Built-in roles

Every organization member is assigned one of three built-in roles:

Owner

Full administrative control. Can manage billing, delete the organization, and perform all admin and member actions.

Admin

Can manage members, configure integrations, create and archive engagements, and access all engagement data.

Member

Can participate in engagements they have access to. Can create tasks, write wiki pages, and run API requests.

Permission matrix

The table below summarizes what each built-in role can do:
Action                    Member   Admin   Owner
View engagements
Create engagements
Archive engagements
Delete engagements
Invite members
Remove members
Change member roles
Configure integrations
Manage API keys
View billing
Manage billing
Configure SSO
Enforce 2FA
Delete organization
Transfer ownership

Custom roles

Custom roles are available on the Business and Enterprise plans.
If the built-in roles don’t match your team structure, you can create custom roles with fine-grained permission sets. To create a custom role:
  1. Go to Organization Settings > Roles.
  2. Click Create Custom Role.
  3. Enter a name for the role (e.g., “Report Reviewer” or “Recon Operator”).
  4. Toggle individual permissions on or off.
  5. Click Save Role.
Custom roles can be assigned to members just like built-in roles.

Two-factor authentication (2FA)

Pwnbook supports two-factor authentication for all user accounts, managed through WorkOS.

Enforcing 2FA for your organization

Owners and admins can require all organization members to have 2FA enabled:
  1. Go to Organization Settings > Security.
  2. Toggle Require Two-Factor Authentication.
  3. Save your settings.
When 2FA enforcement is enabled, any member without 2FA configured will be prompted to set it up before they can access the organization.

Setting up 2FA as a user

  1. Go to your Account Settings.
  2. Under Security, click Set Up Two-Factor Authentication.
  3. Scan the QR code with your authenticator app (e.g., 1Password, Authy, Google Authenticator).
  4. Enter the verification code to confirm setup.

Single Sign-On (SSO)

SSO is available on the Business and Enterprise plans.
Pwnbook supports SSO via WorkOS, which provides integrations with identity providers such as Okta, Azure AD, Google Workspace, and any SAML 2.0 or OIDC-compatible IdP.

Configuring SSO

  1. Go to Organization Settings > Security > Single Sign-On.
  2. Click Configure SSO.
  3. Select your identity provider from the list.
  4. Follow the setup wizard, which provides the ACS URL and Entity ID you’ll need to configure on your IdP side.
  5. After configuring your IdP, paste the metadata URL or upload the metadata XML into Pwnbook.
  6. Click Test Connection to verify the configuration.
  7. Enable SSO for your organization.
Once SSO is enabled, members can log in via your identity provider. You can optionally require SSO for all members, which prevents password-based logins.
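
As an added illustration (not Pwnbook's own code), the Python model below encodes the access semantics described on this page: the three built-in roles as permission sets derived from their descriptions, custom roles as explicit permission sets, the 2FA enforcement gate that blocks organization access until setup is complete, and the SSO-required setting that refuses password logins. The permission names, the data model, and the sample engagement ids are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Permission names are hypothetical; each set mirrors the actions the
# built-in role descriptions list (Owner = everything Admin can do plus billing
# and organization deletion; Admin = everything Member can do plus management).
MEMBER_PERMS = {"engagement.participate", "task.create", "wiki.write", "api.request"}
ADMIN_PERMS = MEMBER_PERMS | {"member.manage", "integration.configure",
                              "engagement.create", "engagement.archive",
                              "engagement.read_all", "2fa.enforce"}
OWNER_PERMS = ADMIN_PERMS | {"billing.manage", "organization.delete"}
BUILT_IN = {"member": MEMBER_PERMS, "admin": ADMIN_PERMS, "owner": OWNER_PERMS}

@dataclass
class Organization:
    custom_roles: dict = field(default_factory=dict)  # role name -> permission set
    require_2fa: bool = False   # "Require Two-Factor Authentication" toggle
    require_sso: bool = False   # "require SSO for all members" option

@dataclass
class User:
    role: str                   # built-in role name or a custom role name
    has_2fa: bool = False
    engagement_ids: set = field(default_factory=set)  # engagements shared with user

def permissions_for(org, user):
    """Built-in roles win; otherwise look up a custom role; unknown roles get nothing."""
    if user.role in BUILT_IN:
        return BUILT_IN[user.role]
    return org.custom_roles.get(user.role, set())

def login_allowed(org, method):
    """Once SSO is required, password-based logins are refused; SSO logins still pass."""
    return method == "sso" or not org.require_sso

def can(org, user, permission, engagement_id=None):
    """Authorization decision for one action, optionally scoped to an engagement."""
    # 2FA enforcement gates every organization action until the member sets it up.
    if org.require_2fa and not user.has_2fa:
        return False
    perms = permissions_for(org, user)
    # Without "access all engagement data", a user may only act inside
    # engagements they have been given access to.
    if engagement_id is not None and "engagement.read_all" not in perms:
        if engagement_id not in user.engagement_ids:
            return False
    return permission in perms
```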

SSO provisioning

When configured with directory sync (SCIM), Pwnbook can automatically provision and deprovision user accounts based on your identity provider’s user directory. Contact support for help configuring SCIM provisioning.