User roles
Default user roles
The person who initially sets ConductorOne up for your company is given the Super Administrator role. After that, all users who sign into ConductorOne for the first time are automatically given the Basic User role. Read more about these and the other available user roles below.
You can keep these roles as-is, or assign new roles depending on what each user needs to get done. Users can have more than one role, and a user is granted all the permissions of every role they’re assigned.
Assign a new user role to a user
You can change any user’s role assignment on the Users page. Users can have more than one role, and a user is granted all the permissions of every role they’re assigned.
This task requires the Super Administrator role in ConductorOne.
1. Navigate to Admin > Users.
2. Locate the name of the user whose role you want to change.
3. From the … (more actions) menu, select Change role.
4. Select one or more user roles to assign to the user.
5. Click Save.
End-user user roles
ConductorOne has two user roles tailored to end users and scoped to the work they do.
Basic User
Users with this role can:
- View the ConductorOne home page
- Complete assigned access review tasks
- Request personal access to apps and resources
- (Managers only) Request access to apps and resources for direct reports
- Approve/deny assigned access request tasks
- Complete assigned provisioning/deprovisioning tasks
Access Request Helpdesk
Users with this role can:
- Do everything listed in the Basic User role
- Request access to apps and resources for any user
Administrator user roles
Users with an administrator-level user role can also access the Admin section of ConductorOne.
| | Access Request Admin | Campaign Admin | Connector Admin | Read-Only Admin | Super Admin |
|---|---|---|---|---|---|
| Dashboard | View | View | View | View | View |
| Explore | | | | View | View |
| Campaigns | | View, create, manage | | View | View, create, manage |
| Applications | | | | View | View, create, manage |
| Access conflicts | | | | View | View, create, manage |
| Access profiles | View, create, manage | | | View | View, create, manage |
| Connectors | | | View, create, manage | View | View, create, manage |
| Groups | | | | View | View, create, manage |
| Policies | | | | View | View, create, manage |
| Task log | | | | View | View, manage |
| Users | | | | View | View, manage |
| Settings | | | | View | View, create, manage |
Access Request Administrator
Users with this role can:
- Do everything listed in the Basic User role
- Request access to apps and resources for any user
- Create and manage access profiles
Campaign Administrator
Users with this role can:
- Do everything listed in the Basic User role
- View all campaigns
- Create and manage campaigns
- Create and download campaign reports
Connector Administrator
Users with this role can:
- Do everything listed in the Basic User role
- View all connectors
- Create and manage connectors
Read-Only Administrator
This is a special role, intended for auditors or other individuals who need visibility into ConductorOne without the ability to make changes.
Users with this role can:
- View all ConductorOne assets:
  - Campaigns
  - Applications
  - Conflict monitors
  - Access profiles
  - Connectors
  - Groups
  - Policies
- View task log
- View users
- View and work with access explorer and access graph
- Create and download reports
Users assigned only this role cannot complete tasks, request access, or perform the other functions included in the Basic User user role.
Super Administrator
Users with this role can:
- Do everything listed in the Basic User role
- Request access to apps and resources for any user
- View, create, and manage all ConductorOne assets:
  - Campaigns
  - Applications
  - Conflict monitors
  - Access profiles
  - Connectors
  - Groups
  - Policies
- View and manage tasks, reassign any task (when doing so is allowed by the task’s governing policy)
- View and manage users, including changing user role assignments
- View and work with access explorer and access graph
- Create and download reports
- View, create, and manage all ConductorOne settings
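Because a user receives the union of every assigned role's permissions, a periodic least-privilege review can flag roles that add nothing and admins who lack Basic User abilities. The sketch below is an added example, not ConductorOne code or its API: the role data is transcribed from this page, while the area labels `basic` and `request_any`, the function names, and the sample users are assumptions made for illustration.

```python
# Role data transcribed from this page; user names and assignments are constructed.
V, VM, VCM = {"view"}, {"view", "manage"}, {"view", "create", "manage"}
USE = {"use"}
ASSETS = ["campaigns", "applications", "access conflicts", "access profiles",
          "connectors", "groups", "policies"]

# role -> {area -> actions}. "basic" = Basic User abilities, "request_any" =
# request access for any user (both labels are chosen for this sketch).
ROLES = {
    "Basic User": {"basic": USE},
    "Access Request Helpdesk": {"basic": USE, "request_any": USE},
    "Access Request Admin": {"basic": USE, "request_any": USE, "dashboard": V,
                             "access profiles": VCM},
    "Campaign Admin": {"basic": USE, "dashboard": V, "campaigns": VCM},
    "Connector Admin": {"basic": USE, "dashboard": V, "connectors": VCM},
    "Read-Only Admin": {"dashboard": V, "explore": V, "task log": V, "users": V,
                        "settings": V, **{a: V for a in ASSETS}},
    "Super Admin": {"basic": USE, "request_any": USE, "dashboard": V, "explore": V,
                    "task log": VM, "users": VM, "settings": VCM,
                    **{a: VCM for a in ASSETS}},
}

def effective(roles):
    """Union of the permissions of every assigned role, per area."""
    perms = {}
    for role in roles:
        for area, actions in ROLES[role].items():
            perms.setdefault(area, set()).update(actions)
    return perms

def redundant(roles):
    """Roles that can be removed without changing the effective permissions."""
    full = effective(roles)
    return sorted(r for r in roles if effective([x for x in roles if x != r]) == full)

def review(assignments):
    """Per-user findings: redundant roles, and admins lacking Basic User abilities."""
    findings = {}
    for user, roles in assignments.items():
        notes = [f"redundant: {r}" for r in redundant(roles)]
        if "basic" not in effective(roles):
            notes.append("cannot complete tasks or request access")
        if notes:
            findings[user] = notes
    return findings

SAMPLE = {"alice": ["Super Admin", "Connector Admin"], "bob": ["Read-Only Admin"],
          "carol": ["Read-Only Admin", "Basic User"],
          "dave": ["Campaign Admin", "Basic User"]}  # constructed
```

Calling `review(SAMPLE)` reports alice's Connector Admin and dave's Basic User as redundant, and flags bob as an auditor who cannot act on tasks; carol produces no finding.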