Administering users and roles

This article applies to BHCE and BHE


This article provides a summary of assignable roles that are available when creating new users in BloodHound.

Creating users

Users are created through Settings ⚙️Administration → Manage Users, and clicking the button CREATE USER.

The following properties must be set on each user:

Property Description
Email Address Text field for the user's email address.
Principal Name Text field for the username used for logging into BloodHound. Can be the same as email address.
First Name Text field for the user's first name.
Last Name Text field for the user's first name.
Authentication Method

Drop-down selection for one of the available authentication methods to be used for the user.

  • Username / Password - Built-in authentication via username and password, supports TOTP-based multi-factor authentication.
  • SAML - SAML 2.0-based Single-Sign-On as described in SAML in BloodHound Enterprise.

Read more in the article SAML in BloodHound Enterprise.

Initial Password Text field for the user's initial password.
Force Password Reset?

Selecting this check box forces the user to reset their password on the next logon. Must comply with password requirements:

  • At least 12 characters long
  • Contain at least 1 lowercase character, 1 uppercase character, 1 number and 1 special character (!@#$%^&*)


Drop-down selection for one the available roles.

For role access control definitions, see User Role Definitions.


User Role Definitions

BloodHound offers multiple roles for access control. Each user must be assigned one role.

  Administrator Power User User Read-only Upload-only
Tenant Administration
View, Add, Remove, and Modify users X - - - -
View, Add, Remove, and Modify API keys X - - - -
View, Add, or Remove SAML provider configurations X - - - -
Clear the BloodHound database X - - - -
Attack Path Analysis
View any available customer data, including active Attack Paths, and explore the Graph X X X X -
Mute Attack Path Impacted Principals X X - - -
Collector Clients and File Ingest

Download collector installation packages


View collector client details

X X X - -
Run collector client on demand scan X X - - -
Add collector client X X - - -
Modify collector client X X - - -
Remove collector client X X - - -
Regenerate collector client credentials X X - - -

File ingest

X X - - X