# Administer Users and Roles

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Purpose

This article provides a summary of assignable roles that are available when creating new users in BloodHound.

## Creating users

Users are created through **Settings <Icon icon="gear" iconType="solid" />** <Icon icon="arrow-right" iconType="solid" /> **Administration** <Icon icon="arrow-right" iconType="solid" /> **Manage Users**, by clicking the **Create User** button.

The following properties must be set on each user:

| **Property**          | **Description**                                                                                                                                                                                                                                                                                                                                                       |
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Email Address         | Text field for the user's email address.                                                                                                                                                                                                                                                                                                                              |
| Principal Name        | Text field for the username used for logging into BloodHound. Can be the same as email address.                                                                                                                                                                                                                                                                       |
| First Name            | Text field for the user's first name.                                                                                                                                                                                                                                                                                                                                 |
| Last Name             | Text field for the user's first name.                                                                                                                                                                                                                                                                                                                                 |
| Authentication Method | Drop-down selection for one of the available authentication methods to be used for the user.<br /><br />\* Username / Password - Built-in authentication via username and password, supports TOTP-based multifactor authentication.<br />\* SAML - SAML 2.0-based Single-Sign-On as described in [SAML in BloodHound Enterprise](/manage-bloodhound/auth/saml).<br /> |
| Initial Password      | Text field for the user's initial password.                                                                                                                                                                                                                                                                                                                           |
| Force Password Reset? | Selecting this check box forces the user to reset their password on the next logon. Must comply with password requirements:<br /><br />\* At least 12 characters long<br />\* Contain at least 1 lowercase character, 1 uppercase character, 1 number and 1 special character (!@#\$%^&\*)                                                                            |
| Role                  | Drop-down selection for one the available roles.                                                                                                                                                                                                                                                                                                                      |

## User Role Definitions

BloodHound offers multiple roles for access control. Each user must be assigned one role.

In BloodHound Enterprise, [Environment Targeted Access Control (ETAC)](/manage-bloodhound/auth/environment-targeted-access-control) can further limit which environments **User** and **Read-only** roles can access. ETAC does not change the baseline permissions in the role matrix below. Instead, it limits which environments those permissions apply to.

For OpenGraph extensions, BloodHound separates read and write permissions. Users without permission to upload or delete extension schemas can still view extension content that their role allows, but the **Upload** and **Delete** extension buttons remain disabled.

<Tip>
  Scroll right to view the full table of permissions for each role.
</Tip>

|                                                                                             |                       **Administrator**                       |                         **Power User**                        |                          **Auditor**                          |                            **User**                           |                         **Read-only**                         |                        **Upload-only**                        |
| ------------------------------------------------------------------------------------------- | :-----------------------------------------------------------: | :-----------------------------------------------------------: | :-----------------------------------------------------------: | :-----------------------------------------------------------: | :-----------------------------------------------------------: | :-----------------------------------------------------------: |
| **Tenant Administration**                                                                   |                                                               |                                                               |                                                               |                                                               |                                                               |                                                               |
| Add, Remove, Modify users                                                                   | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |                               -                               |                               -                               |
| View users                                                                                  | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |
| Add, Remove all API keys                                                                    | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |                               -                               |                               -                               |
| View all API keys                                                                           | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |
| Add, Remove, View owned API keys                                                            | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |
| Add, Remove SAML provider configurations                                                    | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |                               -                               |                               -                               |
| View SAML provider configurations                                                           | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |
| Clear the BloodHound database                                                               | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |                               -                               |                               -                               |
| View audit log                                                                              | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |
| Configure ETAC settings \[BHE]                                                              | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |                               -                               |                               -                               |
| Upload and delete OpenGraph extension schemas                                               | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |                               -                               |                               -                               |
| View OpenGraph extensions, findings, and edges                                              | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |
| **Attack Path Analysis**                                                                    |                                                               |                                                               |                                                               |                                                               |                                                               |                                                               |
| View any available tenant data, including active Attack Paths \[BHE], and explore the Graph | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |
| Create, Edit, Delete, Share owned Saved Cypher Queries                                      | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |
| Accept Attack Path Impacted Principals \[BHE]                                               | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |                               -                               |
| Modify Tier Zero / High-Value Members                                                       | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |                               -                               |
| Add, Edit, Remove Privilege Zones, Labels, and Selectors                                    | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |                               -                               |
| Approve and Revoke certification of Privilege Zone members                                  | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |                               -                               |
| View, Search, and Filter Privilege Zones Certification Queue                                | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |
| View, Search, and Filter Privilege Zones History Log                                        | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |
| **Collector Clients and File Ingest**                                                       |                                                               |                                                               |                                                               |                                                               |                                                               |                                                               |
| Download collector installation packages                                                    | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |
| View collector client details \[BHE]                                                        | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |
| View and Filter Finished Jobs Log and job details panel                                     | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |
| Run collector client on-demand scan \[BHE]                                                  | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |                               -                               |
| Add, modify, and remove a collector client \[BHE]                                           | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |                               -                               |
| Regenerate collector client credentials \[BHE]                                              | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               |                               -                               |
| File Ingest                                                                                 | <Icon icon="square-check" iconType="solid" color="#22c55e" /> | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |                               -                               |                               -                               |                               -                               | <Icon icon="square-check" iconType="solid" color="#22c55e" /> |
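
The matrix is not a strict hierarchy (for example, **Auditor** can view the audit log while **Power User** cannot), and each user holds exactly one role, so finding the narrowest role for a set of tasks means checking every row. The following added example, which is not part of the BloodHound documentation or product, transcribes the matrix above and ranks the roles that cover a set of needed permissions; the function names and the users in `SAMPLE` are constructed for illustration.

```python
ROLES = ["Administrator", "Power User", "Auditor", "User", "Read-only", "Upload-only"]

# Matrix transcribed from the table above; flags follow ROLES order ("1" = check, "0" = "-").
MATRIX = {
    "Add, Remove, Modify users": "100000",
    "View users": "101000",
    "Add, Remove all API keys": "100000",
    "View all API keys": "101000",
    "Add, Remove, View owned API keys": "111110",
    "Add, Remove SAML provider configurations": "100000",
    "View SAML provider configurations": "101000",
    "Clear the BloodHound database": "100000",
    "View audit log": "101000",
    "Configure ETAC settings [BHE]": "100000",
    "Upload and delete OpenGraph extension schemas": "100000",
    "View OpenGraph extensions, findings, and edges": "111110",
    "View any available tenant data, including active Attack Paths [BHE], and explore the Graph": "111110",
    "Create, Edit, Delete, Share owned Saved Cypher Queries": "110100",
    "Accept Attack Path Impacted Principals [BHE]": "110000",
    "Modify Tier Zero / High-Value Members": "110000",
    "Add, Edit, Remove Privilege Zones, Labels, and Selectors": "110000",
    "Approve and Revoke certification of Privilege Zone members": "110000",
    "View, Search, and Filter Privilege Zones Certification Queue": "111000",
    "View, Search, and Filter Privilege Zones History Log": "111110",
    "Download collector installation packages": "111111",
    "View collector client details [BHE]": "111100",
    "View and Filter Finished Jobs Log and job details panel": "111000",
    "Run collector client on-demand scan [BHE]": "110000",
    "Add, modify, and remove a collector client [BHE]": "110000",
    "Regenerate collector client credentials [BHE]": "110000",
    "File Ingest": "110001",
}

def granted(role):
    """Permissions the matrix grants to `role`."""
    col = ROLES.index(role)
    return {perm for perm, flags in MATRIX.items() if flags[col] == "1"}

def least_privileged_roles(required):
    """Roles granting every permission in `required`, narrowest grant first."""
    required = set(required)
    unknown = required - set(MATRIX)
    if unknown:
        raise KeyError(f"not in the role matrix: {sorted(unknown)}")
    fits = [role for role in ROLES if required <= granted(role)]
    return sorted(fits, key=lambda role: len(granted(role)))

def review(assignments):
    """Map users whose role is broader than needed to (assigned role, narrowest fit)."""
    findings = {}
    for user, (assigned, required) in assignments.items():
        # Administrator has every permission, so at least one role always fits.
        best = least_privileged_roles(required)[0]
        if len(granted(best)) < len(granted(assigned)):
            findings[user] = (assigned, best)
    return findings

# Constructed sample assignments (hypothetical users, not from the page).
SAMPLE = {
    "ingest-svc": ("Power User", {"File Ingest"}),
    "soc-lead": ("Administrator", {"View audit log", "View users"}),
    "ir-admin": ("Administrator", {"View audit log", "File Ingest"}),
}
if __name__ == "__main__":
    print(review(SAMPLE))
```

The `ir-admin` case is not flagged: no single role other than **Administrator** combines audit log access with File Ingest, which is a reason to split such duties across separate accounts.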
