How to change a user’s access level / account type / role

Updated over a week ago

Changing an Employee's Account Access Level

You can change the account type/access level/role of an employee from their profile:

1. From the main menu, select Employees.

2. Scroll down to the employee whose account you want to change. Then click the Three Dots in front of their name. This will open the Context Menu.

3. From the Context Menu, select the Edit Profile option. This will open a panel on the right side of the screen.

4. Click the Account tab.

5. Select an account role from the Access Level drop-down menu.

6. Click the Apply changes button to set the access level.

Account Access Level vs. Access Control

Account Access Levels are built-in roles that control which core features a user can see and interact with. These are pre-defined, fixed roles (such as Administrator, Infrastructure Administrator, Employee, etc.) and cannot be altered.

Access Control, on the other hand, allows you to create customized, granular permission settings for non-admin users (such as regular employees and department managers). By assigning these policies, you can precisely define which specific data or actions they are authorized to view or perform, effectively elevating their status with tailored privileges.

Access Levels Explained

Teramind has several account access levels you can assign to users to limit which features and options they can access. You can change the account access level of a user from their profile.

The access levels are prioritized as follows:

  1. Administrator

  2. Operational Administrator

  3. Infrastructure Administrator

  4. Department Manager (see the Configurations > Departments section of the User Guide)

  5. Employee with special permissions assigned via Access Control (see the Configurations > Access Control section of the User Guide)

  6. Employee

If you change a user's access level from a lower role to a higher role, the previous permissions will be overridden. For example, if you change an "Employee with special permissions" to a "Department Manager", they will now have the permissions available to a Department Manager and all their previous access control permissions will be ignored.

Administrator

The most powerful access level. Administrators can monitor all employees and other admins, and change any settings with no restrictions.

Operational Administrator

A step down from an Administrator access level, Operational Administrators are granted the ability to manage global settings without being able to view monitoring data.

The table below details the specific permissions and restrictions for users assigned this access level. It outlines their capabilities across various system features, including profile management, employee and computer administration, and configuration settings, providing a comprehensive overview of their operational scope.

My Profile

  • Can edit all information on their profile except for the Access Level even if the “Disable Self Edit” option is CHECKED on their profile’s Account tab.

Dashboards

X

Session Player

X

Employees

  • Can add regular employees only (Employee account access level).

  • Can edit employee profiles at the same access level or lower (e.g., Operational Administrator, Infrastructure Administrator, Employee). For higher access level employees, they can see the Personal Info and the Account tab, but cannot edit anything.

  • Cannot change the employee’s access level.

  • Cannot change “User can clock in and out using Web interface” and “Access Level” options for their own profile.

  • Cannot view an employee’s activity reports.

Computers

  • Cannot view a computer’s activity reports.

Configurations > Shared Lists

Configurations > Behavior Policies

Configurations > Access Control

X

Configurations > Monitoring Profiles

Configurations > Productivity Profiles

  • Cannot create profiles but can edit profiles (can add new rules only, cannot change the profile name or assignments).

Configurations > Departments

Configurations > Settings

  • Can only see the access tokens created by them under the Access Tokens tab.

Configurations > Positions

Configurations > Tasks

Configurations > Locations

System > Download Agent

System > Deployments

  • Cannot create/renew support PIN.

System > Dashboard Exports

  • Can only see/download their own exports.

System > Video Exports

X

Issues/Notifications Report

Infrastructure Administrator

This access level has more limited access than an Administrator or Operational Administrator. Infrastructure Administrators are not able to list employee or computer accounts or view any monitoring data, screen recordings, or productivity metrics, but they are allowed to edit the subscription (cloud accounts), download agents, and adjust global dashboard settings and monitoring settings.

The table below outlines the specific permissions and restrictions for users holding this access level. It details their capabilities concerning profile management, configurations and monitoring profiles, and certain system functions, providing a clear overview of their role in managing system infrastructure.

My Profile

  • Can edit their name, email, phone, and monitoring options if the “Disable Self Edit” option is UNCHECKED on their profile’s Account tab.

Dashboards

X

Session Player

X

Employees

X

Computers

X

Configurations > Shared Lists

Configurations > Behavior Policies

X

Configurations > Access Control

X

Configurations > Monitoring Profiles

Configurations > Productivity Profiles

X

Configurations > Departments

X

Configurations > Settings

  • Cannot access the Access Tokens tab.

Configurations > Positions

X

Configurations > Tasks

X

Configurations > Locations

X

System > Download Agent

System > Deployments

  • Cannot create/renew support PIN.

System > Dashboard Exports

X

System > Video Exports

X

Issues/Notifications Report

X

Department Manager / Supervisor

This is a special type of permission that is not available under the Account Type and can only be created from the Departments menu. Please see the section Configure > Departments of the Teramind User Guide to learn more about departments.

Any employee that is not assigned one of the administrator roles can be assigned as a department manager. These managers can then view/manage the employees in their assigned department.

The reports accessible in the dashboards will be very similar to what an Administrator can see but the results will be filtered to the employees that are listed in the Employees field for Departments that person manages.

Note that, if you change the account access level of a manager (i.e. make them an Administrator, Infrastructure Administrator etc.), that access level will override their Department Manager privilege.

The table below details the specific permissions and restrictions for users assigned this access level. It outlines their capabilities concerning profile management, dashboard access and creation, and the ability to view and manage tasks and employee/computer data relevant to their department.

My Profile

  • Can edit their name, email, phone, and monitoring options if the “Disable Self Edit” option is UNCHECKED on their profile’s Account tab.

Dashboards

  • Can access all dashboards but can only see the data of employees under their department.

  • Can create/clone dashboards.

Session Player

Employees

  • Can only see the list of employees under their department and view their activity reports.

  • Cannot add/edit employees.

  • Cannot view/edit employee profiles.

  • Cannot perform any Employee Actions such as delete, lock, turn monitoring on/off, etc.

Computers

  • Can only see the list of computers of the employees under their department and view their activity reports.

  • Cannot see “Last Employees” and Agent Type (e.g., Stealth/Revealed) on the Computer Details screen.

  • Cannot perform any Employee Actions such as delete, lock, turn monitoring on/off, etc.

  • Cannot edit the computer’s information or settings (e.g., monitoring status, offline notification, etc.).

Configurations > Shared Lists

X

Configurations > Behavior Policies

X

Configurations > Access Control

X

Configurations > Monitoring Profiles

X

Configurations > Productivity Profiles

X

Configurations > Departments

  • Can view their own department(s) but cannot edit them

Configurations > Settings

  • Can only see the access tokens created by them under the Access Tokens tab.

Configurations > Positions

X

Configurations > Tasks

  • Can view and create their own tasks or tasks created by the employees under their department.

  • Can only assign tasks to their employees and department(s) under their supervision, not others.

Configurations > Locations

X

System > Download Agent

  • Can only download the Revealed Agent

System > Deployments

X

System > Dashboard Exports

  • Can view/download their own exports.

System > Video Exports

  • Can view/download their own exports.

Issues/Notifications Report

X

Employee

An employee can access their activity reports and manage their profile, but only if allowed by an administrator.

The table below outlines the specific permissions and restrictions for standard users with employee access. It details their capabilities for managing their own profile and viewing various dashboards and reports related to their personal activity.

My Profile

  • Can edit their name, email, phone, and monitoring options if the “Disable Self Edit” option is UNCHECKED on their profile’s Account tab.

Dashboards

  • If the “Disable Self Productivity Report” option in their profile’s Account tab is UNCHECKED, they will be able to view the Productivity > Basic and Productivity > Time Worked dashboards.

  • If the “Disable Self Session Report” option in their profile’s Account tab is UNCHECKED, they will be able to view the Login Session dashboard.

  • If the “Disable Self Snapshot Report” option in their profile’s Account tab is UNCHECKED, they will be able to view the Live > Snapshots dashboard.

  • If the “Allow Viewing Activity Report” option in their profile’s Account tab is CHECKED, they will be able to view the Applications & Websites > Basic dashboard.

Session Player

  • For any of the dashboards above, the employee will not be able to activate the Session Player unless the “Allow self-history playback” option is CHECKED in their monitoring profile’s Account tab. In that case, they should be able to activate the Session Player and see their past records. But they cannot switch to the Live View mode.

Employees

X

Computers

X

Configurations > Shared Lists

X

Configurations > Behavior Policies

X

Configurations > Access Control

X

Configurations > Monitoring Profiles

X

Configurations > Productivity Profiles

X

Configurations > Departments

X

Configurations > Settings

X

Configurations > Positions

X

Configurations > Tasks

X

Configurations > Locations

X

System > Download Agent

  • Can only download the Revealed Agent

System > Deployments

X

System > Dashboard Exports

X

System > Video Exports

X

Issues/Notifications Report

X

External Security Risks of Operational and Infrastructure Administrator Roles and How to Mitigate Them

The Operational Administrator and Infrastructure Administrator roles are granted access to system settings. This privilege presents several security risks when used with an external identity provider or third-party integrations:

Credential Escalation Risk: If these roles have control over authentication solutions (such as LDAP, SSO, or SMTP configurations), they may be able to manipulate settings to authenticate and log in as a full Administrator (e.g., by using a different, authorized email).

Monitoring Data Exposure: Access to monitoring profiles and system settings also enables them to integrate with external systems, such as a SIEM solution. A SIEM integration could allow them to read and access all monitoring data for employees, bypassing dashboard-level restrictions.

Mitigation Strategy

To mitigate the security risks, employ a three-pronged strategy:

  • External IdP Mapping: Avoid assigning users the inherently risky built-in roles when integrating with your external Identity Provider. Instead, map those users to the more restrictive Employee role.

  • Internal Privilege Control: Utilize Teramind’s Access Control Policies to grant only the exact, necessary system privileges (e.g., to edit a single monitoring profile), bypassing the full scope of the built-in admin access and upholding the Principle of Least Privilege.

  • SIEM Configurations: Configure your SIEM integrations to transmit only relevant security data points and logs. If needed, create multiple integrations for different analysts/use cases.
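The priority order under "Access Levels Explained" and the external IdP mapping advice above can be checked against a user roster. The following is an added example, not Teramind code or a Teramind export format: the User record, its auth_source field, and the sample roster are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Priority order from "Access Levels Explained" (first entry wins).
PRIORITY = ["Administrator", "Operational Administrator",
            "Infrastructure Administrator", "Department Manager",
            "Employee with special permissions", "Employee"]
# Roles the page flags as risky because they can reach system settings.
SETTINGS_ADMINS = {"Operational Administrator", "Infrastructure Administrator"}

@dataclass
class User:
    email: str
    access_level: str                 # value of the Access Level drop-down
    auth_source: str = "local"        # assumed field: "local" or "external_idp"
    managed_departments: list = field(default_factory=list)
    access_control_policies: list = field(default_factory=list)

def effective_role(u):
    """Return the highest-priority role that applies to the user."""
    roles = [u.access_level]
    if u.managed_departments:
        roles.append("Department Manager")
    if u.access_control_policies:
        roles.append("Employee with special permissions")
    return min(roles, key=PRIORITY.index)

def audit(u):
    """List the findings for one user, based on the rules on this page."""
    role, findings = effective_role(u), []
    if role in SETTINGS_ADMINS and u.auth_source == "external_idp":
        findings.append("risky built-in role mapped from external IdP")
    if u.access_control_policies and role != "Employee with special permissions":
        findings.append(f"Access Control policies ignored (overridden by {role})")
    if u.managed_departments and PRIORITY.index(role) < PRIORITY.index("Department Manager"):
        findings.append(f"Department Manager privilege overridden by {role}")
    return findings

# Constructed sample roster (addresses and policy names are made up).
ROSTER = [
    User("alice@example.com", "Operational Administrator", "external_idp",
         access_control_policies=["edit-one-monitoring-profile"]),
    User("bob@example.com", "Employee", managed_departments=["Sales"],
         access_control_policies=["view-sales-reports"]),
    User("carol@example.com", "Employee", "external_idp",
         access_control_policies=["edit-one-monitoring-profile"]),
    User("dave@example.com", "Infrastructure Administrator",
         managed_departments=["IT"]),
]

if __name__ == "__main__":
    for user in ROSTER:
        print(user.email, effective_role(user), audit(user))
```

In the sample, carol is the pattern the mitigation recommends: an IdP-provisioned user kept at Employee with a narrow Access Control policy, which produces no findings.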
