Platform Users
Platform Users are the individuals who can log in and use Hydden.Control. Administrators manage platform users, assign roles, and configure scoped access to ensure users have appropriate permissions for their responsibilities.
Overview
Platform Users represent individuals who can log in and interact with Hydden.Control. This is distinct from Owners, which represent identity owners (employees, contractors, vendors) whose accounts and access are being reviewed.
| Concept | Description | Examples |
|---|---|---|
| Platform Users | Users who log into Hydden.Control to manage and review access | Administrators, Reviewers, Auditors |
| Owners | Identity owners whose accounts and access are being governed | Employees with accounts in various systems |
Platform Users vs Owners
Platform Users have roles that determine what they can do in Hydden.Control. Owners are the people whose access is being reviewed in campaigns. A person can be both a Platform User and an Owner.
The Platform Users page displays all users in your organization with their:
- Name - User's display name
- Email - Authentication email address (must match SSO provider)
- Subject - Authentication subject from SSO provider
- Provider ID - Identity provider identifier
- Status - Active, Inactive, or Suspended
- Roles - Assigned role(s): Administrator, Reviewer, or Auditor
- Last Login - Most recent sign-in timestamp
- Created - Account creation date
- Token Version - Internal version used to invalidate a user's existing tokens (incremented when their role changes)
- Actions - Suspend, Edit, Delete options
User Roles
Hydden.Control supports three user roles, each with different capabilities:
| Role | Purpose | Access Level |
|---|---|---|
| Administrator | Set up and manage Hydden.Control | Full access to all features |
| Reviewer | Participate in access review campaigns | Scoped access to assigned reviews |
| Auditor | View campaign results and reports | Read-only scoped access |
Administrator
Administrators have full access to all Hydden.Control features:
- Create, modify, and delete campaigns
- Configure settings, rules, and policies
- Manage platform users
- Access all identity data
- View and export reports
Single Admin Protection
If you are the only administrator, you cannot downgrade your own role; this prevents accidental lockout.
Reviewer
Reviewers participate in access review campaigns:
- Review accounts in campaigns where they are assigned as a reviewer
- Make accept, reject, and flag decisions
- Add comments to review decisions
- Generate campaign report downloads
- Read-only access to identity data within their scope
Auditor
Auditors view campaign results for compliance purposes:
- Read-only access to campaigns
- View review decisions and comments
- Generate campaign report downloads
- Read-only access to identity data within their scope
Scoped Access
Reviewers and Auditors have scoped access, meaning they can only access specific applications and account types. Administrators configure this scope when creating or editing users.
Assigned Applications
Specify which applications the user can access:
- Select specific applications from your connected data sources
- User can only view and review accounts associated with these applications
- Leave empty for no application restrictions (access all applications)
Account Types
Specify which types of accounts the user can access:
| Account Type | Description |
|---|---|
| User Account | Standard user accounts |
| Service Account | Non-human service accounts |
| Admin Account | Administrative accounts |
| Federated Account | Accounts from federated identity sources |
| System Account | System-generated accounts |
Select the account types relevant to the user's review responsibilities.
Scope Configuration
For Reviewers assigned to specific campaigns, configure their scope to match the campaign's target applications and account types.
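The scope rules above, as an added example that is not Hydden.Control's own code: a Python model that applies the assigned-application and account-type filters and reports where a Reviewer's scope falls short of a campaign's targets. Class and function names are assumed, and treating an empty account-type set as unrestricted mirrors the stated application rule and is an assumption.

```python
"""Added example (assumed model, not Hydden.Control's own code): a Reviewer or
Auditor sees an account only if it is in scope by application and account type."""
from dataclasses import dataclass, field

ACCOUNT_TYPES = {"User Account", "Service Account", "Admin Account",
                 "Federated Account", "System Account"}  # from the page's table

@dataclass
class PlatformUser:
    email: str
    role: str                                                # Administrator | Reviewer | Auditor
    assigned_applications: set = field(default_factory=set)  # empty = all applications
    account_types: set = field(default_factory=set)          # empty = all types (assumption)

    def __post_init__(self):
        unknown = self.account_types - ACCOUNT_TYPES
        if unknown:
            raise ValueError(f"unknown account types: {sorted(unknown)}")

@dataclass(frozen=True)
class Account:
    account_id: str
    application: str
    account_type: str

# Constructed sample accounts (not real data).
SAMPLE_ACCOUNTS = [Account("a1", "Okta", "User Account"),
                   Account("a2", "AWS", "User Account"),
                   Account("a3", "Okta", "Service Account")]

def can_view(user: PlatformUser, account: Account) -> bool:
    """Administrators see everything; Reviewers and Auditors are limited to scope."""
    if user.role == "Administrator":
        return True
    if user.role not in ("Reviewer", "Auditor"):
        return False
    if user.assigned_applications and account.application not in user.assigned_applications:
        return False
    if user.account_types and account.account_type not in user.account_types:
        return False
    return True

def scope_gaps(user: PlatformUser, campaign_apps, campaign_types):
    """Applications and account types a campaign targets that the user's scope lacks."""
    if user.role == "Administrator":
        return set(), set()
    apps = set(campaign_apps) - user.assigned_applications if user.assigned_applications else set()
    types = set(campaign_types) - user.account_types if user.account_types else set()
    return apps, types
```

An Administrator can run `scope_gaps` before assigning a Reviewer to a campaign; a non-empty result means the Reviewer would not see part of the campaign's target accounts.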
Owner Management
Owners represent the individuals (employees, contractors, vendors) whose accounts and access are governed through Hydden.Control. While Platform Users manage the system, Owners are the subjects of access reviews.
Owner Attributes
Owners have rich attribute profiles synchronized from connected data sources:
| Attribute Category | Fields |
|---|---|
| Identity Information | Identity ID, Identity Name, Identity Email, Alt Email |
| Organizational Data | Department, Title, Location, Manager, Start Date, End Date |
| Contact Information | Mobile Phone, Phone |
| Owner Classification | Owner Type (Employee, Contractor, Vendor), Status (Active, Inactive) |
| Role Assignments | Assigned roles based on organizational attributes |
Owner Statistics and Risk Metrics
Each owner profile includes calculated risk metrics and statistics:
- Account Activity: Number of active, inactive, and dormant accounts
- Account Statistics: Total accounts owned, account distribution by type
- Breach Data: Accounts identified in known breach databases
- Group Membership: Groups the owner belongs to across systems
- Password and Security: Password age, MFA status across accounts
- Privilege: Privileged and highly privileged account counts
- Total Threat: Overall risk score calculated from account risks
- Stale Accounts: Accounts not used in 90, 180, or 365 days
- MFA Gaps: Accounts without MFA enabled
- Failed Logins: Accounts with recent failed authentication attempts
Owner vs Platform User Relationship
| Scenario | Platform User | Owner |
|---|---|---|
| IT Administrator managing Control | Yes (Administrator role) | Possibly (if they have accounts being reviewed) |
| Manager reviewing team access | Yes (Reviewer role) | Yes (they also have accounts in systems) |
| Employee with corporate accounts | No (doesn't manage Control) | Yes (their accounts are reviewed) |
| Service Account | No | No (represented as Account, not Owner) |
Synchronizing Owners
Owner data is synchronized from connected data sources:
- Navigate to Settings > Data Sync
- Configure sync for identity sources (Workday, HR systems, etc.)
- Run manual sync or schedule automatic synchronization
- Owner profiles are created/updated based on synchronized identity data
- Owners are automatically linked to their accounts via owner mapping algorithms
See Data Sync for detailed sync configuration.
Adding a User
Manual User Creation
- Navigate to Settings > Platform Users.
- Click + Add User.
- Enter the user's Email - must match their authentication provider email.
- Enter the user's Name - display name shown in the application.
- Select a Status:
  - Active - User can log in
  - Inactive - User cannot log in (preserved for reactivation)
  - Suspended - User access temporarily revoked
- Select the user's Role:
  - Administrator
  - Reviewer
  - Auditor
- If the role is Reviewer or Auditor, configure Scoped Access:
  - Select Assigned Applications
  - Select Account Types
- Click Create.
Editing a User
- Find the user in the Platform Users table.
- Click the Edit icon (pencil) in the Actions column.
- Modify user details as needed.
- Click Save.
::: note Role Changes and Token Invalidation
When a user's role is changed, their token version is incremented. This invalidates all existing authentication tokens for that user, forcing them to sign in again with their new role. This security measure ensures users immediately operate under their new permission level and prevents privilege escalation from cached tokens.
:::
User Status Management
Suspending a User
To temporarily revoke access:
- Click the Suspend icon in the Actions column.
- Confirm the suspension.
Suspended users cannot log in, but their account and history are preserved.
Reactivating a User
- Click Edit on the suspended user.
- Change Status from Suspended to Active.
- Click Save.
Deleting a User
- Click the Delete icon in the Actions column.
- Confirm the deletion.
Permanent Action
Deleting a user permanently removes their account. Consider suspending instead to preserve audit history.
Role Definition Matrix
The following matrix details permissions for each role across Hydden.Control features:
| Feature | Administrator | Reviewer | Auditor |
|---|---|---|---|
| Accounts | Full access | Read only (scoped) | Read only (scoped) |
| Owners | Full access | Read only (scoped) | Read only (scoped) |
| Roles | Full access | Read only | Read only |
| Policies | Full access | No access | No access |
| Groups | Full access | Read only (scoped) | Read only (scoped) |
| Applications | Full access | Read only (scoped) | Read only (scoped) |
| Campaigns | Full access | Review assigned items | Read only |
| Settings | Full access | No access | No access |
| Job History | Full access | No access | No access |
| Audit Log | Full access | No access | No access |
| AI Assistant | Full access | Scoped access | Scoped access |
| UI Theme | Select theme | Select theme | Select theme |
| Profile | View/Edit | View/Edit | View/Edit |
Campaign Permissions Detail
| Action | Administrator | Reviewer | Auditor |
|---|---|---|---|
| Create campaigns | Yes | No | No |
| Modify campaigns | Yes | No | No |
| Delete campaigns | Yes | No | No |
| Start/extend/end campaigns | Yes | No | No |
| Review items | Yes | Yes (assigned only) | No |
| View campaign progress | Yes | Yes (assigned only) | Yes |
| Export reports | Yes | Yes | Yes |
Token Duration
Authentication tokens have the following expiration:
| Token Type | Duration |
|---|---|
| Access Token | 1 hour |
| Refresh Token | 24 hours |
Users are automatically signed out when both tokens expire. Sessions remain active as long as the user is actively using the application and the refresh token is valid.
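The token-version invalidation described under Role Changes and Token Invalidation, the Single Admin Protection rule, and the token durations above, as an added example that is not Hydden.Control's own code: a Python model in which every token is stamped with the user's token version at issue time, a role change increments that version so previously issued access and refresh tokens stop validating, and the only administrator cannot downgrade their own role. Class names, the epoch-second clock and the `actor_email` parameter are assumptions.

```python
"""Added example (assumed model, not Hydden.Control's own code): tokens carry the
user's token version at issue time; a role change bumps it. Times: epoch seconds."""
from dataclasses import dataclass

ACCESS_TTL = 3600        # access token: 1 hour (from the page)
REFRESH_TTL = 24 * 3600  # refresh token: 24 hours (from the page)

@dataclass
class User:
    email: str
    role: str               # Administrator | Reviewer | Auditor
    status: str = "Active"  # Active | Inactive | Suspended; only Active may log in
    token_version: int = 1

@dataclass(frozen=True)
class Token:
    email: str
    version: int            # token_version when issued
    expires_at: int

class Directory:
    def __init__(self, users):
        self.users = {u.email: u for u in users}

    def change_role(self, email, new_role, actor_email):
        user = self.users[email]
        admins = [u for u in self.users.values() if u.role == "Administrator"]
        # Single Admin Protection: the only administrator cannot downgrade themself.
        if (email == actor_email and user.role == "Administrator"
                and new_role != "Administrator" and len(admins) == 1):
            raise PermissionError("cannot downgrade the only administrator")
        if new_role != user.role:
            user.role = new_role
            user.token_version += 1  # every token issued so far stops validating

    def issue(self, email, now):
        v = self.users[email].token_version  # stamp the current version
        return Token(email, v, now + ACCESS_TTL), Token(email, v, now + REFRESH_TTL)

    def valid(self, token, now):
        u = self.users.get(token.email)
        return (u is not None and u.status == "Active"
                and token.version == u.token_version and now < token.expires_at)

    def session_state(self, access, refresh, now):
        """'active': live access token; 'refresh': only the refresh token is good; else 'signed_out'."""
        if self.valid(access, now):
            return "active"
        return "refresh" if self.valid(refresh, now) else "signed_out"
```

A 'refresh' result is where the client obtains a new token pair; a role change turns even a session that would otherwise refresh into 'signed_out', which is the forced re-sign-in the note describes.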
Best Practices
- Least privilege - Assign the minimum role needed for each user's responsibilities
- Scope appropriately - Configure scoped access for Reviewers and Auditors to limit data exposure
- Regular review - Periodically audit platform users and remove those who no longer need access
- Multiple admins - Maintain at least two administrators to prevent lockout scenarios
- Use suspension - Suspend rather than delete users to preserve audit history
Related Topics
- Campaigns - Creating and managing campaigns
- AI Assistant - AI features and access
- Audit Log - Tracking user activities
- Settings Overview - All Settings options
