FAQs: Roles and permissions: admins, RBAC, and least privilege in Secureframe

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Admin roles and access

How do I grant Super Admin access to a user in our account?

  • To grant Super Admin access:

    1) Navigate to Personnel Page
    2) Search for the user
    3) Click the user's name or "edit details" from the 3-dot menu
    4) Click "Edit"
    5) Use the Access Role dropdown to select Super Admin
    6) Click "Save"

    Note: Only existing Super Admins can perform this action.

    https://support.secureframe.com/hc/en-us/articles/360056675534-How-to-add-an-Admin-or-Super-Admin

Do Performance reviews need to be uniform across roles?

  • Not necessarily. It’s fine if they vary based on role. However, it’s a good idea to add a line in your access control policy noting that review formats might vary.

Does the platform offer a concept of privilege levels and can low-level privilege roles be created?

  • Yes, the platform offers role-based access provisioning that is fully customizable. You can assign users different levels of access, from super admin to access for only one module within the system.

For the ISMS Scope (item 1a): “For ‘User of Documents,’ can we list just one role (e.g., CTO), or do we need multiple people?”

  • Listing a single responsible role (such as CTO or equivalent) is sufficient.

What can entities consider doing as part of communicating roles and responsibilities?

  • As part of communicating roles and responsibilities, entities can consider having personnel acknowledge their acceptance and understanding of their assigned roles and responsibilities.

What control within Secureframe covers maintaining a systems inventory (including physical devices, virtual devices, software, data and data flows, external information systems, and organizational roles)?

  • This requirement is addressed through Secureframe’s asset inventory–related controls, which map to multiple frameworks (for example, SOC 2 CC1, ISO 27001 A.8.1.1/A.8.1.2, and NIST CM-8).

    These controls ensure organizations keep an up-to-date inventory of devices, systems, software, data flows, external systems, and roles. In Secureframe, this is supported through automated integrations (e.g., Secureframe Agent, Intune, Jamf, AWS, GCP) and by maintaining vendor and personnel inventories.

What is a method to document roles and responsibilities?

  • A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible, accountable, consulted, and informed (also called a RACI matrix).

What is an example of a method to document roles and responsibilities?

  • A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible, accountable, consulted, and informed (also called a RACI matrix).

What is another term for separating roles and functions?

  • Separation or segregation of duties.

What is the goal of separating roles and functions between production and pre-production environments?

  • To reduce the number of personnel with access to the production environment and account data and thereby minimize risk of unauthorized, unintentional, or inappropriate access to data and system components.

What is the objective of separating roles and functions in pre-production and production environments?

  • To define and manage job roles and accountability that differentiate between pre-production and production activities to minimize the risk of unauthorized, unintentional, or inappropriate actions.

What is the role of a draft audit report?

  • The draft report allows organizations to review and verify findings before the final report is issued.

What is the role of controls in compliance?

  • Controls enforce policies and ensure compliance by implementing security processes, actions, and technologies.

What is the role of tests in compliance?

  • Tests provide evidence that controls are implemented correctly and are operating effectively.

What may happen if roles and responsibilities are not formally assigned?

  • Personnel may not be aware of their day-to-day responsibilities, and critical activities may not occur.

What permissions are required to set up Google Cloud Platform (GCP) integration in Secureframe?

  • To fully set up GCP in Secureframe and grant the necessary access, you’ll need permissions that allow you to create roles, assign permissions, and connect service accounts.

    Minimum Required Permission:

    resourcemanager.projects.setIamPolicy – This is needed to grant a principal (such as Secureframe) access to a project. Without it, you can still create service accounts but cannot assign them to the required project roles.

    Recommended Role:

    Owner or Project IAM Admin – These roles contain resourcemanager.projects.setIamPolicy and other permissions needed to create service accounts, assign roles, and configure policies.

    Key Notes:

    You do not strictly need “global admin” privileges, but you do need to be able to create or update IAM policies on the project.

    If you only have partial permissions, you may be able to create the service account but won’t be able to grant it the required roles.

    If you lack this permission, work with your GCP admin to either grant you Project IAM Admin or add the specific resourcemanager.projects.setIamPolicy permission.
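The check a practitioner wants before starting the GCP integration is whether the principal they are signed in as actually holds resourcemanager.projects.setIamPolicy, and which other principals hold it (the same review serves least-privilege audits of who can rewrite the project's IAM policy). The script below is an added example, not Secureframe's or Google's code. The policy document is constructed to match the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json` (a list of role/member bindings), and the role-to-permission table is a small hand-written subset that encodes only what this FAQ states about Owner and Project IAM Admin; it is an assumption, not the authoritative role catalog. Group membership is not expanded and conditional bindings are skipped, so the result errs toward reporting fewer permissions.

```python
"""Audit a GCP project IAM policy for the permission the Secureframe GCP
integration needs (resourcemanager.projects.setIamPolicy).

Added example: the sample policy and the role table below are constructed
and simplified, not real project data or Google's full role definitions.
"""
import json

REQUIRED_PERMISSION = "resourcemanager.projects.setIamPolicy"

# Assumed subset of predefined-role permissions. Only what the FAQ states is
# encoded: Owner and Project IAM Admin carry setIamPolicy; Editor and Service
# Account Admin can create service accounts but cannot bind them to roles.
ROLE_PERMISSIONS = {
    "roles/owner": {REQUIRED_PERMISSION, "iam.serviceAccounts.create"},
    "roles/resourcemanager.projectIamAdmin": {REQUIRED_PERMISSION},
    "roles/editor": {"iam.serviceAccounts.create"},
    "roles/iam.serviceAccountAdmin": {"iam.serviceAccounts.create"},
    "roles/viewer": set(),
}

# Constructed sample policy in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": ["user:bob@example.com"]},
    {"role": "roles/iam.serviceAccountAdmin", "members": ["user:bob@example.com"]},
    {"role": "roles/resourcemanager.projectIamAdmin",
     "members": ["group:cloud-admins@example.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:secureframe-sa@example.iam.gserviceaccount.com"]}
  ],
  "etag": "BwX-constructed",
  "version": 1
}
""")


def effective_permissions(policy, member):
    """Union of permissions the policy grants to one member.

    Bindings carrying a 'condition' are skipped because a conditional grant
    may not apply to the request at hand. Roles missing from ROLE_PERMISSIONS
    (custom roles, or predefined roles not in the table) grant nothing here,
    which is the safe direction for an audit. Groups are not expanded.
    """
    perms = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def integration_readiness(policy, member):
    """Classify a member against the FAQ's requirements.

    'ready'        -> holds setIamPolicy, can complete the integration
    'partial'      -> can create a service account but cannot grant it roles
    'insufficient' -> can do neither
    """
    perms = effective_permissions(policy, member)
    if REQUIRED_PERMISSION in perms:
        return "ready"
    if "iam.serviceAccounts.create" in perms:
        return "partial"
    return "insufficient"


def principals_with_permission(policy, permission):
    """Every member that holds `permission` unconditionally, sorted for review."""
    members = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if permission in ROLE_PERMISSIONS.get(binding["role"], set()):
            members.update(binding.get("members", []))
    return sorted(members)


if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com", "user:carol@example.com"):
        print(who, "->", integration_readiness(SAMPLE_POLICY, who))
    print("can change project IAM policy:",
          principals_with_permission(SAMPLE_POLICY, REQUIRED_PERMISSION))
```

To run it against a real project, replace SAMPLE_POLICY with the parsed output of `gcloud projects get-iam-policy PROJECT_ID --format=json`; the `partial` result for bob is exactly the "can create the service account but won't be able to grant it the required roles" situation the FAQ describes.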

What role do assets play in compliance?

  • Assets such as devices, cloud resources, and software must be tracked and secured to meet compliance requirements.

What should be done to verify that roles and responsibilities are assigned as defined and are understood?

  • Interview personnel with responsibility for performing activities in Requirement 10 to verify that roles and responsibilities are assigned as defined and are understood.

What should be examined to verify that descriptions of roles and responsibilities are documented and assigned?

  • Documentation.

What should be examined to verify that full PAN is only displayed for roles with a documented business need, and that PAN is masked for all other requests?

  • Examine system configurations to verify that full PAN is only displayed for roles with a documented business need, and that PAN is masked for all other requests.

What should be examined to verify that roles and responsibilities are assigned as defined and are understood?

  • Interviews with personnel with responsibility for performing activities in Requirement 7.

What should be examined to verify that roles and responsibilities are assigned as documented and are understood?

  • Interview personnel with responsibility for performing activities in Requirement 8.

What should be examined to verify that the access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function?

  • Vendor documentation and system settings.

What should be examined to verify the separation of roles and functions?

  • Policies and procedures, observed processes, and interviews with personnel.

What determines which party is responsible for specific PCI DSS controls?

  • Determining which party is responsible for specific PCI DSS controls will depend on several factors, including who has access to the decryption keys, the role performed by each party, and the agreement between parties.

When creating a personal access token for the Supabase integration, the token inherits the connecting user's full permissions. Is there a way to restrict Secureframe's access to read-only?

  • Yes. Create a dedicated service account in Supabase, assign it the Read-Only role, then use that account to connect to Secureframe. This ensures the integration token inherits only read permissions.

Where may roles and responsibilities be documented?

  • Roles and responsibilities may be documented within policies and procedures or maintained within separate documents.

Why is it important to formally assign roles and responsibilities?

  • If roles and responsibilities are not formally assigned, personnel may not be aware of their day-to-day responsibilities and critical activities may not occur.

Can an RBAC matrix be used in lieu of a User Access Review? Or vice-versa?

  • No, these are two separate items. The User Access Review is crucial for SOC 2 and cannot be replaced by the RBAC matrix.

What does "least privileges" refer to?

  • Providing only the minimum level of privileges needed to perform a job.

What does assigning least privileges help prevent?

  • Users without sufficient knowledge about the application from incorrectly or accidentally changing application configuration or altering its security settings.

What does enforcing least privilege help to minimize?

  • The scope of damage if an unauthorized person gains access to a user ID.

What is the difference between RBAC matrix & User Access Review?

  • The RBAC matrix defines roles and permissions, while the User Access Review (UAR) is a detailed review of each individual's access and permissions at a granular level.

What will the auditor typically look for in the risk management section? In which situation could a documented risk be an issue for the cert? Suppose one of my in-scope systems does not have a "least privilege" RBAC system. We have identified that as a risk but chose to accept it → what would be the impacts on the audit? Will the auditor look for undocumented risks, and how much of an issue can the discovery of an undocumented risk be?

  • Auditors will review your risk management process and documentation to ensure it’s complete, consistent, and aligned with your framework. They typically look for:

    A clear risk assessment methodology and process

    Identification of relevant threats and vulnerabilities

    Likelihood and impact ratings

    Documented risk treatment decisions (accept, avoid, mitigate, transfer)

    A risk register that ties back to treatment plans and the Statement of Applicability

    Evidence of periodic review of risks and accepted exceptions

    For your example: if an in-scope system doesn’t enforce least privilege RBAC (which is an ISO control), that would normally be considered a deviation. However, if you have documented and formally accepted this risk — with clear rationale, leadership sign-off, and periodic review — auditors typically accept that approach.

    Regarding undocumented risks: auditors don’t expect zero risks; they expect you to identify and document them. An undocumented risk is not automatically a finding unless it was intentionally excluded or it relates directly to a required control that is missing. In that case, it could raise concerns about your risk assessment process.

How does authorization work in the Secureframe API?

  • Secureframe uses role-based access control (RBAC): a request is authorized or denied based on the role assigned to the user within the company.

    As an example, say a user is assigned to a custom role called “Risk Manager”, and that role does not have permission to view Tests. If a request is made to a Tests endpoint with an API key and secret pair that belongs to that user, the request will fail.

    To determine the permissions of each role, navigate to the Secureframe Console -> Personnel -> Personnel settings -> Roles and click into the applicable role.
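The authorization rule described above (deny unless the caller's key maps to a user whose role carries the permission the endpoint needs), and the distinction made earlier on this page between an RBAC matrix and a User Access Review, are shown together in the added example below. It is not Secureframe's code or API: the role names, permission strings, endpoint paths and key identifiers are constructed to mirror the FAQ's “Risk Manager” scenario, and it models only the key identifier (secret verification is assumed to have happened before `authorize` is called).

```python
"""Deny-by-default RBAC authorization for API requests, plus the per-user
access review that an RBAC matrix does not replace.

Added example with constructed roles, permissions, endpoints and users;
Secureframe's real permission model is visible only in its console.
"""
from dataclasses import dataclass, field

# The RBAC matrix: role -> set of permissions. It describes roles, not people.
RBAC_MATRIX = {
    "Super Admin": {"tests:read", "tests:write", "personnel:read",
                    "personnel:write", "risks:read", "risks:write"},
    "Risk Manager": {"risks:read", "risks:write"},   # deliberately no tests:* permission
    "Auditor": {"tests:read", "risks:read"},
}

# Constructed mapping of endpoint -> permission required to call it.
ENDPOINT_PERMISSIONS = {
    ("GET", "/tests"): "tests:read",
    ("POST", "/tests"): "tests:write",
    ("GET", "/risks"): "risks:read",
    ("POST", "/risks"): "risks:write",
}


@dataclass
class Company:
    users: dict = field(default_factory=dict)     # user email -> role name
    api_keys: dict = field(default_factory=dict)  # API key id -> user email


# Constructed sample tenant.
SAMPLE_COMPANY = Company(
    users={"dana@example.com": "Risk Manager",
           "erin@example.com": "Super Admin",
           "finn@example.com": "Former Role"},     # role no longer in the matrix
    api_keys={"key-dana": "dana@example.com",
              "key-erin": "erin@example.com",
              "key-finn": "finn@example.com"},
)


def authorize(company, key_id, method, path):
    """Return (allowed, reason). Every unexpected state denies: unknown key,
    user whose role is not in the matrix, unmapped endpoint, missing permission."""
    user = company.api_keys.get(key_id)
    if user is None:
        return False, "unknown API key"
    role = company.users.get(user)
    if role not in RBAC_MATRIX:
        return False, f"user {user} has no valid role"
    needed = ENDPOINT_PERMISSIONS.get((method, path))
    if needed is None:
        return False, f"no permission mapped for {method} {path}"
    if needed not in RBAC_MATRIX[role]:
        return False, f"role {role!r} lacks {needed}"
    return True, f"{user} via role {role!r}"


def user_access_review(company):
    """Per-individual effective access: which role each person holds, the
    permissions that role currently grants, and the API keys that inherit
    them. This is the view a UAR needs and the RBAC matrix alone cannot give."""
    report = {}
    for user, role in sorted(company.users.items()):
        keys = sorted(k for k, u in company.api_keys.items() if u == user)
        report[user] = {
            "role": role,
            "role_in_matrix": role in RBAC_MATRIX,
            "permissions": sorted(RBAC_MATRIX.get(role, set())),
            "api_keys": keys,
        }
    return report


if __name__ == "__main__":
    print(authorize(SAMPLE_COMPANY, "key-dana", "GET", "/tests"))   # denied: no tests:read
    print(authorize(SAMPLE_COMPANY, "key-dana", "GET", "/risks"))   # allowed
    print(authorize(SAMPLE_COMPANY, "key-erin", "POST", "/tests"))  # allowed
    for user, row in user_access_review(SAMPLE_COMPANY).items():
        print(user, row)
```

In the review output, `finn@example.com` shows up with a role that is no longer in the matrix and a still-issued API key; that is the kind of individual-level finding a UAR surfaces and a matrix of roles never would, which is why the two are separate items for the audit.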

Is it correct to leave excessive service account grants out of scope for the test “Service account privilege restriction for intra-project (GCP)” when the service accounts are in DEV/UAT environments, on the grounds that they are not production?

  • Marking service account privilege tests as out of scope solely because they are in DEV/UAT environments is generally not recommended without clear justification. Service accounts can still pose risks and should have properly managed privileges in all environments.

    However, if you can verify that the service accounts are strictly segregated to non-production environments with no access to production systems, it may be reasonable to exclude them — provided this is well documented and justified.

I don't want to give a personal access token for Supabase because it has read/write access. What are my options?

  • You can create a service account in Supabase, grant it a Read Only role, and connect using that account's credentials to restrict our access to read only.

Is it an audit issue if service accounts are linked to a personal account instead of a dedicated service account email (e.g., serviceaccount@domain.com)?

  • While this typically isn’t an automatic audit failure, it can raise concerns:

    Audit Impact: Auditors may note it as an observation (opportunity for improvement), since linking service accounts to a personal identity blurs accountability. This could raise red flags around access control and user access reviews (SOC 2 CC6.1 / ISO 27001 A.9.2.5).

    Best Practice: Service accounts should be tied to unique, dedicated emails (e.g., serviceaccount@domain.com) rather than an individual’s personal account. This ensures clean separation between human and non-human identities and avoids confusion during access reviews.

    Recommendation: If a customer has linked service accounts to a personal account, advise them to migrate these to unique service account identities. If that’s not possible before audit, they should document the rationale and demonstrate compensating controls (e.g., role-based restrictions, logging, monitoring).

Is it possible to request a feature where service accounts do not require the input of fictitious data?

  • Yes. You can submit a feature request for this or any other product feedback you would like the team to consider.

How can I find out who the administrator is for my tenant?

  • In Secureframe, Admins and Super Admins for your organization are the people who manage the tenant. If you are unsure who these people are at your organization, you can reach out to success@secureframe.com or support@secureframe.com for a representative to assist.
