Users and roles
VeraFrame has three roles, each with a well-defined scope of what they can see and do.
These are VeraFrame application roles. In enterprise JWT/OIDC deployments, they can be mapped from your identity provider’s roles. They are separate from any source-data access roles you may use to limit which source groups a user is allowed to query.
The three roles
Admin
- Full access to the Admin dashboard.
- Can create, modify, and delete users.
- Can manage source groups, document templates, and (where available) compliance settings.
- Can access billing and open the Stripe portal.
- Can export audit logs.
In shared SaaS, the tenant owner account has extra protection: the owner account cannot be deleted, and an admin also cannot delete their own currently signed-in account.
User
- Access to the main tool (Generate, Audit, Ask, JSON API modes).
- Can view their own validation history.
- Can approve, override, and edit findings in their own runs.
- Cannot access Admin dashboard features.
- Cannot change tenant configuration.
This is the role your everyday team members use.
Viewer
- Read-only access to the main tool and their own validation history.
- Can view trust reports but cannot run validations.
- Cannot make corrections.
Useful for reviewers, auditors, or observers who need visibility but not operational rights.
Adding users
The Users tab appears in the Admin dashboard when your tenant is on the SaaS Cloud plan with OIDC authentication (the default for self-service signups). From the Users tab:
- Click Add user.
- Enter the email address.
- Select a role (admin, user, or viewer).
- Enter a display name (optional).
- Set a password for the user.
- Click Save.
The new user can sign in immediately with their email and password.
Changing a user’s role
From the Users tab, click the user’s row, pick the new role from the dropdown, and save. Role changes take effect on the user’s next request — there is no session invalidation required.
Removing a user
From the Users tab, open the user, click Delete, and confirm. Deleting a user removes their access immediately. Their past validation history is preserved in the audit trail (with their user ID recorded) but is no longer attributed to an active account.
You cannot delete your own account while signed in as that account, and the tenant owner account cannot be deleted from the UI.
Authentication
Depending on how your tenant was provisioned, users authenticate either through:
- OIDC / Cognito — the default for self-service SaaS signups. Users sign in via a hosted login page.
- Local email + password — available for older tenants and specific deployment types. Admins manage passwords directly.
In customer-specific JWT/OIDC deployments, it is common to:
- map customer identity-provider roles into VeraFrame app roles (admin, user, viewer)
- use separate JWT/OIDC roles or claims for source-group access control
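As an added illustration of the two separate mappings above (this is example code, not VeraFrame's or any identity provider's own implementation), the snippet below turns decoded token claims into a VeraFrame app role and, independently, into a set of permitted source groups. The claim names `roles` and `source_groups`, the IdP group names, and the sample claims are all assumptions constructed for the example; the least-privilege fallback to `viewer` is the choice a defender would make, not a documented VeraFrame behavior.

```python
from typing import Mapping

# VeraFrame app roles, ordered most- to least-privileged.
APP_ROLES = ("admin", "user", "viewer")

# Assumed mapping from identity-provider role names to VeraFrame app roles.
IDP_ROLE_MAP = {
    "veraframe-admins": "admin",
    "veraframe-users": "user",
    "veraframe-readonly": "viewer",
}
DEFAULT_ROLE = "viewer"  # least privilege when no mapped IdP role is present


def _as_list(value) -> list:
    """Claims may arrive as a list, a space-separated string, or be absent."""
    if value is None:
        return []
    if isinstance(value, str):
        return value.split()
    return list(value)


def map_app_role(claims: Mapping) -> str:
    """Pick the app role from the (assumed) 'roles' claim; highest match wins,
    unknown or missing roles fall through to the least-privileged role."""
    mapped = {IDP_ROLE_MAP[r] for r in _as_list(claims.get("roles")) if r in IDP_ROLE_MAP}
    for role in APP_ROLES:
        if role in mapped:
            return role
    return DEFAULT_ROLE


def allowed_source_groups(claims: Mapping) -> frozenset:
    """Source-group access is read only from its own (assumed) claim, never
    derived from the app role: an admin with no groups can validate nothing."""
    return frozenset(_as_list(claims.get("source_groups")))


def can_run_validation(claims: Mapping, source_group: str) -> bool:
    """Viewers are read-only; users and admins also need the group claim."""
    if map_app_role(claims) == "viewer":
        return False
    return source_group in allowed_source_groups(claims)


# Constructed sample claims, as a decoded token might present them.
SAMPLE_CLAIMS = {"roles": ["veraframe-users"], "source_groups": "finance legal"}
```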
The Users tab only appears when OIDC authentication is active on the tenant.
Session behavior
- Sessions are token-based and persist across browser tabs.
- Sign-out ends the session.
- Browser storage is used to keep the current session between page loads.
Related
- Tenant setup
- Audit trail — every user action is recorded
- Approve/reject workflow — how roles interact with compliance review