---
title: "Managing User Accounts"
slug: "managing-user-accounts"
description: "This article describes how to create, edit, and delete API, TAXII, standard, and Read Only user accounts in ThreatConnect."
tags: ["Administrator"]
updated: 2025-01-23T19:40:14Z
published: 2025-01-23T19:40:14Z
canonical: "knowledge.threatconnect.com/managing-user-accounts"
---

# Managing User Accounts

## Overview

The following user account types can be created in ThreatConnect®: Application Programming Interface (API) users, TAXII™ users, ThreatConnect users with a variety of [System](https://knowledge.threatconnect.com/docs/threatconnect-system-roles-and-permissions) and [Organization roles](https://knowledge.threatconnect.com/docs/organization-roles), and Read Only Users (including Read Only Commenters). This article demonstrates how to view the membership of an [Organization](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect), how to create each kind of user account, and how to edit and delete user accounts.

## Before You Start

### User Roles

- To create user accounts, your user account must have an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Organization Administrator or a [System role](https://knowledge.threatconnect.com/docs/threatconnect-system-roles-and-permissions) of Administrator, Operations Administrator, or, if on an On-Premises or Dedicated Cloud instance, Accounts Administrator.
- To view information on user accounts other than your own on the **Membership** tab of the **Organization Settings** screen, your user account must have an Organization role of Organization Administrator or a System role of Administrator, Operations Administrator, or, if on an On-Premises or Dedicated Cloud instance, Accounts Administrator.
- To edit user accounts, your user account must have an Organization role of Organization Administrator or a System role of Administrator, Operations Administrator, or, if on an On-Premises or Dedicated Cloud instance, Accounts Administrator. **Note:** You cannot edit a user account whose System role has a higher permission level than your user account’s System role. That is, a user account with a System role of Operations Administrator cannot edit a user account with a System role of Administrator; a user account with a System role of Accounts Administrator cannot edit a user account with a System role of Administrator or Operations Administrator; and a user account with a System role of User cannot edit a user account with a System role of Administrator, Operations Administrator, or Accounts Administrator.
- To delete user accounts, your user account must have an Organization role of Organization Administrator or a System role of Administrator, Operations Administrator, or, if on an On-Premises or Dedicated Cloud instance, Accounts Administrator. **Note:** You cannot delete a user account whose System role has a higher permission level than your user account’s System role. That is, a user account with a System role of Operations Administrator cannot delete a user account with a System role of Administrator; a user account with a System role of Accounts Administrator cannot delete a user account with a System role of Administrator or Operations Administrator; and a user account with a System role of User cannot delete a user account with a System role of Administrator, Operations Administrator, or Accounts Administrator.

## Viewing Membership for an Organization

Hover over **Settings** ![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png) on the top navigation bar and select **Org Settings** to display the **Membership** tab of the **Organization Settings** screen (Figure 1). The **Membership** tab includes a table listing all users in the Organization. Above the table, you can see how many more users of each type can be added to the Organization.

**Note:** Only users with a [System role](https://knowledge.threatconnect.com/docs/threatconnect-system-roles-and-permissions) of Administrator or Operations Administrator can change the maximum number of users of each type for an Organization. To change user limits for an Organization, edit the Organization on the **Organizations** tab of the **Account Settings** screen. See the “Configure an Organization Account” section of *ThreatConnect Account Administration Guide* for more information.

**Note:** The ability to create API users is determined by the terms of your ThreatConnect license. For more information, contact your Customer Success Manager.

![Figure 1_Managing User Accounts_7.7.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_Managing%20User%20Accounts_7.7.0.png)

**Note:** The **System Role** column will be displayed only if your user account has a System role of Administrator or Operations Administrator.

## Creating User Accounts

You can create four types of user accounts in ThreatConnect: [API user](/v1/docs/managing-user-accounts#creating-an-api-user), [TAXII user](/v1/docs/managing-user-accounts#creating-a-taxii-user), [user](/v1/docs/managing-user-accounts#creating-a-user), and [Read Only User](/v1/docs/managing-user-accounts#creating-a-readonly-user).

### Creating an API User

Follow these steps to create an API user account in ThreatConnect:

1. Hover over **Settings** ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png) on the top navigation bar and select **Org Settings**.
2. On the **Membership** tab of the **Organization Settings** screen (Figure 1), click **Create API User**.
3. Fill out the fields on the **API User Administration** window (Figure 2) as follows:

![Figure 2_Managing User Accounts_7.7.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_Managing%20User%20Accounts_7.7.0.png)
  - **First Name**: Enter the API user’s first name.
  - **Last Name**: Enter the API user’s last name. **Note:** The API user’s first and last name will be displayed in areas of the Organization that log user activity or identify users who added or changed a threat intelligence object or Workflow Case.
  - **System Role**: Select the API user’s [System role](https://knowledge.threatconnect.com/docs/threatconnect-system-roles-and-permissions). Available System roles for API users include the following:
    - **Api User**: API users with this role can use all ThreatConnect v2 and v3 API endpoints, with the exception of the v3 API [TC Exchange™ administration endpoints](https://threatconnect.readme.io/reference/tc-exchange-administration).
    - **Exchange Admin**: API users with this role can use all ThreatConnect v2 and v3 API endpoints, including the v3 API [TC Exchange administration endpoints](https://threatconnect.readme.io/reference/tc-exchange-administration). **Note:** The **System Role** dropdown is available only when the user creating the account has a System role of Operations Administrator or Administrator. If the dropdown is not available, a System role of Api User will be assigned to the API user automatically.
  - **Organization Role:** Select the API user’s [Organization role](https://knowledge.threatconnect.com/docs/organization-roles).
  - **Token Expiration (days)**: (Optional) Enter the number of days until the API user’s token will expire. **Note:** If the API user will be using an [API token to authenticate API requests to ThreatConnect](https://threatconnect.readme.io/reference/getting-started-1#api-token), you must click **SAVE USER AND GENERATE TOKEN** to create the API user’s account and token.
  - **Disabled**: (Optional) Leave this checkbox cleared. When editing an existing API user, you can select this checkbox to disable the API user’s account, which is typically done when the API user no longer requires ThreatConnect access and the Administrator wishes to retain log integrity.
  - **Include in Observations and False Positives:** (Optional) Select the checkbox to allow data provided by the API user to be included in observation and [false-positive](https://knowledge.threatconnect.com/docs/false-positives) counts.
  - **Allow User to Exceed API Link Limit**: (Optional) Select the checkbox to override the system-level limit on the number of association levels that can be retrieved at one time for intelligence items using the ThreatConnect v3 API.
  - **Custom TQL Timeout**: (Optional) Select the checkbox to override the system-level [ThreatConnect Query Language (TQL)](https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql) query timeout for the API user, and then enter the maximum amount of time, in milliseconds, that TQL queries made by the API user will be allowed to run before timing out. **Note:** The **Custom TQL Timeout** checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator.
4. Use one of the following methods to save and create the API user account:
  - If the API user will be using their [**Access ID** and **Secret Key** to authenticate API requests to ThreatConnect](https://threatconnect.readme.io/reference/getting-started-1#access-id-and-secret-key), record the **Secret Key**, as it will not be accessible after the **API User Administration** window is closed. Then click **SAVE** at the lower-right corner of the window.
  - If the API user will be using their [API token to authenticate API requests to ThreatConnect](https://threatconnect.readme.io/reference/getting-started-1#api-token), click **SAVE USER AND GENERATE TOKEN** to the right of the **Token Expiration (days)** field on the **API User Administration** window.

### Creating a TAXII User

- See [*Using the ThreatConnect TAXII Server*](https://knowledge.threatconnect.com/docs/using-the-threatconnect-taxii-server) for instructions on creating a TAXII user for the **TAXII 1.*x* server**.
- See [*Creating a TAXII User for the TAXII 2.1 Server*](/docs/creating-a-taxii-user-for-the-taxii-21-server) for instructions on creating a TAXII user for the **TAXII 2.1 server**.

### Creating a User

Follow these steps to create a user account in ThreatConnect:

1. Hover over **Settings** ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png) on the top navigation bar and select **Org Settings**.
2. On the **Membership** tab of the **Organization Settings** screen (Figure 1), click **Create User**.
3. Fill out the fields on the **User Administration** window (Figure 3) as follows:

![Figure 3_Managing User Accounts_7.7.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_Managing%20User%20Accounts_7.7.0.png)
  - **E-Mail**: Enter an email address. This address will be the name of the user account.
  - **Password**: Enter the initial user password, which is subject to the ThreatConnect password policy defined within the system settings. The user will be prompted to change this password when they log into ThreatConnect for the first time.
  - **First Name**: Enter the user’s first name.
  - **Last Name**: Enter the user’s last name. **Note:** The user’s first and last name will be displayed in areas of the Organization that log user activity or identify users who added, changed, or commented on a threat intelligence object or Workflow Case. In Communities that have profile anonymity turned off, the user’s first and last name will be displayed on posts they [created on the **Posts** screen](https://knowledge.threatconnect.com/docs/posts#creating-posts) and to Community Directors when viewing users in member Organizations.
  - **System Role**: Select the user’s [System role](https://knowledge.threatconnect.com/docs/threatconnect-system-roles-and-permissions). **Note:** The **System Role** dropdown will be available only when the user creating the account has a System role of Administrator or Operations Administrator. If the dropdown is not available, a System role of User will be assigned to the user account automatically.
  - **Organization Role**: Select the user’s [Organization role](https://knowledge.threatconnect.com/docs/organization-roles). **Note:** If you selected a System role of Super User, only an Organization role of Organization Administrator will be available in the **Organization Role** dropdown.
  - **Groups**: (Optional) Select one or more user groups to which to add the user. User groups allow multiple users to be assigned to [Workflow Cases](https://knowledge.threatconnect.com/docs/workflow-cases) and [Tasks](https://knowledge.threatconnect.com/docs/workflow-tasks) together.
  - **Locked**: (Optional) Leave this checkbox cleared. When editing an existing user account that has been locked by ThreatConnect, you can clear this checkbox to unlock the account.
  - **Disabled**: (Optional) Leave this checkbox cleared. When editing an existing user, you can select this checkbox to disable the user account, which is typically done when a user no longer requires ThreatConnect access and the Administrator wishes to retain log integrity.
  - **Password Reset Required**: (Optional) Select this checkbox to require the user to change their account password the next time they log into ThreatConnect. This checkbox is selected by default upon account creation, and it is cleared once the password has been changed.
  - **Multi-Factor Authentication Reset Required**: (Optional) Select this checkbox to require the user to configure multi-factor authentication (MFA) for their account or to reset MFA for a user who already has it configured (for example, if the user has lost their MFA token). An icon such as the Google Authenticator™ ![Google Authenticator icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Google%20Authenticator%20icon.png) logo will be displayed in the **Status** column for users who have MFA enabled. **Note:** MFA can be disabled for a user on the **Authenticator** tab of the **User Profile** screen for the user. To navigate to this screen, click on the user’s account name in the **Account** column of the **Membership** tab of the **Organization Settings** screen (Figure 1). **Important:** If a System Administrator has enforced MFA systemwide via the **twoFactorAuthenticationRequired** system setting, then MFA may not be disabled for individual users.
  - **Terms of Service Acceptance Required**: (Optional) Select this checkbox to reset the “terms of service” flag so the user is presented with the terms of service again. It is selected by default when creating a new user. **Note:** The **Terms of Service Acceptance Required** checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator and the **termsOfServiceRequireNewUserToAccept** system setting is turned on.
  - **Send Account Info E-mail**: (Optional) Select this checkbox to send an email with the account information to the email address entered in the **E-Mail** field. It is selected by default when creating a new user.
  - **Custom TQL Timeout**: (Optional) Select this checkbox to override the system-level [ThreatConnect Query Language (TQL)](https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql) query timeout specified in the **tqlQueryTimeout** system setting for the user, and then enter the maximum amount of time, in milliseconds, that TQL queries made by the user will be allowed to run before timing out. **Note:** The **Custom TQL Timeout** checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator.
  - **Time Zone**: (Optional) Select the time zone for the user.
  - **Log Out After**: (Optional) Select the amount of time of inactivity after which the user will be logged out.
  - **Summary E-mail Time**: (Optional) Select the time at which the user will receive daily summary emails of [followed items or other notifications](https://knowledge.threatconnect.com/docs/notifications-and-following) from ThreatConnect.
4. Click **SAVE** on the **User Administration** window.

### Creating a Read-Only User

Follow these steps to create a Read Only User account in ThreatConnect:

**Note:** Read Only User accounts do not count against an Organization’s user license limits as long as the accounts have a System role of Read Only User. Creating Read Only User accounts requires a license that allows Read Only Users.

1. Hover over **Settings** ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png) on the top navigation bar and select **Org Settings**.
2. On the **Membership** tab of the **Organization Settings** screen (Figure 1), click **Create Read Only User**.
3. Fill out the fields on the **User Administration** window (Figure 4) as follows:

![Figure 4_Managing User Accounts_7.7.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_Managing%20User%20Accounts_7.7.0.png)
  - **E-Mail**: Enter an email address. This address will be the name of the user account.
  - **Password**: Enter the initial user password, which is subject to the ThreatConnect password policy defined within the system settings. The user will be prompted to change this password when they log into ThreatConnect for the first time.
  - **First Name**: Enter the user’s first name.
  - **Last Name**: Enter the user’s last name. **Note:** For Read Only Commenters, the user’s first and last name will be displayed in areas of the Organization that log user activity or identify users who commented on a threat intelligence object or Workflow Case. In Communities that have profile anonymity turned off, the user’s first and last name will be displayed on posts they [created on the **Posts** screen](https://knowledge.threatconnect.com/docs/posts#creating-posts) and to Community Directors when viewing users in member Organizations.
  - **System Role**: Retain the default selection of **Read Only User**. Changing the selection will result in the creation of a different kind of user. **Note:** The **System Role** dropdown will be available only when the user creating the account has a System role of Operations Administrator or Administrator. If the dropdown is not available, a System role of Read Only User will be assigned to the user account automatically.
  - **Organization Role**: Select an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of **Read Only User** or **Read Only Commenter**.
  - **Groups**: (Optional) Select user groups to which to add the user. User groups allow multiple users to be assigned to [Workflow Cases](https://knowledge.threatconnect.com/docs/workflow-cases) and [Tasks](https://knowledge.threatconnect.com/docs/workflow-tasks) together.
  - **Locked**: (Optional) Leave this checkbox cleared. When editing an existing user account that has been locked by ThreatConnect, clear this checkbox to unlock the account.
  - **Disabled**: (Optional) Leave this checkbox cleared. When editing an existing user, you can select this checkbox to disable the user account, which is typically done when a user no longer requires ThreatConnect access and the Administrator wishes to retain log integrity.
  - **Password Reset Required**: (Optional) Select this checkbox to require the user to change the account password upon next login. This checkbox is selected by default upon account creation, and it is cleared once the password has been changed.
  - **Multi-Factor Authentication Reset Required**: (Optional) Select this checkbox to require the user to configure MFA for their account or to reset MFA for a user who already has it configured (for example, if the user has lost their MFA token). An icon such as the Google Authenticator ![Google Authenticator icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Google%20Authenticator%20icon.png) logo will be displayed in the **Status** column for users who have MFA enabled. **Note:** MFA can be disabled for a user on the **Authenticator** tab of the **User Profile** screen for the user. To navigate to this screen, click on the user’s account name in the **Account** column of the **Membership** tab of the **Organization Settings** screen (Figure 1). **Important:** If a System Administrator has enforced MFA systemwide via the **twoFactorAuthenticationRequired** system setting, then MFA may not be disabled for individual users.
  - **Terms of Service Acceptance Required**: (Optional) Select this checkbox to reset the “terms of service” flag so the user is presented with the terms of service again. It is selected by default when creating a new user. **Note:** The **Terms of Service Acceptance Required** checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator and the **termsOfServiceRequireNewUserToAccept** system setting is turned on.
  - **Send Account Info E-mail**: (Optional) Select this checkbox to send an email with the account information to the email address entered in the **E-Mail** field. It is selected by default when creating a new user.
  - **Custom TQL Timeout**: (Optional) Select this checkbox to override the system-level [ThreatConnect Query Language (TQL)](https://knowledge.threatconnect.com/docs/threatconnect-query-language-tql) query timeout specified in the **tqlQueryTimeout** system setting for the user, and then enter the maximum amount of time, in milliseconds, that TQL queries made by the user will be allowed to run before timing out. **Note:** The **Custom TQL Timeout** checkbox will be available only when the user creating the account has a System role of Operations Administrator or Administrator.
  - **Time Zone**: (Optional) Select the time zone for the user.
  - **Log Out After**: (Optional) Select the amount of time of inactivity after which the user will be logged out.
  - **Summary E-mail Time**: (Optional) Select the time at which the user will receive daily summary emails of [followed items or other notifications](https://knowledge.threatconnect.com/docs/notifications-and-following) from ThreatConnect.
4. Click **SAVE** on the **User Administration** window.

## Editing User Accounts

Follow these steps to edit a user account in ThreatConnect:

1. Hover over **Settings** ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png) on the top navigation bar and select **Org Settings**.
2. On the **Membership** tab of the **Organization Settings** screen (Figure 1), click **Edit** ![Pencil icon_Black](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Pencil%20icon_Black.png) to the right of an entry in the table.
3. Make the desired changes in the **User Administration** window for the user account type. **Important:** When you change a user’s [System role](https://knowledge.threatconnect.com/docs/threatconnect-system-roles-and-permissions), their [Community role](https://knowledge.threatconnect.com/docs/community-roles) in each Community and Source they belong to will be reset to the default Community role configured for their Organization in that owner. For example, consider a user with a System role of User and a Community role of Director in Community ABC. If Community ABC has a default role of Contributor for the user’s Organization, then the user's Community role in Community ABC will change from Director to Contributor if the user’s System role is changed (for example, from User to Operations Administrator). There is one notable exception: Users with a System role of Read Only User have only three Community roles available to them in any Community or Source: Commenter, User, and Banned. Therefore, users whose System role is changed to Read Only User will get the “highest” Community role available to them (Commenter) in a Community or Source if the default Community role configured for their Organization in that owner is anything other than Commenter, User, or Banned. **Important:** The **Send Account Info Email** checkbox in the **User Administration** window will not be displayed when editing a user account. It is displayed only when creating a new user.
4. Click **SAVE** on the **User Administration** window for the user account type.
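
The Community role reset described in step 3 can be previewed before a System role is changed. The following Python sketch is an added example, not ThreatConnect code and not a ThreatConnect API call: the role names come from this article, while the function names and the membership records (constructed sample data) are hypothetical.

```python
"""Preview Community role resets caused by a System role change.

Added illustration, not ThreatConnect code. Role names are taken from the
article; the record layout and function names are hypothetical.
"""

# Community roles the article lists as available to a Read Only User.
READ_ONLY_COMMUNITY_ROLES = ("Commenter", "User", "Banned")


def community_role_after_change(new_system_role, org_default_role):
    """Return the Community role a user ends up with in one owner.

    Rule from the article: the role is reset to the default configured for
    the user's Organization in that owner. Exception: a Read Only User can
    hold only Commenter, User, or Banned, so any other default becomes
    Commenter.
    """
    if (new_system_role == "Read Only User"
            and org_default_role not in READ_ONLY_COMMUNITY_ROLES):
        return "Commenter"
    return org_default_role


def preview_system_role_change(old_system_role, new_system_role, memberships):
    """List (owner, role_before, role_after) for every membership that changes.

    Assumption: saving an edit that leaves the System role unchanged does
    not trigger a reset, since the article ties the reset to a change.
    """
    if old_system_role == new_system_role:
        return []
    changes = []
    for m in memberships:
        after = community_role_after_change(new_system_role,
                                            m["org_default_role"])
        if after != m["current_role"]:
            changes.append((m["owner"], m["current_role"], after))
    return changes


# Constructed sample data: one user's roles in three Communities/Sources.
SAMPLE_MEMBERSHIPS = [
    {"owner": "Community ABC", "current_role": "Director",
     "org_default_role": "Contributor"},
    {"owner": "Source XYZ", "current_role": "User",
     "org_default_role": "User"},
    {"owner": "Community DEF", "current_role": "Commenter",
     "org_default_role": "Banned"},
]

if __name__ == "__main__":
    for target in ("Operations Administrator", "Read Only User"):
        print(f"User -> {target}")
        for owner, before, after in preview_system_role_change(
                "User", target, SAMPLE_MEMBERSHIPS):
            print(f"  {owner}: {before} -> {after}")
```

Any Community role that was raised above the Organization default by hand (Director in Community ABC here) has to be reassigned after the System role change.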

## Deleting User Accounts

Follow these steps to delete a user account in ThreatConnect:

1. Hover over **Settings** ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png) on the top navigation bar and select **Org Settings**.
2. On the **Membership** tab of the **Organization Settings** screen (Figure 1), click **Delete** ![Trash icon_Black](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Trash%20icon_Black.png) to the right of an entry in the table.
3. If there are active [Playbooks assigned to execute under the user’s account](https://knowledge.threatconnect.com/docs/en/settings#run-as), the **User Deletion** window will display a dropdown to assign the Playbooks to a different user account. If there are [Job Apps](https://knowledge.threatconnect.com/docs/creating-jobs-using-tc-exchange-apps) assigned to execute under the user’s account, the **User Deletion** window will display a dropdown to assign the Job Apps to an API user account. Select a user account for each available dropdown. **Note:** When a user account is deleted, inactive Playbooks (i.e., Playbooks in design [mode](https://knowledge.threatconnect.com/docs/mode)) assigned to execute under the user’s account will automatically be assigned to the first user account listed on the **Membership** tab of the **Organization Settings** screen.
4. Click **YES** on the **User Deletion** window.

*ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc. Google Authenticator™ is a trademark of Google LLC. TAXII™ is a trademark of The MITRE Corporation.*

20037-01 v.14.A

## Related

- [Creating a TAXII User for the TAXII 2.1 Server (App Version 1.0)](/creating-a-taxii-user-for-the-taxii-21-server.md)
- [Notifications and Following](/notifications-and-following.md)
- [ThreatConnect Owner Roles and Permissions](/threatconnect-owner-roles-and-permissions.md)
- [ThreatConnect System Roles and Permissions](/threatconnect-system-roles-and-permissions.md)
- [Using the ThreatConnect TAXII Server](/using-the-threatconnect-taxii-server.md)
