How to change a user’s account access level / role permission
Written by Arick Disilva
Updated over 3 months ago

Changing a User's Account Access Level / Role Permission

You can change the access level of a user from their profile page (click EMPLOYEES menu then click the EDIT PROFILE button), on the ACCOUNT INFO tab:


Note that the Account Access Level is different from an Access Control Policy. Account access levels control which top-level menus and features an admin or user can access, whereas access control policies let you control the permission settings for non-admin privileged users such as a Department Manager.

Types of Account Access Levels / Role Permissions

Teramind has several account levels / role permissions you can assign to users to limit which features and options they can access. You can change the account access level of a user from their profile.

The access levels are prioritized as follows:

  1. Administrator

  2. Operational Administrator

  3. Infrastructure Administrator

  4. Department Manager (see the Configure > Departments section of the User Guide)

  5. Employee with List or RBAC-based permissions (see the Configure > Access Control section of the User Guide)

  6. Employee

If you change a user's access level from a lower role to a higher role, the previous permissions will be overridden. For example, if you change an "Employee with RBAC permissions" to a "Department Manager", they will now have the permissions available to a Department Manager and all their previous RBAC permissions will be ignored.


Administrator

The most powerful access level. Administrators can monitor all employees and other admins, and change any settings with no restrictions.

Operational Administrator

A step down from an Administrator access level, Operational Admins are granted the ability to manage global settings without being able to view monitoring data, screen recordings, or productivity metrics for employees or computers.

Has access to the following menus and privileges:

  • Time Tracking (Tracker, Tasks).

  • Behavior (Policies, Anomaly Rules).

  • Employees (with limitations, see below).

  • Computers (with limitations, see below).

  • Configure (Departments, Schedules, Positions, Productivity Profiles, Shared Lists).

  • System (Missing Users/Computers Report, Report Export - with limitations, see below).

  • My Account (Subscription, Server & Port, Support - cloud dashboards).

  • Settings (Monitoring Settings, Integration, System Settings).

  • Can adjust the monitoring profiles and settings.

  • Can access the hidden and revealed agent download links.

  • Can access remote deployment dashboard (on-premise dashboards).

  • Can create API Access Tokens.

  • Can edit subscription info (cloud dashboards).

  • Can access notifications list.

  • Can add new employees.

  • Can click the Update Agent button on the Computer's profile page (on-premise dashboards).


Limitations:

  • Under Time Tracking menu, cannot see Employee Cost, Task Cost, Time Records, Time Cards.

  • Under Behavior menu, cannot see Alerts.

  • Under Configure menu, cannot see Access Control.

  • Under My Account menu, cannot see Support Pin tab or generate a support pin (cloud dashboards).

  • While the Employees and Computers list is accessible, Operational Admins cannot browse any recordings or view monitoring data.

  • Can edit employee profiles at the same role level or lower (can edit other Operational Admins, Infrastructure Admins, and Employees) but cannot adjust an employee's access level (or create/edit access control policies).

  • Under System > Report Export, Operational Admins can only see a list of reports they directly exported.

  • Cannot access Monitoring reports or BI Reports.

  • Cannot adjust an employee's access level (or create/edit access control policies).

  • While API tokens can be created, the All Tokens tab that Administrators see is not visible so tokens cannot be edited for other employees.

  • Note: Time Tracking > Tracker is only visible if you enable the 'User can clock in and out using Web interface' checkbox in the employee's profile.

Infrastructure Administrator

This access level has more limited access than an Administrator or Operational Administrator. Infrastructure Admins are not able to list employee or computer accounts or view any monitoring data, screen recordings, or productivity metrics but they are allowed to edit the subscription (cloud accounts), download agents, and adjust global dashboard settings and monitoring settings.

Has access to the following menus and privileges:

  • Time Tracking (Tracker).

  • Configure (Shared Lists).

  • My Account (Subscription, Server & Port, Support - cloud dashboards).

  • Settings (Monitoring Settings, Integration, System Settings).

  • Can adjust the monitoring profiles and settings.

  • Can access the hidden and revealed agent download links.

  • Can access remote deployment dashboard (on-premise dashboards).

  • Can edit subscription info (cloud dashboards).


Limitations:

  • Under My Account menu, cannot see Support Pin tab or generate a support pin (cloud dashboards).

  • Cannot browse any recordings or view monitoring data.

  • Cannot access Monitoring reports or BI Reports.

  • Cannot access notifications list.

  • Cannot add new employees.

  • Cannot create or edit API Access Tokens.

  • Note: Time Tracking > Tracker is only visible if you enable the 'User can clock in and out using Web interface' checkbox in the employee's profile.

Notes about Operational and Infrastructure Administrator Roles

Both the Infrastructure Administrator and Operational Administrator have access to system settings. If they use LDAP, SSO or SMTP solutions over which they have full control, they might be able to log in as an Admin in the system (i.e. authenticate with a different email). Or, with a SIEM integration, they may be able to read all monitoring data for employees. They also have access to monitoring profiles.

These are some indirect ways in which they might get access to otherwise restricted data.
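An added example, not part of the original article or of Teramind's product: a separation-of-duties check that resolves each user's effective role with the priority order listed earlier and flags Operational or Infrastructure Admins who also control LDAP, SSO, SMTP or SIEM. The roster format, field names, short role label "Employee with RBAC" and sample users are assumptions constructed for illustration.

```python
# Roster fields ("name", "roles", "controls") are assumed, not a Teramind export format.
# Priority order as listed in this article (lower index = higher priority).
PRIORITY = ["Administrator", "Operational Administrator",
            "Infrastructure Administrator", "Department Manager",
            "Employee with RBAC", "Employee"]

# Roles that can edit system settings but are not meant to see monitoring data.
SETTINGS_ONLY = {"Operational Administrator", "Infrastructure Administrator"}

# External systems named in the article and the indirect access each may open.
INDIRECT = {
    "ldap": "might be able to log in as an Admin",
    "sso": "might be able to log in as an Admin",
    "smtp": "might be able to log in as an Admin",
    "siem": "may be able to read all monitoring data",
}


def effective_role(assigned):
    """Return the highest-priority role; it overrides every lower one."""
    return min(assigned, key=PRIORITY.index)


def audit(roster):
    """Return (user, effective role, system, risk) for each indirect path."""
    findings = []
    for user in roster:
        role = effective_role(user["roles"])
        if role not in SETTINGS_ONLY:
            continue  # full Admins and non-admin roles are out of scope here
        for system in sorted(user.get("controls", ())):
            if system in INDIRECT:
                findings.append((user["name"], role, system, INDIRECT[system]))
    return findings


# Constructed sample roster (hypothetical users and assignments).
ROSTER = [
    {"name": "alice", "roles": ["Administrator"], "controls": ["sso"]},
    {"name": "bob", "roles": ["Employee with RBAC", "Operational Administrator"],
     "controls": ["ldap", "siem"]},
    {"name": "carol", "roles": ["Infrastructure Administrator"], "controls": []},
    {"name": "dave", "roles": ["Department Manager", "Infrastructure Administrator"],
     "controls": ["smtp"]},
    {"name": "erin", "roles": ["Department Manager"], "controls": ["siem"]},
]

if __name__ == "__main__":
    for name, role, system, risk in audit(ROSTER):
        print(f"{name} ({role}) administers {system}: {risk}")
```

Each finding marks a user whose dashboard role hides monitoring data but whose control of an external system could restore that access, so those assignments are the ones to review or split between people.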

Department Manager / Supervisor

This is a special type of permission that is not available under the Account Type and can only be created from the Departments menu. Please see the section Configure > Departments of the Teramind User Guide to learn more about departments.

Any employee that is not assigned one of the admin roles can be assigned as a department manager. These managers can then view/manage the employees in their assigned department.

The reports accessible in the dashboard will be very similar to what an Administrator can see but the results will be filtered to the employees that are listed in the Employees field for Departments that person manages.

Note that if you change the account access level of a manager (i.e. make them an Admin, Infrastructure Admin etc.), that access level will override their Department Manager privilege.

Has access to the following menus and privileges:

  • Time Tracking (Tracker, Employee cost, Task cost, Time records, Time cards - with limitations, see below).

  • Dashboard (won't have the default Focus or Enterprise dashboards but can create their own).

  • BI Reports (All monitoring reports are available).

  • Monitoring (All monitoring reports are available).

  • Risk.

  • Productivity.

  • Behavior (Alerts).

  • Employees (with limitations, see below).

  • Computers (with limitations, see below).

  • Configure (Departments, with limitations, see below).

  • System (Missing Users/Computers, Video Export, Report Export, System Log - with limitations, see below).

  • Can create API tokens.


Limitations:

  • Under Time Tracking menu, cannot access tasks and therefore cannot add/edit tasks.

  • Cannot set employee and time costs.

  • Under Behavior menu, cannot access or edit behavior policies or anomaly rules.

  • Under Employees menu, cannot Add or Import employees or see license usage count (cloud dashboards).

  • Under Employees menu, cannot select employee accounts so the Action drop-down menu options (Lock, Unlock, Delete, Restore, Enable/Disable Monitoring, Bulk Edit) are not available.

  • Under Computers menu, cannot select computer accounts so the Action drop-down menu options (Delete, Restore, Enable/Disable Monitoring, Enable/Disable offline notification, Uninstall Agent) are not available.

  • In Employee Profile, cannot enable/disable monitoring, delete, or edit employee account.

  • In Computer Profile, cannot enable/disable monitoring, delete or edit computer account.

  • Under Configure menu, can list Departments they manage but cannot view the list of employees in the department and cannot create/edit departments or add/remove employees in the department.

  • Under System > Video Export, can see any videos the manager has directly exported.

  • Under System > Report Export, managers can only see a list of reports they directly exported.

  • Under System > System Log, managers can only see an audit log for dashboard activity of employees they manage. Their own activity in the dashboard won't be listed unless their manager account is added into the Employees field of the department.

  • Cannot create or view any access control policies.

  • Cannot create or view productivity profiles.

  • Cannot access or edit any system settings or monitoring profiles.

  • Cannot access hidden agent download links. Only the revealed agent link is available to managers.

  • Cannot access the My Account menu (cloud dashboards).

  • Cannot access Notifications list.

  • While API tokens can be created, the All Tokens tab that Administrators see is not visible so tokens cannot be edited for other employees.

  • Note: Time Tracking > Tracker is only visible if you enable the 'User can clock in and out using Web interface' checkbox in the employee's profile.


Employee

Has access to the following menus and privileges:

  • Time Tracking (Tracker) - if enabled by an admin on the user's profile.

  • Monitoring (Webpages & Applications, Screen Snapshots, Sessions) - if enabled by an admin on the user's profile.

  • Productivity - if enabled by an admin on the user's profile.

  • Can change some of their profile information such as password, email, etc.

  • Can download the Revealed Agent.


The Employee access level can be changed with an RBAC policy. See below for more information.

Changing the 'Employee' Account's Access Level with an RBAC Policy

You can modify the behavior of the Employee account type and assign additional permissions to it using an RBAC policy.

First, you will need to create a Role access control policy from the Configure > Access Control screen.

Then you can assign the Role policy to a user with the Employee account type from the Employee's Profile > RBAC tab.
