Contents
Many organizations have a variety of IT or security roles assigned to different groups, such as limited administrative rights granted to Help Desk staff. Duo's Administrative Roles feature allows Duo Premier, Duo Advantage, and Duo Essentials plans customers to delegate management of users, applications, billing, and other types of administrative access.
In Duo Free plans, all administrators are effectively "Owners", with no other role assignments available.
Duo Administrative Roles
Only Duo administrators with the Owner role may create and manage other Duo administrator accounts, including assignment of admin roles.
All Duo administrators in paid accounts are assigned one of these management roles:
-
Owner: The Owner role grants full access to all actions, objects, and settings in the Duo Admin Panel. Only admins with the Owner role can create, update, or delete other administrators or configure and run admin directory synchronization. Creating and managing the Admin API and Account API applications requires Owner privileges. Activation of the Duo Single Sign-On (SSO) feature is also restricted to Owners. Only Owners can change the Duo plan edition or cancel a Duo subscription.
-
Administrator: The Administrator has full access to create, update, and delete users, devices, settings, policies, SSO authentication sources, and applications (except for the Admin API and Account API application types). Administrators can activate Passwordless for the account, set and edit Trust Monitor risk profiles and process events and, configure and run user directory synchronization. An Administrator cannot view or update billing information or make purchases, nor can an Administrator create, view, or modify any other Administrators.
-
Application Manager: The Application Manager role can add protected applications, update and remove applications (except for the Admin API and Account API application types), and manage SSO authentication sources. Application managers may also view limited information about users and devices. Application Managers can assign existing custom policies to applications and groups, but cannot create policies or edit policy settings.
-
User Manager: The User Manager can create, update, and delete users, phones, tokens, and bypass codes. The User Manager can also configure and run user directory synchronization. You can restrict User Manager admins' ability to apply bypass status to users in User manager settings. User managers can view the Authentication Log, Telephony Log, Administrator Actions, and Policy Impact reports.
-
Help Desk: Help Desk administrators can create, update, and delete user phones, tokens, and bypass codes; use directory sync to create or update a single end-user; send enrollment emails to users; modify full names, email addresses, and notes; change user status from "Locked Out" to "Active"; and can send Duo Mobile activations to users. Help Desk admins cannot manually create or delete users, modify usernames or user aliases; use bulk enrollment; or run a full directory sync. You can restrict Help Desk admins' ability to create bypass codes for users or send enrollment emails in Help desk settings. Help Desk administrators can view and export the Authentication Log, Telephony Log, Administrator Actions, and Policy Impact reports.
-
Billing: The Billing role can view and update billing information, make hardware tokens and telephony credits purchases, and perform management of sub-accounts. This role may only access the Dashboard and Billing page. This role can not change the Duo plan edition. Note that customers who purchased Duo licenses or telephony credits through Cisco Commerce Workspace (CCW) must log in to CCW to manage billing, download invoices, or purchase additional telephony credits.
-
Read-only: Admins assigned the Read-only role may view (but not modify) basic information about users, groups, phones, tokens, and applications, as well as view Trust Monitor security events and all reports. Read-only administrators may not access the Billing and Directory Sync pages.
If your organization is using Duo's Administrative Units feature, assigned user and group restrictions may affect those administrators' access to certain reports. Learn more about how administrative unit assignments affects reports access.
Admin Role Privileges
| Owner Role | Administrator Role | Application Manager Role | User Manager Role | Help Desk Role | Billing Role | Read-only Role | |
|---|---|---|---|---|---|---|---|
| View reports and download logs | ✅ | ✅ | ✅ | ✅ | ✅* | ✅ | |
| Manage 2FA devices & bypass codes | ✅ | ✅ | ✅ | ✅ | |||
| Manage users & directory sync | ✅ | ✅ | ✅ | ✅* | |||
| Manage groups | ✅ | ✅ | ✅ | ||||
| Manage applications | ✅ | ✅ | ✅ | ||||
| Trust Monitor | ✅ | ✅ | ✅* | ||||
| Create and edit policies | ✅ | ✅ | |||||
| Modify global settings | ✅ | ✅ | |||||
| View and manage billing | ✅ | ✅ | |||||
| Manage other admins & admin directory sync | ✅ | ||||||
| Enable SSO and Passwordless | ✅ |
* denotes limited access; see the role description for details.
Assigning Administrative Roles
When creating a new administrator you'll select the intended permissions role. If you need to change an administrator's role, view the admin user's properties and select the new role, clicking Save Changes when complete.
Assigned roles can't be changed for admin accounts managed by directory sync, except that an admin with the Owner role can upgrade a synced admin to an Owner, preventing any further management of that admin by directory sync.
See Managing Duo Administrators for more detailed instructions.
View Current Role
The currently logged in administrator can view their own account details, including the assigned role, by clicking on their name in the upper-right corner to access the administrator account action menu, and then clicking Edit Profile. All administrators may update their own contact and login information (like names, passwords, and phone numbers), but may not change the assigned role or view attached hardware token information.
Frequently Asked Questions
Can I assign more than one role to an administrator?
Only one role may be assigned to each Duo administrator in the Duo Admin Panel.
Can I edit administrative roles to include or remove rights in the Duo Admin Panel?
The administrative roles include a predefined set of permissions and are not customizable.
While you cannot customize the specific rights of an administrative role, Owners may update the role assigned to other administrators by choosing an option from the pre-defined list. Please note that you cannot change your own role.
Who can use Administrative Roles?
Duo's Duo Premier, Duo Advantage, and Duo Essentials plans include the Administrative Roles feature. The Duo Free plan may not assign different permission to administrators; all administrators have the equivalent of the Owner role (full rights to manage the Duo account).
If Administrative Roles are only available for Duo Premier, Duo Advantage, and Duo Essentials plans what happens if I change to another edition that does not include this feature?
If your account downgrades to the Duo Free plan all your administrator accounts remain in Duo and are all converted to Owner roles with full rights to administer your Duo account. Your previous role delegations are saved, so should you resubscribe to Duo Essentials, Duo Advantage, or Duo Premier the permissions formerly assigned to your administrator accounts are reinstated.
What if your only administrator with the Owner role departs your organization or no administrators with the Owner role can access the Duo Admin Panel?
If your only administrator with the Owner role departs without providing access to their Duo account, determine if it is possible to request the former administrator's help in restoring access. If that is not an option, contact Duo Support to request account recovery.
Due to the security-sensitive nature of Owner access to the Duo Admin Panel, the Duo Support team conducts a thorough account recovery verification process requiring multiple levels of identity verification of the person making the request and the people proposed as new administrator users. This process can take a long time, and Duo cannot guarantee successful identity verification or account recovery.
If you are the only administrator and you need to change your phone number, you also need to work with Duo Support.
Duo recommends having at least two Owners for your account. This ensures redundancy of access when an Owner loses access to their account. Owner role privileges grant full access to all actions, objects, and settings in the Duo Admin Panel. Only the Owner role can create, update, or delete other administrators, create and manage the Admin API and Account API applications, and activate Duo Single Sign-On (SSO) or Duo Passwordless features. Please see Manage Administrators for more information about managing administrators with the Owner role or any other role.
Whenever possible, follow these best practices:
- Assign the Owner role to a team member with an email and mobile number that is not shared with others.
- An Owner should not use an email alias for an email address assigned to another Owner user.
- If your organization does not have the resources to assign the Owner role to another member of your team, then we recommend creating a backup Owner for yourself with a different email address and phone number.
Refer to Best Practices Guide and FAQ to Duo Admin Panel Access Auditing and Ownership for more information.
Duo recommends a regular security audit, including routine confirmation of two or more active Owner roles assigned to known individuals that you trust to manage your Duo account. Regular audits will help you maintain a strong security posture and will help your cyber liability insurance providerset lower premiums.
Troubleshooting
Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.