Team and roles
Your Pentestas tenant can have many users. Roles gate what each user can do.
Roles
| Role | Scan | View findings | Manage agents | Manage team | Billing |
|---|---|---|---|---|---|
| Admin | ✓ | ✓ | ✓ | ✓ | ✓ |
| User | ✓ | ✓ | ✓ | | |
| Viewer | | ✓ (read-only) | | | |
Only an admin can change roles. There must always be at least one admin; the last admin can't downgrade themselves.
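The rules above (admin-only role changes, and the at-least-one-admin invariant that stops the last admin downgrading or removing themselves) are modelled here as an added Python example. This is illustrative code, not Pentestas code; the `Tenant` class, `RoleError`, and the action names in `PERMISSIONS` are assumptions.

```python
# Added example, not Pentestas code: a model of the role rules described
# above. Class, function and action names are assumptions for illustration.
from dataclasses import dataclass, field

# Permission matrix as given in the roles table (Viewer is read-only).
PERMISSIONS = {
    "Admin": {"scan", "view_findings", "manage_agents", "manage_team", "billing"},
    "User": {"scan", "view_findings", "manage_agents"},
    "Viewer": {"view_findings"},
}


class RoleError(Exception):
    """Raised when a role change or removal would violate the rules."""


@dataclass
class Tenant:
    members: dict = field(default_factory=dict)  # email -> role name

    def admins(self):
        return [email for email, role in self.members.items() if role == "Admin"]

    def can(self, email, action):
        """True if the member's role grants the action; non-members get nothing."""
        role = self.members.get(email)
        return role is not None and action in PERMISSIONS[role]

    def _require_admin(self, actor):
        # Only an admin can change roles or remove members.
        if not self.can(actor, "manage_team"):
            raise RoleError(f"{actor} may not manage the team")

    def _guard_last_admin(self, target):
        # Invariant: at least one admin must remain. Because only admins can
        # change roles, this is exactly the "last admin cannot downgrade
        # themselves" case.
        if self.members.get(target) == "Admin" and self.admins() == [target]:
            raise RoleError(f"{target} is the last admin of this tenant")

    def change_role(self, actor, target, new_role):
        self._require_admin(actor)
        if new_role not in PERMISSIONS:
            raise RoleError(f"unknown role {new_role!r}")
        if target not in self.members:
            raise RoleError(f"{target} is not a member")
        if new_role != "Admin":
            self._guard_last_admin(target)
        self.members[target] = new_role

    def remove(self, actor, target):
        """Delete the membership; the user's account and the tenant's scans persist."""
        self._require_admin(actor)
        if target not in self.members:
            raise RoleError(f"{target} is not a member")
        self._guard_last_admin(target)
        del self.members[target]


def attempt(fn, *args):
    """Run an operation and return the rule it violated, or None on success."""
    try:
        fn(*args)
        return None
    except RoleError as exc:
        return str(exc)


if __name__ == "__main__":
    t = Tenant({"alice@example.com": "Admin", "bob@example.com": "User"})
    print(attempt(t.change_role, "bob@example.com", "bob@example.com", "Admin"))
    print(attempt(t.change_role, "alice@example.com", "alice@example.com", "Viewer"))
```

The guard is applied to removal as well as to role changes: removing the only admin would leave the tenant with nobody able to manage the team, which is the same invariant violation as downgrading them.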
Inviting
Settings → Team → Invite. Enter the email address, pick a role, and send.
The invitee gets an email with a one-time link. Following the link:
- If they already have a Pentestas account on another tenant, they are offered the choice of switching to your tenant or staying where they are and leaving the invitation pending.
- Otherwise, they sign up fresh. The invitation auto-assigns them to your tenant.
Invitations expire after 7 days. Resend from the team page.
Removing
Settings → Team → pick user → Remove. This deletes the membership; the user keeps their account but loses access to this tenant. Their scans remain, since scans are owned by the tenant, not by the removed user.
SSO (Enterprise)
Enterprise plans support SAML 2.0 and OIDC SSO. Configure:
- Settings → Team → Single sign-on.
- Upload your IdP's metadata XML (or configure manually).
- Match on email claim by default; optional custom attribute mapping.
With SSO enabled, users in your domain authenticate through the IdP instead of with Pentestas passwords. You can still keep a break-glass admin that signs in with a password or OAuth; a sensible default is to keep two of them, with strong credentials, and to watch for their logins in the audit log, since once SSO is on any non-SSO login is by definition a break-glass account in use.
Audit log
Every role change, invitation, removal, and login is audit-logged with IP address and user agent. Admins can view it under Settings → Team → Audit log or export it via the API.
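What to look for in that log, as an added Python example (not Pentestas code and not its export format): it parses a constructed JSON-lines export of the event types named above and flags promotions to Admin, non-SSO logins (break-glass accounts in use), removals, and logins from IPs outside a per-user baseline. The field names, the `SAMPLE_EXPORT` records, and the severity labels are assumptions.

```python
# Added example, not Pentestas code: review an exported audit log for the
# events a team admin would want to notice. The JSON-lines layout and field
# names below are an assumption; adapt them to the real export format.
import json
from collections import defaultdict

# Constructed sample export (not real Pentestas data).
SAMPLE_EXPORT = """\
{"ts":"2024-05-01T08:00:01Z","event":"login","actor":"alice@example.com","method":"sso","ip":"203.0.113.10","ua":"Mozilla/5.0"}
{"ts":"2024-05-01T08:05:12Z","event":"invite","actor":"alice@example.com","target":"carol@example.com","role":"User","ip":"203.0.113.10","ua":"Mozilla/5.0"}
{"ts":"2024-05-01T09:10:44Z","event":"role_change","actor":"alice@example.com","target":"bob@example.com","old_role":"User","new_role":"Admin","ip":"203.0.113.10","ua":"Mozilla/5.0"}
{"ts":"2024-05-01T23:41:09Z","event":"login","actor":"breakglass@example.com","method":"password","ip":"198.51.100.7","ua":"curl/8.4.0"}
{"ts":"2024-05-01T23:42:30Z","event":"remove","actor":"breakglass@example.com","target":"alice@example.com","ip":"198.51.100.7","ua":"curl/8.4.0"}
{"ts":"2024-05-02T08:01:00Z","event":"login","actor":"bob@example.com","method":"sso","ip":"203.0.113.22","ua":"Mozilla/5.0"}
"""


def parse_export(text):
    """Parse a JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(events, sso_enabled=True, baseline_ips=None):
    """Return (severity, ts, message) tuples for events worth a second look.

    baseline_ips maps actor -> set of IPs already known for that actor; any
    login from an IP outside it is reported and then added to the set.
    """
    seen = defaultdict(set)
    for actor, ips in (baseline_ips or {}).items():
        seen[actor] = set(ips)
    findings = []
    for e in events:
        kind, ts, actor, ip = e["event"], e["ts"], e["actor"], e["ip"]
        if kind == "role_change" and e.get("new_role") == "Admin":
            findings.append(("high", ts, f"{actor} promoted {e['target']} to Admin from {ip}"))
        elif kind == "login":
            if sso_enabled and e.get("method") != "sso":
                # With SSO on, a password/OAuth login means a break-glass account is in use.
                findings.append(("high", ts, f"non-SSO login by {actor} from {ip} ({e['ua']})"))
            if ip not in seen[actor]:
                findings.append(("medium", ts, f"{actor} logged in from new IP {ip}"))
                seen[actor].add(ip)
        elif kind == "remove":
            findings.append(("medium", ts, f"{actor} removed {e['target']} from {ip}"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for sev, ts, msg in review(events, baseline_ips={"alice@example.com": {"203.0.113.10"}}):
        print(f"[{sev:6}] {ts} {msg}")
```

Seed `baseline_ips` from a previous export so that only genuinely new source addresses are reported; the break-glass login and the removal it is followed by in the sample are the pattern worth paging on.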