Account owners and users with the super user privilege can perform all aspects of user management in OneLogin, but your organization might want to delegate user management to users who don't need all of the access associated with the super user privilege.
User Management Privileges
OneLogin provides the following privileges that let you delegate user management.
Manage users
This is a powerful privilege that allows you to perform almost all user management tasks, including:
- Add, suspend, and delete users
- Edit any user field
- Import users
- Approve users in pending provisioning status
- Perform bulk user operations
- Assign groups, policies, roles, and applications to users
- Generate temporary OTP tokens for a user
- Change user passwords
- Force logouts
- Send invitations to users
- Reapply mappings
Users with the manage users privilege cannot assign privileges to other users, but they can revoke privileges. Adding privileges is a right limited to account owners and super users.
For more information, see Introduction to User Management.
Assume users
This is an add-on to the manage users privilege that lets you "take control" of other users. This means that you can look into the personal account settings of other users in order to diagnose improper configurations and troubleshoot issues.
You cannot view passwords for a user's apps that use form-based authentication, nor can you sign in to their apps or view their secure notes.
For more information, see Assuming Users.
Help Desk
This privilege gives you a subset of the manage users privilege without letting you add, delete, or edit user attributes. This privilege is intended for your internal support team, giving them the ability to:
- View user information
- Unlock users
- Reset passwords
- Force logouts
- Invite users
- Generate temporary OTP tokens
- Remove MFA devices
- Reapply mappings
Help Desk users cannot be granted the assume users privilege.
Manage groups
Users with this privilege, also known as group admins, can perform all user management tasks for the users included in a OneLogin group. They cannot, however, add new users to the group.
For more information, see Groups.
Manage roles
Users with this privilege, also known as role admins, can manage the assignment of users to a OneLogin role. They can do the following:
- View users in the role
- Add users manually to the role and remove them
- View other role admins for the role
For more information, see Roles.
Assigning Privileges to Users
To assign any of these privileges to a user, you must be an account owner or have the super user privilege.
- Log in to OneLogin as an account owner or super user.
- Go to Users > All Users and select the user.
- On the User Info tab, click the plus sign (+) in the Privileges section.
- On the Add Privilege dialog, select the privilege from the Privilege dropdown and click Continue.
  For the manage groups or manage roles privilege, you must also select the group or role for which you want to grant the privilege, and click Continue.
- Click Save.
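
After privileges have been assigned, the rules above can be checked during an access review. The following is an added example, not OneLogin code: it reads a constructed CSV of assignments (the `user,privilege,scope` layout and the function name `review` are hypothetical, not a OneLogin export format) and flags Help Desk users who also hold assume users, manage groups or manage roles grants with no group or role, and, on the assumption that "add-on" means assume users requires manage users, assume users held on its own.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data, not a real OneLogin export: user, privilege, scope
SAMPLE = """user,privilege,scope
alice,Manage users,
alice,Assume users,
bob,Help Desk,
bob,Assume users,
carol,Manage groups,
dave,Manage roles,Contractors
erin,Assume users,
"""

# Privileges that are granted for one specific group or role.
SCOPED = {"Manage groups": "group", "Manage roles": "role"}


def review(export_text):
    """Return sorted (user, finding) tuples for assignments that break the rules."""
    held = defaultdict(set)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user, priv, scope = row["user"], row["privilege"], row["scope"].strip()
        held[user].add(priv)
        # Manage groups / Manage roles must name the group or role they cover.
        if priv in SCOPED and not scope:
            findings.append((user, f"{priv} without a {SCOPED[priv]}"))
    for user, privs in held.items():
        if "Assume users" in privs:
            # Stated on the page: Help Desk users cannot be granted assume users.
            if "Help Desk" in privs:
                findings.append((user, "Help Desk combined with Assume users"))
            # Assumption: as an add-on, Assume users needs Manage users.
            if "Manage users" not in privs:
                findings.append((user, "Assume users without Manage users"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review(SAMPLE):
        print(f"{user}: {finding}")
```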