Operator Roles

DirWarden has three roles. The role is encoded in your licence key and cannot be changed from within the application — contact your administrator if your role needs to change.

Roles at a glance

Role           Read users & audit log   AD writes (unlock, enable, reset…)   Configure DirWarden
Auditor        Yes                      No                                   No
Operator       Yes                      Yes                                  No
Administrator  Yes                      Yes                                  Yes

Auditor

Auditors have read-only access. They can:

  • Browse and search the user list
  • View account status (locked, disabled, password expiry)
  • Read the full audit log
  • Export reports to CSV

No buttons that write to Active Directory are available in the UI — they are hidden, not just greyed out.

Typical use: compliance officers, security reviewers, managers who need visibility without write access.

Operator

Operators can do everything an Auditor can, plus perform AD write operations:

  • Unlock locked accounts
  • Enable and disable accounts
  • Reset passwords (with dual-approval prompt if the Administrator has enabled that threshold)
  • Set “must change password at next logon”
  • Set or clear “password never expires”

Operators cannot change DirWarden settings (rate limits, approval thresholds, domain connection, licence).

Typical use: help desk staff, IT support engineers.

Administrator

Administrators have full access. They can do everything an Operator can, plus:

  • Change DirWarden configuration (Settings pages)
  • Adjust rate limits and approval thresholds
  • Manage the domain connection
  • View licence details

Typical use: IT managers, senior sysadmins who own the DirWarden deployment.

How roles are assigned

Roles are embedded in the licence key at purchase or renewal. To check your current role, open Settings → About — the role is shown next to the licence tier.

If you need a different role (e.g. upgrading a help desk account from Auditor to Operator), the licence key must be reissued. Contact support@dirwarden.app.

The safety lock

All write operations are gated behind a safety lock in the action panel. The lock must be disengaged before any AD change can be applied. This applies equally to Operators and Administrators and cannot be disabled. See Unlocking accounts and Resetting passwords for details.