Expansion of user roles
in progress
Lance Fogle
The Security Engineer role has one permission too many: "Change global preferences such as SAML SSO or manage Host Isolation settings".
There is absolutely NO reason for a security engineer to be able to disable SSO or manage overall global preferences of any kind. A Security Engineer just needs to be able to take action on hosts within client orgs.
That global capability belongs to the admin role, I would think.
Dean Guo
We've just released an account-level Security Engineer role that provides more granular permissions. Notably, it allows for host isolation/de-isolation. See our support article for more details! https://support.huntress.io/hc/en-us/articles/4404012728083-User-Permissions
We are also close to launching a feature that will allow for internal orgs to be handled separately.
Dave Ellis
Dean Guo: Dean, this change being released resulted in our users suddenly losing permissions they had, yet I don't see any notification that this was coming. In fact, if I hadn't been subscribed to this topic I wouldn't have had any idea what was going on.
Something with this kind of an impact should have been communicated ahead of time so we could understand what was changing and be ready for it. Now we're scrambling last minute to figure out what role people need to be at to accomplish what they need to do.
Dean Guo
Dave Ellis: Hi, I'm sorry for the scramble. This should not have impacted any existing permissions. Could you provide more details on what permissions were lost so we can help triage or run a hotfix? Feel free to message at dean.guo@huntresslabs.com
Dean Guo
Thank you to Dave for pointing out that we did inadvertently make a change to the bulk agent permissions for the "User" role during a refactor. We have reverted that back to the original permission set as of today.
Matt Collier
It would be great if we could allow tenant admins to be able to manually isolate/un-isolate their devices and also be able to download the agent and access the organization key.
Tyler Shoults
Having a tech admin that can handle un-isolation, etc., without having access to billing would be extremely helpful.
Andrew Szokoly
Do we think there is any possibility of creating a "client organization level admin" permission that allows them to download the Huntress agent, either through binding an installer to some sort of organization identifier, OR, by dropping that newly registered into a generic client organization that can then be migrated later?
Greyson Phillips
This may already be roped into discussion internally at Huntress but wanted to toss something in.
One of the reports we provide in our strategic business reviews to all clients is the Huntress report. Depending on where the review falls, the pre-generated reports may not contain a ton of data, so it is nice to generate custom reports. Currently, the "User" permission gives too much privilege at the account level that I do not want interns having. A role dedicated to informational/reporting purposes would work well for us.
Dima Kumets [Product Manager - Huntress]
We have now released two new roles: Marketing (only access to partner enablement system) and Finance (only access to billing).
I will leave the feature request as open though since that is just one of many pieces of functionality requested here.
Dima Kumets [Product Manager - Huntress]
in progress
Development is in progress for two new roles: Marketing (access to Partner Enablement Service only) and Finance (access to billing only). We will be developing more roles and rolling them out iteratively. Thanks to many of you who have taken the time to comment here and reach out to me directly.
Tony Graham
Agreed - a much-needed ability to create roles with permissions assigned to them. One example that came up today would be to give read-only plus isolation capabilities so in-house IT can isolate a machine immediately without needing to create a ticket for the helpdesk to action (in a few minutes in the best-case scenario).
Harry Boyne
This is 100% something we need - our billing/sales teams need certain access, and we also NEED to secure our internal organisation so the general team don't have access to it.