You can change the account type/access level of a user from their profile page.

1. Select Employees from the main menu.

2. Click the Three Dots icon in front of an employee’s name to open the Context Menu. Then select Edit Profile. The Edit Profile panel will open:

3. Select the Account tab.

4. Select an access level from the Access Level field.

5. Click the Apply changes button to save the profile.

Note that, the Account Access Level is different than an Access Control Policy. Account access levels control what top-level menus and features an admin or user can access. Whereas, access control policies allow you to control the permissions settings for non-admin privileged users such as a regular employee or department manager.

Types of Account Access Levels / Role Permissions

Teramind has several account levels / role permissions you can assign to users to limit which features and options they can access. You can change the account access level of a user from their profile.

The access levels are prioritized as follows:

Administrator
Operational Administrator
Infrastructure Administrator
Department Manager (see the Configurations > Departments section of the User Guide)
Employee with special permissions assigned via Access Control (see the Configurations > Access Control section of the User Guide)
Employee

If you change a user's access level from a lower role to a higher role, the previous permissions will be overridden. For example, if you change an "Employee with special permissions" to a "Department Manager", they will now have the permissions available to a Department Manager and all their previous access control permissions will be ignored.

Administrator

The most powerful access level. They can monitor all employees, other admins, and change any settings with no restrictions.

Operational Administrator

A step down from an Administrator access level, Operational Administrators are granted the ability to manage global settings without being able to view monitoring data.

The table below details the specific permissions and restrictions for users assigned this access level. It outlines their capabilities across various system features, including profile management, employee and computer administration, and configuration settings, providing a comprehensive overview of their operational scope.

My Profile	Can edit all information on their profile except for the Access Level even if the “Disable Self Edit” option is CHECKED on their profile’s Account tab.
Dashboards	X
Session Player	X
Employees	Can add regular employees only (Employee account access level). Can edit employee profiles at the same access level or lower (e.g., Operational Administrator, Infrastructure Administrator, Employee). For higher access level employees, they can see the Personal Info and the Account tab, but cannot edit anything. Cannot change the employee’s access level. Cannot change “User can clock in and out using Web interface” and “Access Level” options for their own profile. Cannot view an employee’s activity reports.
Computers	Cannot view a computer’s activity reports.
Configurations > Shared Lists	✔
Configurations > Behavior Policies	✔
Configurations > Access Control	X
Configurations > Monitoring Profiles	✔
Configurations > Productivity Profiles	Cannot create profiles but can edit profiles (can add new rules only, cannot change the profile name or assignments).
Configurations > Departments	✔
Configurations > Settings	Can only see the access tokens created by them under the Access Tokens tab.
Configurations > Positions	✔
Configurations > Tasks	✔
Configurations > Locations	✔
System > Download Agent	✔
System > Deployments	Cannot create/renew support PIN.
System > Dashboard Exports	Can only see/download their own exports.
System > Video Exports	X
Issues/Notifications Report	✔

Infrastructure Administrator

This access level has more limited access than an Administrator or Operational Administrator. Infrastructure Admins are not able to list employee or computer accounts or view any monitoring data, screen recordings, or productivity metrics but they are allowed to edit the subscription (cloud accounts), download agents, and adjust global dashboard settings and monitoring settings.

The table below outlines the specific permissions and restrictions for users holding this access level. It details their capabilities concerning profile management, configurations and monitoring profiles, and certain system functions, providing a clear overview of their role in managing system infrastructure.

My Profile	Can edit their name, email, phone, and monitoring options if the “Disable Self Edit” option is UNCHECKED on their profile’s Account tab.
Dashboards	X
Session Player	✔
Employees	X
Computers	X
Configurations > Shared Lists	✔
Configurations > Behavior Policies	X
Configurations > Access Control	X
Configurations > Monitoring Profiles	✔
Configurations > Productivity Profiles	X
Configurations > Departments	X
Configurations > Settings	Cannot access the Access Tokens tab.
Configurations > Positions	X
Configurations > Tasks	X
Configurations > Locations	X
System > Download Agent	✔
System > Deployments	Cannot create/renew support PIN.
System > Dashboard Exports	X
System > Video Exports	X
Issues/Notifications Report	X

Notes about Operational and Infrastructure Administrator Roles

Both the Infrastructure Administrator and Operational Administrator have access to system settings. If they use LDAP, SSO or SMTP solutions where they have full control, they might be able to login as an Admin in the system (i.e. authenticate with a different email). Or, with a SIEM integration, they may be able to read all monitoring data for employees. They also have access to monitoring profiles.

These are some indirect ways they might get access to otherwise restricted data.

Department Manager / Supervisor

This is a special type of permission not available under the Account Type and can only be created from the Departments menu. Please see the section Configure > Departments on the Teramind User Guide to learn more about departments.

Any employee that is not assigned one of the administrator roles can be assigned as a department manager. These managers can then view/manage the employees in their assigned department.

The reports accessible in the dashboards will be very similar to what an Administrator can see but the results will be filtered to the employees that are listed in the Employees field for Departments that person manages.

Note that, if you change the account access level of a manager (i.e. make them an Administrator, Infrastructure Administrator etc.), that access level will override their Department Manager privilege.

The table below details the specific permissions and restrictions for users assigned this access level. It outlines their capabilities concerning profile management, dashboard access and creation, and the ability to view and manage tasks and employee/computer data relevant to their department.

My Profile	Can edit their name, email, phone, and monitoring options if the “Disable Self Edit” option is UNCHECKED on their profile’s Account tab.
Dashboards	Can access all dashboards but can only see the data of employees under their department. Can create/clone dashboards.
Session Player	✔
Employees	Can only see the list of employees under their department and view their activity reports. Cannot add/edit employees. Cannot view/edit employee profiles. Cannot perform any Employee Actions such as delete, lock, turn monitoring on/off, etc.
Computers	Can only see the list of computers of the employees under their department and view their activity reports. Cannot see “Last Employees” and Agent Type (e.g., Stealth/Revealed) on the Computer Details screen. Cannot perform any Employee Actions such as delete, lock, turn monitoring on/off, etc. Cannot edit the computer’s information or settings (e.g., monitoring status, offline notification, etc.).
Configurations > Shared Lists	X
Configurations > Behavior Policies	X
Configurations > Access Control	X
Configurations > Monitoring Profiles	X
Configurations > Productivity Profiles	X
Configurations > Departments	Can view their own department(s) but cannot edit them
Configurations > Settings	Can only see the access tokens created by them under the Access Tokens tab.
Configurations > Positions	X
Configurations > Tasks	Can view and create their own tasks or tasks created by the employees under their department. Can only assign tasks to their employees and department(s) under their supervision, not others.
Configurations > Locations	X
System > Download Agent	Can only download the Revealed Agent
System > Deployments	X
System > Dashboard Exports	Can view/download their own exports.
System > Video Exports	Can view/download their own exports.
Issues/Notifications Report	X

Employee

An employee can access their activity reports and mange their profile - only if allowed by an administrator.

The table below outlines the specific permissions and restrictions for standard users with employee access. It details their capabilities for managing their own profile and viewing various dashboards and reports related to their personal activity.

My Profile	Can edit their name, email, phone, and monitoring options if the “Disable Self Edit” option is UNCHECKED on their profile’s Account tab.
Dashboards	If the “Disable Self Productivity Report” option in their profile’s Account tab is UNCHECKED, they will be able to view the Productivity > Basic and Productivity > Time Worked dashboards. If the “Disable Self Session Report” option in their profile’s Account tab is UNCHECKED, they will be able to view the Login Session dashboard. If the “Disable Self Snapshot Report” option in their profile’s Account tab is UNCHECKED, they will be able to view the Live > Snapshots dashboard. If the “Allow Viewing Activity Report” option in their profile’s Account tab is CHECKED, they will be able to view the Applications & Websites > Basic dashboard.
Session Player	For any of the dashboards above, the employee will not be able to activate the Session Player unless the “Allow self-history playback” option is CHECKED in their monitoring profile’s Account tab. In that case, they should be able to activate the Session Player and see their past records. But they cannot switch to the Live View mode.
Employees	X
Computers	X
Configurations > Shared Lists	X
Configurations > Behavior Policies	X
Configurations > Access Control	X
Configurations > Monitoring Profiles	X
Configurations > Productivity Profiles	X
Configurations > Departments	X
Configurations > Settings	X
Configurations > Positions	X
Configurations > Tasks	X
Configurations > Locations	X
System > Download Agent	Can only download the Revealed Agent
System > Deployments	X
System > Dashboard Exports	X
System > Video Exports	X
Issues/Notifications Report	X

Employee access level can be elevated via the Access Control policy. (see the Configurations > Access Control section of the User Guide)

Migrating from Teramind Legacy Platform

Employees

Configurations

Configurations > Access Control

How to change a user’s access level