Many organizations have a variety of IT or security roles assigned to different groups, such as limited administrative rights granted to Help Desk staff. Duo's Administrative Roles feature allows Duo Beyond, Duo Access, and Duo MFA plans customers to delegate management of users, applications, billing, and other types of administrative access.
Only Duo administrators with the Owner role may create and manage other Duo administrator accounts, including assignment of admin roles.
All Duo administrators are assigned one of these management roles:
Owner: The Owner role grants full access to all actions, objects, and settings in the Duo Admin Panel. Only admins with the Owner role can create, update, or delete other administrators. Creating and managing the Admin API and Account API applications requires Owner privileges. In Duo Free plans, all administrators are Owners.
Administrator: The Administrator has full access to create, update, and delete users, devices, settings, policies, and applications (except for the Admin API and Account API application types). Administrators can set and edit Trust Monitor risk profiles and process events. An Administrator cannot view or update billing information or make purchases, nor can an Administrator create, view, or modify any other Administrators.
Application Manager: The Application Manager role can add protected applications, update, and remove applications (except for the Admin API and Account API application types). Application managers may also view limited information about users and devices. Application Managers can assign existing custom policies to applications and groups, but cannot create policies or edit policy settings.
User Manager: The User Manager can create, update, and delete users, phones, tokens, and bypass codes. The User Manager can also configure and run directory synchronization. User managers can view the Authentication Log, Telephony Log, Administrator Actions, and Policy Impact reports.
Help Desk: Help Desk administrators can create, update, and delete user phones, tokens, and bypass codes, use directory sync to create or update a single user, send enrollment emails to users, modify some user information like full names, aliases, and email addresses, change user status from "Locked Out" to "Active", and can send Duo Mobile activations to users. Help Desk admins cannot manually create or delete users or modify usernames, use bulk enrollment, or run a full directory sync. You can restrict Help Desk admins' ability to create bypass codes for users or send enrollment emails in Help Desk settings. Help Desk administrators can view the Authentication Log, Telephony Log, Administrator Actions, and Policy Impact reports.
Billing: The Billing role allows view and update of billing information, hardware tokens and telephony credits purchases, and management of sub-accounts. This role may only access the Dashboard and Billing page. Note that customers who purchased Duo licenses or telephony credits through Cisco Commerce Workspace (CCW) must log in to CCW to manage billing, download invoices, or purchase additional telephony credits.
Read-only: Admins assigned the Read-only role may view (but not modify) basic information about users, groups, phones, tokens, and applications, as well as view Trust Monitor security events and all reports. Read-only administrators may not access the Billing and Directory Sync pages.
If your organization is using Duo's Administrative Units feature, assigned user and group restrictions may affect those administrators' access to certain reports. Learn more about how administrative unit assignments affects reports access.
|Owner Role||Administrator Role||Application Manager Role||User Manager Role||Help Desk Role||Billing Role||Read-only Role|
|View reports and download logs||✅||✅||✅||✅||✅*||✅|
|Manage 2FA devices & bypass codes||✅||✅||✅||✅|
|Create and edit policies||✅||✅|
|Modify global settings||✅||✅|
|View and manage billing||✅||✅|
|Manage other admins||✅|
* denotes limited access; see the role description for details.
When creating a new administrator you'll select the intended permissions role. If you need to change an administrator's role, view the admin user's properties and select the new role, clicking Save Changes when complete. See Managing Duo Administrators for more detailed instructions.
The currently logged in administrator can view their own account details, including the assigned role, by clicking Edit Profile in the upper right hand corner of the Duo Admin Panel. All administrators may update their own contact and login information (like names, passwords, and phone numbers), but may not change the assigned role or view attached hardware token information.
Only one role may be assigned to each Duo administrator in the Duo Admin Panel.
The administrative roles include a predefined set of permissions and are not customizable.
While you cannot customize the specific rights of an administrative role, Owners may update the role assigned to other administrators by choosing an option from the pre-defined list. Please note that you cannot change your own role.
Duo's Duo Beyond, Duo Access, and Duo MFA plans include the Administrative Roles feature. The Duo Free and legacy Business editions may not assign different permission to administrators; in those editions all administrators have the equivalent of the Owner role (full rights to manage the Duo account).
If your account downgrades to the Duo Free plan all your administrator accounts remain in Duo and are all converted to Owner roles with full rights to administer your Duo account. Your previous role delegations are saved, so should you resubscribe to Duo MFA, Duo Access, or Duo Beyond the permissions formerly assigned to your administrator accounts are reinstated.
It's a good idea to have more than one administrator with the Owner role. If no Owners are able to log in to Duo, please see Recovering Access to an Administrator Account in the Administration documentation.