What are roles?
Roles define which apps users of a given type can use. Unless you are familiar with role-based access control (RBAC), the concept can seem a little abstract, so let's try to visualize how it works.
Imagine an organization that has two different departments: sales and support. People in the departments perform very different types of work and typically use very different applications, for example:
- Employee: Google Apps, PBworks
- Salesperson: Salesforce.com, PivotLink
- Support: Zendesk, GetSatisfaction, CoTweet
- Marketing: HubSpot, Google Analytics
The employee apps are used by everyone, but we have different roles for different departments. This setup allows you to allocate apps to users in the following way:
- Amanda: Employee, Marketing - Google Apps, PBworks, HubSpot, Google Analytics
- Peter: Employee, Salesperson - Google Apps, PBworks, Salesforce, PivotLink
- Hannah: Employee, Salesperson - Google Apps, PBworks, Salesforce, PivotLink
- Mark: Employee, Support - Google Apps, PBworks, Zendesk, GetSatisfaction, CoTweet
- Joe: Employee, Support - Google Apps, PBworks, Zendesk, GetSatisfaction, CoTweet
You can even have overlapping roles, i.e. a user can have two roles with the same app. OneLogin will automatically figure out when to grant or revoke the app.
Every configuration should include a Default Role, to which all of the users are mapped. The default role may or may not have apps associated with it. Without it, you will have trouble completely un-mapping a user from the last role that they have been assigned to.
You can create and manage roles under User -> Roles. A role consists of a name and the apps made available to users of that role. For example, if the Sales role has SugarCRM and WebEx, any user with the Sales role will have logins for SugarCRM and WebEx. You can view and configure these logins when you edit a user.
Adding and removing apps from roles
Be careful when removing apps from roles. When you remove an app, the users with that role lose their logins for the apps that were removed. But if the user has an app through multiple roles (which can happen because roles can overlap), removing the app has no effect.
To prevent you from inadvertently removing logins, you must always select commit changes before the changes take effect.
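The grant and revoke behavior described above can be modeled locally to preview who would lose a login before a change is committed. This is an added example, not OneLogin code and not its API: the function names are hypothetical, the roles and users come from the lists on this page, and the PBworks entry under Support is a constructed overlap.

```python
# Added illustration: a local model of role-to-app mapping, not OneLogin's API.
# Roles and users come from the lists on this page.
ROLE_APPS = {
    "Employee": {"Google Apps", "PBworks"},
    "Salesperson": {"Salesforce.com", "PivotLink"},
    "Support": {"Zendesk", "GetSatisfaction", "CoTweet", "PBworks"},  # PBworks: constructed overlap
    "Marketing": {"HubSpot", "Google Analytics"},
}
USER_ROLES = {
    "Amanda": ["Employee", "Marketing"],
    "Peter": ["Employee", "Salesperson"],
    "Hannah": ["Employee", "Salesperson"],
    "Mark": ["Employee", "Support"],
    "Joe": ["Employee", "Support"],
}


def effective_apps(user, role_apps=ROLE_APPS):
    """Apps a user holds: the union of the apps of every role assigned to them."""
    apps = set()
    for role in USER_ROLES[user]:
        apps |= role_apps.get(role, set())
    return apps


def removal_impact(role, app, role_apps=ROLE_APPS):
    """Users who would lose their login for `app` if it were removed from `role`."""
    if app not in role_apps.get(role, set()):
        return []  # nothing to remove, so nobody is affected
    after = {r: (apps - {app} if r == role else apps) for r, apps in role_apps.items()}
    return sorted(
        user for user in USER_ROLES
        if app in effective_apps(user, role_apps)
        and app not in effective_apps(user, after)
    )


if __name__ == "__main__":
    for role, app in [("Support", "Zendesk"), ("Support", "PBworks"), ("Employee", "PBworks")]:
        print(f"remove {app} from {role}: loses login -> {removal_impact(role, app)}")
```

An empty result means every affected user still holds the app through another role, so the removal revokes nothing.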