Settings Enterprise
Settings covers personal account preferences, team access, and outbound alerting. Open it from the sidebar or the gear icon in the header.
Roles
Trapster uses four built-in roles. Assign a role when inviting a user from Settings > Users.
| Role | Choose when… |
|---|---|
| Administrator | Full platform ownership: users, namespaces, SSO, licensing, all Trapsters and integrations |
| Member | An operator who deploys Trapsters, creates honeytokens and breadcrumbs, and configures integrations within their namespaces |
| Analyst | A triage-only user who acknowledges and investigates incidents but must not change honeypot or integration configuration |
| Read-only | Stakeholders who need visibility (dashboards, incident history) without making any changes |
Member vs. Analyst
This is the most common decision for team leads:
| Capability | Member | Analyst |
|---|---|---|
| View incidents, Trapsters, honeytokens | Yes (within assigned namespaces) | Yes (within assigned namespaces) |
| Acknowledge and delete incidents | Yes | Yes |
| Deploy Trapsters, edit services | Yes | No |
| Create honeytokens and breadcrumbs | Yes | No |
| Configure webhooks, syslog, global emails | Yes | No (view only) |
| Manage users or namespaces | No | No |
| Create personal access tokens | Yes | No |
Member is for someone who runs the deception platform day to day. Analyst is for someone who triages alerts but should not touch infrastructure or integrations.
Both roles are namespace-scoped the same way. Neither sees data outside assigned namespaces unless an Administrator grants them access to all namespaces.
See Roles and Permissions for the full capability matrix.
User notifications vs. organization integrations
Trapster splits alerting into two layers.
User notifications (Settings > Notifications)
Personal email preferences for your Trapster account:
| Level | What you receive by email |
|---|---|
| All notifications | Every incident type in your accessible namespaces |
| Only login attempts | Credential submissions, breadcrumb triggers, and honeytoken hits |
| No notifications | No incident emails |
This controls email to your user account only. It does not configure webhooks, syslog, or SIEM forwarding. It also does not affect whether other team members receive alerts.
Administrators can set a default alert level when inviting a user. Each user can change their own preference afterward.
Organization integrations (Settings > Integrations)
Organization-wide outbound channels that fire independently of any single user:
| Integration | Purpose |
|---|---|
| Emails | Distribution addresses (for example, soc@company.com) that are not tied to a Trapster user account |
| Webhooks | Teams, Slack, Splunk HEC, Sekoia, or custom HTTP endpoints |
| Syslog | Forward incidents and events to a syslog collector or SIEM |
Each integration can be scoped to all namespaces or selected namespaces, and filtered by action type (incidents vs. individual events).
Rule of thumb: use user notifications when a person wants email in their inbox with a personal signal-to-noise preference. Use organization integrations when the SOC pipeline, ticketing system, or SIEM must receive alerts regardless of who is logged in.
See Alerting for setup guides.
SSO
Settings > SSO configures Microsoft Entra ID sign-in using OAuth 2.0 / OpenID Connect. Register Trapster as an application in your Azure portal, then enter the client ID and secret in the dashboard.
How SSO behaves in practice:
- Optional, not mandatory. Enabling SSO adds a "Sign in with Microsoft" button on the login page. Email and password login continues to work for users who prefer it.
- Invite-only. SSO only works for users who already have a Trapster account with a matching email address. Unknown Microsoft accounts are rejected.
- Independent of Trapster 2FA. Two-factor authentication applies to the password login path. Users who sign in through Microsoft rely on your identity provider's MFA policies instead.
Only Administrators can configure SSO.
Two-factor authentication (2FA)
From Settings > Profile, users can enable TOTP-based 2FA with an authenticator app (FreeOTP, Microsoft Authenticator, and similar). After setup, password logins require a verification code. Recovery codes are provided at enrollment.
2FA is per-user and optional. It does not apply to SSO logins (Microsoft handles authentication for those users).
Users and invitations
Invite users from Settings > Users: email, role, namespace assignment, and optional default alert level.
What happens when someone accepts an invite
The invitation email contains a single link that combines account activation and password setup. When the invitee clicks it:
- They choose a password (one step; no separate email verification)
- Their account is activated immediately
- They are redirected to the login page (not straight into the dashboard)
- After signing in, they may be prompted to accept the EULA on first access if they have not already
Invitation links expire after 7 days. An Administrator can resend the invitation from the user's row menu in Settings > Users (only while the user is still inactive).
To cancel a pending invitation, delete the user from Settings > Users. This removes the inactive account entirely. There is no separate "revoke invite" action.
General settings
Settings > General (under Administration) is still available. It controls:
- Organization name shown in the dashboard
- Organization logo (optional, PNG/JPEG/GIF, max 10 MB)
There is no organization timezone setting in the current dashboard. Incident timestamps are stored in UTC and displayed in each user's browser locale. There are no scheduled reports tied to an organization timezone.
Only Administrators can change organization name and logo.
