Version: 11.3.0

HYPR Roles Reference

HYPR uses role-based access control on two product surfaces — Control Center and the Affirm Helpdesk portal. Each surface has its own set of roles, and each role can be assigned directly in HYPR or mapped from an external identity provider via OIDC claims. This page is the cross-product reference; the linked configuration pages cover assignment workflows in detail.

End users of HYPR Passwordless (workstation unlock, web sign-in) and HYPR Adapt have no separate role concept — they authenticate as themselves. Affirm verification flow approvers and escalation approvers are per-workflow configuration assignments, not user-account roles, and are documented with the workflow configuration.

Roles by surface

HYPR Control Center

Five task-based roles. Configured at Standard Mode → Control Center Settings → Control Center Users, or Advanced Mode → Global Settings → Control Center Users. See Control Center Users and Roles for the full role definitions and assignment workflow.

| Role | Scope |
| --- | --- |
| Admin | Full access to all Control Center screens, settings, users, integrations, and Audit Trail. |
| App Manager | Integration administration: add (not delete) integrations; configure FIDO2 settings, Integration settings, and Access Tokens (cannot revoke Control Center tokens); send login recoveries and create magic links; view enrolled/pending users. |
| User Manager | End-user administration: delete HYPR Passwordless client users; send login recovery PINs; add/delete RP Application and Integration users; generate magic links; view authentication history. |
| Viewer | Read-only on Applications, Workstation, and Integrations pages. |
| Basic Login | Default for new users with no other role. Can authenticate but has no Control Center access. Appears in the Roles tab only and is not assignable via Add User. |

Audit Trail Access is a separate permission flag that stacks on top of the role. Admin users always have Audit Trail access; for the other roles it is optionally enabled per user.

HYPR Affirm Helpdesk

Two roles for the Affirm Helpdesk portal. See Affirm Helpdesk for portal capabilities and Affirm Helpdesk via Okta OIDC for the OIDC-claim assignment workflow.

| Role | Scope |
| --- | --- |
| Viewer | View verification workflows and activity records (read-only). |
| Editor | View and initialize verification workflows on a caller's behalf; participate in escalations. |

If a user is assigned the Helpdesk application in the IdP but the OIDC token includes no Helpdesk role claim, HYPR grants Viewer-level access by default. To deny entry to the portal entirely, remove the Helpdesk application assignment for that user in the IdP rather than relying on the absence of role claims.

External IdP claim mapping

HYPR reads role-mapping claims from the OIDC token returned by the identity provider. Configure these claims in your IdP authorization server (Okta, Entra ID, etc.) to drive role assignment from the IdP rather than per-user in Control Center.

| Claim Name | Value | Mapped HYPR role |
| --- | --- | --- |
| hypr_role | HYPR_ADMIN | Control Center → Admin |
| hypr_role | HYPR_APP_MANAGER | Control Center → App Manager |
| hypr_role | HYPR_USER_MANAGER | Control Center → User Manager |
| hypr_role | HYPR_VIEWER | Control Center → Viewer |
| hypr_role | HYPR_LOG_AUDITOR | Control Center → enables the Audit Trail Access permission flag (stacks on the user's existing role; not a standalone role) |
| affirm_helpdesk_role | AFFIRM_HELPDESK_VIEWER or HYPR_AFFIRM_HELPDESK_VIEWER | Affirm Helpdesk → Viewer |
| affirm_helpdesk_role | AFFIRM_HELPDESK_EDITOR or HYPR_AFFIRM_HELPDESK_EDITOR | Affirm Helpdesk → Editor |

For Helpdesk-portal sign-ins specifically, if affirm_helpdesk_role is not present in the token, HYPR checks hypr_role as a secondary claim before falling back to Viewer-level access.
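The following added example (not HYPR code) models the Helpdesk claim lookup order described above, so an administrator can check decoded token claims for users who would reach the portal only through the default Viewer fallback. The function names and sample users are hypothetical. It assumes that a claim is a string or a list of strings, that the secondary check looks for the same Helpdesk values inside hypr_role, that an unrecognised value is treated like an absent claim, and that Editor wins over Viewer when both are present; the page does not specify these details.

```python
# Added example: models the claim table on this page; it is not HYPR code.
HELPDESK_VALUES = {
    "AFFIRM_HELPDESK_VIEWER": "Viewer",
    "HYPR_AFFIRM_HELPDESK_VIEWER": "Viewer",
    "AFFIRM_HELPDESK_EDITOR": "Editor",
    "HYPR_AFFIRM_HELPDESK_EDITOR": "Editor",
}


def claim_values(claims, name):
    """Assumption: a claim is either one string or a list of strings."""
    raw = claims.get(name)
    if raw is None:
        return []
    return [raw] if isinstance(raw, str) else list(raw)


def helpdesk_access(claims):
    """Return (role, source); source is 'primary', 'secondary' or 'default'."""
    # Assumption: hypr_role is searched for the same Helpdesk values, and an
    # unrecognised value counts the same as a missing claim.
    for name, source in (("affirm_helpdesk_role", "primary"),
                         ("hypr_role", "secondary")):
        roles = {HELPDESK_VALUES[v] for v in claim_values(claims, name)
                 if v in HELPDESK_VALUES}
        if roles:
            # Assumption: Editor wins when both role values are present.
            return ("Editor" if "Editor" in roles else "Viewer", source)
    # No recognised Helpdesk value in either claim: Viewer by default.
    return ("Viewer", "default")


def implicit_viewers(tokens):
    """Users whose Helpdesk access comes only from the default fallback."""
    return sorted(user for user, claims in tokens.items()
                  if helpdesk_access(claims)[1] == "default")


# Constructed sample: decoded token claims for users who are assigned the
# Helpdesk application in the IdP.
SAMPLE_TOKENS = {
    "alice": {"affirm_helpdesk_role": "AFFIRM_HELPDESK_EDITOR"},
    "bob": {"hypr_role": ["HYPR_VIEWER", "HYPR_AFFIRM_HELPDESK_VIEWER"]},
    "carol": {"hypr_role": "HYPR_ADMIN"},
    "dave": {},
}

if __name__ == "__main__":
    print("review:", implicit_viewers(SAMPLE_TOKENS))
```

Users returned by `implicit_viewers` are the ones to review in the IdP: either give them an explicit Helpdesk role claim or remove their Helpdesk application assignment.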

Where roles are NOT used

The following are not user-account roles, despite sometimes being described in role-like vocabulary:

  • HYPR Passwordless end users (workstation unlock, web sign-in via the HYPR Mobile App) — authenticate as themselves; no role assignment.
  • HYPR Adapt — risk policies and signal handlers are administered via the Control Center role of the operating user; Adapt does not introduce additional roles.
  • Affirm workflow approvers and escalation approvers — these are per-workflow assignments configured in the verification flow definition. See Approvers and Escalation Approvers.
