Manage access
Access overview
Helm uses enterprise-grade access control designed for growing organizations managing vulnerability data across departments, business units, and teams while maintaining security and compliance.
Workspaces bring organizational structure to Helm with granular permissions, enabling you to control exactly who accesses which products and vulnerability data across your entire portfolio.
Three-level permission system
Helm uses a three-level permission system to control who can access your products and vulnerability data:
Org owner: Has complete access to everything in your organization. Creates workspaces and assigns Workspace admins and Users to workspaces.
Workspace admin: Has full control within assigned workspaces. Can create products, invite users, and set all permissions within their workspace(s).
User: Has specific permissions you assign. Gets access to particular products within a workspace, with separate permissions for SBOM and vulnerability data.
How workspaces organize access
Workspaces are organizational containers that separate different areas of your business - departments, teams, or business units. This ensures that only people in your workspace can access your products, SBOMs, and vulnerability data.
Each product belongs to exactly one workspace and cannot be moved between workspaces. This ensures clear organizational boundaries, prevents accidental data exposure, and maintains audit trail integrity.
Team members are assigned roles within each workspace they have access to. The same person might be a Workspace admin in Engineering but a User in the Marketing workspace.
Permission flow
Access control follows a specific sequence:
Team members are assigned a role within a workspace (Workspace admin or User)
Workspace admins automatically get full access to all products in their workspace
Team members with the User role get no access until you specifically assign them to products
For each User, you will add each user to the product, then set their SBOM permissions and vulnerability permissions (Modify, View, or None), respectively.
Key capabilities
Organize by department: Separate teams into distinct workspaces (Engineering, R&D, Marketing) ensuring teams only access their relevant products, SBOMs, and vulnerability data.
Flexible permission combinations: Assign any combination of SBOM and vulnerability permissions per product - modify both, view both, modify one and view the other, or grant access to only one area.
Centralized user management: Invite and manage users from a single location, assign them to multiple workspaces at once, and track pending invitations with automatic 7-day expiration for security.
Complete audit trails: View workspace history showing SBOMs uploaded, user invitations and acceptances, and user removals with timestamps and attribution for complete compliance tracking.
FDA submission readiness: Control which team members can generate and access FDA-ready reports (VEX, VDR, SBOM exports) based on their permissions, ensuring proper oversight of regulatory documentation.
Administration interface
If you have the role of Org owner or Workspace admin, you’ll see an Administration icon on the sidebar. You can manage your workspaces, users and products from here.
Workspaces tab
Create and manage workspaces
Create products within workspaces
Invite users to workspaces
When you click into a specific workspace, you'll see Workspace users and Workspace products subtabs for that workspace.
Workspace users subtab: Invite users to a workspace and manage users and their roles in this workspace.
Workspace products subtab: Create products, rename products, set product access
Users tab
View all users across the organization
Org owners can invite users to multiple workspaces
Only org owners can remove users from the Users tab, which will remove the user from the organization
Workspace admins can view users across the organization, but will only see the workspace access of users in workspaces that the Workspace admin has control of.
Both org owner and workspace admins can resend invites
Get started
As Org owner, you are the only one who can create workspaces, but your workspace admins can take care of everything else.
As the Org owner, you'll first need to create one or more workspaces.
During workspace creation, you can invite users to your workspace, and set their respective role in that workspace. You can also skip this step and invite them later.
Workspace admins automatically get full access to all products in their workspace, so you only need to set specific permissions for User-role members.
After creating the workspace, you can create products within each workspace.
For each product, you can then add from the existing workspace users the ones that should have access to each product, and set what SBOM and vulnerability permissions each will have.
If you want to add product versions or upload SBOMs for this product, you can do so from the Products page.
On the Products page, make sure your product is selected in the product drop-down.
Click the Add version button in the empty state or upload an SBOM (which will enable you to create a version).
Users tab: Invite and manage users
In the Users tab, permission vary by role:
Org owner:
Remove users from the Users tab - this will revoke all access and remove them from the organization. You can re-invite them, but cannot undo this change.
Both org owner and workspace admins can:
Invite users to one or more workspaces
Resend invites
Search and filter users
Invite users to a workspace
The Org owner can invite users to a workspace from the Users tab.
In the Users tab, click Invite users.
Enter the user's email.
When the user accepts the invite and signs in for the first time, they will be prompted to provide their full name.
Select the workspace this user should have access to.
After sending this invite, you can add the user to other workspaces from the Users tab
Specify the user role for the workspace.
Workspace admin: Give the new user full permissions to that workspace.
User: You will need to set SBOM and vulnerability modification or viewing permissions for all products within that workspace.
Click Add another user to invite another user. You can invite as many users as needed.
Click Invite X users.
You will see an on-screen success notification, reminding you to set the users' product access so that when they accept the invite, they'll be ready to go.
Your team members will be sent invites, which will contain their workspace and role.
After sending invites, these users will display in the tab with a Pending status. As soon as they accept their invite, their status will change to Active.
You will not receive an email notification at this time, so make sure to keep track of this.
If a user hasn't accepted within 3 days, the invite link will expire for your security.
You can click the actions overflow ... button > Resend invite at any time.
If you need to change permissions for a Pending user, you'll need to remove them from the users list, then re-add them with the adjusted permissions. This will send out a new invite.
For team members with the User role:
Workspaces and roles you selected during the invite process will be shown in the Workspace access drop-down of the Users tab.
For each user, it will show each workspace paired with its role, such as Engineering: Workspace admin.
Manage users
In the Users tab, you will see a list of all users.
You can filter down to a particular workspace to see those assigned users.
You can manage user access to products within the workspace the product is assigned to.
Change user role
Team members with higher permissions can change the role or remove anyone with lower permissions, thus:
Org owner can change the role or remove anyone from the user list
Workspace admins must go into a workspace to manage users (e.g., change role, remove, set product access)
Change user role or product access: When you change role or product access permissions for a team member, you will need to let them know about this change.
If you change a Workspace admin to a User, you’ll need to set product access for them to view and modify SBOMs and vulnerabilities.
Add or remove users from workspaces: Users will receive an email only if they have been invited to additional workspaces, not when they have been removed from them. You will need to let them know about that change.
Remove users from organization list
Only org owners can remove users from the organization list.
On each user you want to remove, click the action overflow ... button > Remove from organization. This will display a confirmation modal.
Confirm the access revocation. You'll see a toast notification that the users were removed.
Removed users will not get an email notification of this change.
You can always re-invite a user that has been removed.
User roles
You can assign users full workspace privileges as Workspace admins, or you can assign them the User role, then configure their permissions to view and modify your SBOM and vulnerabilities.
Org owner role
There is only one Org owner. This user has full access to all workspaces within your organization, and can:
Manage all users across organization, including removing user access completely.
Invite new and add existing users to one or more workspaces, and set their roles within each workspace.
Create and manage alias rules to automatically link software across all workspaces to known software in the NVD.
Create and manage lifecycle rules to automate population of level of support and EOS/EOL information.
Workspace admin role
This user has full admin permissions to a workspace and can:
Invite new or add existing users to a workspace, and set their roles within the workspace
Change the role of team members with the User role or remove them from the workspace.
Be a Workspace admin in multiple workspaces, or have a lower role in another workspace. Their permissions must be set in each workspace they will have access to.
This role cannot:
Create workspaces
Create alias or lifecycle rules
Change the role of other workspace admins
Remove users from the organization
User role
Has SBOM and/or vulnerability access to selected products only
Workspaces tab: Create and manage workspaces
Workspace overview
A workspace is a way of separating areas of a business, such as departments, teams, business units. This ensures that only people in your workspace can access your products, SBOMs, and vulnerability data.
From the Workspaces tab, you can:
Create and manage workspaces
Create products within a workspace
Invite new or add existing to each product in the workspace
Manage existing users and their product access for each workspace
Create a workspace
Org owner role
If you're the Org owner, you can view and manage all workspaces.
Click Administration in the sidebar, then click the Workspaces tab.
Click the Create workspace action link in the toolbar. This will display the Create workspace panel.
You can invite new or add existing users now or at a later time.
Specify the new workspace name. Each workspace will have the default name of Organization name-Workspace.
In the Invite users section, specify the email of each user, as well as their role within this workspace. Click Continue to move to the next step.
Click Skip for now to invite new or add existing users later.
In the Add existing users section, click the Add existing users drop-down multi-select. As soon as you select each user, they will display below in A-Z order.
Set the role for each user.
Workspace admin: Has full access to this workspace.
User: Has access to specified products in this workspace.
Click Create workspace. The new workspace card will display in alphabetical order in the workspaces list.
Each workspace card has a link to Manage users and Manage products.
Click Manage users to display a list of users assigned to this workspace. You can also invite new users or add existing ones.
Click Manage products to display a list of products in this workspace, where you can set each user's SBOM and vulnerability access within each product.
Workspace admin role
If you're a Workspace admin, you will need to contact your Org owner to create another workspace and assign you to it. You can see who your Org owner is in your user avatar drop-down in the main navigation.
Create a product to associate with a workspace
In the Workspaces tab, click the Manage products link on a workspace card.
If you do not have products in this workspace yet, click the Go to products page button. You can add products and product versions from this page.
On the Products page, click the Upload SBOM button or Create product link to create your first product.
If you click Upload SBOM, you'll create a version during this upload process. If you just want to create products and versions, click the Add version button in the empty state or upload an SBOM (which will enable you to create a version).
If you already have products in this workspace, this will display a list of all associated products in this workspace,
Products are organized alphabetically.
If you want to add product versions or upload SBOMs for this product, you can do so from the Products page.
On the Products page, make sure your product is selected in the product drop-down.
Click the Add version button in the empty state or upload an SBOM (which will enable you to create a version).
Set user access for products within a workspace
Users can be granted permissions to view or modify SBOMs and vulnerabilities within a workspace. Their permissions must be set in each workspace they will have access to. Users can be assigned SBOM and vulnerability modification or viewing permissions for each product they are assigned to.
Navigate to Administration > Workspaces tab.
This will display the card list of workspaces.
Workspaces are ordered alphabetically.
Click Manage products on the workspace card. This will display the Workspace products tab and the Workspace users tab, with Workspace products selected. This shows all products within that workspace.
Products are ordered alphabetically.
You can create additional products in the workspace.
The breadcrumb trail workspace drop-down will update to the selected workspace. You can select the < All workspaces link to return to the list of workspaces.
For each product, click the Available users multi-select drop-down.
The drop-down is grouped into Workspace users and Available users. This enables you to add users in this workspace to this product, or to add users that are in the organization to this workspace.
If you need to invite new users to a workspace, click the Workspace users tab, then click the Invite new users link in the toolbar. In the wizard that displays, provide the user information, then assign each user to one or more workspaces and set their respective role in each workspace.
As you click each user, they will appear below where you can set their SBOM and vulnerability access to Modify, View, or None, respectively.
If you set the user role to Workspace admin, these will default to Modify for both, and will be disabled.
Removing users:
To remove users that have already been granted access to this workspace, click the Remove action. This will prompt you to confirm removing that user.
If you add users from the drop-down, but haven't saved these changes yet, click Remove. These users will automatically be removed since they have not received any invite yet.
When you have added users to each desired product, click Save changes at the bottom of the list.
You'll see a success toast notification.
Newly-added users will be sent email invites to join your workspace.
Removed users will not get a notification of their changed access, so you should contact them to let them know.
Invite users to a workspace
As an Org owner or Workspace admin, you can invite new users into a particular workspace from the Workspace users tab within that workspace or can invite them from the global Users tab.
Navigate to Administration > Workspaces tab.
Click the Manage users link on the workspace card. This will display the Workspace products and Workspace users tabs, with the Workspace users tab selected.
In the Workspace users tab, click Invite new users. This will display the Invite users wizard.
Enter the user's email.
When the user accepts the invite, they will be prompted to provide their full name.
Select the workspace this user should have access to.
If you have access to only one workspace, that workspace is selected by default.
Specify the user role for the workspace.
Workspace admin: Give the new user full permissions to that workspace.
User: You will need to set SBOM and vulnerability modification or viewing permissions for all products within that workspace.
Click Add another user to invite another user. You can invite as many users as needed.
Click Invite X users.
You will see an on-screen success notification, reminding you to set the users' product access so that when they accept the invite, they'll be ready to go.
Your team members will be sent invites, which will contain their role and any product access information.
After sending invites, these users will display in the tab with a Pending status. As soon as they accept their invite, their status will change to Active.
You will not receive an email notification at this time, so make sure to keep track of this.
If a user hasn't accepted within 7 business days, the invite link will expire for your security.
You can click the actions overflow ... button > Resend invite at any time.
If you need to change permissions for a Pending user, you'll need to remove them from the users list, then re-add them with the adjusted permissions. This will send out a new invite.
For team members with the User role:
Workspaces and roles you selected during the invite process will be shown in the Workspace access drop-down of the Users tab.
For each user, it will show each workspace paired with its role, such as Engineering: Workspace admin.
User permission combinations
Modify SBOMs and vulnerabilities: This user has full access to that product. All workspace admins will be automatically set to this.
Modify SBOMs, view vulnerabilities: This user has the following permissions:
Upload SBOMs
Create and manage components, as well as apply suggested matches for components
View vulnerabilities and recommended Windows KB patches for vulnerabilities
View Dashboard
Export all FDA-ready reports and download previously run reports
View SBOMs, modify vulnerabilities: This user has the following permissions:
View products and their components, as well as suggested matches for components
Rescore and remediate vulnerabilities, as well as apply recommended Windows KB patches to vulns
View Dashboard
Export all FDA-ready reports and download previously run reports
View SBOMs, view vulnerabilities: This user has the following permissions:
View products and their components, as well as suggested matches for components
View vulnerabilities and recommended Windows KB patches for vulnerabilities
View Dashboard
Export all FDA-ready reports and download previously run reports
Modify SBOMs only: This user has SBOM modify and Vuln none permissions. This role has the following permissions:
Upload SBOMs
Create and manage products and components, as well as apply suggested matches for components
View product information on Dashboard for that workspace
Export these FDA-ready reports: SBOM in JSON, SBOM in CSV, and download these previously run reports.
View SBOMs only: Requires SBOM view and Vuln none permissions. This user has the following permissions:
View products and components
Export these FDA-ready reports: SBOM in JSON, SBOM in CSV, and download these previously run reports.
Modify vulnerabilities only: This role has SBOM none and Vuln modify permissions. This user has the following permissions:
View vulnerabilities list
Rescore and remediate vulnerabilities, as well as apply recommended Windows KB patches to vulns
View vulnerability information on Dashboard
Export these FDA-ready reports: VEX, vulnerabilities CSV, and download these previously run reports.
View vulnerabilities only: Requires SBOM none and Vuln view permissions. This user has the following permissions:
View vulnerabilities list, as well as recommended Windows KB patches to resolve vulnerabilities
View vulnerability information on Dashboard for products
Export these FDA-ready reports for products: VEX, vulnerabilities CSV, and download these previously run reports.
Rename a workspace
In the Workspaces tab, click the actions overflow ... button > Rename workspace.
In the panel that displays, edit the workspace name, then click Rename workspace.
You'll see a toast notification that your workspace was updated.
Remove users from a workspace
To remove users from a workspace, go to the Workspaces tab.
If user only has access to one workspace, this will remove them from Users tab as well. You can always send them a new invite.
Click Manage users link on the workspace card. This will display the Users tab with all users in this workspace.
For each user you want to remove, click the Remove... action link. This will mark those users for removal.
Click Save changes. You'll be prompted to confirm the removal.
You'll see a toast notification.
Users will not be notified of their revoked access. You'll need to contact your users separately to let them know about access changes.
Transfer org ownership
If you need to transfer org ownership, contact us so we can make this adjustment for you.
Last updated
Was this helpful?