Docs/Admin Guide/Assignments

Assignments

Assign specific training modules to individual users, teams, or your entire organization. Track completion, set deadlines, and enforce mandatory training.

Creating an Assignment

To create a new assignment, navigate to Assignments in the admin sidebar and click "New Assignment". Follow these steps:

1. Content Area

Choose Practice (code review challenges), Learn (interactive attack scenarios), or Custom (a custom course you have built). If you pick Custom but your organization has not built any custom courses yet, the form shows an inline warning and the picker stays empty until at least one course exists.

2. Target

Select what to assign. The target hierarchy depends on the content area:

  • Practice: Category → Module → Topic (e.g. "OWASP Web Top 10 > A03 Injection > SQL Injection"). Picking only the category creates a category-level assignment that automatically covers every topic underneath.
  • Learn: Course → Scenario. Picking only the course covers every scenario underneath.
  • Custom: Pick one of your organization's custom courses. The course's items dictate which practice topics and learn scenarios are tracked for completion. See Custom Courses.

3. Assignee

Choose who receives the assignment: an Individual user, a Team, or the Entire Organization. Below the picker the form shows a live preview ("Will assign N challenges to {Assignee}") so you can sanity-check scope before submitting.

4. Deadline

Set a due date. Users will see overdue assignments highlighted in their dashboard.

5. Mandatory

Flag the assignment as required or optional. The flag is on by default — mandatory assignments appear prominently in the user's training queue and contribute to compliance reports; optional assignments are tracked but do not block compliance metrics.

6. Note

Add an optional description or context for the assignment (e.g. "Complete before the Q2 security audit"). The note shows in italic under the title on the assignment detail page and on the assignee's "My assignments" view.

Create Assignment Form

Here's what the assignment creation form looks like:

app.securecodinghub.com/organization/assignments
New assignment
Pick a content area, target, audience, and deadline.
practice
Code review challenges.
learn
Interactive scenarios.
custom
Curated course.
OWASP Web Top 10 / A03 Injection / SQL Injection
Will assign 11 challenges to 24 learners.
Team — Backend Team (24 members)
2026-04-15
required
optional
Complete before Q2 security audit.

Assignment Targets

You can assign training at different levels of granularity:

Content AreaTarget LevelExample
PracticeCategoryAll OWASP Web Top 10 challenges
PracticeModuleAll A03 Injection challenges
PracticeTopicSQL Injection challenges only
LearnCourseAll Web Security scenarios
LearnScenarioIDOR scenario only
CustomCustom courseThe "Q2 Onboarding" course you built under Custom Courses

Tracking Progress

Click on any assignment to view its detail page, which shows:

  • Overall completion rate — percentage of assigned users who have completed
  • Per-user progress bars — individual progress for each assignee
  • Overdue status — highlighted when past the deadline
  • Individual scores — challenge scores per user

Assignment Detail

Here's what an assignment detail page looks like:

app.securecodinghub.com/organization/assignments/d7c8a1b2…
SQL Injection — Practice
PRACTICEMANDATORYApr 15, 2026 deadline · Backend Team
Total Users
12
Backend Team
Completed
8
67% of users
Overdue
1
past deadline
Avg Progress
82%
across all assignees
User progress
12 assignees
Sarah Chen11/11
100%COMPLETED
James Park11/11
100%COMPLETED
Emma Wilson7/11
64%IN PROGRESS
Alex Kumar3/11
27%OVERDUE
Maria Santos0/11
0%NOT STARTED

Editing & Deactivating

You can edit an assignment's deadline, note, mandatory flag, and active state at any time. Changes apply immediately to all assignees.

The Delete action sets isActive=false — it does not erase the row. The assignment stops appearing in assignees' "My assignments" views and stops contributing to compliance metrics, but its per-user progress is preserved so historical reports continue to resolve. Reactivating a deactivated assignment is not exposed in the admin UI today; it is doable through the public API by sending {"isActive": true} against PATCH /api/public/v1/assignments/{id}.

The assignments list page also exposes an Export CSV button that downloads every assignment with its target, assignee, deadline, mandatory flag, and aggregate progress — useful for audit packs.

Picking the right scope for an assignment

The same training content can be assigned at a single topic, a module of related topics, or an entire category. Picking the right level of granularity is the difference between an assignment your team finishes in a week and one that drags on for a quarter while everyone half-engages. As a rule of thumb, assign by topic when you are reacting to a specific incident or pen-test finding, assign by module when onboarding a new hire, and assign by full category only when you have a measured runway of weeks and a clear compliance reason.

Topic versus full-track assignments

A single-topic assignment is the right tool when a recent pen test surfaced an SQL injection in your codebase, when a CVE in a library you depend on uses a class of vulnerability your team has not seen, or when an engineer needs a targeted refresher. The scope is small, the connection to real risk is direct, and engineers finish in a sitting or two. Completion rates on topic-level assignments are typically much higher than on category-level ones because the goal is concrete.

A full-track assignment — say, the entire OWASP Web Top 10 category — works for onboarding cohorts and annual mandatory training cycles, but it needs a realistic deadline. Plan on six to ten weeks for a category-level track at a sustainable pace of two to three hours per week of training time. Shorter deadlines push engineers into clicking through content without absorbing it, which defeats the purpose and produces a clean dashboard with weak retention behind it.

Time-boxing and compliance evidence

Set a deadline on every assignment, even the optional ones. A deadline reframes the assignment as a commitment rather than a backlog item, and the overdue indicator on the user dashboard becomes a useful nudge for line managers during one-on-ones. For mandatory training, set the deadline thirty days before the compliance evidence cutoff so you have buffer to chase down stragglers.

For organizations subject to PCI DSS 6.2.2 — which requires that developers receive secure coding training relevant to their job role at least annually — assignments serve as the primary evidence artifact. The assignee list shows scope, the completion timestamps show when training occurred, and the individual scores show whether learners engaged with the material. The same artifacts satisfy ISO 27001 Annex A.14 requirements for secure development training. Keep deactivated assignments in the system rather than deleting them, since the audit window for both standards extends back through prior years.

Tip: Assigning to a Team automatically includes future members. See Teams for details on team management.