Team: Huntress Managed Endpoint Detection and Response (EDR)
Environment: Portal, Dashboard
Summary: How to set Huntress User Roles.
Setting Huntress User Permissions
Account-Level
Organization-Level
For information on adding or managing users, see this article: Managing Huntress Users.
If you have larger customers who need their own reporting integration but still require your expertise (co-managed IT, for example), you can view this page to learn more about the process of becoming a Huntress Reseller.
Account-level roles
Note: Account-level users (Admin, Security Engineer, User, Finance, Marketing, Read-Only) can see the account and any organizations their role allows. Account-level Admins and Security Engineers can access any organizations under the account.
✓ = allowed, — = not allowed, (1) = limited / see role details below

| Permission | Admin | Security Engineer | Provisioner | User | Finance | Read-only |
|---|---|---|---|---|---|---|
| View and manage billing / invoices | ✓ | — | — | — | ✓ | — |
| Manage account-level users | ✓ | — | — | — | — | — |
| Create / modify / delete organizations | ✓ | — | (1) | (1) | — | — |
| Manage integrations, SIEM, and SSO settings | ✓ | — | (1) | — | — | — |
| Approve / reject Assisted Remediation, manage incident reports | ✓ | ✓ | — | (1) | — | (1) |
| Manually isolate / de-isolate endpoints | ✓ | ✓ | — | — | — | — |
| Managed Defender configuration and bulk actions | ✓ | ✓ | (1) | — | — | — |
| Access Managed Security Awareness Training (SAT) | ✓ | ✓ | — | — | — | — |
| Access Request SOC Support button | ✓ | ✓ | — | — | — | — |
| Escalations / ITDR (Unwanted Access) | Can view and act on escalations across all orgs. ITDR Unwanted Access rules are managed when acting as an organization-level Admin (see org-level table). | Can act on escalations (Resend / Resolve). Does not manage ITDR Unwanted Access rules at account level. | — | — | — | — |

Looking for Marketing? See here.
Account-level Admin
Summary: Full access across the Huntress account, including billing and configuration.
Admins can:
- View and modify everything across Huntress.
- View and modify billing information (invoices, contracts, payment methods).
- Manage account-level users and organizations.
- Manage integrations, SIEM, SSO, and other global settings.
- Perform all security actions available to Security Engineers and Users.
Admins cannot:
- There are no functional restrictions on the Admin role.
Account-level Security Engineer
Summary: Security-focused role with almost full security control, but no billing or core account administration.
Security Engineers can:
- Approve or reject Assisted Remediation.
- Manually isolate or de-isolate endpoints.
- Download the Huntress installer and view the account key.
- Manage Incident Reports.
- Perform bulk Managed Microsoft Defender actions such as quick/full scan, update, or change audit/enforce mode.
- Add or remove exclusions.
- Change global preferences pertaining to host isolation settings.
- Act on Escalations (Resend Report or Resolve).
- Bulk move or remove agents across organizations.
- Change account-level AV policy.
- Change organization-level AV policy.
- Access Managed Security Awareness Training via the SAT icon in the dashboard.
- Access the Request SOC Support button.
Security Engineers cannot:
- Create/modify/delete account-level users.
- Create/modify/delete organizations.
- View or change billing information (including invoices and contracts).
- Manage integration settings.
- Create/modify/delete SAML SSO configurations.
- Regenerate an account key.
- Add SIEM sources.
- View or modify SIEM saved queries.
Account-level Provisioner
Provisioners can:
- Create, update, and decommission organizations (name, timezone, and other org-level settings)
- Create, update, and remove org-level users, and assign any role (including Admin) at the org level
- Configure ITDR: add, remove, and modify Microsoft and Google tenants, and generate onboarding assessments
- Configure managed antivirus policies at the account and organization level
- Manage antivirus and process/detection exclusions at the agent and organization level
- Configure organization-level SIEM log sources of all supported types (syslog, event logs, cloud integrations, etc.)
- Update Organization Mappings on an existing PSA integration
- Configure the recipient of monthly reports on an organization
Provisioners cannot:
- View or modify account-level settings
- Enable or disable tamper protection at the account or organization level
- Resolve incident reports, or resolve or manage escalations
- Change notification settings
- Create, update, or delete account-level users or memberships
- View billing or invoices, or modify billing, payment, trial, or subscription settings
- Add or remove PSA integrations, or change Notification Category settings on a PSA integration
Account-level User
Summary: Similar to Security Engineer, but with reduced security controls. Intended for general technical staff.
Users can:
- Create, modify, and delete organizations.
  - Note: This is the only access Users have that Security Engineers do not. We are considering removing this capability from the User role in the future.
Users cannot:
- Manually isolate or de-isolate endpoints.
- Add or remove exclusions.
- Manage Incident Reports.
- Manage Escalations.
- Change global preferences such as SAML SSO or host isolation settings.
- Perform Managed Defender actions, including:
  - Any bulk Managed Defender actions such as quick/full scan, update, or change audit/enforce mode.
  - Change Managed Defender configuration at account, organization, or single-machine scope.
  - Force a Managed Defender scan on a single target.
- Access Managed Security Awareness Training via the SAT icon in the dashboard.
- Access the Request SOC Support button.
Finance
Summary: Billing-only role for finance teams.
- Limited to Billing and Invoices areas only:
  - View past invoices.
  - View breakdown of agents per organization in an invoice.
  - View payment receipts.
  - Update payment information.
  - Update billing information.
Marketing
Marketing users can only access the Huntress Hub.
Read-Only
Read-only users can see everything an Account-level User can, but cannot modify, delete, or add anything across the Huntress dashboard.
Organization-level roles
No organization-level role has access to the Install Agent portion of the Huntress portal, so organization-level users cannot access the Huntress installer or Account Key. Agent installs must be managed by account-level users.
Account-level Admins and Security Engineers are ultimately responsible for responding to Escalations across the account.
✓ = allowed, — = not allowed

| Permission | Admin | Security Engineer | User | Read-only |
|---|---|---|---|---|
| View and download reports | ✓ | ✓ | ✓ | ✓ |
| View investigations (within their organization) | ✓ | ✓ | ✓ | ✓ |
| View binaries, autoruns, collected files, canaries, and External Recon | ✓ | ✓ | ✓ | ✓ |
| Uninstall individual agents | ✓ | ✓ | ✓ | — |
| Reject Assisted Remediation | ✓ | ✓ | ✓ | — |
| Approve Assisted Remediation | ✓ | ✓ | — | — |
| Resolve Incident Reports (bulk and single) | ✓ | ✓ | — | — |
| Add organization-level users | ✓ | ✓ | — | — |
| Add / remove Managed Defender exclusions | ✓ | ✓ | — | — |
| Change Managed Defender configuration (org scope) | ✓ | ✓ | — | — |
| Perform bulk Managed Defender actions | ✓ | ✓ | — | — |
| Escalations / ITDR (Unwanted Access) | Can view all escalations for this organization, but can only respond to Unwanted Access (Country & VPN) escalations. | Cannot view or respond to escalations. | Cannot view or respond to escalations. | Cannot view or respond to escalations. |

Organization-level Admin / Security Engineer
Summary: Org-scoped admin/security role.
Organization-level Admins / Security Engineers can:
- Perform all tasks that Organization Users can complete
- Approve Assisted Remediation.
- Bulk and single resolve Incident Reports.
- Add other organization-level users.
- Add/remove Managed Defender exclusions.
- Change Managed Defender configuration.
- Perform bulk Managed Defender actions.
- Push the Huntress System Extension to compatible macOS devices.
- Security Engineer: can uninstall the Huntress agent.
- Admins: can create and modify ITDR Unwanted Access rules.
- Escalation activity:
  - Admins: can view all escalations, but can only respond to Unwanted Access (Country & VPN) escalations.
  - Security Engineer: cannot view or respond to escalations.
Organization-level Security Engineers currently have similar permissions to Organization-level Admins. We’re evaluating whether the Organization-level Security Engineer role is necessary and, if so, what should be limited compared to Organization-level Admins. We’re always receptive to feedback on feedback.huntress.com.
Organization-level User
Summary: Org-scoped user who can see most things in their Huntress organization and take a limited set of actions.
Users can:
- View and download reports.
- View investigations within their organization(s).
- Uninstall individual agents.
- View binaries, autoruns, collected files, canaries, and External Recon.
- Reject Assisted Remediation.
Users cannot:
- View or access any other organization.
- View Escalations.
- Download the Huntress installer or view the account key.
- Modify or add users.
- Modify or add integrations.
- Bulk remove agents across organizations.
- View or change billing information (including invoices).
- Receive alert emails about new Incident Reports.
- Change global preferences.
- Change Managed Defender configuration at account, org, or single-machine scope.
- Perform any bulk Managed Defender actions such as quick/full scan, update, or change audit/enforce mode.
- Add or remove exclusions.
- Manually isolate endpoints.
- Manually de-isolate endpoints.
- Approve Assisted Remediation.
- Access Managed Security Awareness Training via the SAT icon in the dashboard.
- Access the Request SOC Support button.
Organization-level Read-Only
Read-only org-level users can see everything an Organization-level User can within their organization, but cannot modify, delete, or add anything.