Your admins have too much privilege
You apply least privilege to your end users. You verify their devices, scope their access, and monitor what they can reach. But what about the admins managing your security tools every day?
Admin accounts are some of the highest-value targets in any organization. A compromised admin with broad permissions can generate bypass codes, weaken MFA policies, or modify single sign-on (SSO) configurations—quietly undermining the security layer your business depends on. That is why we are bringing the same least privilege discipline to the people managing Duo.
Custom Admin Roles is now generally available for all Duo customers. You can create your own administrator roles with granular permission controls, so every admin on your team gets exactly the access they need and nothing more.
Ready to get started? Log in to the Duo Admin Panel to create your first custom admin role.
Why the principle of least privilege matters for your admins too
You already apply least privilege to your end users. Your admins deserve the same protection.
Depending on the privilege level, a compromised admin account can cause widespread damage across your identity security configuration. Role-based access control (RBAC) reduces that risk by ensuring each admin operates within a clearly defined scope—one that matches their actual job, not a generic role that happens to be close enough.
Duo has long offered eight built-in admin roles with a fixed set of permissions:
Owner
Administrator
Application Manager
User Manager
Help Desk
Billing
Read-only
Integration Manager
These built-in roles give you role-based access control with clear segregation of duties right out of the box. For many teams, they are a good fit. But they are not always a perfect match for how your organization actually operates.
Maybe you want an admin with all the permissions of both User Manager and Application Manager, but without the ability to manage policy that comes with the full Administrator role. Or maybe you have multiple levels of help desk—some who need to see sensitive user attributes, and others who should not.
Until now, you had two options: give admins more privilege than they need, or build manual processes that are hard to maintain and harder to audit. Neither approach supports a strong security posture.
Custom Admin Roles removes that tradeoff. You can now create administrator roles that reflect your organization's actual structure, not a predefined template.
What you can do with Custom Admin Roles
Here is what's now available to any Duo admin with the Owner role:
Create unlimited custom roles tailored to your organization's operational structure
Set granular permissions across five categories: Users & Groups, Devices, Features, Applications, and Accounts
Start from templates by basing a new role on any existing built-in or custom role, then adjust individual permissions up or down
Assign custom roles anywhere you already use existing roles, including subaccount administration for Managed Service Providers (MSPs) and Administrator Sync
Edit roles on the fly – permission changes take effect immediately for every administrator assigned to that role
Assume roles without logging out to verify a role’s configuration before rolling it out to your administrators
Compare roles any time after creation to highlight the differences and get a full understanding of each role’s privileges
Permissions default to the most restrictive setting unless you apply a template, so you're always building up from least privilege by design.
Common ways teams are using Custom Admin Roles
While every organization structures its security team differently, a few patterns come up often:
Tiered help desk: Create a Tier 1 help desk role that can reset MFA devices but cannot view sensitive user attributes, and a Tier 2 role with broader visibility for escalations.
User Identity Manager: Grant full management of users but restrict security-sensitive actions, like putting users into bypass mode.
Subaccount Lifecycle Manager: Create, configure, and decommission child accounts but disallow any modification of users, policies, or security settings on the parent account.
These scenarios were not possible with built-in roles alone. Custom Admin Roles changes that.
Getting started is simple
Creating a custom role takes just a few steps right from the Duo Admin Panel:
Navigate to Users > Administrators > Admin Roles
Click Add custom admin role
Name your role, optionally apply a template from an existing role, and expand each permission category to fine-tune access to match your security goals
Click Add
That's it! Your new role is ready to use immediately. The role can be assigned anywhere standard roles can be assigned – when manually creating an admin, from an admin's profile, from the role details page, via the Admin API, or through admin directory sync.
Before rolling a new role out to your team, we recommend using Assume Role to temporarily experience the Admin Panel exactly as that role will. This lets you verify the configuration matches your intent without affecting a real admin account.
Start building your custom roles today
Custom Admin Roles is available now for customers on the Duo Essentials, Advantage, and Premier editions. Any admin with the Owner role can start creating custom roles immediately.
To see the feature in action, watch the video below or visit the Custom Admin Roles documentation for a complete walkthrough.
Already a Duo customer? Log in to the Duo Admin Panel to get started.
New to Cisco Duo? Start a free trial to see Custom Admin Roles and the full identity security platform in action.
Resources
Try Cisco Duo free. See Custom Admin Roles, adaptive access policies, and the full identity security platform.
Custom Admin Roles documentation. The complete guide to creating roles, setting permissions, using Assume Role, and assigning roles to administrators.
Privileged access management risks. Learn why over-privileged accounts are one of the most common identity security risks and how to reduce your exposure.
Privileged access management best practices. A guide to managing privileged accounts across your organization, including strategies that extend beyond admin roles.
Zero trust vs least privilege. Least privilege is a core principle of zero trust security. This article explains how they connect and reinforce each other.
Zero trust security. Custom Admin Roles is one part of a broader zero trust approach to users, devices, and applications.
Adaptive access policies. Custom Admin Roles controls what your admins can do. Adaptive access policies control how your users authenticate.
What is Identity and Access Management. Custom Admin Roles is a practical example of IAM applied to your own security team.