for managers responsible for remediation oversight and compliance tracking.


Departmental User

Scope: Client Instance

Capabilities:

  • Access My Mitigation Plans

  • View assigned compliance tasks

This role is suitable for users who are responsible for completing specific remediation or compliance actions.


Executive

Scope: Client Instance

Capabilities:

  • View high-level dashboards only:

    • Data

    • Vulnerability

    • Secure Baseline

    • Mitigation

This role is read-focused and designed for leadership visibility without operational access.


Auditor

Scope: Client Instance

Capabilities:

  • Read-only access to all areas

  • View dashboards, scan results, and reports

Auditors cannot make changes or trigger scans.


Notification

Scope: Client Instance

Capabilities:

  • Receive system notifications only

This role does not grant access to the Cyrisma interface.


User Management Permissions

User management is restricted to the highest-privilege roles.

Action             MSP Portal       Client Instance
Create users       Administrator    Systems Administrator
Edit users         Administrator    Systems Administrator
Disable users      Administrator    Systems Administrator
Reset passwords    Administrator    Systems Administrator

Client users are created and managed within the client instance by a Systems Administrator.


Role Separation & Access Boundaries

  • MSP users:

    • Automatically have access to all client instances

    • Cannot be restricted to specific clients

  • Client users:

    • Can only access their own instance

    • Cannot see MSP portal data or other clients

  • Roles do not cross tenant boundaries

This strict separation ensures security and tenant isolation.


Best-Practice Role Assignment (Recommended)

For MSPs

  • MSP Security Engineers: Tech

  • MSP Helpdesk / Operations Staff: Operator

  • MSP Platform Owners: Administrator

Limit Administrator assignments to a small number of trusted users.


For Client Organizations

  • Client IT Administrators: Systems Administrator

  • Client Security Team: Security Administrator

  • Department Managers / Compliance Leads: Departmental Manager

  • Remediation Task Owners: Departmental User

  • Executives / Leadership: Executive

  • Auditors / Assessors: Auditor


Roles Not Recommended for Broad Assignment

  • Administrator (MSP)

  • Systems Administrator (Client)

These roles grant full control and should be limited to reduce risk.


Summary

Cyrisma roles are designed to:

  • Enforce least-privilege access

  • Maintain strong tenant separation

  • Support both MSP and client workflows

  • Provide visibility without unnecessary control

Assigning the correct role ensures users can perform their responsibilities efficiently while preserving platform security.