Six built-in roles fit most teams until they don't. "Can approve guardrails but not edit requirements." "Can manage billing and nothing else." "Can view findings across every workspace but write to none." You can now build custom roles for exactly those shapes, composed from Zenable's 47 granular permissions (and growing!) across 19 categories (requirements, guardrails, scopes, approvals, findings, billing, audit, and the rest), in a builder that sits right alongside the system roles.
Define a role at one of two levels. A workspace role lives with one tenant; a company role is defined once and assignable in every workspace under your org, including the ones you create next quarter, and can be the default that new users get on onboarding. When a workspace role proves out, promote it to company level in one click (audited, with identity preserved), and demote just as deliberately, with a live preview of exactly which assignments in which workspaces are affected before you commit.
We built this so delegated administration can't quietly become privilege escalation: every role create, edit, and grant runs through server-enforced privilege containment, so nobody can mint or hand out a role more powerful than what they hold themselves, and every grant and revocation lands in the audit log. Need a quick answer? zenable auth can-i requirements:write gives you a scriptable yes or no from the terminal. Available on Pro and Enterprise; the full permission matrix lives in the permissions docs.