
Users & Roles in Your goMISP instance

Updated: Aug 4

Intro

Managing users securely is a key part of running MISP, especially in environments where multiple analysts, administrators, or external partners are involved. MISP uses a role-based access control model to define what users can see and do within the platform. Whether you're adding a threat analyst, a system administrator, or a syncing partner, it's important to assign the right permissions from the start.


Key Concepts and Roles

When your goMISP instance is created, it is assigned a unique organization. This acts as your company's identity within the platform - grouping your users, events, and shared data in a secure and isolated environment.

  • Your Organization in MISP

    • When we create your goMISP instance, we leave the org name as "ORGNAME" as a placeholder for the appropriate name of the actual organization you would like to use.

    • This organization is your company’s identity inside the platform.

    • It groups your users, events, and shared data and keeps them isolated from other organizations that you may create in the future.


  • Admin Account (Your Responsibility)

    You receive a default admin account. You are responsible for managing your admin credentials. Change your password upon first login.

    • Username: admin@admin.test

    • Password: Provided securely via email or setup form

    This account has full administrative access to your instance and full control over your MISP environment.


    As the customer, you are responsible for:

    • Changing the password after first login

    • Managing your organization's users and roles

    • Controlling data visibility and distribution

    • Enabling/disabling public feeds and enrichment modules

    • Creating and configuring events and attributes

    Treat this account like a root-level admin for your organization.


  • Your Users

    • Users are your team members who log into MISP to view, create, or analyze threat intelligence.

    • You can create as many users as needed - and assign them roles with the right permissions.

You can create multiple users for your team, each with a role tailored to their responsibilities. Here's a breakdown of common roles:

| Role Name | Purpose & Permissions |
| --- | --- |
| Org Admin | Manages users and events within your organization. Can publish and edit shared data. |
| User | Can create and edit events and attributes, but limited to their own content. |
| Publisher | Can create and publish events organization-wide. Suitable for senior analysts. |
| Read Only | Can view data, but cannot edit or create anything. Ideal for auditors or trainees. |
| Sync User | Special role for syncing MISP instances. Not for human users. |


  • Support Account

    We also create a support user used by the goMISP team to help you manage and maintain your instance.

    🔒 Important:

    Do not delete or modify this user!


    We use this account for:

    • Troubleshooting technical issues

    • Performing updates

    • Restoring access if needed

    • Ensuring your instance runs securely and reliably

    Removing this account may result in delayed or unavailable support.


Overview of the different roles

Adding roles as a site admin

As a site administrator, you're responsible for managing user accounts across all organizations in your MISP instance. This includes creating accounts for analysts, sync users, or organization-level administrators.


Here's how to securely add new users, step by step.


Step 1: Navigate to the User Management Interface

  1. Log in to MISP with a site admin account 🠒 Go to the Administration menu (gear icon) 🠒 Select List Users


  2. Click on Add User in the top-right corner.


Step 2: Fill in User Details

On the "Add User" form, provide the following:

  • Email address: This will be the username.

  • Organisation: Choose the user's organization from the dropdown.

  • Role: Select a predefined role:

    • User (analyst): can view and create events depending on permissions.

    • Org Admin: manages users within their own organization.

    • Sync User: used for syncing between MISP instances.

    • Site Admin: full access across the entire instance (use with caution).

    • Others: You can add roles and adjust their rights.

  • NIDS SID (Network Intrusion Detection System Signature ID): a unique identifier for a specific intrusion detection rule

  • Password: Either generate one (tick the box)


Best Practices for User Creation

  • Apply least privilege: Start with the lowest needed role; elevate only if necessary.

  • Use 2FA: Encourage all users, especially admins, to enable two-factor authentication.

  • Segregate by organization: Ensure each user is linked to the correct org to enforce data separation and event visibility rules.

  • Avoid unnecessary Site Admin roles: Reserve this for technical administrators only.


Final Step: Save the User

Once the form is complete, click Submit. The user will now appear in the user list (Administration 🠒 List Users), and you can manage their settings, reset passwords, or deactivate them at any time.


Add or Edit roles as a site admin

Step 1: Add new roles

As a site admin you have the right to add new roles or edit already existing roles.

To add a new role with new permissions, go to the Administration menu 🠒 select Add Role, then fill out the needed information (Name, Memory limit, Permissions, Maximum execution time).


Step 2: List and Edit existing roles

Once you've created custom roles or want to review existing ones, MISP makes it easy to view and manage all role configurations in one place.

To access the list of roles:

Go to the top menu → Administration → List Roles

Then click the edit icon next to the role you'd like to modify.


This brings up a full overview of that role’s permissions, including whether it has admin rights, can publish events, manage tags, access templates etc.

You can also delete roles using the trash icon next to the edit button, or by pressing Delete Role in the upper-left corner.

Note: Before deleting a role, make sure that no users are currently assigned to it. MISP will not allow you to delete a role that’s still in use.


This interface offers a fast way to:

  • Audit your current permission structure

  • Fine-tune roles for your organization’s security model

  • Ensure users only have access to the capabilities they need
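
The user-creation best practices and the role audit described above can also be checked offline against an export of users and roles. This is an added example, not goMISP or MISP code: the records are constructed, the perm_site_admin and perm_admin keys mirror MISP role permission flags, and the totp key, the flat record shape and the APPROVED_SITE_ADMINS allow-list are assumptions.

```python
from collections import Counter

# Constructed sample data. The perm_* keys mirror MISP role permission
# flags; "totp" (2FA enrolled) and the flat record shape are assumptions.
ROLES = {
    1: {"name": "Site Admin", "perm_site_admin": True, "perm_admin": True},
    2: {"name": "Org Admin", "perm_site_admin": False, "perm_admin": True},
    3: {"name": "User", "perm_site_admin": False, "perm_admin": False},
    4: {"name": "Read Only", "perm_site_admin": False, "perm_admin": False},
    5: {"name": "Contractor", "perm_site_admin": False, "perm_admin": False},
}
USERS = [
    {"email": "admin@admin.test", "role_id": 1, "totp": True},
    {"email": "lead@example.org", "role_id": 2, "totp": False},
    {"email": "analyst@example.org", "role_id": 1, "totp": True},
    {"email": "trainee@example.org", "role_id": 4, "totp": False},
]
# Hypothetical allow-list: accounts approved to hold Site Admin.
APPROVED_SITE_ADMINS = {"admin@admin.test"}


def audit(users, roles, approved_site_admins):
    """Return (email, issue) findings for the user-creation best practices."""
    findings = []
    for user in users:
        role = roles.get(user["role_id"])
        if role is None:
            findings.append((user["email"], "unknown role id"))
            continue
        # Site Admin should be reserved for approved technical administrators.
        if role["perm_site_admin"] and user["email"] not in approved_site_admins:
            findings.append((user["email"], "unapproved Site Admin"))
        # Any admin-capable account should have two-factor authentication.
        if (role["perm_site_admin"] or role["perm_admin"]) and not user["totp"]:
            findings.append((user["email"], "admin without 2FA"))
    return findings


def deletable_roles(users, roles):
    """Roles with no assigned users; MISP refuses to delete roles in use."""
    in_use = Counter(user["role_id"] for user in users)
    return sorted(r["name"] for rid, r in roles.items() if in_use[rid] == 0)


if __name__ == "__main__":
    for email, issue in audit(USERS, ROLES, APPROVED_SITE_ADMINS):
        print(f"{email}: {issue}")
    print("Unused roles:", ", ".join(deletable_roles(USERS, ROLES)))
```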



 
 