Operator Roles
Velauth has three roles. The role is encoded in your licence key and cannot be changed from within the application — contact your administrator if your role needs to change.
Roles at a glance
Section titled “Roles at a glance”| Role | Read users & audit log | AD writes (unlock, enable, reset…) | Configure Velauth |
|---|---|---|---|
| Auditor | ✓ | — | — |
| Operator | ✓ | ✓ | — |
| Administrator | ✓ | ✓ | ✓ |
Auditor
Section titled “Auditor”Auditors have read-only access. They can:
- Browse and search the user list
- View account status (locked, disabled, password expiry)
- Read the full audit log
- Export reports to CSV
No buttons that write to Active Directory are available in the UI — they are hidden, not just greyed out.
Typical use: compliance officers, security reviewers, managers who need visibility without write access.
Operator
Section titled “Operator”Operators can do everything an Auditor can, plus perform AD write operations:
- Unlock locked accounts
- Enable and disable accounts
- Reset passwords (with dual-approval prompt if the Administrator has enabled that threshold)
- Set “must change password at next logon”
- Set or clear “password never expires”
Operators cannot change Velauth settings (rate limits, approval thresholds, domain connection, licence).
Typical use: help desk staff, IT support engineers.
Administrator
Section titled “Administrator”Administrators have full access, including everything an Operator can do plus:
- Change Velauth configuration (Settings pages)
- Adjust rate limits and approval thresholds
- Manage the domain connection
- View licence details
Typical use: IT managers, senior sysadmins who own the Velauth deployment.
How roles are assigned
Section titled “How roles are assigned”Roles are embedded in the licence key at purchase or renewal. To check your current role, open Settings → About — the role is shown next to the licence tier.
If you need a different role (e.g. upgrading a help desk account from Auditor to Operator), the licence key must be reissued. Contact [email protected].
The safety lock
Section titled “The safety lock”All write operations are gated behind a safety lock in the action panel. The lock must be disengaged before any AD change can be applied. This applies equally to Operators and Administrators and cannot be disabled. See Unlocking accounts and Resetting passwords for details.