User Permissions

14 min. readlast update: 02.07.2024

After an administrator gets invited and their account has been created, you can set specific permissions for them. By default, the new administrator will not have any permissions assigned. To edit these privileges, navigate to the Administrators page.  

Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, you can find the appropriate directions by scrolling down in the article. 

Editing User Permissions in the ThreatLocker Portal

On the Administrators page, select the name of the administrator you want to change the permissions on. 

undefined

In the 'Update Administrator' side panel, navigate to the 'Roles/Permissions' section. In the 'Individual Permissions' dropdown, you can select as many or as few permissions as needed.

Defintions of Individual Permissions

Approval Permissions

Along with approving requests, if you would like your administrator to have the ability to set maintenance modes for your computers, you will need to combine one of these 'Approval' privileges with the 'Edit Computers' permission.

  • Approve for Entire Organization - This provides the ability to view the Approval Center page, approve application and storage requests at the Entire Organization Level, or the Group Level, or for a Single Computer.
  • Approve for Group - This permission provides the ability to view the Approval Center page, approve application and storage requests for Computer Groups or a Single Computer.
  • Approve for Single Computer - This permission provides the ability to view the Approval Center page and approve application and storage requests for a singular endpoint. 
  • Approve for Single Computer (Application Only)- This provides the ability to view the Approval Center page, approve application requests for a singular endpoint. This does not grant the ability to approve storage requests.
  • Elevation Administrator - This provides the ability to approve Elevation requests. It must be combined with one of the other Approval permissions to gain access to the Approval Center page.
  • View Approvals - This provides the ability to view the Approvals Center page, but not the ability to open the requests.  

Administrator Permissions

  • Assign Roles - This provides the ability to assign roles to administrators giving them specific permissions.
  • Change Permission - This provides the ability to edit permissions for a user. This must be combined with either the 'Edit Administrators' permission or the 'View Adminstrators' permission, which gives the user access to the Administrators page.
  • Edit Administrators - This permission provides the ability to view the Administrators page, add a new administrator, invite a new administrator, delete an administrator, reset passwords, and edit the information of listed administrators, minus the ability to change a user's permissions. 
  • Role Administrator - This provides the ability to add permissions and make changes to administrator roles.
  • View Administrators - This permission gives the administrator the ability to view the Administrators page.

Application Control Permission

  • Allow Application Merge - This permission provides the ability to merge application definitions, but it does not provide viewing access to the Application Control > Applications page. You will also need to add the ability to Edit Application Control Applications.  
  • Edit Application Control Applications - This provides the ability to view the Application Control > Applications page, edit applications, create new applications and delete applications.
  • Edit Application Control Policies - This permission gives the administrator full control of the Application Control > Policies page including creating new application policies, editing policies, deleting policies, and moving policies. 
  • Manage Tags - This permission gives the ability to edit and create new tags, as well as to add items to those tags.

Billing Permissions

  • Edit Billing - This gives the user the ability to view the Billing page and make changes to the information displayed on the Billing page.
  • View Billing - This gives the administrator the ability to only view the Billing page.   

Computer Permissions

  • Edit Computer Groups - This provides the ability to edit listed computer groups on the Computer Groups page. Changes include creating a new computer group, editing the title of a group, deleting a group, updating the ThreatLocker Version, and changing the Update Channel. 
  • Edit Computers - This permission allows the administrator to access the QR Scanner on the Mobile App and everything on the Computers page except the 'Maintenance Mode' button. 
  • View Override Codes - This permission is needed to be able to view the Override Codes report (unless the administrator has Super Admin permissions).

General Permissions

  • Edit Integrations - This permission gives the administrator the ability to view the Integrations page, create and delete integrations. 
  • Super Admin - This provides the administrator full control of all listed user permissions for the parent account, including child organizations, and provides access to the System Audit page. 
  • Super Admin-Child - This permission grants the administrator full control of all listed user permissions only on child organizations, not on the Organization this user is set on. This does not provide access to the System Audit page. For example, if Company A manages Company B and Company C, a super admin-child set on Company A will not have permissions on Company A, but will have full permissions on Company B and Company C.
  • Super Admin - Parent Only
  • View Reports - This provides access to the Reports page where the administrator has the ability to generate and view reports.  
  • View System Audit - This provides access to the System Audit page.
  • View Unified Audit - This provides the administrator the ability to view and search the Unified Audit page, view the file history for audit entries, but does not provide permission to add to applications, permit vendor, or permit or deny applications.   

Network Control Permissions

  • Edit NC Authorization Hosts - This provides the ability to edit, add, or delete authorization hosts and create the passwords.
  • Edit Network Control Policies - This provides the ability to edit, add, or delete Network Control policies. 

Organization Permissions

  • Edit Organizations - This permission grants the administrator the ability to view the Organizations page, delete an empty organization, the ability to use the 'Deploy Policies' button located at the top of the page, and edit the General, Billing, Exclusions, Tray, and Branding, settings for the organization. 
  • View Organizations - This provides the ability to view the Organizations page, the ability to delete an empty organization, and the ability to use the 'Deploy Policies' button located at the top of the Organizations page. 

Storage Control Permissions

  • Edit Storage Control Policies - This provides the ability to edit, add, or delete Storage Control policies. 
  • Edit Storage Control Storage Devices - This provides the ability to edit, add, or delete storage devices

Configuration Manager Permissions

  • Edit Configuration Manager Policies - This provides the ability to edit, add, or delete Configuration Manager policies.  
  • View Configuration Manager - This provides the ability to view Configuration Manager policies.  

ThreatLocker Ops Permissions

  • Edit ThreatLocker Ops - This provides the ability to edit, add, or delete ThreatLocker Ops policies.  
  • View ThreatLocker Ops - This provides the ability to view ThreatLocker Ops policies. 

 

Creating Custom User Roles

Administrators can create custom user roles based on their organization's specific needs. Once created, these user roles can be applied to specific administrators. These roles are organization-specific, and must be created at the organization level where they will be applied.   

Navigate to the Administrators page and switch to the Roles tab. 

Select '+ New Role'.

undefined

 

Insert a name for the user role in the 'Role Name' textbox.

If desired, input a description for the user role in the 'Description' textbox.

Expand the 'Role Permissions' dropdown menu and select the checkbox next to the permissions you wish to include in this custom user role. 

Once you have made all the selections needed for this user role, select '+ Create Role'.

undefined

 

The role will now appear in the list on the main page. If you need to make changes to this role, clicking the 'Edit' button will open the 'Update Role' panel.   

undefined

 

Roles can be deleted by selecting the delete icon to the right role name.  

Applying Custom User Roles

 Once created, custom user roles can be applied to administrators in the same way as applying specific permissions.

On the Administrators page, select the name of the administrator you want to change the permissions on.  

undefined

 

In the 'Update Administrator' side panel, navigate to the 'Roles/Permissions' section. 

Expand the 'Role' dropdown menu to select the desired role.

Optionally, you can select the organization to apply this custom role to. This is beneficial for organizations with child organizaions; allowing the administrator to have different permissions for different organizations.

Select the '+' icon to add the role.

undefined

 

Select 'Update Admin' to save your changes.

Editing User Permissions in the ThreatLocker Legacy Portal

On the Administrators page, select the 'Edit' button next to the administrator you want to change the permissions on.

undefined

Scroll down to the bottom of the edit window to reach the 'Add and remove the user permissions as required' dropdown box.

undefined

You can select as many or as few permissions as needed.

undefined

 

 

Super Administrator Permissions

Super Admin - This provides the administrator full control of all listed user permissions for the parent account, including child organizations, and provides access to the System Audit page. 

Super Admin-Child - This permission grants the administrator full control of all listed user permissions only on child organizations, not on the Organization this user is set on. This does not provide access to the System Audit page. For example, if Company A manages Company B and Company C, a super admin-child set on Company A will not have permissions on Company A, but will have full permissions on Company B and Company C.

 

Approval Permissions

Along with approving requests, if you would like your administrator to have the ability to set maintenance modes for your computers, you will need to combine one of these 'Approval' privileges with the 'Edit Computers' permission.

undefined

  

Approve for Entire Organization - This provides the ability to view the Approval Center page, approve application and storage requests at the Entire Organization Level, or the Group Level, or for a Single Computer.

Approve for Group - This permission provides the ability to view the Approval Center page, approve application and storage requests for Computer Groups or a Single Computer.

Approve for Single Computer - This permission provides the ability to view the Approval Center page and approve application and storage requests for a singular endpoint. 

Approve for Single Computer (Application Only)- This provides the ability to view the Approval Center page, approve application requests for a singular endpoint. This does not grant the ability to approve storage requests.

View Approvals - This provides the ability to view the Approvals Center page, but not the ability to open the requests.   

Elevation Administrator - This provides the ability to approve Elevation requests. It must be combined with one of the other Approval permissions to gain access to the Approval Center page. 

 

Administrator Permissions

Change Permission - This provides the ability to edit permissions for a user. This must be combined with either the 'Edit Administrators' permission or the 'View Adminstrators' permission, which gives the user access to the Administrators page.

Edit Administrators - This permission provides the ability to view the Administrators page, add a new administrator, invite a new administrator, delete an administrator, reset passwords, and edit the information of listed administrators, minus the ability to change a user's permissions. 

View Administrators - This permission gives the administrator the ability to view the Administrators page.

Edit Login Settings - This permission grants the administrator full access to the Login Settings page. 

  

Application Control Permissions

Edit Application Control Applications - This provides the ability to view the Application Control > Applications page, edit applications, create new applications and delete applications.

Edit Application Control Policies - This permission gives the administrator full control of the Application Control > Policies page including creating new application policies, editing policies, deleting policies, and moving policies. 

Allow Application Merge - This permission provides the ability to merge application definitions, but it does not provide viewing access to the Application Control > Applications page. You will also need to add the ability to Edit Application Control Applications.  

View Approvals - This provides the ability to view the Approvals Center page, but not the ability to open the requests.  

 

Billing Permissions

Edit Billing - This gives the user the ability to view the Billing page and make changes to the information displayed on the Billing page.

View Billing - This gives the administrator the ability to only view the Billing page.   

Edit Computer Groups - This provides the ability to edit listed computer groups on the Computer Groups page. Changes include creating a new computer group, editing the title of a group, deleting a group, updating the ThreatLocker Version, and changing the Update Channel.

Edit Computers - This permission allows the administrator to access everything on the Computers page except the 'Maintenance Mode' button.

Edit Integrations - This permission gives the administrator the ability to view the Integrations page, create and delete integrations. 

Edit Organizations - This permission grants the administrator the ability to view the Organizations page, delete an empty organization, the ability to use the 'Deploy Policies' button located at the top of the page, and edit the General, Billing, Exclusions, Tray, and Branding, settings for the organization. 

 

Storage Control Permissions

Edit Storage Control Policies - This permission grants the administrator access to the Storage Control > Policies page, the ability to create new storage policies, edit storage policies, move storage policies, and delete storage policies. This does not grant the administrator access to the Storage Control > Devices page.

Edit Storage Control Storage Devices - This permission grants the administrator access to the Storage Control > Devices page, the ability to create new devices, edit devices, and delete devices.

 

Miscellaneous View-Only Permissions

View Unified Audit - This provides the administrator the ability to view and search the Unified Audit page, view the file history for audit entries, but does not provide permission to add to applications, permit vendor, or permit or deny applications.  

View Organizations - This provides the ability to view the Organizations page, the ability to delete an empty organization, and the ability to use the 'Deploy Policies' button located at the top of the Organizations page.

View Reports - This provides access to the Reports page where the administrator has the ability to generate and view reports. 

 

Creating Custom User Roles

 

Administrators can create custom user roles based on their organization's specific needs. Once created, these user roles can be applied to specific administrators. These roles are organization-specific, and must be created at the organization level where they will be applied. 

 

Login to the ThreatLocker Portal.

From the Organizations page, select 'Manage' next to the organization you wish to set up custom user roles for.

Navigate to the Security Center > User Roles.

 

undefined

Select 'New User Role'.

undefined

 

Insert a name for the user role in the User Role Name textbox.

undefined

 

If desired, input a description for the user role in the User Role Description textbox.

undefined

 

Select the checkbox next to the permissions you wish to include in this custom user role. 

undefined

 

Once you have made all the selections needed for this user role, click the 'Save' button in the top left corner of the User Role Definition window.

undefined

 

The role will now appear in the list on the main page. If you need to make changes to this role, clicking the 'Edit' button will open the User Role Definition window.

undefined

 

Roles can be deleted if needed by selecting the checkbox next to the role name and clicking the 'Delete' button at the top of the screen.

Applying Custom User Roles

 

Once created, custom user roles can be applied to administrators in the same way as applying specific permissions.

Navigate to the Administrators page.

Select the 'Edit' button next to the administrator on which you wish to apply the custom role. The roles will be listed at the top of the permission list in a section titled 'Roles'. Select any role(s) you wish to apply and click 'Save'.

 

undefined

 

 

 

  

Was this article helpful?