Restricting user access with campaign tags and role-based access controls (RBAC) is useful if you're a managed service provider using a single CanIPhish tenant for multiple customers. If a customer wants access to CanIPhish, you can restrict their account so they can only view campaign information that relates to their business, with all other customer data hidden.
This article will guide you through the various steps involved with configuring CanIPhish in this manner.
- Getting started
- Creating a campaign with tags
- Creating a user with campaign tag restrictions
- See it in action!
Getting started
To get started, you need an active CanIPhish account with Administrative privileges (if you don't have an active account, click here to get started).
1. Log in to your CanIPhish account and navigate to the Campaigns page: https://caniphish.com/User/Campaigns
Creating a campaign with tags
2. Click 'New Campaign' followed by 'Show Advanced Options...'
3. In the 'Campaign Tags' input, specify a campaign tag that represents a business you're conducting simulated phishing training for. You can enter one or more campaign tags in this input. Press Space or Enter to lock a tag in.
4. Complete the campaign setup wizard and save the campaign. Once the campaign has been saved, CanIPhish will store the campaign tags in its database, and you can begin restricting user access.
Creating a user with campaign tag restrictions
5. Navigate to the Platform Management page: https://caniphish.com/User/UserProfile?queryType=ManageTenant
6. Click 'Add New User'.
7. Enter the first and last name and the email address of the user. Select the 'Platform Reporter' role and then select the relevant campaign tags for the user. The user will then be able to see all data relating to campaigns that have these tags associated with them.
8. Click Save.
See it in action!
9. The user will then receive an email inviting them to create an account with CanIPhish. If you've implemented allowlisting, this email will appear to come from the domain that you've allowlisted.
10. The user will then need to click the link in the email and follow the registration steps to create their account. Once logged in, the user will be immediately directed to the Reporting page, where they'll only be able to see campaign data with tags they've been authorised to see.
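In a shared tenant, the risk with this setup is a tag assignment that exposes one customer's campaign to another customer's reporter. The following is an added example, not CanIPhish code: it audits a tag inventory for that condition. All names, data and the tag-to-customer map are constructed, and it assumes a reporter sees any campaign carrying at least one of their tags.

```python
# Conceptual model of tag-restricted reporting (added example, not CanIPhish code).
# All data is constructed. ASSUMPTION: a reporter sees a campaign when the
# campaign carries at least one of the reporter's tags.

# Mapping kept by the MSP: which customer each campaign tag represents.
TAG_OWNER = {"acme": "Acme", "acme-finance": "Acme", "globex": "Globex"}

CAMPAIGNS = {
    "Q1 Acme baseline": {"acme"},
    "Acme finance spear-phish": {"acme", "acme-finance"},
    "Globex onboarding": {"globex"},
    "Shared holiday lure": {"acme", "globex"},  # tagged for two customers
    "Internal test": set(),                     # no tags at all
}

REPORTERS = {
    "ciso@acme.example": {"acme", "acme-finance"},
    "it@globex.example": {"globex"},
    "consultant@partner.example": {"acme", "globex"},  # spans two customers
}

def visible_campaigns(reporter_tags, campaigns=CAMPAIGNS):
    """Campaign names a reporter with these tags can see (any-tag match)."""
    return sorted(n for n, tags in campaigns.items() if tags & reporter_tags)

def customers_for(tags, owners=TAG_OWNER):
    """Customers represented by a set of tags; unmapped tags are surfaced."""
    return {owners.get(t, f"UNMAPPED:{t}") for t in tags}

def audit(campaigns=CAMPAIGNS, reporters=REPORTERS):
    findings = []
    for name, tags in sorted(campaigns.items()):
        if not tags:
            # Under the assumption above, no restricted reporter can see it.
            findings.append(("untagged-campaign", name))
        elif len(customers_for(tags)) > 1:
            findings.append(("multi-customer-campaign", name))
    for email, tags in sorted(reporters.items()):
        exposed = set()
        for name in visible_campaigns(tags, campaigns):
            exposed |= customers_for(campaigns[name])
        if len(exposed) > 1:  # reporter can see more than one customer's data
            findings.append(("cross-customer-visibility", email))
    return findings

if __name__ == "__main__":
    for kind, subject in audit():
        print(f"{kind}: {subject}")
```

With the constructed data, the single campaign tagged for two customers is enough to flag every reporter, which is why one tag per customer per campaign is the safer convention.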