Many organizations have a variety of IT or security roles assigned to different groups, such as limited administrative rights granted to Help Desk staff. Duo's Administrative Roles feature allows Duo Beyond, Duo Access, and Duo MFA plans customers to delegate management of users, applications, billing, and other types of administrative access.
Only Duo administrators with the Owner role may create and manage other Duo administrator accounts, including assignment of admin roles.
These management roles may be assigned to Duo admins:
Owner: The Owner role grants full access to all actions, objects, settings, and reports in the Duo Admin Panel. Admins with the Owner role can create new administrator accounts in the Admin Panel, update the password, role, or secondary authentication devices for another administrator, or delete other administrators. Creating and managing the Admin API and Accounts API applications requires Owner privileges.
Administrator: The Administrator has full access to users, settings, applications (except for the Admin API and Account API application types), and reports. An Administrator cannot view or update billing information or purchase hardware tokens and telephony credits. The Administrator role does not permit creation, modification, or deletion of other Duo administrators in the account.
Application Manager: The Application Manager role can add protected applications, update, and remove applications (except for the Admin API and Account API application types). Application managers may also view limited details about user and device objects. In the Duo Beyond and Duo Access plans, Application managers can assign existing custom policies to applications and groups, but cannot create policies or edit policy settings. Application managers can view the Authentication Log, Telephony Log, Administrator Actions, and Policy Impact reports.
User Manager: The User Manager can create, update, and delete users, phones, tokens, and bypass codes. The User Manager can also configure and run directory synchronization. User managers can view the Authentication Log, Telephony Log, Administrator Actions, and Policy Impact reports.
Help Desk: Help Desk administrators can view and update existing phones, tokens, and bypass codes, use directory sync to update a single user, change user status from "Locked Out" to "Active", and can send Duo Mobile activations to users. Help Desk admins cannot create or delete users or modify user names, aliases, or email addresses, run a full directory sync, or export information to a text file. You can restrict Help Desk admins' ability to create bypass codes for users in Help Desk settings. Help Desk administrators can view the Authentication Log, Telephony Log, Administrator Actions, and Policy Impact reports.
Billing: The Billing role allows view and update of billing information, hardware tokens and telephony credits purchases, and management of sub-accounts. This role may only access the Dashboard and Billing page.
Read-only: Admins assigned the Read-only role may view (but not modify) basic information about users, groups, phones, tokens, and applications, as well as view all reports. Read-only administrators may not access the Billing and Directory Sync pages.
If your organization is using Duo's Administrative Units feature, assigned user and group restrictions may affect those administrators' access to certain reports. Learn more about how administrative unit assignments affects reports access.
|Owner Role||Administrator Role||Application Manager Role||User Manager Role||Help Desk Role||Billing Role||Read-only Role|
|View and download logs||✅||✅||✅||✅||✅||✅|
|Manage 2FA devices & bypass codes||✅||✅||✅||✅|
|Manage users and groups||✅||✅||✅|
|Modify global settings||✅||✅|
|View and manage billing||✅||✅|
|Manage other admins||✅|
When creating a new administrator you'll select the intended permissions role. If you need to change an administrator's role, view the admin user's properties and select the new role, clicking Save Changes when complete. See Managing Duo Administrators for more detailed instructions.
The currently logged in administrator can view their own account details, including the assigned role, by clicking Edit Profile in the upper right hand corner of the Duo Admin Panel. All administrators may update their own contact and login information (like names, passwords, and phone numbers), but may not change the assigned role or view attached hardware token information.
Only one role may be assigned to each Duo administrator in the Duo Admin Panel.
The administrative roles include a predefined set of permissions and are not customizable.
While you cannot customize the specific rights of an administrative role, Owners may update the role assigned to other administrators by choosing an option from the pre-defined list. Please note that you cannot change your own role.
Duo's Duo Beyond, Duo Access, and Duo MFA plans include the Administrative Roles feature. The Duo Free and legacy Business editions may not assign different permission to administrators; in those editions all administrators have the equivalent of the Owner role (full rights to manage the Duo account).
If your account downgrades to the Duo Free plan all your administrator accounts remain in Duo and are all converted to Owner roles with full rights to administer your Duo account. Your previous role delegations are saved, so should you resubscribe to Duo MFA, Duo Access, or Duo Beyond the permissions formerly assigned to your administrator accounts are reinstated.
It's a good idea to have more than one administrator with the Owner role. If no Owners are able to log in to Duo, please see Recovering Access to an Administrator Account in the Administration documentation.