This article provides an overview of user privileges in OneLogin. The following topics are included:
- Granting administrative privileges to users
- Troubleshooting privilege assignment
By default, users have access only to the portal ("App Home"), where they can log into applications, view their own user profile, change their password, register secondary authentication factors, and create and view secure notes.
However, there are many types of administrative privilege that give users access to additional functionality. An Account owner or Super user can grant any of the following administrative privileges to a user. Apart from the Super user privilege, these are each independent. For example, to manage users and assume users, you must add both the Manage users and Assume users privileges.
|Super user||Has access to all user management functionality, app integration configuration, and most account management functionality. All privileges listed below roll up into the Super user privilege.|
Can perform all user management tasks, including adding, updating, and editing users; managing roles, groups, and application access; unlocking users; changing user passwords; forcing logouts; reapplying mappings.
Note that to assume users, you must add the Assume users privilege.
For more information, see Delegating User Management.
Can assume other users, but cannot alter other user functionality.
This privilege is intended as an addition to the Manage users and Manage group privileges. It can be overridden for specific apps.
For more information, see Assuming Users.
Provides a subset of the Manage users privilege without allowing you to add, delete, or edit user attributes. This privilege is intended for your support team.
For more information, see Delegating User Management.
Can manage an app that has already been added by a Super user or Account owner. This privilege can only be granted to a user one app at a time. It can be assigned both from the User Info tab on the User details page and from the Privileges tab on the app's configuration page.
For more information, see Introduction to App Management, "Delegating application administration."
Can administer devices that are enabled for OneLogin Desktop. This privilege lets a user view and edit all items on the Devices and OneLogin Desktop pages, including enabling and disabling OneLogin Desktop, downloading installers, revoking certificates, and removing devices.
For more information, see Delegating Device Management.
Same abilities as Manage users, but only for users within a specific group.
For more information, see Groups.
Can assign users to a specific role, and remove them from the role.
Note that this privilege does not provide the ability to add apps to a role or remove them, nor to create or edit mappings that apply to the role.
For more information, see Roles, "Delegating role management."
|Manage shared app credentials||
Can control the application login credentials that will be shared among users.
For more information, see Managing Shared App Credentials.
If you have a OneLogin reseller account, users with this privilege can manage your sub accounts.
If you have a OneLogin reseller account, users with this privilege can manage the subscription and pricing level of the account.
Granting administrative privileges to users
- Go to Users > All Users and select the user.
- On the User Info tab, click the + plus sign in the Privileges section.
- On the Add Privilege dialog, select the privilege from the Privileges drop-down and click Continue.
- Click the + plus sign in the Privileges section and repeat for each privilege you want to grant the user.
- Click Save.
Troubleshooting privilege assignment
How can my company switch to a new OneLogin account owner? What if our former account owner is no longer with our company and cannot request the change?
There are a few ways to switch account owners. The method you should use depends on whether or not the previous OneLogin account owner (the person who created the OneLogin admin portal) is still available to grant owner status to another user. The most efficient way to transfer ownership is for the outgoing OneLogin account owner to give the incoming account owner super user status. Otherwise, the outgoing account owner or someone else can contact OneLogin. Requests to update the account owner from anyone other than the previous account owner require a longer validation process with OneLogin. Below are instructions for each method.
Outgoing OneLogin account owner grants permission
The outgoing OneLogin account owner can grant permission to an incoming account owner by following these steps:
- The existing account owner should log into your organization's OneLogin account as admin.
- Go to Users > All Users, then click the name of the user who you want to make the new account owner.
  The User Info tab appears for the user you selected.
- In the Privileges section, click (+) to add a new privilege to the user you selected.
  The Add Privilege dialog box appears.
- Select Super user from the drop-down list and then click the Continue button.
- Click the Save User button.
When you have made a user a super user, OneLogin Customer Support can assign account owner status to that user's account.
Email OneLogin to request a change of account owners
The outgoing account owner for your company's OneLogin account (or someone else) can request that OneLogin switch account owner status from your old account owner to a new one by taking the following steps:
- The outgoing account owner should email OneLogin to request the change and must provide a written authorization originating from the owner's email address.
- If the request is made by anyone other than the account owner, OneLogin requires that you also send an authorization letter from an Executive or Human Resources (or equivalent level) personnel stating that the change of account owner is approved.
- OneLogin will verify the email against our records.
- OneLogin will then validate the request in one of the following ways:
  - OneLogin will conduct a screen-sharing session with your account owner to confirm access, or
  - You may send OneLogin the last three events in the OneLogin Portal and the last time the account owner logged into OneLogin.
Granting and revoking privileges are logged as events. View these events by navigating to Activity > Events.
Use the standard Privileged users report to view and analyze user privilege assignments. Go to Activity > Reports to view and customize reports.
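Because grants and revocations are logged as events, a reviewer can replay them to rebuild who currently holds which privilege and check the result against the rules described in this article. The following is an added example, not OneLogin code: the event tuple layout and the sample data are constructed assumptions and do not reflect OneLogin's event export format.

```python
from collections import defaultdict

# Constructed sample events: (time, action, privilege, user). This layout is an
# assumption for the example, not OneLogin's event export format.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00Z", "granted", "Manage users", "alice@example.com"),
    ("2024-03-02T10:00:00Z", "granted", "Assume users", "bob@example.com"),
    ("2024-03-03T11:00:00Z", "granted", "Super user", "carol@example.com"),
    ("2024-03-04T12:00:00Z", "granted", "Manage users", "carol@example.com"),
    ("2024-03-05T13:00:00Z", "revoked", "Manage users", "alice@example.com"),
    ("2024-03-06T14:00:00Z", "granted", "Assume users", "dave@example.com"),
    ("2024-03-06T14:05:00Z", "granted", "Manage group", "dave@example.com"),
]

SUPER = "Super user"

def replay(events):
    """Rebuild each user's directly assigned privileges from grant/revoke events."""
    held = defaultdict(set)
    for _time, action, privilege, user in sorted(events):  # ISO times sort in order
        if action == "granted":
            held[user].add(privilege)
        elif action == "revoked":
            held[user].discard(privilege)
        else:
            raise ValueError(f"unknown action: {action!r}")
    return {user: privs for user, privs in held.items() if privs}

def review(events):
    """Return (user, finding) pairs that merit a closer look."""
    findings = []
    for user, privs in sorted(replay(events).items()):
        if SUPER in privs:
            # Every other privilege rolls up into Super user.
            findings.append((user, "super-user"))
            if privs - {SUPER}:
                findings.append((user, "redundant-under-super"))
        elif "Assume users" in privs and not privs & {"Manage users", "Manage group"}:
            # Assume users is intended as an addition to Manage users / Manage group.
            findings.append((user, "assume-without-manage"))
    return findings

if __name__ == "__main__":
    for user, finding in review(SAMPLE_EVENTS):
        print(f"{user}: {finding}")
```
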