Browse Admin Console
- Application categories (Zero Trust app management)
- Active Directory group policies
- Content categories
- Custom block pages
- Don't mix DNS providers
- Prevent DNS bypass
- Safe Search explained
- Safe Search supported search engines
- Security categories
- Working with policies
- Working with allow and block lists
- YouTube Restricted Mode explained
Add system users (role-based access)
Add and manage operator accounts in the ScoutDNS Admin Console. Four built-in roles (Super Admin / Admin / Service Desk / Viewer) and how to transfer Super Admin between users.
ScoutDNS supports role-based access control so multiple operators can share an account with the right level of access. This article covers adding operators directly in ScoutDNS.
[!NOTE] To manage role assignments through Microsoft Entra ID instead of (or in addition to) local ScoutDNS users, see SSO with Entra ID. For MSPs granting access to third-party accounts, see Organization Operators.
Built-in roles
| Role | Manage users | Allow/Block lists | Other objects | Notes |
|---|---|---|---|---|
| Super Admin | Create and remove all users (including other admins) | Full | Create, edit, view all | One per account |
| Admin | Create and remove all users except Super Admin | Full | Create, edit, view all | Most common admin role |
| Service Desk | None | Edit allow/block lists | View-only on everything else | For support-tier operators who tune lists but don’t change policy |
| Viewer | None | View-only | View-only | Read-only access |
[!NOTE] When SSO is enabled, Super Admin and Organization Operator accounts are exempt, they continue to use local logins. See SSO with Entra ID.
Create an operator account
- Open Access Management (profile icon, top right) and click New.
- Enter the operator’s email, first name, and last name.
- Pick a role.
- Save.
What happens next depends on whether the email is already known to ScoutDNS:
- Existing ScoutDNS user: their account is linked to yours with the selected role.
- New email: a new operator account is created with the chosen role.
[!IMPORTANT] Once an operator account is created or linked, you cannot edit name or email from your side. Only the operator themselves can update those fields. You can still change their role or revoke access at any time.
Revoke access
To remove an operator’s access to your account:
- Open the operator on the Access Management page.
- Click Revoke Access under their name.
This removes the operator from your account only. If their email is linked to other ScoutDNS accounts, those remain unaffected.
Transfer the Super Admin role
Only the current Super Admin can transfer the role to another operator, and the target must already be an Admin on the account.
- On the Access Management page, click Promote New Super Admin at the top.
- Select an existing Admin to take over the role.
- Confirm.
The previous Super Admin is automatically downgraded to Admin after the transfer. You can keep them as an Admin or revoke their access entirely.
[!IMPORTANT] Make sure the new Super Admin has 2FA enabled before the transfer, see Two-factor authentication. The Super Admin is your break-glass account if SSO ever needs to be turned off.
Related
- Two-factor authentication
- SSO with Microsoft Entra ID
- Organizations, multi-tenant access for MSPs