Users & Permissions
This step configures who can access Guardian Pro and what actions they are allowed to perform. You can discover existing users from your AWS environment, create new Guardian Pro users, assign permission levels, and send invitations.
User Discovery
Guardian Pro can discover existing IAM users and SSO users in your AWS environment to help you quickly set up your team.
What Gets Discovered
- IAM users across your monitored accounts
- SSO (IAM Identity Center) users if you use AWS SSO
- User metadata including name, email, and associated account access
User discovery is optional. You can skip it and create Guardian Pro users manually if you prefer.
Reviewing Discovered Users
Discovered users are displayed in a table with:
- Name and email from the IAM or SSO profile
- AWS account access showing which accounts each user can access
- Suggested role based on their existing AWS permissions
You can select which discovered users to invite to Guardian Pro and adjust their role assignments before sending invitations.
Creating Guardian Pro Users
Whether you import discovered users or create them from scratch, each Guardian Pro user needs:
| Field | Description |
|---|---|
| Email | Used for login and notifications. Must be unique across the organisation |
| Display name | Shown in the Guardian Pro interface |
| Permission level | Determines what the user can see and do (see below) |
Adding Users Manually
- Click Add User in the onboarding wizard
- Enter the user's email and display name
- Select a permission level
- Repeat for additional users
You do not need to add all users during onboarding. Users can be added at any time from Settings > Users. See User Management for details.
Permission Levels
Guardian Pro provides three built-in permission levels that control access across all platform modules:
Read-Only
| Module | Access |
|---|---|
| Security findings | View |
| Cost analysis | View |
| Resources | View |
| Accounts | View |
| Users | View |
| Organisation settings | View |
Best for: stakeholders, auditors, and team members who need visibility without the ability to make changes.
Standard
| Module | Access |
|---|---|
| Security findings | View, Acknowledge, Suppress |
| Cost analysis | View, Run analysis |
| Resources | View, Trigger discovery |
| Accounts | View |
| Users | View |
| Organisation settings | View |
Best for: engineers and DevOps team members who actively work with findings and need to take non-destructive actions.
Admin
| Module | Access |
|---|---|
| Security findings | View, Acknowledge, Suppress, Remediate |
| Cost analysis | View, Run analysis, Configure budgets |
| Resources | View, Trigger discovery |
| Accounts | View, Add, Remove |
| Users | View, Invite, Modify, Remove |
| Organisation settings | View, Modify |
Best for: platform administrators, security leads, and DevOps managers who need full control over Guardian Pro configuration and remediation capabilities.
Only Admin users can execute remediation actions. If your team needs to fix findings through Guardian Pro, ensure at least one user has Admin permissions.
Mapping AWS Roles to Guardian Pro Permissions
For organisations using AWS SSO or IAM roles for team access, Guardian Pro supports role mapping. This automatically assigns Guardian Pro permissions based on a user's AWS role.
How Role Mapping Works
- Define a mapping rule: Associate an AWS IAM role or SSO permission set with a Guardian Pro permission level
- Users inherit permissions: When a user with a mapped role signs in, they automatically receive the corresponding Guardian Pro permission level
- Mappings update dynamically: If a user's AWS role changes, their Guardian Pro permissions update on next sign-in
Example Mappings
| AWS Role / Permission Set | Guardian Pro Permission |
|---|---|
| AdministratorAccess | Admin |
| PowerUserAccess | Standard |
| ReadOnlyAccess | Read-Only |
| SecurityAudit | Read-Only |
| Custom DevOps role | Standard |
Creating a Role Mapping
In the onboarding wizard:
- Click Add Role Mapping
- Select the AWS IAM role ARN or SSO permission set name
- Choose the corresponding Guardian Pro permission level
- Save the mapping
Role mappings are optional. You can assign permissions directly to individual users instead. Role mappings are most useful for large teams where permission management needs to scale with your AWS access patterns.
For detailed role mapping configuration, see Role Mappings.
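The following is an added illustration of the role mapping semantics described above (exact matching, evaluation at sign-in, no retroactive change to active sessions); it is example code, not Guardian Pro's own implementation. The `User`, `RoleMapping` and `sign_in` names are invented for the example, and the rule that the most privileged level wins when a user holds several mapped roles is an assumption not stated on this page.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set

LEVELS = ("Read-Only", "Standard", "Admin")  # least to most privileged

@dataclass(frozen=True)
class RoleMapping:
    aws_identity: str  # IAM role ARN or SSO permission set name, matched exactly
    level: str         # Guardian Pro permission level

# The example mappings from the table above (hypothetical model, not product code).
EXAMPLE_MAPPINGS = (
    RoleMapping("AdministratorAccess", "Admin"),
    RoleMapping("PowerUserAccess", "Standard"),
    RoleMapping("ReadOnlyAccess", "Read-Only"),
    RoleMapping("SecurityAudit", "Read-Only"),
)

@dataclass
class User:
    email: str
    aws_identities: Set[str]              # roles / permission sets currently held in AWS
    assigned_level: Optional[str] = None  # level set directly on the user, if any
    session_level: Optional[str] = None   # level in effect for the active session

def resolve_level(user: User, mappings: Iterable[RoleMapping]) -> Optional[str]:
    """Level the user should hold after signing in.
    Matching is an exact string comparison, so 'readonlyaccess' never matches
    'ReadOnlyAccess'. When several held identities are mapped, the most
    privileged level wins (an assumption of this example). Without any
    matching mapping, the directly assigned level applies."""
    matched = [m.level for m in mappings if m.aws_identity in user.aws_identities]
    return max(matched, key=LEVELS.index) if matched else user.assigned_level

def sign_in(user: User, mappings: Iterable[RoleMapping]) -> Optional[str]:
    """Mappings are evaluated at sign-in; the result is stored on the session."""
    user.session_level = resolve_level(user, mappings)
    return user.session_level

def change_aws_role(user: User, old: str, new: str) -> Optional[str]:
    """Model a role change in AWS: the active session keeps its current level;
    the new role only takes effect on the next sign_in() call."""
    user.aws_identities.discard(old)
    user.aws_identities.add(new)
    return user.session_level
```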
Sending Invitations
After configuring users and permissions, send invitations to your team:
Invitation Process
- Review the user list -- confirm names, emails, and permission levels
- Click Send Invitations -- Guardian Pro sends a secure invitation email to each user
- Users accept and set passwords -- each invitation contains a unique link to create their Guardian Pro account
Invitation Details
- Validity: Invitations are valid for 7 days from the time they are sent
- Security: Each invitation contains a cryptographically signed token that cannot be forged or reused
- Resend: If an invitation expires, you can resend it from Settings > Users
You can send invitations during onboarding or defer them to later. Skipping this step does not block the rest of the setup process. You can invite users at any time from Settings > Users.
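As an added example of the three invitation properties listed above (7-day validity, a signed token that cannot be forged, and no reuse), here is a minimal HMAC-signed single-use token issuer and verifier. It is illustration code written for this page, not Guardian Pro's implementation; the signing key and the in-memory redeemed-id store are constructed for the example.

```python
import base64, hashlib, hmac, json, os, time

INVITE_TTL = 7 * 24 * 3600    # invitations are valid for 7 days
SIGNING_KEY = os.urandom(32)  # constructed server-side key; a real service would persist it
_redeemed = set()             # ids of invitations already accepted (constructed in-memory store)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_invitation(email, level, org, now=None):
    """Create a signed, single-use invitation token for one recipient."""
    now = int(time.time()) if now is None else now
    claims = {"id": _b64(os.urandom(16)), "email": email, "level": level,
              "org": org, "exp": now + INVITE_TTL}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def redeem_invitation(token, now=None):
    """Return (claims, "ok") for a genuine, unexpired, unused token, else (None, reason)."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        given = _unb64(sig)
    except ValueError:                   # wrong shape or undecodable (binascii.Error is a ValueError)
        return None, "malformed"
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None, "bad signature"     # forged or tampered: reject before parsing claims
    claims = json.loads(_unb64(body))
    if now > claims["exp"]:
        return None, "expired"           # admin must resend from Settings > Users
    if claims["id"] in _redeemed:
        return None, "already used"      # a link cannot be reused
    _redeemed.add(claims["id"])
    return claims, "ok"
```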
What Users See
Invited users receive an email containing:
- A brief introduction to Guardian Pro
- A secure link to accept the invitation and create their account
- The permission level assigned to them
- The organisation they are joining
Managing Users After Onboarding
User management is an ongoing process. After onboarding, you can:
- Add new users from Settings > Users
- Modify permission levels for existing users
- Deactivate users who no longer need access
- Update role mappings as your AWS roles evolve
- Resend expired invitations
See User Management and Role Mappings for detailed guides.
Troubleshooting
Invitation email not received
- Ask the user to check their spam or junk folder
- Verify the email address is correct in the user list
- Resend the invitation from the onboarding wizard or Settings > Users
- If the issue persists, check with your email administrator that emails from Guardian Pro are not being blocked
Cannot assign Admin permissions
Only the initial account creator (the user who started onboarding) has Admin permissions by default. This user can then grant Admin to others.
Role mapping not working
- Ensure the AWS role ARN or SSO permission set name is entered exactly as it appears in AWS
- Role mappings take effect on the user's next sign-in -- they are not applied retroactively to active sessions
- Verify the mapping is saved by checking Settings > Role Mappings
Next Steps
With your team configured, proceed to Complete Setup to finalise your Guardian Pro deployment and launch your first scan.
Related Pages
- Deploy StackSets -- previous step
- Complete Setup -- next step
- User Management -- detailed user management guide
- Role Mappings -- detailed role mapping guide
- Onboarding Overview -- full process summary