Roles
Article: KB0010606 Published: 02/20/2019 Last modified: 02/19/2019

This article covers the following topics:

About Roles

The most efficient way to control your users' access to apps is through OneLogin roles.

A role in OneLogin is simply a collection of apps. You create a role, assign apps to it, and when you assign users to the role, you grant them access to all of the apps included in the role. This gives you the ability to give or take away a user's access to multiple apps at one stroke.

You should design your roles to reflect groups of users who tend to use the same set of apps. Typically this means creating roles by job function or department (Sales, Finance, Engineering, etc.).

Note that you can add any given app to multiple roles.

Some additional best practices include:

  • Create an Employees role for apps that are shared by all employees in your organization.
  • Create default on-boarding and off-boarding roles to give users access to the apps they might need before they start on Day One and after they leave employment (typically HR apps).
  • Only create a role if more than one user will be added to it.

Roles are useful not just for efficient assignment of users to apps. You can also use them to make OneLogin administration easier:

  • Filter by role when you search for users.

  • Filter by role when you perform bulk user updates.

  • Filter by role when you invite users to use OneLogin.

  • Use roles in conditions and actions when you create Mappings and Notifications.

  • View roles assigned to users in user detail reports.

  • Restrict access by role when you configure RADIUS.

You can add users to roles one by one. It's more efficient, however, to create Mappings that assign users to roles based on selected user attributes. For example, you can create a mapping that assigns all users with the Department attribute HR to the HR role. Whenever a user is added to the HR department in your user directory, they automatically get added to the HR role and have access to all of the apps included in the role.

Creating roles

  1. Log in to OneLogin as an admin with the Account owner or Super user privilege.

  2. Go to Users > Roles.
  3. Click the New Role button.

    If instead of creating a new role, you want to edit an existing role, simply click the Role name.

  4. Give the role a name and select the applications you want to include in the role.

    When you first set up a role, the Applications tab displays all of the apps in your company catalog. Click an app to select it, and click Save to add the selected apps to the role. 

    On subsequent visits to the Applications tab, the tab displays any apps that you have already added to the role. To add more apps, click the + (Add Apps) button to display all of the apps in your Company Catalog. Click an app to select it, and Save the page to add the apps to the role.

  5. Click Save.

Adding users to roles manually

You can assign roles to a user when you edit a user, and you can also assign users to a role when you edit the role.

Important! When you add a user manually, you are overriding any mappings that might apply to the user. If you change a mapping expecting it to remove a particular user from a role, for example, that user will not be removed from the role if they were added to it manually.

Assign user to a role from the user configuration page

  1. Log in to OneLogin as an admin.

    You must have the Account owner, Super user, or Manage users privilege.

  2. Go to Users > All Users and select the user.
  3. On the Applications tab, select the role from the Roles list on the left.

  4. Click Save Users.

    All of the apps included in the role will be added to the Applications section on the right.

Assign user to role from the role configuration page

  1. Log in to OneLogin as an admin.

    You must be an Account owner or Super user, or have the Manage role privilege for the role.

  2. Go to Users > Roles.
  3. Select the role by clicking the role row.

  4. Go to the Users tab.
  5. Under Add Users to Roles Manually, enter the first and last name of the user you want to add.

    Type the first few letters of the user's first or last name, and the field displays the names of available users. You can add as many users as you want and confirm all additions as a single action before you save.

  6. Click Save.

    The new user will be listed under Users Manually Added to this Role, and the apps included in the role will immediately be added to the user's OneLogin portal (App Home).

    Users added through a mapping are not displayed.

You can delete users manually by selecting the users you want to remove, clicking the X next to the name, and clicking Save.

Assigning users to roles automatically using mappings

The most efficient way to give users access to apps is to create Mappings that assign users to roles based on selected user attributes. For example, you can create a mapping that assigns all users with the Department attribute HR to the HR role. Whenever a user is added to the HR department in your user directory, they automatically get added to the HR role and have access to all of the apps included in the role.

For general information about Mappings, see Mappings.

  1. Log in to OneLogin as an admin.

    The ability to create mappings requires the Account owner or Super user privilege.

  2. Go to Users > Roles and click the role row to select the role you want to configure.

  3. On the Role configuration page, click the plus + sign to the right of Add Users to Roles Automatically.

    This takes you to the Mappings configuration page, where you can configure a new mapping. Note that you can also go directly to Users > Mappings and click New Mapping to open the Mappings configuration page.

  4. Give the mapping a name.

  5. Set the Condition that should trigger the role assignment.

    In this example, we set Department > equals > Human Resources.

    You can apply multiple conditions to filter your users. Click the plus + sign to add a condition.

  6. Set an Action that assigns users to the role.

    In this example, we assign the users that meet the conditions to the HR role (Set role > HR).

  7. Click Save.

    OneLogin returns you to the Mappings list page.

  8. Go to Users > Roles and select the role again.

    On the Role configuration page, you will see the mapping added under Add Users to Roles Automatically.

  9. (Optional) Test the mapping by checking whether users you expect to be added to the role have indeed been added.

    Under Check Users Who are Currently Members, start typing the first or last name of the user you want to check.

    Select the user from the list of suggested users below the edit box, and click Check.

    If the user is included in the role, the page displays the name with a green Member label and check mark.

    If the user is not included in the role, the page displays the name with a red Not a member label and X.

    Note that users added through a mapping are not displayed under Users Manually Added to this Role.
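
The mapping procedure above and the earlier "Important!" note on manual assignments, modeled as an added Python example (not OneLogin code and not its API; the user names, attributes and data structures are constructed assumptions). It combines mapping-derived roles with manual grants and lists the manual grants that no mapping justifies, which are the ones a mapping change will not remove:

```python
# Added example: a simplified model, not OneLogin's implementation or API.
# All users, mappings and manual assignments below are constructed sample data.

USERS = {
    "alice": {"Department": "Human Resources"},
    "bob":   {"Department": "Finance"},
    "carol": {"Department": "Finance"},  # left HR; manual HR grant never removed
}

# Each mapping: every condition (attribute equals value) must match, then "Set role".
MAPPINGS = [
    {"name": "HR dept to HR role",
     "conditions": [("Department", "Human Resources")],
     "set_role": "HR"},
]

# Role memberships granted by hand on each role's Users tab.
MANUAL = {"HR": {"carol"}, "Finance": {"bob"}}


def mapped_roles(attrs, mappings):
    """Roles a user receives from mappings alone."""
    return {m["set_role"] for m in mappings
            if all(attrs.get(k) == v for k, v in m["conditions"])}


def effective_roles(user, users, mappings, manual):
    """Mapping-derived roles plus manual grants (manual grants survive mapping edits)."""
    by_hand = {role for role, members in manual.items() if user in members}
    return mapped_roles(users[user], mappings) | by_hand


def manual_only(users, mappings, manual):
    """(user, role) pairs that no mapping justifies: candidates for access review."""
    findings = []
    for role, members in sorted(manual.items()):
        for user in sorted(members):
            if role not in mapped_roles(users[user], mappings):
                findings.append((user, role))
    return findings


if __name__ == "__main__":
    for user, role in manual_only(USERS, MAPPINGS, MANUAL):
        print(f"review: {user} holds {role} only through a manual assignment")
```

Running the same comparison against an export of your real users and role memberships during off-boarding or department transfers shows which grants have to be removed by hand.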

Delegating role management

You can delegate the management of roles by giving users the Manage role privilege for the role. Users with this privilege, also known as Role admins, can do the following:

  • View users in the role (on the Users tab on the Role configuration page)
  • Add users manually to the role and remove them (on the Users tab on the Role configuration page).
  • View other Role admins for the role (on the Privileges tab on the Role configuration page).

Role admins cannot do the following:

  • Create new roles or delete roles.
  • Add or remove apps from roles.
  • Add, edit, or delete role mappings.
  • Add new Role admins.

Assign the Manage role privilege

  1. Log in to OneLogin as an Account owner or Super user.
  2. Go to Users > All Users and select the user.
  3. On the User Info tab, click the + plus sign in the Privileges section.
  4. On the Add Privilege dialog, select Manage role from the Privilege drop-down and click Continue.

  5. When the Role field appears, select the role for which you want to grant the privilege, and click Continue.

  6. Click Save.
