Managing your team

Rumble supports multiple concurrent users with a variety of roles. To add a team member, access the Your Team page, and use the Add Team Member button to send an invitation.

Single sign-on (SSO)

If you use a SAML2-compatible single sign on (SSO) implementation, the SSO Settings page can be used to configure an Identity Provider (IdP) and allow permitted users to login to the Rumble console.

Rumble’s SSO implementation is designed to work with common SAML providers with minimal configuration requirements, but it has a few requirements:

  • Your SAML IdP should provide something that looks like an e-mail address in the NameID parameter. It doesn’t need to be a valid e-mail address, but it should be a unique value that has the same syntax as an e-mail address (
  • If the NameID does not look like an e-mail address, Rumble will check the fields email,, emailaddress and email address for a suitable ID.
  • Your users need to authenticate to a single domain such as, not to multiple domains or a domain with many subdomains.
  • Rumble will check for the user’s full name in the fields name, gecos, and displayname. If no full name field is found, Rumble will proceed to check for a first name in first_name, firstname, given_name, user.firstname, givenname or first name; and for a last name in last_name, lastname, family_name, user.lastname, surname, sn, or last name. These attributes are case insensitive.

Multi-factor authentication (MFA)

Rumble supports multi-factor authentication, also known as two-factor authentication or 2FA. Physical hardware keys such as Google TitanKey and Yubico YubiKey are supported via the WebAuthn standard.

You can configure MFA policies for your account via the Account settings page. If multi-factor authentication is required, users who do not have an MFA token set up will be required to set one up when they next log in. You can choose between requiring this for all users, or only requiring it for non-SSO users. The latter option is useful if your SSO server enforces MFA use.

Once a user registers one or more MFA tokens, they will be required to use one of the tokens every time they log in.

Note that changing the account settings to not require MFA will not alter the MFA status of existing accounts. Existing accounts will keep any existing MFA tokens they have registered, and will still be required to use one to log in. To disable MFA for a user, the user must clear the MFA token registration. To do this, they can go to their user settings page and click the red “Unlink” text next to the token ID in the bottom right.

Global roles

Rumble allows roles to be defined per-user at both the global and organization level. The standard roles are admin, user, viewer, and billing. There is also a superuser role available to manage global settings.


The first user created within the Rumble console is considered a superuser. This role allows management of global settings like subscriptions and SSO parameters and can be used to promote or demote other users as superusers. For SSO users, you should configure a single superuser with a strong password and MFA that can used as a backup if SSO settings need to be changed in the future.


Administrators can modify any aspect of an organization and have the unique ability to permanently delete bulk data, create additional organizations, and reset settings for other users.


Users have full access to an organization and can update sites, modify assets, schedule scans, and generally use most functionality. Users are not permitted to reset other user’s security credentials, bulk delete data, or delete an organization.


Annotators have the same permissions as a viewer, except they have the ability to add tags to assets. Annotators do not have any other write-access within an organization, so they are unable to modify or remove existing tags. Modifications to existing tags must be made by a Rumble user or administrator.


Viewers have read-only access to an organization. This includes all inventory data, all reports, and all task configurations. Viewers are not allowed to interact with tasks, modify settings, or update assets. Viewers may not download the command-line Rumble Scanner and install Rumble Explorers, and they do not have access to view API tokens or export tokens.


Billing users are unable to see any asset data, but can manage the licensing, billing, and entity settings for the account.

No Access

Accounts with no access, which is set in the global role, are limited to those organizations where they have been granted access. If no organizations are allowed, the user is limited to managing their own account settings.

These accounts can only see other users that share their authorized organizations. The no access global role can be used to create a single-organization user, such as a customer or third-party that needs access to the inventory for a specific organization. For consulting use cases, a single-organization user is a way to provide clients with visibility into their environment at no additional cost.