---
title: "ThreatConnect System Roles and Permissions KB Article | ThreatConnect"
slug: "threatconnect-system-roles-and-permissions"
description: "Your System role determines your System-level permissions on your ThreatConnect instance. This article defines all ThreatConnect System roles, including the access and permissions each role has on each tab of the Settings menu screens."
tags: ["Account Roles and Permissions", "Getting Started"]
updated: 2024-09-20T19:59:01Z
published: 2024-09-20T19:59:01Z
---

# ThreatConnect System Roles and Permissions

## Overview

A user’s System role in ThreatConnect® determines the System-level permissions that they have on their ThreatConnect instance. These permissions cover access and functionalities on each of the following screens:

- **System Settings**
- **Account Settings**
- **TC Exchange™ Settings**
- **Organization Settings**
- **Organization Config**

This article defines the System roles provided in ThreatConnect, including the access and permissions each role has on each tab of the listed screens. See [*ThreatConnect Owner Roles and Permissions*](https://knowledge.threatconnect.com/docs/threatconnect-owner-roles-and-permissions) for information on Organization roles and Community roles.

**Note:** In addition to the System roles described in the [“System Roles”](/docs/threatconnect-system-roles-and-permissions#system-roles) section, there are three other System roles for specialized user types: **Api User** and **[Exchange Admin](https://threatconnect.readme.io/reference/tc-exchange-administration)** for [API Users](https://knowledge.threatconnect.com/docs/creating-user-accounts#creating-an-api-user), and **Taxii User** for [TAXII](https://knowledge.threatconnect.com/docs/using-the-threatconnect-taxii-server)™ [Users](https://knowledge.threatconnect.com/docs/creating-a-taxii-user-for-the-taxii-21-server). These roles are not covered in this article.

## System Roles

Table 1 defines each System role in ThreatConnect.

| System Role | Definitions |
| --- | --- |
| Administrator | The System role of **Administrator** is also known as the **System Administrator**, or **Sys Admin**. This role has the highest level of permissions, including full access to all System and Organization settings and configuration within the ThreatConnect instance. The Administrator role is typically used for administration purposes, but can perform all other functions, such as creating Indicators and Groups, viewing and adding dashboards, adding and modifying Workflow Cases, and adding and running Playbooks, within their home Organization (i.e., the Organization to which their account belongs). |
| Operations Administrator | An **Operations Administrator** is a limited System Administrator account with read-only access at the System level and full administrative permissions at the Organization level. Operations Administrators can make administrative and configuration changes to Organizations, such as creating, deleting, and updating user accounts, and can add, modify, and remove Communities and Sources. Only Administrators and Operations Administrators can create accounts with System-level permissions (that is, accounts with a System role other than User or Read Only User). However, Operations Administrators may not create Administrator accounts. |
| Accounts Administrator | An **Accounts Administrator** is a limited administrative account that has read-only access at the System and Organization levels; can create and modify, but not delete, Organizations; and can add Organizations to Communities and Sources. |
| Community Leader | A **Community Leader** is a limited administrative account that has read-only access at the System and Organization levels. The main use case for a Community Leader is for read-only viewing of all Organizations in the System (i.e., on the ThreatConnect instance) in order to make informed requests to System Administrators (e.g., request changes to the System configuration or request creation of new Communities and Sources). For example, an MSSP with multiple clients in a single instance could use a Community Leader to have read-only visibility into all System administration pages for each client. |
| Super User | A **Super User** is an account that enables users on multitenant instances to easily view and manage all of their customers’ data from a single user account. Super Users do not have any access or permissions at the System level, but do have full data-level, administrative, and configuration permission at the Organization level for all Organizations on the ThreatConnect instance. Super Users may view, create, edit, and delete data (dashboards, posts, threat intelligence, Workflow, and Playbooks) in all Organizations on the ThreatConnect instance. They also can administrate and configure all Organizations, including creating, deleting, and updating user accounts and adding, modifying, and deleting Organization-level variables, metrics, Attribute types, Indicator exclusion lists, and Security Labels. |
| User | A **User** is an account that does not have any access or permissions at the System level. User accounts are typically given to analysts, Playbook developers, App developers, and others who need to assess threats, make intelligence-based recommendations, or conduct security operations for their company. The Organization-level access and permissions for a User account, as well as the User's access to threat intelligence, the ThreatConnect Workflow functionality, and Playbooks, are determined by the User's [Organization role](https://knowledge.threatconnect.com/docs/organization-roles). Users have access only to the Organization to which they belong in the System. |
| Read Only User | A **Read Only User** is a user account that can only view existing data in the Organization(s) to which it belongs. Read Only Users do not have any access or permissions at the System level. Customers may create an unlimited number of Read Only User accounts in an Organization for free. All Read Only Users have an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Read Only User or Read Only Commenter. **Important:** Read Only User accounts that do not count against an Organization’s user license limit must have a System role of Read Only User. Creating Read Only Users requires a license that allows Read Only Users. |

## System Role Permissions

### Administrator

The following permissions assume that the Administrator has an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Organization Administrator, which is the Organization role that should be assigned to Administrators.

- **System Settings**: Full
- **Account Settings**: Full
- **TC Exchange Settings**: Full
- **Organization Settings**
  - **Home Organization**: Full
  - **Other Organizations**: Full
- **Organization Config**
  - **Home Organization**: Full
  - **Other Organizations**: Full

### Operations Administrator

The following permissions assume that the Operations Administrator has an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Organization Administrator, which is the Organization role that should be assigned to Operations Administrators.

- **System Settings**: Read Only
- **Account Settings**: Full
- **TC Exchange Settings**: None
- **Organization Settings**
  - **Home Organization**: Full
  - **Other Organizations**: No permissions on the **Apps** tab; Full permissions on all other tabs
- **Organization Config**
  - **Home Organization**: Full
  - **Other Organizations**: Full

### Accounts Administrator

The following permissions assume that the Accounts Administrator has an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Standard User, which is the Organization role that should be assigned to Accounts Administrators.

- **System Settings**: Read Only
- **Account Settings**: Read, edit, and modify permissions on the **Organizations** tab; permissions to add Organizations to Communities on the **Communities/Sources** tab; Read Only permissions for all other tabs.
- **TC Exchange Settings**: None
- **Organization Settings**
  - **Home Organization**: Read Only permissions on all tabs except the **Apps** tab, in which an Accounts Administrator can run Jobs. In On-Premises or Dedicated Cloud instances, Accounts Administrators can create and edit user accounts with a System role of User or Read Only User, as well as API and TAXII Users, on the **Membership** tab.
  - **Other Organizations**: None
- **Organization Config**
  - **Home Organization**: Read Only
  - **Other Organizations**: None

### Community Leader

The following permissions assume that the Community Leader has an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Standard User, which is the Organization role that should be assigned to Community Leaders.

- **System Settings**: Read Only
- **Account Settings**: Read Only
- **TC Exchange Settings**: None
- **Organization Settings**
  - **Home Organization**: Read Only permissions on all tabs except for the **Apps** tab, in which a Community Leader can run Jobs.
  - **Other Organizations**: None
- **Organization Config**
  - **Home Organization**: Read Only
  - **Other Organizations**: None

### Super User

The following permissions reflect that the Super User has an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Organization Administrator, as this is the only Organization role that can be assigned to Super Users.

- **System Settings**: None
- **Account Settings**: None
- **TC Exchange Settings**: None
- **Organization Settings**
  - **Home Organization**: Full
  - **Other Organizations**: Full
- **Organization Config**
  - **Home Organization**: Full
  - **Other Organizations**: Full

### User

The following permissions assume that the User has an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Standard User; however, Users can be assigned any Organization role. Having an Organization role of Organization Administrator will provide a User with Full permissions on all tabs of the **Organization Settings** and **Organization Config** screens for their home Organization.

- **System Settings**: None
- **Account Settings**: None
- **TC Exchange Settings**: None
- **Organization Settings**
  - **Home Organization**: Read Only permissions on all tabs except for the **Apps** tab, in which a User can run Jobs. On the **Membership** tab, the User will see only their account listed in the table. Information about other users in the Organization will not be visible. If the User has an Organization role of Organization Administrator, then they will have Full permissions across the **Organization Settings** screen.
  - **Other Organizations**: None
- **Organization Config**
  - **Home Organization**: Read Only
  - **Other Organizations**: None

### Read Only User

The following permissions assume that the Read Only User has an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Read Only User or Read Only Commenter, which are the only Organization roles that may be assigned to Read Only Users.

- **System Settings**: None
- **Account Settings**: None
- **TC Exchange Settings**: None
- **Organization Settings**
  - **Home Organization**: Read Only
  - **Other Organizations**: None
- **Organization Config**
  - **Home Organization**: Read Only
  - **Other Organizations**: None
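
The pairings above can be checked mechanically during an access review. The following is an added example, not ThreatConnect code: it audits an account list against the System role and Organization role pairings stated in this article and flags accounts whose System role reaches into other Organizations. The record fields (`user`, `system_role`, `org_role`) and the sample accounts are constructed for illustration and do not represent a ThreatConnect export format.

```python
# Organization-role pairing per System role, taken from this article.
# strict=True: the article says these are the ONLY assignable Organization roles.
PAIRING = {
    "Administrator":            ({"Organization Administrator"}, False),
    "Operations Administrator": ({"Organization Administrator"}, False),
    "Accounts Administrator":   ({"Standard User"}, False),
    "Community Leader":         ({"Standard User"}, False),
    "Super User":               ({"Organization Administrator"}, True),
    "Read Only User":           ({"Read Only User", "Read Only Commenter"}, True),
    "User":                     (None, False),  # any Organization role is allowed
}
# System roles with Full permissions on OTHER Organizations
# (Operations Administrator: every Organization Settings tab except Apps).
CROSS_ORG = {"Administrator", "Operations Administrator", "Super User"}


def audit(accounts):
    """Return (user, finding, detail) tuples for accounts worth reviewing."""
    findings = []
    for acct in accounts:
        user, sys_role, org_role = acct["user"], acct["system_role"], acct["org_role"]
        if sys_role not in PAIRING:
            # e.g. Api User / Taxii User, which the article does not cover
            findings.append((user, "not-covered", sys_role))
            continue
        allowed, strict = PAIRING[sys_role]
        if allowed is not None and org_role not in allowed:
            kind = "invalid-pairing" if strict else "unrecommended-pairing"
            findings.append((user, kind, f"{sys_role} + {org_role}"))
        if sys_role == "User" and org_role == "Organization Administrator":
            findings.append((user, "org-admin-user", "Full on home Organization settings"))
        if sys_role in CROSS_ORG:
            findings.append((user, "cross-org-reach", sys_role))
    return findings


# Constructed sample accounts; field names are hypothetical, not a ThreatConnect format.
SAMPLE = [
    {"user": "alice", "system_role": "Administrator", "org_role": "Organization Administrator"},
    {"user": "bob", "system_role": "Read Only User", "org_role": "Standard User"},
    {"user": "carol", "system_role": "Community Leader", "org_role": "Organization Administrator"},
    {"user": "dave", "system_role": "User", "org_role": "Organization Administrator"},
    {"user": "erin", "system_role": "User", "org_role": "Standard User"},
    {"user": "svc-taxii", "system_role": "Taxii User", "org_role": "Standard User"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

An `invalid-pairing` finding marks a combination the article says cannot be assigned, while `unrecommended-pairing` marks a departure from the Organization role the article says should be used.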

---

*ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.* *TAXII™ is a trademark of The MITRE Corporation.*

20098-01 v.03.B

## Related

- [Managing User Accounts](/managing-user-accounts.md)
- [ThreatConnect Owner Roles and Permissions](/threatconnect-owner-roles-and-permissions.md)
- [ThreatConnect Super User Guide](/threatconnect-super-user-guide.md)
