Knowledge Base Help Center
Duo Administration – Duo Administrative Roles
Many organizations have a variety of IT or security roles assigned to different groups, such as limited administrative rights granted to Help Desk staff. Duo’s Administrative Roles feature allows Duo Beyond, Duo Access, and Duo MFA plans customers to delegate management of users, applications, billing, and other types of administrative access.
In Duo Free plans, all administrators are effectively “Owners”, with no other role assignments available.
Duo Administrative Roles
Only Duo administrators with the Owner role may create and manage other Duo administrator accounts, including assignment of admin roles.
All Duo administrators in paid accounts are assigned one of these management roles:
- Owner: The Owner role grants full access to all actions, objects, and settings in the Duo Admin Panel. Only admins with the Owner role can create, update, or delete other administrators. Creating and managing the Admin API and Account API applications requires Owner privileges. Activation of the Duo Single Sign-On (SSO) or Passwordless features is also restricted to Owners. Only Owners can change the Duo plan edition or cancel a Duo subscription.
- Administrator: The Administrator has full access to create, update, and delete users, devices, settings, policies, SSO authentication sources, and applications (except for the Admin API and Account API application types). Administrators can set and edit Trust Monitor risk profiles and process events. An Administrator cannot view or update billing information or make purchases, nor can an Administrator create, view, or modify any other Administrators.
- Application Manager: The Application Manager role can add protected applications, update and remove applications (except for the Admin API and Account API application types), and manage SSO authentication sources. Application managers may also view limited information about users and devices. Application Managers can assign existing custom policies to applications and groups, but cannot create policies or edit policy settings.
- User Manager: The User Manager can create, update, and delete users, phones, tokens, and bypass codes. The User Manager can also configure and run directory synchronization. User managers can view the Authentication Log, Telephony Log, Administrator Actions, and Policy Impact reports.
- Help Desk: Help Desk administrators can create, update, and delete user phones, tokens, and bypass codes; use directory sync to create or update a single user; send enrollment emails to users; modify full names, email addresses, and notes; change user status from “Locked Out” to “Active”; and can send Duo Mobile activations to users. Help Desk admins cannot manually create or delete users, modify usernames or user aliases; use bulk enrollment; or run a full directory sync. You can restrict Help Desk admins’ ability to create bypass codes for users or send enrollment emails in Help Desk settings. Help Desk administrators can view the Authentication Log, Telephony Log, Administrator Actions, and Policy Impact reports.
- Billing: The Billing role allows view and update of billing information, hardware tokens and telephony credits purchases, and management of sub-accounts. This role may only access the Dashboard and Billing page. This role can not change the Duo plan edition. Note that customers who purchased Duo licenses or telephony credits through Cisco Commerce Workspace (CCW) must log in to CCW to manage billing, download invoices, or purchase additional telephony credits.
- Read-only: Admins assigned the Read-only role may view (but not modify) basic information about users, groups, phones, tokens, and applications, as well as view Trust Monitor security events and all reports. Read-only administrators may not access the Billing and Directory Sync pages.
If your organization is using Duo’s Administrative Units feature, assigned user and group restrictions may affect those administrators’ access to certain reports. Learn more about how administrative unit assignments affects reports access.
Admin Role Privileges
| Owner Role | Administrator Role | Application Manager Role | User Manager Role | Help Desk Role | Billing Role | Read-only Role | |
|---|---|---|---|---|---|---|---|
| View reports and download logs | ✅ | ✅ | ✅ | ✅ | ✅* | ✅ | |
| Manage 2FA devices & bypass codes | ✅ | ✅ | ✅ | ✅ | |||
| Manage users | ✅ | ✅ | ✅ | ✅* | |||
| Manage groups | ✅ | ✅ | ✅ | ||||
| Manage applications | ✅ | ✅ | ✅ | ||||
| Trust Monitor | ✅ | ✅ | ✅* | ||||
| Create and edit policies | ✅ | ✅ | |||||
| Modify global settings | ✅ | ✅ | |||||
| View and manage billing | ✅ | ✅ | |||||
| Manage other admins | ✅ | ||||||
| Enable SSO and Passwordless | ✅ |
* denotes limited access; see the role description for details.
Assigning Administrative Roles
When creating a new administrator you’ll select the intended permissions role. If you need to change an administrator’s role, view the admin user’s properties and select the new role, clicking Save Changes when complete. See Managing Duo Administrators for more detailed instructions.
The currently logged in administrator can view their own account details, including the assigned role, by clicking Edit Profile in the upper right hand corner of the Duo Admin Panel. All administrators may update their own contact and login information (like names, passwords, and phone numbers), but may not change the assigned role or view attached hardware token information.
Frequently Asked Questions
Can I assign more than one role to an administrator?
Only one role may be assigned to each Duo administrator in the Duo Admin Panel.
Can I edit administrative roles to include or remove rights in the Duo Admin Panel?
The administrative roles include a predefined set of permissions and are not customizable.
While you cannot customize the specific rights of an administrative role, Owners may update the role assigned to other administrators by choosing an option from the pre-defined list. Please note that you cannot change your own role.
Who can use Administrative Roles?
Duo’s Duo Beyond, Duo Access, and Duo MFA plans include the Administrative Roles feature. The Duo Free and legacy Business editions may not assign different permission to administrators; in those editions all administrators have the equivalent of the Owner role (full rights to manage the Duo account).
If Administrative Roles are only available for Duo Beyond, Duo Access, and Duo MFA plans what happens if I change to another edition that does not include this feature?
If your account downgrades to the Duo Free plan all your administrator accounts remain in Duo and are all converted to Owner roles with full rights to administer your Duo account. Your previous role delegations are saved, so should you resubscribe to Duo MFA, Duo Access, or Duo Beyond the permissions formerly assigned to your administrator accounts are reinstated.
What if the only Owner on a account isn’t able to log in to Duo?
It’s a good idea to have more than one administrator with the Owner role. If no Owners are able to log in to Duo, please see Recovering Access to an Administrator Account in the Administration documentation.
Troubleshooting
Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.
