What are roles?

Roles are used to define which apps users of a given type use. Unless you are familiar with role-based access control, the concept can seem a little abstract so let's try to visualize how it works.

Imagine an organization that has two different departments: sales and engineering. People in those two department perform very different types of work and usually also use very different applications, for example:

• Employee: Google Apps, PBworks
• Salesperson: Salesforce.com, PivotLink
• Support: Zendesk, GetSatisfaction, CoTweet
• Marketing: HubSpot, Google Analytics

The employee apps are used by everyone, but we have different roles for different departments. This setup will allow you to allocate apps to users the following way:

• Amanda: Employee, Marketing - Google Apps, PBworks, HubSpot, Google Analytics
• Peter: Employee, Salesperson - Google Apps, PBworks, Salesforce, PivotLink
• Hannah: Employee, Salesperson - Google Apps, PBworks, Salesforce, PivotLink
• Mark: Employee, Support - Google Apps, PBworks, Zendesk, GetSatisfaction, CoTweet
• Joe: Employee, Support - Google Apps, PBworks, Zendesk, GetSatisfaction, CoTweet

You can even have overlapping roles, i.e. a user can have two roles with the same app. OneLogin will automatically figure out when to grant or revoke the app.

Managing roles

You can create and manage roles under People -> Roles. A role consists of a name and the apps made available to users of that role. For example, if the Sales role has SugarCRM and WebEx, any user of with the role Sales will have logins for SugarCRM and WebEx. You can view and configure these logins when you edit a user. 

Adding and removing apps from roles

Be careful when removing apps from roles. When you remove an app, the users with that role will typically lose their logins for the apps that were removed. But if the user has an app via more than one role (which can happen since roles can overlap), removing the app will have no affect.

I prevent you from inadvertently removing logins, you must alway check the commit changes checkbox before the changes will take affect.