User roles
Roles and their permissions
ConductorOne’s user roles let you assign users permissions tailored to the work they do.
| Permission | Basic User | Access Request Helpdesk | Access Request Admin | Campaign Admin | Connector Admin | Super Admin |
|---|---|---|---|---|---|---|
| View dashboard | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Complete assigned tasks | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Create access requests for any user | ✅ | ✅ | ✅ | |||
| Manage access profiles | ✅ | ✅ | ||||
| Create and manage campaigns | ✅ | ✅ | ||||
| Manage tasks for campaigns | ✅ | ✅ | ||||
| View connectors | ✅ | ✅ | ||||
| Manage connectors | ✅ | ✅ | ||||
| Manage applications | ✅ | |||||
| Create and manage policies | ✅ | |||||
| Reassign tasks* | ✅ | |||||
| Manage users | ✅ | |||||
| View security dashboard | ✅ | |||||
| View access explorer & access graph | ✅ | |||||
| View access conflicts | ✅ |
*Note: Tasks can be reassigned only when doing so is allowed by the policy governing the task.
Basic User
Users with the Basic User role can:
- View the ConductorOne dashboard
- Complete assigned access review tasks
- Request personal access to apps and resources
- (Managers only) request access to apps and resources for their direct reports
- Approve/deny assigned access request tasks
- Complete assigned provisioning/deprovisioning tasks
Access Request Helpdesk
Users with the Access Request Helpdesk role can:
- Do everything listed in the Basic User role
- Request access to apps and resources for any user
Access Request Administrator
Users with the Access Request Administrator role can:
- Do everything listed in the Basic User role
- Request access to apps and resources for any user
- Create and manage access profiles
Campaign Administrator
Users with the Campaign Administrator role can:
- Do everything listed in the Basic User role
- View all campaigns
- Create and manage campaigns
- Manage all campaign tasks
Connector Administrator
Users with the Connector Administrator role can:
- Do everything listed in the Basic User role
- View all connectors
- Create and manage connectors
Super Administrator
Users with the Super Administrator role can:
- Do everything listed in the Basic User role
- Request access to apps and resources for any user
- Reassign any task (when doing so is allowed by the task’s governing policy)
- View, create, and manage all ConductorOne assets:
- Profiles
- Campaigns and their tasks
- Policies
- Connectors
- Applications
- Manage users and change user role assignments
- View the security dashboard
- View and work with access explorer and access graph
- View the access conflicts page and create new access conflicts
Default roles
The person who initially sets ConductorOne up for your company is given the Super Administrator role. After that, all users who sign into ConductorOne for the first time are automatically given the Basic User role. You can keep these roles as-is, or assign new roles depending on what each user needs to get done.
Assign a user a new role
You can change any user’s role assignment on the Users page. Users can have more than one role, and a user is granted all the permissions of every role they’re assigned.
This task requires the Super Administrator role in ConductorOne.
In the navigation panel, open Admin and click Users.
Locate the name of the user whose role you want to change.
From the more actions … menu, select Change role.
Select one or more user roles to assign to the user.
Click Save.
What’s next?
All ConductorOne users can be assigned access request and access review tasks. But some users, such as executives, folks out on extended leave, or contractors, should not be assigned these tasks. Go to Delegate a user’s tasks to set up delegates for users who cannot or should not be assigned ConductorOne tasks.