User Permissions

21 min. read. Last update: 04.22.2025

After a user gets invited and their account has been created, you can set specific permissions for them. New users will have to be created or invited with a user role, which will be selected by the person creating or inviting the user. To edit these privileges, navigate to the Users page.  

Editing User Permissions in the ThreatLocker Portal 

On the Users page, select the name of the user you want to change the permissions on.  

 

In the 'Edit User' side panel, navigate to the 'Roles/Permissions' section. In the 'Individual Permissions' dropdown, you can select as many or as few permissions as needed.

Definitions of Individual Permissions 

Approval Permissions 

If you would like your user to be able to approve requests using a maintenance mode, combine the 'Approval' permission with the corresponding 'Manage Maintenance Mode' permission (e.g., combine 'Approve for Entire Organization' with 'Manage Application Control Installation Mode' to allow the user to process approvals for the entire organization using Installation mode).

  • Approve for Entire Organization - This permission allows users to view the Approval Center page and approve application and storage requests at the Entire Organization Level, the Computer Group Level, or for a Single Computer. It grants access to approve by custom rule or hash only, but does not provide access to any maintenance modes. Combine it with a maintenance mode permission to give users access to use maintenance modes.

  • Approve for Global - This permission allows users to view the Approval Center page and approve application and storage requests at the Global Group Level, the Entire Organization Level, the Computer Group Level, or for a Single Computer. It grants access to approve by custom rule or hash only, but does not provide access to any maintenance modes. Combine it with a maintenance mode permission to give users access to use maintenance modes. 

  • Approve for Group — This permission allows users to view the Approval Center page and approve application and storage requests at the Computer Group Level or for a Single Computer. It grants access to approve by custom rule or hash only, but does not provide access to any maintenance modes. Combine it with a maintenance mode permission to give users access to use maintenance modes.  

  • Approve for Single Computer - This permission allows users to view the Approval Center page and approve application and storage requests for a Single Computer. It grants access to approve by custom rule or hash only, but does not provide access to any maintenance modes. Combine it with a maintenance mode permission to give users access to use maintenance modes. 

  • Approve for Single Computer (Application Only) - This option allows users to view the Approval Center page and approve application requests for a single endpoint at a time. It does not grant the ability to approve storage requests. 

  • Elevation Administrator - This permission allows you to set an Elevation maintenance mode from the Devices page when combined with a permission that provides access to the Devices page and to approve Elevation requests. It must be combined with one of the other Approval permissions to gain access to the Approval Center page.

  • View Approvals - This allows you to view the Approval Center page and open the approvals, but it does not allow you to action the requests.

Administrator Permissions

  • Assign Roles - This provides the ability to assign and remove User Roles from administrators. A Role is a collection of permissions. 

  • Change Permission - This permission allows a user to add or remove individual permissions. It must be combined with either the 'Edit Administrators' or the 'View Administrators' permission, which gives the user access to the Users page. This permission does NOT allow the user to apply or edit User Roles.

  • Edit Administrators — This permission allows you to view the Users page, add a new user, invite a new user, delete a user, reset passwords, and edit the information of listed administrators, but it does not allow you to change a user's permissions. 

  • Edit Logon Settings - This permission gives the user the ability to edit logon settings. 

  • Role Administrator - This provides the ability to create new User Roles, edit existing User Roles, and make changes to User Roles. A Role is a collection of permissions. 

  • View Administrators - This permission gives view-only access to the Users page. 

Application Control Permission 

  • Allow Application Merge — This permission allows you to merge application definitions, but it does not provide viewing access to the Application Control > Applications page. You will also need to add the ability to Edit Application Control Applications.   

  • Edit Application Control Applications - This provides the ability to view the Application Control > Applications page, to enable and disable applications, use the remove unused applications button, and to create, edit and delete applications.  

  • Edit Application Control Policies - This permission gives the user full control of the Application Control > Policies page, including creating new application policies, editing policies, deleting policies, and moving policies. 

  • Manage Tags — This permission allows you to edit and create new tags and add items to existing tags. 

  • Promote to Entire Organization - This grants the user the ability to promote existing Application Control Application Policies to the Computer Group or Entire Organization level. 

  • Promote to Group — This allows the user to promote existing Application Control Application Policies to the Computer Group level. 

Billing Permissions 

  • Edit Billing - This gives the user the ability to view the Billing page and make changes to the information displayed on the Billing page. 

  • View Billing - This gives the user view-only access to the Billing page.    

Community Permissions 

  • Manage Community - This permission grants the user the ability to publish policies to the Community and add and remove subscriptions and subscribers. 

  • View Community - This permission grants the user view-only access to the Community and policies that are published on the Community. 

Computer Permissions 

  • Allow View Check-in History - When combined with either View or Edit Computers, this permission will permit access to view the Check-in History tab in the Devices sidebar.

  • Edit Computer Groups - This gives the user access to the Devices > Groups tab, provides the ability to create, edit, and delete computer groups, change the Update Channel of a group, and update the ThreatLocker Version of a group.  

  • Edit Computers - This permission allows the user to access the Devices page and the QR Scanner on the Mobile App. It does not grant the ability to change maintenance modes. 

  • Install Computers — This permission will grant access to the Install Computers button and view-only access to the Devices page. 

  • View Computers - This permission will provide view-only access to the Devices page. 

  • View Override Codes — This permission is included in the Super Admin permissions and is needed to view the Override Codes report. 

General Permissions 

  • Edit Integrations - This permission gives the user the ability to view the Integrations page, create, edit and delete integrations. 

  • Edit Mutual Action Plans - This permission grants the users the ability to add Key Stakeholders, add notes, upload files, and mark tasks complete. 

  • Manage Community - This permission allows the user to view and change Community Settings. Combined with other permissions, such as Application Control Permissions or ThreatLocker Detect Permissions, this can also permit the user to apply ThreatLocker Community policies to the organization. 

  • Manage Local Admin Settings - This permission allows the user to manage the local Windows and macOS administrators on all endpoints with ThreatLocker installed.

  • Super Admin - This provides the user full control of all listed user permissions for the parent account, including child organizations, and provides access to the System Audit page.  

  • Super Admin - Child - This permission grants the user full control of all listed user permissions only on child organizations, not on the Organization this user is set on. This does not provide access to the System Audit page. For example, if Company A manages Company B and Company C, a super admin-child set on Company A will not have permissions on Company A, but will have full permissions on Company B and Company C. 

  • Super Admin – Logged-In Organization Only - This permission grants the user full control of all listed user permissions only on the logged-in organization. This admin will have no permission to access child organizations.

  • View Community - This permission grants the user view-only access to the Community page.

  • View Health Center - This permission grants the user view-only access to the Health Center.  

  • View Mutual Action Plans - This permission grants the user view-only access to the Mutual Action Plans, including notes and files. 

  • View Reports - This provides access to the Reports page, where the user can generate and view reports.

  • View System Audit - This provides access to the System Audit page. 

  • View Unified Audit - This allows the user to view and search the Unified Audit page and view the file history for audit entries, but it does not provide permission to add to applications, permit applications, or deny applications.  

Network Control Permissions 

  • Edit Network Control Authorization Hosts - This provides the ability to edit, add, or delete authorization hosts and create their passwords. 

  • Edit Network Control Policies - This provides the ability to edit, add, or delete Network Control policies.  

Organization Permissions 

  • Edit Organizations - This permission grants the user the ability to view the Organizations page, delete an empty organization, use the 'Deploy Policies' button located at the top of the page, and edit the General, Billing, Exclusions, Tray, and Branding settings for the organization. 

  • View Organizations - This provides the ability to view the Organizations page, to delete an empty organization, and use the 'Deploy Policies' button located at the top of the Organizations page.  

Storage Control Permissions 

  • Edit Storage Control Policies - This allows you to edit, add, or delete Storage Control policies. 

  • Edit Storage Control Storage Devices - This allows you to edit, add, or delete Storage Devices. 

Configuration Manager Permissions 

  • Edit Configuration Manager Policies - This provides the ability to add, edit, or delete Configuration Manager policies.  

  • View Configuration Manager - This provides the ability to view Configuration Manager policies. 

  • View ThreatLocker Administrator Password — This permission allows the user to view the TLAPS password on the Devices page, as set by a Configuration Manager policy.  

ThreatLocker Detect Permissions 

  • Allow Remediation - This permission is NOT included in Super Admin. It needs to be combined with View Computers and View Threats at a minimum. It allows access to use the Remediator. If the Remediator is not already installed on the target endpoint, this will require Edit Computers to gain access to download and install the Remediator. 

  • Edit All ThreatLocker Detect Policies - This allows you to edit, add, or delete ThreatLocker Detect policies. 

  • Manage Cyber Hero Response Settings - This permission grants access to view and edit Cyber Hero Response Settings for Endpoint and Cloud Detect. It must be combined with at least View ThreatLocker Detect Policies to access the ThreatLocker Detect page. 

  • Manage All ThreatLocker Detect Remediations - This grants the user access to the Response Center Remediation page. It must be combined with View Computers to view the alert sidebar. It allows the user to put a computer into lockdown or isolate. 

  • Manage All ThreatLocker Detect Threats — This grants the user access to the Response Center Threats page. The user can view and clear alerts, update the threat status, and view, add, edit, and delete exclusions for both Cloud and Endpoint Detect. 

  • View All ThreatLocker Detect Policies - This allows you to view ThreatLocker Detect policies. 

  • View All ThreatLocker Detect Remediations - This provides view-only access to the Response Center > Remediation tab. 

  • View All ThreatLocker Detect Threats - This provides view-only access to the Response Center > Threats tab.  

Endpoint Detect Permissions 

  • View Endpoint Detect Policies - This allows you to view Endpoint Detect policies. 

  • Edit Endpoint Detect Policies - This allows you to edit, add, or delete Endpoint Detect policies. 

  • View Endpoint Detect Remediation - This allows view access to the Response Center > Remediation tab and shows all Endpoint Detect Remediations. Also allows view of the Detect Dashboard, but only for Endpoint Detect.

  • Edit Endpoint Detect Remediation - This allows edit access to the Response Center > Remediation tab and shows all Endpoint Detect Remediations with the ability to action them. Also allows viewing of the Detect Dashboard, but only for Endpoint Detect.

  • View Endpoint Detect Threats - This allows view access to the Response Center > Threats tab and shows Endpoint threats. This allows access to view the ThreatLocker Detect tabs on the computer sidebar. Also allows view of the Detect Dashboard, but only for Endpoint Detect.

  • Edit Endpoint Detect Threats - This allows edit access to the Response Center > Threats tab and shows Endpoint threats, and allows you to action them. This allows access to view the ThreatLocker Detect tabs on the computer sidebar. Also allows view of the Detect Dashboard, but only for Endpoint Detect.

Cloud Detect Permissions 

  • View Cloud Detect Policies - This allows you to view Cloud Detect policies.

  • Edit Cloud Detect Policies - This allows you to edit, add, or delete Cloud Detect policies.

  • View Cloud Detect Remediation - This allows edit access to the Response Center > Remediation tab and shows all Cloud Detect Remediations with the ability to action them. Also allows view of the Detect Dashboard, but only for Cloud Detect.

  • Edit Cloud Detect Remediation - This allows edit access to the Response Center > Remediation tab and shows all Cloud Detect Remediations with the ability to action them. Also allows view of the Detect Dashboard, but only for Cloud Detect.

  • View Cloud Detect Threats — This allows view access to the Response Center > Threats tab and shows Cloud threats. Also allows view of the Detect Dashboard, but only for Cloud Detect.

  • Edit Cloud Detect Threats - This allows edit access to the Response Center > Threats tab and shows Endpoint threats, and allows you to action them. Also allows view of the Detect Dashboard, but only for Cloud Detect.

Cloud Control Permissions 

  • View Cloud Control - This allows the user to view the Cloud Control “Microsoft 365 Control” named locations but not edit them.

  • Edit Cloud Control - This allows the user to view and edit the Cloud Control “Microsoft 365 Control” named locations.

Mobile Permissions 

  • View Mobile Devices - This allows the user to view Mobile devices on the Devices > Mobile tab, but not edit them.

  • Edit Mobile Devices - This allows the user to view and edit Mobile devices on the Devices > Mobile tab.

Maintenance Mode Permissions 

  • Manage All Maintenance Modes - This allows the user to enable/disable ALL maintenance modes via the Devices page. It must be combined with the Edit Computers permission before the user can open the Devices sidebar and schedule maintenance modes. It must be combined with Edit Application Control Applications permission before Application Control Learning Mode or Application Control Installation Mode can be used. It must be combined with the Approval permission before the user can action Approval Requests.

  • Manage Application Control Installation Mode - This allows the user to enable/disable Application Control Installation mode via the Devices page. It must be combined with the Edit Computers permission before the user can open the Devices sidebar and schedule maintenance modes. It must be combined with the Approval permission before the user can action Approval Requests. 

  • Manage Application Control Learning Mode - This allows the user to enable/disable Application Control Learning mode via the Devices page. It must be combined with the Edit Computers permission before the user can open the Devices sidebar and schedule maintenance modes. It must be combined with the Approval permission before the user can action Approval Requests.

  • Manage Application Control Monitor Only - This allows the user to enable/disable Application Control Monitor Only mode via the Devices page. It must be combined with the Edit Computers permission before the user can open the Devices sidebar and schedule maintenance modes. It must be combined with the Approval permission before the user can action Approval Requests. 

  • Manage Network Control Monitor Only - This allows the user to enable/disable Network Control Monitor Only mode via the Devices page. It must be combined with the Edit Computers permission before the user can open the Devices sidebar and schedule maintenance modes.  

  • Manage Storage Control Monitor Only - This allows the user to enable/disable Storage Control Monitor Only mode via the Devices page. It must be combined with the Edit Computers permission before the user can open the Devices sidebar and schedule maintenance modes. It must be combined with the Approval permission before the user can action Approval Requests. 

  • Manage Tamper Protection - This allows the user to enable/disable Tamper Protection via the Devices page. It must be combined with the Edit Computers permission before the user can open the Devices sidebar and schedule maintenance modes. 

Patch Management Permissions

  • View Patch Management Policies - This provides view-only access to the Patch Management Policies tab, Upcoming Patches tab, and Missing Updates tab, and view-only access to the Patch Management policy sidebars. The user cannot create or edit Patch Management Policies, or skip, patch, mark complete, or abort any missing updates or upcoming patches.

  • Edit Patch Management Policies - This provides full access to the Patch Management Policies tab, Upcoming Patches tab, and Missing Updates tab. The user can create and edit Patch Management Policies, and skip, patch, mark complete, and abort any missing updates and upcoming patches.

Web Control Permissions

  • View Web Control Policies - This provides view-only access to the Web Control modules page and view-only access to Web Control policy sidebars. The user receives no ability to edit any details on the main grid, create Web Control policies, or update existing policies.

  • Edit Web Control Policies - This permission allows the user to view and edit the Web Control page and policies. It permits the user full access to the page as well as the ability to process Web Control approval requests.
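
The "must be combined with" rules in the definitions above can be checked mechanically during an access review. The following Python is an added example, not ThreatLocker code: it works on permission names as plain strings (no portal or API access is assumed), reports permissions granted without the companion the page says they need, and lists Approval plus maintenance-mode pairs. All function and variable names are hypothetical; Super Admin variants and the ThreatLocker Detect rules that name 'View Threats' are not modelled.

```python
# Added example: rule tables transcribed from the permission definitions on this
# page. Inputs are plain permission names; nothing here talks to the portal.

APPROVE = frozenset({
    "Approve for Entire Organization", "Approve for Global", "Approve for Group",
    "Approve for Single Computer", "Approve for Single Computer (Application Only)",
})

# Maintenance-mode permission -> True when its definition says an Approval
# permission is also needed before the user can action Approval Requests.
MAINTENANCE = {
    "Manage All Maintenance Modes": True,
    "Manage Application Control Installation Mode": True,
    "Manage Application Control Learning Mode": True,
    "Manage Application Control Monitor Only": True,
    "Manage Network Control Monitor Only": False,
    "Manage Storage Control Monitor Only": True,
    "Manage Tamper Protection": False,
}

# (permission, companions of which at least one must be held, what is lost otherwise)
REQUIRES_ANY = [
    ("Elevation Administrator", APPROVE | {"View Approvals"},
     "no access to the Approval Center page"),
    ("Change Permission", frozenset({"Edit Administrators", "View Administrators"}),
     "no access to the Users page"),
    ("Allow Application Merge", frozenset({"Edit Application Control Applications"}),
     "no view of Application Control > Applications"),
    ("Allow View Check-in History", frozenset({"View Computers", "Edit Computers"}),
     "Check-in History tab not reachable"),
    ("Manage All ThreatLocker Detect Remediations", frozenset({"View Computers"}),
     "alert sidebar not viewable"),
    ("Manage All Maintenance Modes", frozenset({"Edit Application Control Applications"}),
     "Learning and Installation mode cannot be used"),
] + [
    (perm, frozenset({"Edit Computers"}), "Devices sidebar cannot be opened to schedule modes")
    for perm in MAINTENANCE
]

# Built-in Read Only role, copied from the list on this page.
READ_ONLY = frozenset({
    "View Approvals", "View Administrators", "View Computers", "View Unified Audit",
    "View Health Center", "View Reports", "View System Audit",
    "View Configuration Manager", "View ThreatLocker Detect Policies",
    "View ThreatLocker Detect Remediations", "View ThreatLocker Detect Threats",
})


def effective(role_permissions, individual_permissions):
    """A user's permission set: role permissions plus individual permissions."""
    return set(role_permissions) | set(individual_permissions)


def missing_companions(granted):
    """Return (permission, accepted companions, effect) for each granted
    permission whose required companion is absent."""
    granted = set(granted)
    return [
        (perm, sorted(companions), effect)
        for perm, companions, effect in REQUIRES_ANY
        if perm in granted and not (granted & companions)
    ]


def approval_mode_pairs(granted):
    """Return (approval, maintenance mode) pairs; per the page, such a pair lets
    the user process approvals using that maintenance mode."""
    granted = set(granted)
    approvals = sorted(granted & APPROVE)
    modes = sorted(p for p in granted if MAINTENANCE.get(p))
    return [(a, m) for a in approvals for m in modes]


if __name__ == "__main__":
    # Constructed sample: Read Only role plus four individual permissions.
    user = effective(READ_ONLY, {"Change Permission", "Manage Tamper Protection",
                                 "Elevation Administrator", "Allow View Check-in History"})
    for perm, needs, effect in missing_companions(user):
        print(f"{perm}: add one of {needs} ({effect})")
    # Constructed sample: a technician who can approve using Installation mode.
    tech = {"Approve for Group", "Manage Application Control Installation Mode",
            "Edit Computers"}
    for approval, mode in approval_mode_pairs(tech):
        print(f"{approval} + {mode}: approvals can use this maintenance mode")
```
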

Built-In Roles 

For your convenience, ThreatLocker now provides users with built-in roles. These roles are for Administrator, Billing, Owner, and Read Only and have a pre-existing set of permissions that ThreatLocker has set up for you. Below are the lists of built-in roles and their permissions.

Note: If your organization existed prior to the creation of these built-in roles (1/15/2024), you will have to create them manually. 

Administrator

  • Approve for Entire Organization 

  • Approve for Group 

  • Approve for Single Computer 

  • Approve for Single Computer (Application Only) 

  • Elevation Administrator 

  • View Approvals 

  • Role Administrator

  • View Administrators 

  • Assign Roles 

  • Change Permission 

  • Edit Administrators 

  • Edit Logon Settings 

  • Allow Application Merge 

  • Edit Application Control Applications 

  • Edit Application Control Policies 

  • Manage Tags 

  • Promote To Entire Organization 

  • Promote To Group 

  • Edit Computer Groups 

  • Edit Computers 

  • Allow View Checkin History 

  • Install Computers 

  • View Computers 

  • View Override Codes 

  • View Unified Audit 

  • View Health Center 

  • View Reports 

  • View System Audit 

  • Super Admin 

  • Super Admin – Child 

  • Super Admin – Parent Only

  • Edit Integrations 

  • Edit Network Control Authorization Hosts 

  • Edit Network Control Policies 

  • Edit Organizations 

  • View Organizations 

  • Edit Storage Control Policies 

  • Edit Storage Control Storage Devices 

  • Edit Configuration Manager Policies 

  • View Configuration Manager 

  • View ThreatLocker Administrator Password 

  • View ThreatLocker Detect Policies 

  • View ThreatLocker Detect Remediations 

  • View ThreatLocker Detect Threats 

  • Edit ThreatLocker Detect Policies 

  • Manage ThreatLocker Detect Remediations 

  • Manage ThreatLocker Detect Threats 

Billing

  • View Billing 

  • Edit Billing 

Owner

  • Approve for Entire Organization 

  • Approve for Group 

  • Approve for Single Computer 

  • Approve for Single Computer (Application Only) 

  • Elevation Administrator 

  • View Approvals 

  • Role Administrator 

  • View Administrators 

  • Assign Roles 

  • Change Permission 

  • Edit Administrators 

  • Edit Logon Settings 

  • Allow Application Merge 

  • Edit Application Control Applications 

  • Edit Application Control Policies 

  • Manage Tags 

  • Promote To Entire Organization 

  • Promote To Group 

  • View Billing 

  • Edit Billing 

  • Edit Computer Groups 

  • Edit Computers 

  • Allow View Checkin History 

  • Install Computers 

  • View Computers 

  • View Override Codes 

  • View Unified Audit 

  • View Health Center 

  • View Reports 

  • View System Audit 

  • Super Admin 

  • Super Admin – Child 

  • Super Admin – Parent Only 

  • Edit Integrations 

  • Edit Network Control Authorization Hosts 

  • Edit Network Control Policies 

  • Edit Organizations 

  • View Organizations 

  • Edit Storage Control Policies

  • Edit Storage Control Storage Devices 

  • Edit Configuration Manager Policies 

  • View Configuration Manager 

  • View ThreatLocker Administrator Password 

  • View ThreatLocker Detect Policies 

  • View ThreatLocker Detect Remediations 

  • View ThreatLocker Detect Threats 

  • Edit ThreatLocker Detect Policies 

  • Manage ThreatLocker Detect Remediations 

  • Manage ThreatLocker Detect Threats


Read Only

  • View Approvals 

  • View Administrators 

  • View Computers 

  • View Unified Audit 

  • View Health Center 

  • View Reports 

  • View System Audit 

  • View Configuration Manager 

  • View ThreatLocker Detect Policies 

  • View ThreatLocker Detect Remediations 

  • View ThreatLocker Detect Threats 

Creating Custom User Roles 

Administrators can create custom user roles based on their organization's specific needs. Once created, these user roles can be applied to specific administrators. These roles are organization-specific and must be created at the organization level where they will be applied.    

First, navigate to the ‘Users’ page, then select the ‘Roles’ tab shown in the top right of the page. Once selected, you will see the ‘+ New Role’ button on the top left side of the page.

Select '+ New Role'. 

 

Insert a name for the user role in the 'Role Name' textbox. 

If desired, input a description for the user role in the 'Description' textbox. 

Expand the 'Role Permissions' dropdown menu and select the checkbox next to the permissions you wish to include in this custom user role.  

Once you have made all the selections needed for this user role, select '+ Create Role'. 


The role will now appear in the list on the main page. If you need to make changes to this role, selecting the role will open the ‘Edit Role’ side panel in which you can add and delete role permissions or change the name/description. 

Roles can be deleted by selecting the delete icon. 

 

Applying Custom User Roles 

Once created, custom user roles can be applied to administrators in the same way as applying specific permissions.

On the 'Users' page, select the name of the user you want to change the permissions on.

 

In the 'Edit User' side panel, navigate to the 'Roles/Permissions' section.

Expand the 'Role' dropdown menu to select the desired role. 

Optionally, you can select the organization to apply this custom role to. This is beneficial for organizations with child organizations, allowing the user to have different permissions for different organizations. 

Select the '+' icon to add the role. 


Select 'Save' to save your changes. 

Deprecated Permissions 

Please Note: All deprecated permissions that are currently applied will continue to work as expected. 

  • Approve for Entire Organization (Learning Mode Only) - can process application or storage approval requests for an entire organization, a group, or a single computer, and when combined with Edit Computer, ONLY use Learning Mode.

  • Approve for Entire Organization (Installation Mode Only) - can process application or storage approval requests for an entire organization, a group, or a single computer, and when combined with Edit Computer, ONLY use Installation Mode.

  • Approve for Group (Learning Mode Only) - can process application or storage approval requests for a group or a single computer, and when combined with Edit Computer, use ONLY Learning Mode.

  • Approve for Group (Installation Mode Only) - can process application or storage approval requests for a group or a single computer, and when combined with Edit Computer, use ONLY Installation Mode.

  • Approve for Single Computer (Learning Mode Only) - can process application or storage approval requests for a single computer, and when combined with Edit Computer, ONLY use Learning Mode.

  • Approve for Single Computer (Installation Mode Only) - can process application or storage approval requests for a single computer, and when combined with Edit Computer, ONLY use Installation Mode.

  • Approve for Single Computer (Application and Learning Mode Only) - can process application approval requests for a single computer, and when combined with Edit Computer, ONLY use Learning Mode.

  • Approve for Single Computer (Application and Installation Mode Only) - can process application approval requests for a single computer, and when combined with Edit Computer, ONLY use Installation Mode.

  

 

 
