Inside DigitalOcean’s SOX Compliance Playbook

ConductorOne docs

User roles

User roles make sure that ConductorOne users have the correct permissions — and only those permissions — needed to perform their assigned tasks.

Roles and their permissions

ConductorOne’s user roles let you assign users permissions tailored to the work they do.

PermissionBasic UserAccess Request HelpdeskAccess Request AdminCampaign AdminConnector AdminSuper Admin
View dashboard
Complete assigned tasks
Create access requests for any user
Manage access profiles
Create and manage campaigns
Manage tasks for campaigns
View connectors
Manage connectors
Manage applications
Create and manage policies
Reassign tasks*
Manage users
View security dashboard
View access explorer & access graph
View access conflicts

*Note: Tasks can be reassigned only when doing so is allowed by the policy governing the task.

Basic User

Users with the Basic User role can:

  • View the ConductorOne dashboard
  • Complete assigned access review tasks
  • Request personal access to apps and resources
  • (Managers only) request access to apps and resources for their direct reports
  • Approve/deny assigned access request tasks
  • Complete assigned provisioning/deprovisioning tasks

Access Request Helpdesk

Users with the Access Request Helpdesk role can:

  • Do everything listed in the Basic User role
  • Request access to apps and resources for any user

Access Request Administrator

Users with the Access Request Administrator role can:

  • Do everything listed in the Basic User role
  • Request access to apps and resources for any user
  • Create and manage access profiles

Campaign Administrator

Users with the Campaign Administrator role can:

  • Do everything listed in the Basic User role
  • View all campaigns
  • Create and manage campaigns
  • Manage all campaign tasks

Connector Administrator

Users with the Connector Administrator role can:

  • Do everything listed in the Basic User role
  • View all connectors
  • Create and manage connectors

Super Administrator

Users with the Super Administrator role can:

  • Do everything listed in the Basic User role
  • Request access to apps and resources for any user
  • Reassign any task (when doing so is allowed by the task’s governing policy)
  • View, create, and manage all ConductorOne assets:
    • Profiles
    • Campaigns and their tasks
    • Policies
    • Connectors
    • Applications
  • Manage users and change user role assignments
  • View the security dashboard
  • View and work with access explorer and access graph
  • View the access conflicts page and create new access conflicts

Default roles

The person who initially sets ConductorOne up for your company is given the Super Administrator role. After that, all users who sign into ConductorOne for the first time are automatically given the Basic User role. You can keep these roles as-is, or assign new roles depending on what each user needs to get done.

Assign a user a new role

You can change any user’s role assignment on the Users page. Users can have more than one role, and a user is granted all the permissions of every role they’re assigned.

This task requires the Super Administrator role in ConductorOne.

  1. In the navigation panel, open Admin and click Users.

  2. Locate the name of the user whose role you want to change.

  3. From the more actions menu, select Change role.

  4. Select one or more user roles to assign to the user.

  5. Click Save.

What’s next?

All ConductorOne users can be assigned access request and access review tasks. But some users, such as executives, folks out on extended leave, or contractors, should not be assigned these tasks. Go to Delegate a user’s tasks to set up delegates for users who cannot or should not be assigned ConductorOne tasks.