Article: KB0010391 Published: 07/02/2023 Last modified: 07/02/2023

Privileges can be granted to any user in OneLogin and define what administrative abilities they have access to, such as managing other users, leading specific groups or roles, or editing applications.


Only account owners and super users have the ability to grant privileges to other users.



  1. Go to the user record for the administrator you wish to give privileges. In User Info, go to Privileges and click Add Privilege.

  2. Select the Privilege you want to give the user from the dropdown menu. You may also need to select an App, Group, or Role to give the user administrative access to. Click Continue.

  3. Click Save User to commit your changes. An event is recorded to show any privileges that were added or revoked. You can also view a list of all currently-privileged users in your reports.


Types of Privileges


Users with no other privileges assigned receive portal access with the following abilities:

  • Log in to applications
  • View their own user profile
  • Change their password
  • Register secondary authentication factors
  • Create and view secure notes

Super user

This privilege grants access to almost all of the abilities of account owners, including all user management functionality and app integration configuration, and most account management functionality.

Manage users

This is a powerful privilege that allows the user to perform almost all user management tasks, including the abilities to:

  • Add, suspend, and delete users
  • Edit any user field
  • Import users
  • Approve users in pending provisioning status
  • Perform bulk user operations
  • Assign groups, policies, roles, and applications to users
  • Generate temporary OTP tokens for a user
  • Change user passwords
  • Force logouts
  • Send invitations to users
  • Reapply mappings
  • Revoke user privileges

Assume users

This privilege is an add-on to the Manage users privilege that lets the user view another user's account the way they would see it. When assuming a user's account, you can view the user's personal account settings in order to diagnose improper configurations and troubleshoot issues, but you cannot view passwords for a user's apps that use form-based authentication, nor can you sign in to their apps or view their secure notes. This privilege can be overridden for specific apps.

Assume users (read only)

With this privilege, the user can view and assume any unprivileged user, but cannot edit settings or configurations for the assumed account. This privilege is useful for your support team to diagnose end user issues, especially when the support agent needs to click through to see an app for the end user.

Help Desk

This privilege provides your support team with a subset of the Manage users abilities, including:

  • View user information
  • Unlock users
  • Reset passwords
  • Force logouts
  • Invite users
  • Generate temporary OTP tokens
  • Remove MFA devices
  • Reapply mappings

It does not allow the user to add, delete, or edit user attributes.

Manage application

This privilege allows the user to perform app management tasks for any given app after it's been added to your OneLogin tenant by a super user or account owner. To allow a user to manage multiple applications, reapply this privilege for each app.

Manage devices

This privilege allows the user to view all items in Devices and in OneLogin Desktop and make edits to them, including:

  • Enable and disable OneLogin Desktop
  • Download installers
  • Revoke certificates
  • Remove devices

Manage group

This privilege gives the user administrative abilities over a specific group, allowing them to perform all Manage users tasks for users within that group.

Manage role

This privilege gives the user administrative abilities over a specific role, allowing them to:

  • View users in the role
  • Add users manually to the role and remove them
  • View other role admins for the role

This privilege does not provide the ability to add apps to a role or remove them, or to create or edit mappings that apply to the role.

Manage shared app credentials

This privilege allows the user to edit the credentials of an app that has "Credentials are configured by admin and shared by all users" enabled in its parameter configuration. Users with this privilege have the option to edit applications when viewing the user portal. When selected, all apps they do not have access to manage will be grayed out. The shared credential admin can then select an available application to update its stored username and password for all users.

Manage accounts

This privilege allows the user to manage subaccounts.

A OneLogin reseller account is required for this privilege. Speak with your account representative for more information.

Manage subscriptions

This privilege allows the user to manage the subscription and pricing level of your reseller account.

A OneLogin reseller account is required for this privilege. Speak with your account representative for more information.
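
A review of a privileged-user listing against the privilege descriptions above, as an added example that is not OneLogin's own code: it flags scoped privileges recorded without an app, group, or role, privileges already covered by a broader one the same user holds, and every user whose privileges include password or OTP-token operations. The CSV layout, column names, and sample rows are constructed assumptions, not the format of a OneLogin report.

```python
import csv
import io
from collections import defaultdict

# Derived from this article: each of these includes password and temporary
# OTP token operations on other users (account-wide or within a group).
CAN_RESET_CREDENTIALS = {"Super user", "Manage users", "Manage group", "Help Desk"}
# Privileges that are granted for one specific app, group, or role.
NEEDS_SCOPE = {"Manage application", "Manage group", "Manage role"}
# Broader privilege -> narrower privileges whose abilities it already includes.
COVERS = {
    "Super user": {"Manage users", "Manage group", "Help Desk"},
    "Manage users": {"Manage group", "Help Desk"},
}

# Constructed sample listing; column names are assumptions for this example.
SAMPLE = """user,privilege,scope
alice@example.com,Super user,
alice@example.com,Help Desk,
bob@example.com,Manage group,Contractors
carol@example.com,Manage application,
dave@example.com,Manage role,Finance
"""

def review(csv_text):
    """Return (user, finding, detail) tuples for a privileged-user listing."""
    held = defaultdict(set)  # user -> {(privilege, scope)}
    for row in csv.DictReader(io.StringIO(csv_text)):
        held[row["user"]].add((row["privilege"].strip(), (row["scope"] or "").strip()))
    findings = []
    for user in sorted(held):
        names = {priv for priv, _ in held[user]}
        for priv, scope in sorted(held[user]):
            if priv in NEEDS_SCOPE and not scope:
                findings.append((user, "missing-scope", priv))
            if any(priv in covered and broad in names for broad, covered in COVERS.items()):
                findings.append((user, "redundant", priv))
        risky = sorted(names & CAN_RESET_CREDENTIALS)
        if risky:
            findings.append((user, "can-reset-credentials", ", ".join(risky)))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep=" | ")
```
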
