We have listened to feedback from our most active users and are now introducing more granular access rights based on roles. As organizations grow larger with tens of places and hundreds of groups, assigning users just the access rights they need becomes more and more important to protect both admins and users from malicious or unintended privilege escalations.
Redesigned roles based on the ‘Principle of least privilege’ #
We’ve redesigned user roles following the ‘Principle of least privilege.’ This basic information security concept states that every part of a system must be able to access only the resources necessary to perform its task. Or in Kisi terms, this means that users’ access rights are limited to the minimum of what they need.
Introducing place-scoped resources #
To achieve this, we’ve created place-scoped resources, such as place groups. Now, we allow assigning roles on three different levels: organization, place, and group level:
1) Organization level roles allow you to share more granular access rights for resources that affect your entire Kisi organization. For example, a user can have the permission to perform auditing and reporting tasks, but not unlock doors and share access.
2) Place level roles allow you to manage facilities separately while maintaining a unified user list. For example, a Place Administrator at a warehouse will not be able to share access to the headquarters, even though both buildings are part of the same organization.
3) Group level roles only allow users to operate on the resources of a specific group. A Group Manager can create and delete Access links only for that specific group where they hold this right.
For a more comprehensive list of roles and permissions, please visit our documentation page.
Do you have a special use case? #
Shoot us an email and let us know which roles-related feature you’d like to see in Kisi. We’d be delighted to hear from you.
Katalin Haverinen-Varga
Product documentation writer with a passion to translate technical features into customer value.