Managing access

runZero supports multiple concurrent users with a variety of roles. To add a team member, access the Your Team page, and use the Invite User button to send an invitation.

The Your team menu entry has four submenus. The first, Users, shows all users in the current client account. The second tab, Groups, lists the user groups available; the groups define the access and permissions users have within each organization. The third, Restricted, lists users who only have access to a single organization. The last tab lists users who have access to the current organization, as selected from the organization selector at the top of the screen.

User details page

From the Users page, click on a user to view their details page. The user details include a list of their effective access to each organization. While editing user permissions, the explicit assigned roles are displayed. View the user details page to understand effective access, even where explicit roles are not assigned.

Default roles

runZero allows roles to be defined per-user on both a default and per-organization basis. The standard privilege levels are administrator, user, billing, annotator, viewer, and no access. There is also a superuser role available to manage global settings. Where a per-organization role is defined, access will be provisioned based on most privilege.


The first user created within the runZero console is considered a superuser. This role allows management of global settings like subscriptions and SSO parameters, and is shown as an access level of “everything”.

If you are a superuser, you can promote someone else to be a superuser. To do this, check the row listing them, and click the Promote to superuser button.

If you are using SSO authentication, you should configure at least one superuser with a strong password and MFA that can used as a backup if SSO settings need to be changed in the future.

We strongly recommend having more than one superuser, particularly if you are using MFA. That way if an MFA token is lost or a superuser leaves your organization, another superuser can fix the problem.


Administrators can modify any aspect of an organization and have the unique ability to permanently delete bulk data, create additional organizations, and reset settings for other users.


Users have full access to an organization and can update sites, modify assets, schedule scans, and generally use most functionality. Users are not permitted to reset other users’ security credentials, bulk delete data, or delete an organization.


Billing users are unable to see any asset data, but can manage the licensing, billing, and entity settings for the account.


Annotators have the same permissions as a viewer, except they have the ability to add tags to assets. Annotators do not have any other write-access within an organization, so they are unable to modify or remove existing tags. Modifications to existing tags must be made by a runZero user or administrator.


Viewers have read-only access to an organization. This includes all inventory data and reports. Viewers are not allowed to interact with tasks, modify settings, or update assets. Viewers may not download the command-line runZero scanner or install runZero Explorers, and they do not have access to view API tokens or export tokens.

No Access

Accounts with no access, which is set in the global role, are limited to those organizations where they have been granted access. If no organizations are allowed, the user is limited to managing their own account settings.

These accounts can only see other users that share their authorized organizations. The no access global role can be used to create a single-organization user, such as a customer or third-party that needs access to the inventory for a specific organization. For consulting use cases, a single-organization user is a way to provide clients with visibility into their environment at no additional cost.

Account settings

The Account page is available to superusers. It contains settings which apply to all users and organizations within the account.

Single-sign on (SSO)

runZero supports the implementation of SSO through SAML2. If you use a SAML2-compatible single sign-on (SSO) implementation, the SSO Settings page can be used to configure an Identity Provider (IdP) and allow permitted users to login to the runZero console.

Multi-factor authentication (MFA)

runZero supports multi-factor authentication, also known as two-factor authentication or 2FA. Physical hardware keys such as Google TitanKey and Yubico YubiKey are supported via the WebAuthn standard.

You can configure MFA policies for your account via the Account settings page. If multi-factor authentication is required, users who do not have an MFA token set up will be required to set one up when they next log in. You can choose between requiring this for all users, or only requiring it for non-SSO users. The latter option is useful if your SSO server enforces MFA use.

Once a user registers one or more MFA tokens, they will be required to use one of the tokens every time they log in.

Note that changing the account settings to not require MFA will not alter the MFA status of existing accounts. Existing accounts will keep any existing MFA tokens they have registered, and will still be required to use one to log in. To disable MFA for a user, the user must clear the MFA token registration. To do this, they can go to their user settings page and click the red “Unlink” text next to the token ID in the bottom right.

Disabling support access

If you check the box labeled Disable support access to your account, runZero support staff will not be allowed to switch to your account.

If you choose to disable support access, this may make it harder for runZero support to answer any questions you have. In some cases we may need you to turn support access back on so that we can help you.

Idle times and login duration

You can set a maximum idle session time in minutes. If set, users whose web browsers don’t access runZero for the specified time period will be considered idle, and logged out.

You can also specify a maximum login duration. If set, users will be forced to log in again regularly, at least once every specified period.

Account API keys

The Account API is a REST API which allows account-level operations such as adding and removing organizations and sites, adding users, and accessing the system event log. The Generate API Key button on the Account page can be used to generate a token which will allow access to the Account API.

License information

The License tab shows information about your runZero software license, including how many assets you are licensed for, how many assets you have across all organizations, and when your license renews.

Entity information

The Entity tab allows you to update information about the legal entity runZero is licensed to. You should ensure that this information is kept up-to-date if your company changes name or location, as we use the information to calculate taxes and ensure compliance with appropriate regulations.