As mentioned in Introduction to Managing Users, personal apps can only be assigned by the users themselves and the process is straightforward. Company apps are a completely different matter as they have complex sign-in and provisioning capabilities, can be mapped by external directories and most importantly, admins need tight control over apps in order to control access to them.
Company apps can be assigned to users in a number of ways:
- Manually by an admin
- Indirectly via a role
- Automatically by a directory mapping
Which method makes most sense depends on your specific needs and you can mix and match them as you wish. However, there are a few rules to remember regarding which assignment takes precedence.
Assigning apps manually
Apps can be assigned to users one-by-one under the Applications tab while editing a user. The popup shows a list of apps that can be assigned manually. If an app is already assigned to user via a role it cannot also be assigned manually.
Assigning apps via roles
When you have a large number of users it becomes impractical to assign apps one at a time. Roles allow you to logically group apps together and assign them in chunks. You can read more about this topic under Roles.
As an example, you could model your roles after job functions like this.
The Employee role contains the apps that everyone in the company needs and the Sales and Marketing roles contain just the apps that are relevant for those respective functions. Note that the same app can appear in more than one role as OneLogin ensures that an app is not assigned more than once. Once you have configured some roles, you can assign them manually as shown below.
Roles don’t preclude you from assigning apps directly, you can do so using the + button above the app list.
Assigning apps via roles through mappings
If your users are synchronized with an external source such as Active Directory, you might want to use the information in the directory to drive which roles are assigned to which users. For further information about associating users with apps, roles, and groups through mappings, proceed to the article here.