MSP Subaccount Roles

Overview

Duo Managed Service Provider (MSP) subaccount roles within role-based access controls (RBAC) allow administrators without the Owner role to be assigned distinct roles at the account and subaccount levels. For example, an administrator can have full Administrator role access to subaccounts but limited read-only access at the account level.

An administrator's subaccount role is distinct and can differ from their account role. Existing administrators or administrators created through directory sync will inherit a subaccount role that defaults to their existing role.

Subaccount Role on the Administrator's Page

The Administrators page shows a column for "Subaccount Role". Subaccount roles are searchable using the search feature associated with the table. From here, click on the name of the administrator you would like to edit the role or subaccount role for to make that change.

For new administrators without the Owner role, the role and subaccount role can be explicitly selected while adding a new administrator. The role defines what actions the administrator can perform on the account level. The subaccount role defines what actions the administrator can perform on any subaccounts where they have access.

Owner administrators at the account level can only have the Owner subaccount role. In addition, Owner administrators at the account level have access to all subaccounts.

Note: It's best practice to have at least two administrators with the Owner role on each account.

Frequently Asked Questions

Does the same subaccount role apply to all subaccounts the admin has access to or is it specific to a single subaccount?

• The subaccount role will apply to all subaccounts that the administrator can access.

Who can edit subaccount roles?

• Administrators with the Owner role at the account level can edit subaccount roles.

What subaccount role will Owner administrators have?

• Owner administrators at the account level can only have the Owner subaccount role.

What subaccount role do admins take on when they are created via directory sync?

• When administrators are created via directory sync, they will inherit the administrator role as the subaccount role. You can change the subaccount role selection on the Administrator page.

Is there an API that I can use to bulk assign subaccount roles to each administrator?

• Yes, The Admin API provides endpoints under /admin/v1/admins to create, read, update, and delete administrators, including their subaccount role. See the Administrators section of the Admin API documentation for more information.

Troubleshooting

Need some help? Take a look at our MSP Knowledge Base articles or Community discussions. For further assistance, contact Support.