Kliper uses Role-Based Access Control (RBAC) to govern what each team member can do within your organization. Four built-in roles cover common access patterns, and administrators can create custom roles for specialized needs.

Roles and Permissions

Built-In Roles

| Role | Description | Typical User |
|---|---|---|
| Admin | Full access to all features, settings, and user management | QSA firm principal, IT administrator |
| Manager | Manage assessments, tasks, and team members; approve findings; export reports | Senior QSA, engagement manager |
| Contributor | Complete assessments and manage tasks; upload files; no user management | Associate QSA, ISA |
| Viewer | Read-only access to all data; no editing or management capabilities | Client stakeholder, external reviewer |

Permission Matrix

The table below shows exactly what each role can do across every resource category:
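
| Permission | Admin | Manager | Contributor | Viewer |
|---|---|---|---|---|
| Assessments | | | | |
| View assessments | Yes | Yes | Yes | Yes |
| Create assessments | Yes | Yes | | |
| Edit assessments | Yes | Yes | Yes | |
| Delete assessments | Yes | | | |
| Approve findings | Yes | Yes | | |
| Export ROC | Yes | Yes | | |
| Tasks | | | | |
| View tasks | Yes | Yes | Yes | Yes |
| Create tasks | Yes | Yes | Yes | |
| Edit tasks | Yes | Yes | Yes | |
| Delete tasks | Yes | Yes | | |
| Files | | | | |
| View files | Yes | Yes | Yes | Yes |
| Upload files | Yes | Yes | Yes | |
| Edit file metadata | Yes | Yes | | |
| Delete files | Yes | | | |
| Users | | | | |
| View team members | Yes | Yes | | |
| Invite members | Yes | Yes | | |
| Edit roles | Yes | | | |
| Remove members | Yes | | | |
| Reports | | | | |
| View reports | Yes | Yes | Yes | Yes |
| Create reports | Yes | Yes | | |
| Export reports | Yes | Yes | | |
| Delete reports | Yes | | | |
| Integrations | | | | |
| View integrations | Yes | Yes | | |
| Add integrations | Yes | | | |
| Edit integrations | Yes | | | |
| Remove integrations | Yes | | | |
| Settings | | | | |
| View settings | Yes | Yes | | |
| Edit settings | Yes | | | |
| Manage security | Yes | | | |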

Custom Roles

Admins can create custom roles that combine any set of permissions:
  1. Navigate to Permissions
     Go to Settings > Permissions & Roles.
  2. Click Create Role
     Click the + Create Role button. A dialog opens with a role name field, description, and a full permission selector.
  3. Select Permissions
     Permissions are organized by category (Assessments, Tasks, Files, Users, Reports, Integrations, Settings). Check individual permissions or use Select All / Clear per category.
  4. Save the Role
     Click Save. The custom role appears alongside the built-in roles and can be assigned to team members.

Built-in roles (Admin, Manager, Contributor, Viewer) are marked as “System” roles and cannot be modified or deleted. Only custom roles can be edited or removed.

Inviting Team Members

Kliper supports two methods for adding team members to your organization.

Method 1: Invite by Email

Use this when the person does not yet have a Kliper account, or when you are unsure.
  1. Navigate to Team Settings
     Go to Settings > Team. The team management page shows your current members, pending invitations, and admin count.
  2. Click Invite Member
     Click the Invite Member button to open the invitation dialog.
  3. Select the Invite by Email Tab
     Enter the invitee’s email address and select a role from the dropdown:

     | Role | Description |
     |---|---|
     | Admin | Full access to all features and settings |
     | Editor (Manager) | Can edit and manage assessments and content |
     | Viewer | Read-only access |

  4. Send Invitation
     Click Send Invitation. The system creates a pending invitation with a unique token that expires in 7 days. The invitee receives an email with a link to accept.

Method 2: Add Existing User

Use this when the person already has a Kliper account but is not in your organization.
  1. Open the Invite Dialog
     Click Invite Member and select the Search Existing tab.
  2. Search for the User
     Type at least 2 characters of the user’s name or email. The search returns matching users who are not already in your organization (up to 10 results).
  3. Select and Add
     Choose a role from the dropdown, then click Add next to the user’s name. The user is added to your organization immediately — no invitation acceptance required.

Managing Invitations

The Team Settings page shows all pending invitations. For each pending invitation, you can:
  • Resend — send the invitation email again (useful if the original expired or was missed)
  • Revoke — cancel the invitation before it is accepted
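
An added sketch of the invitation lifecycle described above (7-day expiry, resend, revoke), not Kliper's implementation. The `InviteStore` class, storing only a SHA-256 hash of the token, and rotating the token on resend are assumptions of the example.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

INVITE_TTL = timedelta(days=7)  # expiry stated on this page


class InviteStore:
    """In-memory stand-in for an invitations table (hypothetical schema)."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> {"email", "role", "expires", "state"}

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, email, role, now):
        token = secrets.token_urlsafe(32)  # 256 random bits, sent only in the email link
        self._rows[self._key(token)] = {
            "email": email.lower(), "role": role,
            "expires": now + INVITE_TTL, "state": "pending",
        }
        return token

    def revoke(self, email):
        for row in self._rows.values():
            if row["email"] == email.lower() and row["state"] == "pending":
                row["state"] = "revoked"

    def resend(self, email, role, now):
        # Assumed design: rotate instead of re-mailing the old link, so the
        # previous token stops working and the 7-day clock restarts.
        self.revoke(email)
        return self.create(email, role, now)

    def accept(self, token, now):
        row = self._rows.get(self._key(token))
        if row is None or row["state"] != "pending" or now >= row["expires"]:
            return None  # same answer for unknown, revoked, used and expired tokens
        row["state"] = "accepted"  # single use
        return row["email"], row["role"]
```
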

Domain-Based Discovery

When a new user signs up with an email domain that matches your organization’s allowed domains, they can discover your organization and request to join. The organization’s Domain Join Policy controls this:

| Policy | Behavior |
|---|---|
| Auto Join | Users with a matching email domain are added automatically |
| Manual Approval | Users with a matching email domain can request to join; an admin must approve |
| Closed | No domain-based discovery; invitations only |

Managing Team Members

Viewing Your Team

Navigate to Settings > Team to see a table of all organization members:

| Column | What It Shows |
|---|---|
| Member | Name and email address |
| Role | Current assigned role (Admin, Editor, Viewer, or custom) |
| Status | Active, Pending (invitation sent), or Invited |
| Last Active | Timestamp of last platform activity |

Use the search bar to filter members by name or email.

Changing a Member’s Role

From the team members table, click the actions menu on a member’s row and select Change Role. Choose the new role from the dropdown and confirm. The role change takes effect immediately.
You cannot remove the only Admin from an organization, and you cannot demote yourself from Admin if you are the sole administrator.

Removing a Member

Click the actions menu and select Remove from Team. A confirmation dialog appears. On confirmation, the user’s membership is deactivated and they lose access to all organization data.

Team Statistics

Three cards at the top of the Team Settings page summarize your team:

| Card | What It Shows |
|---|---|
| Active Members | Total members with active status |
| Pending Invitations | Invitations awaiting acceptance |
| Administrators | Count of users with Admin role |

Two-Factor Authentication (2FA)

Kliper supports TOTP-based two-factor authentication for an additional layer of account security.

Setting Up 2FA

  1. Navigate to Security Settings
     Go to Settings > Security. The Two-Factor Authentication section shows your current 2FA status.
  2. Click Enable 2FA
     Click Enable. A setup wizard opens with three steps.
  3. Scan the QR Code
     A QR code is displayed on screen. Open your authenticator app (Google Authenticator, Authy, Microsoft Authenticator, or any TOTP-compatible app) and scan the code. If your authenticator cannot scan the QR code, click Enter manually to reveal the secret key as a text string.
  4. Verify the Code
     Enter the 6-digit code from your authenticator app into the verification field. Click Verify. The system confirms the code matches your secret.
  5. Save Backup Codes
     On successful verification, 8 backup codes are generated and displayed in a grid. Each code is an 8-character hex string (e.g., A1B2C3D4).
       • Click Copy to copy all codes to your clipboard
       • Click Download to save them as a .txt file

Store these codes securely. Each backup code can only be used once and replaces the authenticator code if your device is lost.

Signing In with 2FA

After 2FA is enabled, sign-in requires two steps:
  1. Enter your email and password (or use OAuth)
  2. Enter the 6-digit code from your authenticator app, or use one of your 8-character backup codes
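
How a server typically checks the two accepted second factors described above, as an added example that is not Kliper's code: RFC 6238 TOTP with one step of clock-skew tolerance and replay protection, plus eight single-use 8-character hex backup codes stored as hashes. The 30-second step, HMAC-SHA1, the skew window, hashed storage and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time

STEP, DIGITS, BACKUP_COUNT = 30, 6, 8  # 30 s step is the RFC 6238 default (assumed)


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def new_backup_codes():
    """Return (codes shown once to the user, SHA-256 digests the server keeps)."""
    codes = [secrets.token_hex(4).upper() for _ in range(BACKUP_COUNT)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def verify_second_factor(secret, stored_hashes, submitted, now=None, last_step=-1):
    """Return (ok, last_step). Accepts a 6-digit TOTP or a single-use backup code."""
    now = time.time() if now is None else now
    submitted = submitted.strip().upper()
    if len(submitted) == DIGITS and submitted.isascii() and submitted.isdigit():
        for drift in (-1, 0, 1):  # tolerate one step of clock skew
            step = int(now) // STEP + drift
            if step > last_step and hmac.compare_digest(totp(secret, step * STEP), submitted):
                return True, step  # caller persists the step so the code cannot be replayed
        return False, last_step
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)  # single use: burn the code on success
        return True, last_step
    return False, last_step
```

An 8-character hex code carries 32 bits of entropy, so the verification endpoint also needs attempt limiting, which this sketch leaves out.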

Trusted Devices

After a successful 2FA verification, you can mark the device as trusted to skip 2FA for 30 days. Trusted devices are listed in Settings > Security > Trusted Devices with:
  • Device name and browser
  • IP address
  • Last used timestamp
  • Expiration date
Click Remove on any trusted device to revoke its trust status.

Disabling 2FA

In Settings > Security, click Disable 2FA. You must enter a current authenticator code to confirm. All backup codes are invalidated.

Passkeys (Passwordless Authentication)

Kliper supports WebAuthn-based passkeys for passwordless sign-in using biometrics (Face ID, Touch ID, Windows Hello) or hardware security keys.

Registering a Passkey

  1. Navigate to Security Settings
     Go to Settings > Security. Scroll to the Passkeys section.
  2. Check Browser Support
     The platform checks if your browser supports WebAuthn. If not, a message indicates that passkeys are not available on your current device.
  3. Click Add Passkey
     Click Add Passkey. Optionally enter a name for the passkey (e.g., “MacBook Touch ID”). Your browser’s passkey dialog opens.
  4. Authenticate
     Complete the biometric prompt (fingerprint, face scan, or PIN) on your device. The passkey is registered and linked to your account.

Managing Passkeys

Your registered passkeys are listed with:

| Field | Description |
|---|---|
| Name | User-given name or “Passkey” (default) |
| Device Type | Platform (built-in biometric) or cross-platform (hardware key) |
| Backed Up | Whether the passkey is cloud-recoverable |
| Created | Registration date |

Click Remove to delete a passkey. You can register multiple passkeys for different devices.

Signing In with a Passkey

On the sign-in page, click Sign in with passkey. Your browser prompts you to select and authenticate with a registered passkey. No password is needed.

Account Security Settings

Additional security options available in Settings > Security:

Password Management

Change your password with real-time strength validation:

| Requirement | Rule |
|---|---|
| Length | Minimum 8 characters |
| Complexity | Upper and lowercase letters, at least one number, at least one special character |

A 5-level strength indicator provides visual feedback as you type.

Session Management

| Setting | Description |
|---|---|
| Session Timeout | Automatic logout after N minutes of inactivity (1–1440 minutes) |
| Active Sessions | View all active sessions with device info, browser, and last activity time |

Click Logout on any active session to terminate it remotely.

Appearance and Preferences

| Setting | Options |
|---|---|
| Theme | Light, Dark, or System (follows OS preference) |
| Compact Mode | Toggle compact UI layout |
| Animations | Toggle UI animations |
| Language | Interface language selector |
| Timezone | Timezone for displayed timestamps |
| Time Format | 12-hour or 24-hour |
| Week Start | Sunday or Monday |