Expansion of user roles
in progress
Chad Perrier
We need Finance Role to be allowed to sync subscriptions so they can update Agreement qty. and manage agreements. Since this is not enabled, it forces an admin to intervene during the billing process due to lack of permissions.
Jon Cole
We need the ability as an MSP to set Account users to access a subset of organizations. AutoElevate has a feature where we can say "This user can access all organizations EXCEPT [list one or more organizations in the account]". We don't want our regular techs being able to affect our internal systems but be able to affect our clients.
Phil Wainwright
There needs to be a security level or option that gives a user the ability to do MS integrations for MDR without having admin access. Staff who do level 2 provisioning should not have access to billing information or be able to sign contracts on behalf of the company - these should be only available to owners/managers.
Steven Richardson
Phil Wainwright: This is exactly what I came here to say. We have to give our onboarding team way too much access to the tool to be able to complete their tasks.
Mike
Please allow security engineers added on organization level to have access to escalations for that organization. Does not make sense to remove this ability, especially looking at the description of security engineer role permissions: Security Engineers can: Act on an Escalation (Resend Report or Resolve)
Matt MacDonald
Can you add an option where we can remove the ability for Security Engineers to "Change global preferences such as SAML SSO" and "Change account-level AV policy"?
Lance Fogle
The Security Engineer role has one permission too many: "Change global preferences such as SAML SSO or manage Host Isolation settings"
There is absolutely NO reason for a security engineer to be able to disable SSO or manage overall global preferences of any kind. A Security Engineer just needs to be able to take action on hosts within client orgs.
That global capability belongs to admin role I would think.
Dean Guo
We've just released an account-level Security Engineer role that provides more granular permissions. Notably, it allows for host isolation/de-isolation. See our support article for more details! https://support.huntress.io/hc/en-us/articles/4404012728083-User-Permissions
We are also close to launching a feature that will allow for internal orgs to be handled separately.
Dave Ellis
Dean Guo: Dean, this change being released resulted in our users suddenly losing permissions they had, yet, I don't see any notification that this was coming. In fact, if I hadn't been subscribed to this topic I wouldn't have had any idea what was going on.
Something with this kind of an impact should have been communicated ahead of time so we could understand what was changing and be ready for it. Now we're scrambling last minute to figure out what role people need to be at to accomplish what they need to do.
Dean Guo
Dave Ellis: Hi, I'm sorry for the scramble. This should not have impacted any existing permissions. Could you provide more details on what permissions were lost so we can help triage or run a hotfix? Feel free to message at dean.guo@huntresslabs.com
Dean Guo
Thank you to Dave for pointing out that we did inadvertently make a change to the bulk agent permissions for the "User" role during a refactor. We have reverted that back to the original permission set as of today.
Matt Collier
It would be great if we could allow tenant admins to be able to manually isolate/un-isolate their devices and also be able to download the agent and access the organization key.
Tyler Shoults
Having a tech admin that can handle un-isolation, etc. without having access to billing would be extremely helpful.
Margherita'la Heaney'la
Do we think there is any possibility of creating a "client organization level admin" permission that allows them to download the Huntress agent, either through binding an installer to some sort of organization identifier, OR, by dropping that newly registered into a generic client organization that can then be migrated later?