Expansion of user roles
in progress
M
Matt MacDonald
Can you add an option where we can remove the ability for Security Engineers to Change global preferences such as SAML SSO and Change account-level AV policy
L
Lance Fogle
The Security Engineer role has one permission too much: Change global preferences such as SAML SSO or manage Host Isolation settings
There is absolutely NO reason for a security engineer to be able to disable SSO or manage overall global preferences of any kind. A Security Engineer just needs to be able to take action on hosts within client orgs.
That global capability belongs to admin role I would think.
D
Dean Guo
We've just released an account-level Security Engineer role that provides more granular permissions. Notably, it allows for host isolation/de-isolation. See our support article for more details! https://support.huntress.io/hc/en-us/articles/4404012728083-User-Permissions
We are also close to launching a feature that will allow for internal orgs to be handled separately.
D
Dave Ellis
Dean Guo: Dean, this change being released resulted in our users suddenly losing permissions they had, yet, I don't see any notification that this was coming. In fact, if I hadn't been subscribed to this topic I wouldn't have had any idea what was going on.
Something with this kind of an impact should have been communicated ahead of time so we could understand what was changing and be ready for it. Now we're scrambling last minute to figure out what role people need to be at to accomplish what they need to do.
D
Dean Guo
Dave Ellis: Hi, I'm sorry for the scramble. This should not have impacted any existing permissions. Could you provide more details on what permissions were lost so we can help triage or run a hotfix? Feel free to message at dean.guo@huntresslabs.com
D
Dean Guo
Thank you to Dave for pointing out that we did inadvertently make a change to the bulk agent permissions for the "User" role during a refactor. We have reverted that back to the original permission set as of today.
M
Matt Collier
It would be great if we could allow tenant admins to be able to manually isolate/un-isolate their devices and also be able to download the agent and access the organization key.
T
Tyler Shoults
Having a tech admin that can handle un-isolation, etc without having access to billing would be extremely helpful.
A
Andrew Szokoly
Do we think there is any possibility of creating a " client organization level admin" permission that allows them to download the Huntress agent, either through binding an installer to some sort of organization identifier, OR, by dropping that newly registered into a generic client organization that can then be migrated later?
G
Greyson Phillips
This may already be roped in to discussion internally at Huntress but wanted to toss something in.
One of the reports we provide in our strategic business reviews to all clients is the Huntress report. Depending on where the review falls, the pre generated reports may not contain a ton of data so it is nice to generate custom reports. Currently, the "User" permission gives too much privilege at the account level that I do not want interns having. A role dedicated to informational/reporting purposes would work well for us.
Dima Kumets [Product Manager - Huntress]
We have now released two new roles: Marketing (only access to partner enablement system) and Finance (only access to billing).
I will leave the feature request as open though since that is just one of many pieces of functionality requested here.
Dima Kumets [Product Manager - Huntress]
in progress
Development is in progress for two new roles: Marketing (access to Partner Enablement Service only) and Finance (access to billing only). We will be developing more roles and rolling them out iteratively. Thanks to many of you who have taken the time to comment here and reach out to me directly.
J
Jed Daniel
Agreed - a much needed ability to create roles with permissions assigned to them. One example that came up today would be to give readonly plus isolation capabilities so inhouse IT can isolate a machine immediately without need to create a ticket for the helpdesk to action (in a few minutes in the best case scenario).
Load More
→