
Manage admins and roles for Knox services

Last updated April 9th, 2025

To streamline the admin management process, the Knox Admin Portal offers a consolidated Administrators & Roles page that allows you to invite and manage admins for multiple services.

In the left sidebar of the Knox Admin Portal, click Administrators & Roles to view a list of admins for all supported Knox services.

Only admins with the Invite and manage administrators or Manage roles permission can access the consolidated Administrators & Roles page.

Administrators

You can invite admins to manage one or more Knox cloud services. To allow an admin to manage features across services, such as managing common tags and deleting devices, you must assign them a role with Common permissions.

The Administrators tab displays a list of all admins registered for Knox services. The list contains the following information:

Column Description
NAME The name of the admin. The super admin, who created the enterprise’s tenant, is marked with a crown next to their name. Click an admin’s name to view or edit their details, including services they have access to and roles they have been assigned.
EMAIL The work email address of the admin.

Additionally, all currently supported Knox services are included as columns in the list. If an admin has permission to manage a service, their role and admin status are shown in the service column. The COMMON column shows the role and status of admins with permissions to manage features across services.

In order to view the admin list for a service, a user must have a role with the Invite and manage administrators or Manage roles permission for that service.

Knox Admin Portal administrators and roles permissions

An admin with either the Invite and manage administrators or Manage roles permission can only grant another admin permissions that are less than or equal to the granting admin’s available permissions for the corresponding Knox service.

Invite an admin

Click INVITE ADMINISTRATOR to add a new admin. An Invite administrator page opens, where you’re prompted to enter the first name, last name, email address, and service permissions for the new admin. Similar to other Knox services, you can also bulk invite admins by uploading a CSV file containing their first names, last names, and email addresses.

Invite administrator screen

Edit an admin

This feature is only available if your admin user has the Invite and manage administrators or Manage roles permission.

Once you’ve invited an admin, click their name in the admin list to edit their details. On the Edit administrator page, you can modify the admin’s first and last names, as well as their roles for each service they’re invited to.

If you want to invite an admin to other available services, click MORE ACTIONS > Invite to more services and select services and roles for that admin.

Edit administrator screen

For Knox Manage, use the Knox Manage console to add super admins and edit other admin types.

Deactivate an admin

If you want to prevent an admin from managing certain Knox services your company uses, you can choose to deactivate their account. Only active admins can be deactivated.

To deactivate a Knox admin:

  1. In Administrators & Roles, click the name of the admin you want to deactivate.
  2. Click MORE ACTIONS, then Deactivate account.
  3. Select the Knox services you don’t want the admin to manage anymore, then click DEACTIVATE.

The admin then won’t be able to access the Knox services you selected, but can still manage any services you unselected.

Delete an admin

If an admin no longer needs to manage any Knox services for your company, you can delete them from your admin list. Make sure you have the Invite and manage administrators or Manage roles permission for the same Knox services as the admin you’re deleting; otherwise, the Delete account option is disabled.

If you delete an admin with permission to manage Knox Guard from the Knox Admin Portal, they can still access the Knox Guard console afterward. Note that they also need to be deleted from the Knox Guard console to ensure their access to Knox cloud services is fully revoked. To do so, submit a support ticket.

To delete a Knox admin:

  1. In Administrators & Roles, click the name of the admin you want to delete.
  2. Click MORE ACTIONS, then Delete account.
  3. (Optional) Enter a reason for the admin deletion.
  4. Click DELETE.

The admin is then deleted from your company’s account and can no longer access your Knox services and data. Note that this action also deletes their Samsung Knox account.

Roles

On the ROLES tab, you can define roles with custom permissions for admins who manage one or more services. You can also define roles with common permissions to access cross-service features from the common device list.

The Roles tab lists all the roles in your tenant. You can use the search bar to search for roles by name.

The roles list contains the following information:

Column Description
SERVICE The Knox service, or services, the role applies to.
ROLE NAME

Either Super admin or the name of a custom role, both of which you can click. Depending on whether you click a super admin role or a custom role, the resulting pop-up shows:

  • Super admin. The role details, along with a dropdown that lets you switch between services to view the permissions for each. The super admin is marked with a crown next to their name.
  • Custom role. The role details, its permissions, and the number of admins assigned to it.

    Important

    Custom roles for Knox Manage must be defined through the Knox Manage console instead. In the Knox Admin Portal roles list, custom Knox Manage roles are listed as Sub Admin.

DESCRIPTION A short phrase describing the organizational purpose of the role.
ADMINISTRATORS The number of admins assigned to the role. Click a number to see a full list of the admins and their information.

Create a role

To create a role with custom permissions:

  1. Click CREATE ROLE to the right of the search bar. The Create role page displays.

    Create role screen

  2. Select a Service for which to create the role.

    • Select Common to create a role with common permissions for select features across services. This role applies to the common device list only.

  3. Enter a Role name and Description (optional).

  4. Select the required Permissions. Note that permissions are shown based on the service you select.

  5. (Optional) Set the following permissions to create a Common role:

    • Common tags: Allows admins to manage common tags for the common device list on the Devices page.
    • Delete devices: With this permission, admins can delete devices from the common device list, which also removes devices across all services.
    • Invite and manage administrators: Allows admins to invite other admins and assign them the common role.
    • Manage roles: Allows admins to manage all permissions for a common role, including the permissions not assigned to them.

    For information about creating roles for other services, see each service’s documentation.

  6. Click SAVE.

While admins can create roles with any permissions, they can only assign roles that contain permissions that they have themselves.
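
The delegation rule above (a role can only be assigned by an admin who holds an admin-management permission for that role's service and already has every permission the role contains) can be modeled as a per-service subset check. The following is an added example for reviewing a planned role design, not Knox code or a Knox API; the `Role` and `Admin` classes, the function names, and the sample admins and roles are assumptions constructed for illustration, while the permission and service names are taken from this page.

```python
# Illustrative model only: not Samsung Knox code or a Knox API.
from dataclasses import dataclass

# Permissions that open the Administrators & Roles page (names from this page).
GATE_PERMISSIONS = {"Invite and manage administrators", "Manage roles"}


@dataclass(frozen=True)
class Role:                      # hypothetical structure
    service: str                 # e.g. "Common" or "Knox Guard"
    name: str
    permissions: frozenset


@dataclass
class Admin:                     # hypothetical structure
    email: str
    permissions: dict            # service name -> set of permissions held


def check_assignment(granter, role):
    """Return (allowed, reason) for granter assigning role to another admin."""
    held = set(granter.permissions.get(role.service, ()))
    if not held & GATE_PERMISSIONS:
        return False, f"no admin-management permission for {role.service}"
    excess = sorted(role.permissions - held)
    if excess:
        # The role would hand out more than the granter holds for this service.
        return False, "granter lacks: " + ", ".join(excess)
    return True, "ok"


def assignable_roles(granter, roles):
    """Names of the roles this admin could assign under the rule."""
    return [r.name for r in roles if check_assignment(granter, r)[0]]


# Constructed sample data.
helpdesk = Admin("helpdesk@example.com", {
    "Common": {"Invite and manage administrators", "Common tags"},
})
tagger = Role("Common", "Tag editor", frozenset({"Common tags"}))
wiper = Role("Common", "Device remover",
             frozenset({"Common tags", "Delete devices"}))
guard_ops = Role("Knox Guard", "Guard operator",
                 frozenset({"Invite and manage administrators"}))

if __name__ == "__main__":
    for role in (tagger, wiper, guard_ops):
        print(role.name, check_assignment(helpdesk, role))
```
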

Edit a role

To edit an existing role, click its ROLE NAME. Similar to the Create role page, you can enter a new role name, description, and permissions for the service. However, you can’t reassign the role to another service.

Edit role screen

Once you’re finished editing, click SAVE to record your changes.

Alternatively, you can choose to delete the role. Click DELETE at the bottom of the page to remove the role from the list and remove the associated permissions for all admins who are assigned to the role. Note that this action can’t be undone.
