Default
|
Users with no other privileges assigned receive portal access with the following abilities:
- Log in to applications
- View their own user profile
- Change their password
- Register secondary authentication factors
- Create and view secure notes
|
Super user
|
This privilege grants access to almost all of the abilities of account owners, including all user management functionality and app integration configuration, and most account management functionality.
|
Manage users
|
This is a powerful privilege that allows the user to perform almost all user management tasks, including the abilities to:
- Add, suspend, and delete users
- Edit any user field
- Import users
- Approve users in pending provisioning status
- Perform bulk user operations
- Assign groups, policies, roles, and applications to users
- Generate temporary OTP tokens for a user
- Change user passwords
- Force logouts
- Send invitations to users
- Reapply mappings
- Revoke user privileges
|
Assume users
|
This privilege is an add-on to the Manage users privilege that lets the user view another user's account the way they would see it. When assuming a user's account, you can view the user's personal account settings in order to diagnose improper configurations and troubleshoot issues, but you cannot view passwords for a user's apps that use form-based authentication, nor can you sign in to their apps or view their secure notes. This privilege can be overridden for specific apps.
|
Assume users (read only)
|
With this privilege, the user can view and assume any unprivileged user, but cannot edit settings or configurations for the assumed account. This privilege is useful for your support team to diagnose end user issues, especially when the support agent needs to click through to see an app for the end user.
|
Help Desk
|
This privilege provides your support team with a subset of the Manage users abilities, including:
- View user information
- Unlock users
- Reset passwords
- Force logouts
- Invite users
- Generate temporary OTP tokens
- Remove MFA devices
- Reapply mappings
It does not allow the user to add, delete, or edit user attributes.
|
Manage application
|
This privilege allows the user to perform app management tasks for any given app after it's been added to your OneLogin tenant by a super user or account owner. To allow a user to manage multiple applications, reapply this privilege for each app.
|
Manage devices
|
This privilege allows the user to view all items in Devices and in OneLogin Desktop and make edits to them, including:
- Enable and disable OneLogin Desktop
- Download installers
- Revoke certificates
- Remove devices
|
Manage group
|
This privilege gives the user administrative abilities over a specific group, allowing them to perform all Manage users tasks for users within that group.
|
Manage role
|
This privilege gives the user administrative abilities over a specific role, allowing them to:
- View users in the role
- Add users manually to the role and remove them
- View other role admins for the role
This privilege does not provide the ability to add apps to a role or remove them, or to create or edit mappings that apply to the role.
|
Manage shared app credentials
|
This privilege allows the user to edit the credentials of an app that has the "Credentials are configured by admin and shared by all users" option enabled in its parameter configuration. Users with this privilege have the option to edit applications when viewing the user portal. When that option is selected, all apps they do not have access to manage are grayed out. The shared credential admin can then select an available application to update its stored username and password for all users.
|
Manage accounts
|
This privilege allows the user to manage subaccounts.
|
Manage subscriptions
|
This privilege allows the user to manage the subscription and pricing level of your reseller account.
|