User roles
Default user roles
The person who initially sets ConductorOne up for your company is given the Super Administrator role. After that, all users who sign into ConductorOne for the first time are automatically given the Basic User role. Read more about these and the other available user roles below.
You can keep these roles as-is, or assign new roles depending on what each user needs to get done. Users can have more than one role, and a user is granted all the permissions of every role they’re assigned.
Assign a new user role to a user
You can change any user’s role assignment on the Users page. Users can have more than one role, and a user is granted all the permissions of every role they’re assigned.
This task requires the Super Administrator role in ConductorOne.
Navigate to Admin > Directory > Users.
Locate the name of the user whose role you want to change.
From the … (more actions) menu, select Change role.
Select one or more user roles to assign to the user.
Click Save.
End-user user roles
ConductorOne has two user roles tailored to end users and scoped to the work they do.
Basic User
Users with this role can:
- View the ConductorOne home page
- Complete assigned access review tasks
- Request personal access to apps and resources
- (Managers only) request access to apps and resources for direct reports
- Approve/deny assigned access request tasks
- Complete assigned provisioning/deprovisioning tasks
Access Request Helpdesk
Users with this role can:
- Do everything listed in the Basic User role
- Request access to apps and resources for any user
Administrator user roles
Users with an administrator-level user role can also access the Admin section of ConductorOne.
| Access Request Admin | Application Admin | Campaign Admin | Connector Admin | Read-Only Super Admin | Super Admin | |
|---|---|---|---|---|---|---|
| Dashboard | View | View | View | View | View | View |
| Explore | View | View | ||||
| Campaigns | View, create, manage | View | View, create, manage | |||
| Applications | View, create, manage* | View | View, create, manage | |||
| Access conflicts | View | View, create, manage | ||||
| Access profiles | View, create, manage | View | View, create, manage | |||
| Connectors | View, manage* | View, create, manage | View | View, create, manage | ||
| Groups | View | View, create, manage | ||||
| Policies | View | View, create, manage | ||||
| Task log | View | View, manage | ||||
| Users | View | View, manage | ||||
| Settings | View | View, create, manage |
*See the Application Admin section for details on which apps and connectors users with this role can view and manage.
Access Request Administrator
Users with this role can:
- Do everything listed in the Basic User role
- Request access to apps and resources for any user
- Create and manage access profiles
- Manage access profile enrollment, including manually enrolling users and setting membership controls
Application Administrator
Users with this role can:
- Do everything listed in the Basic User role
- View and manage the applications that they own
- Set the standard audience on applications that they own
- Create new applications
- Create and download application reports
- View and manage the connectors that they own
- View and manage connectors that are ownerless and associated with an application the user owns
Campaign Administrator
Users with this role can:
- Do everything listed in the Basic User role
- View all campaigns
- Create and manage campaigns
- Create and download campaign reports
Connector Administrator
Users with this role can:
- Do everything listed in the Basic User role
- View all connectors
- Create and manage connectors
Read-Only Administrator
This is a special role, intended for auditors or other individuals who need visibility into ConductorOne without the ability to make changes.
Users with this role can:
- View all ConductorOne assets:
- Campaigns
- Applications
- Conflict monitors
- Access profiles
- Connectors
- Groups
- Policies
- View task log
- View users
- View and work with access explorer and access graph
- Create and download reports
Users assigned only this role cannot complete tasks, request access, or perform the other functions included in the Basic User user role.
Super Administrator
Users with this role can:
- Do everything listed in the Basic User role
- Request access to apps and resources for any user
- View, create, and manage all ConductorOne assets:
- Campaigns
- Applications
- Conflict monitors
- Access profiles
- Connectors
- Groups
- Policies
- View and manage tasks, reassign any task (when doing so is allowed by the task’s governing policy)
- View and manage users, including changing user role assignments
- View and work with access explorer and access graph
- Create and download reports
- View, create, and manage all ConductorOne settings