Many organizations have a variety of IT or security roles assigned to different groups, such as limited administrative rights granted to Help Desk staff. Duo's Administrative Roles feature allows Duo Beyond, Duo Access, and Duo MFA plans customers to delegate management of users, applications, billing, and other types of administrative access.
These management roles may be assigned:
Owner: The Owner role grants full access to all actions and settings in the Duo Admin Panel. Only admins with the Owner role can create, update, or delete other administrators.
Administrator: The Administrator has full access to users, settings, and applications (except for the Admin API and Account API application types). An Administrator cannot view or update billing information, nor can an Administrator create, view, or modify any other Administrators.
Application Manager: The Application Manager role can add protected applications, update, and remove applications (except for the Admin API and Account API application types). Application managers may also view limited information about users and devices. In the Duo Beyond and Duo Access plans, Application Managers can assign custom policies to applications and groups, but cannot create or edit policy settings.
User Manager: The User Manager can create, update, and delete users, phones, tokens, and bypass codes. The User Manager can also configure and run directory synchronization.
Help Desk: Help Desk administrators can view and update users, phones, tokens, and bypass codes; and can send Duo Mobile activations to users. Help Desk admins cannot create or delete users or export information to a text file. You can restrict help desk admins' ability to create bypass codes for users in Help Desk settings.
Billing: The Billing role allows view and update of billing information and management of sub-accounts. This role may only access the Billing page.
Read-only: Admins assigned the Read-only role may view (but not modify) basic information about users, groups, phones, tokens, and applications, as well as view reports. Read-only administrators may not access the Billing and Directory Sync pages.
When creating a new administrator you'll select the intended permissions role. If you need to change an administrator's role, view the admin user's properties and select the new role, clicking Save Changes when complete. See Managing Administrators for more detailed instructions.
The currently logged in administrator can view his or her own account details, including the assigned role, by clicking Edit Profile in the upper right hand corner of the Duo Admin Panel. All administrators may update their own contact and login information (like names, passwords, and phone numbers), but may not change the assigned role or view attached hardware token information.
Only one role may be assigned to each Duo administrator in the Duo Admin Panel.
The administrative roles include a predefined set of permissions and are not customizable.
While you cannot customize the specific rights of an administrative role, Owners may update the role assigned to other administrators by choosing an option from the pre-defined list. Please note that you cannot change your own role.
Duo's Duo Beyond, Duo Access, and Duo MFA plans include the Administrative Roles feature. The Duo Free and legacy Business editions may not assign different permission to administrators; in those editions all administrators have the equivalent of the Owner role (full rights to manage the Duo account).
If your account downgrades to the Duo Free plan all your administrator accounts remain in Duo and are all converted to Owner roles with full rights to administer your Duo account. Your previous role delegations are saved, so should you resubscribe to the Duo MFA, Duo Access, or Duo Beyond plans edition the permissions formerly assigned to your administrator accounts are reinstated.
It's a good idea to have more than one administrator with the Owner role. If no Owners are able to log in to Duo, please see Recovering Access to an Administrator Account in the Administration documentation.