Managing Custom Roles
Note: This feature is available on demand.
To request that this feature be enabled,
-
Contact Technical Support by using /support in Buzz or by email at support@domo.com.
-
Reach out to your Domo Customer Success Manager or Technical Consultant.
Depending on the feature, you may be required to complete training before you can use the feature.
Intro
Domo has always provided built-in security roles such as "Admin," "Privileged," and "Participant" that are used to restrict access to sensitive Domo features. These roles govern which users in your Domo instance can perform sensitive tasks such as exporting data, inviting users, and changing company settings. These built-in roles have not always provided the flexibility needed to meet the security needs of larger organizations. Now, with the Role Management tool, you can create and manage custom security roles, giving you more flexibility and finer granularity in assigning access to Domo's powerful features.
Using Role Management, you can...
-
Expand the list of roles beyond the current built-in roles (Admin, Privileged, Editor, Participant, and Social).
-
Manage the privileges assigned to each new role.
-
Delete unused roles.
-
Get easy reporting on the privileges and list of assigned users in each new role.
-
Use SSO to automatically assign people to appropriate roles through a SAML assertion at each login.
You can create as many custom roles as needed for your organization.
The Role Management tool is available in the Admin Settings in Domo, by selecting > Admin Settings > Roles. You must have an "Admin" default security role or a custom role with "Manage All Roles" enabled to access this tool.
Video - Role Management
Understanding the Role Management Interface
The Role Management area in Admin Settings is made up of three main tabs as well as several other tabs you can access from the main tabs.
Roles Tab
The Roles tab is the initial tab you see when you click Roles in the Admin Settings. The following screenshot shows a typical view of this tab:
This tab lists all of the roles in your Domo, both the default roles (Admin, Privileged, Editor, Participant, and Social) as well as any custom roles you have created. Default roles are referred to in the UI as "Domo roles." Grants for these roles cannot be altered. User-created roles are referred to as "Custom roles." Custom roles can be edited as necessary.
For each role in the list, you can see all of the following:
-
The description of the role
-
The number of grants (privileges) available for this role
-
The number of people in your Domo instance who have been assigned this role
-
The date when the role was created.
You can search for roles by name or sort the roles in the list using any of a number of sort methods, such as role name, number of grants, etc.
In this tab you can also do the following:
-
Create a copy of any existing role (Domo or custom) by clicking the New button and choosing the role you want to copy. This opens the Edit view for the role, in which you can select or deselect the privileges available for this role. This subtab is described in more detail in the next section. (You can also open this subtab for an existing role by clicking the role name in the Roles tab.)
-
Specify the default role for new users in your Domo added either through invitation or SSO.
Role Edit View
When you click on a role in the Roles tab or you click New in that tab to copy an existing role, you are taken to an edit view in which you can select or deselect privileges assigned to the role as well as manage users with that role. This view comprises two distinct subtabs—Grants and People.
The following screenshot shows how the Grants subtab might appear for a typical user:
This subtab lists all of the grants (privileges) available in Domo, with checkboxes for each individual grant. For any custom role (not default Domo roles), you can check or uncheck boxes as desired to assign privileges to Domo users with that role. You can search for any grant by name using the Search grants box.
The following screenshot shows how the People subtab might appear for a typical user:
This subtab lists all users in your Domo who have been granted this role. In You can switch one or more users to a different role by checking the boxes next to their names then selecting the new role in the Change Role menu that appears. You can also search for a particular user in the Search people box or choose a different sort method in the Sort by box.
Both of these subtabs also provide access to the Duplicate Role and Add People options.
Duplicate Role is useful as it allows you to duplicate any role, Domo or custom, by clicking Duplicate Role. This creates a copy of the role and gives it a default name by affixing a number to the original name (such as "Privileged copy2"). You can change the default name and description (which remains unchanged unless you manually change it) by clicking within the name of description and making the changes. Once you have duplicated a role, you can change the grant configuration as desired, even if the original role was a default Domo role.
As an example, you might have a subset of users who should have Participant-level access except you also want them to be able to deploy Appstore apps. In this case you could easily create the new role by duplicating the "Participant" role, checking the box that reads "Use Appstore," and saving. The new role is now available in your Domo and can be granted to new or existing users as necessary.
Add People opens a list of all users in your Domo, which appears similar to the following:
Here you can quickly and easily switch users into the selected role by checking the boxes next to their names and clicking Add People. You can do this for individual or multiple users. You can also search for a particular user in the Search people box or choose a different sort method in the Sort by box.
Grants Tab
You open the Grants tab by clicking Grants in the main view that appears when Roles is selected in the left panel. The following screenshot shows this tab:
This tab lists all grants (privileges) available in Domo. For each grant, you can see the roles (both Domo and custom) to which the grant has been assigned; the number of roles out of the total roles that have the role assigned to them; the associated Domo feature, and the number of users with the grant bestowed. You can search for a specific grant using the Search grants field.
Grant Edit View
When you click on a grant in the Grants tab, you are taken to an edit view in which you can select or deselect the roles with access to the grant. You can also see the number of grants for the role out of the total number of grants in Domo, as well as the number of users of your Domo instance with the role applied.
The following screenshot shows this view for the "Manage All Roles" grant.
You can select or deselect grants for a selected role by checking/unchecking the boxes on the left. You cannot select or deselect default Domo roles (indicated by a lock icon) in this view.
People Tab
You open the People tab by clicking People in the main view that appears when Roles is selected in the left panel. The following screenshot shows this tab:
This tab lists all users of your Domo instance, together with their email addresses, roles, departments, and titles. Similar to the Add People listing that appears when you click the Add People button in the Roles edit view, you can switch select users into a different role by checking the boxes next to their names and clicking Add People. You can do this for individual or multiple users. You can also search for a particular user in the Search people box or choose a different sort method in the Sort by box.
Performing Role Management Tasks
This section lays out the steps for performing the most common role management tasks, including creating and deleting new custom roles, switching users to a different role, and so on.
Creating Custom Roles
In Domo, you create new roles not by building them from scratch, but by using existing roles as templates. This is not only faster than building from the bottom up but also gives you the benefit of a foundation to work from; for example, you might decide you want to create a new role that is similar in most respects to the "Privileged" role but includes some additional capabilities not natively available to "Privileged" users.
To create a custom role,
-
Click
> Admin Settings > Roles.
-
Do one of the following:
-
Click New in the top right corner of the Roles tab then select the existing role (either Domo or custom) that you want to base the new role off of.
-
In the Roles tab, navigate in the list to the role you want to base your new role off of and click that role. Then, in the edit view for the role, click Duplicate Role.
Whichever method you choose, the end result is the same—a copy of the new role is created, with the edit view open so you can choose the grants that will be available for users with this role assigned. By default the new role takes the name "New Role (copy)."
-
-
(Optional) If desired, give the new role a more descriptive name and description by clicking on the name/description and entering the new name/description in the field.
-
In the grants list, check the boxes for privileges users with this role should have, and uncheck the boxes for privileges they should not have.
-
Click the orange Save button to save your new grant configuration.
The new role is now available to be assigned to users in your Domo, together with all of its associated privileges and limitations. For more information about assigning a security role, see Assigning a Security Role to a User.
Modifying Custom Roles
You can modify the grant configuration for custom roles by clicking on them in the Roles tab and making your changes. You can only modify custom roles, i.e. those that have been created by you or other users in your Domo. You cannot modify any of the default Domo roles (Admin, Privileged, Editor, Participant, or Social).
To modify a custom role,
-
Click
> Admin Settings > Roles.
-
In the list in the Roles tab, locate and click on the custom role you want to modify.
-
Make changes to the grants available for users with this role as desired.
-
Click the orange Save button to save your new grant configuration.
Deleting Custom Roles
You can delete custom roles by clicking on them in the Roles tab and clicking the trash can icon . You can only delete custom roles, i.e. those that have been created by you or other users in your Domo. You cannot delete any of the default Domo roles (Admin, Privileged, Editor, Participant, or Social).
To modify a custom role,
-
Click
> Admin Settings > Roles.
-
In the list in the Roles tab, locate and click on the custom role you want to delete.
-
Click the
icon in the top right corner of the edit view.
-
Click OK.
Assigning or Removing Roles to/from a Grant
In addition to assigning/removing grants to/from a role as explained above, you can also do the opposite—assigning roles to a grant or removing them if need be. For example, maybe you have built two custom roles called "Privileged2" and "Editor2," and you want both groups to be able to manage alerts. Instead of having to open up and edit the grant configuration for both groups individually, you could simply locate and open the "Manage All Alerts" grant in the Grants tab then check the "Privileged2" and "Editor2" boxes. As with most other role management tasks, this is only possible with custom roles; you cannot manipulate the grant configuration for default Domo roles.
To assign or remove a custom role to/from a grant,
-
Click
> Admin Settings > Roles.
-
Click the Grants tab.
-
In the list of grants, locate and click on the grant you want to reassign.
This opens the edit view for the grant. -
In the list of roles, check the boxes for all custom roles that should have access to the grant, and/or uncheck the boxes for those roles that should not have access.
-
Click OK.
-
Click Save Changes.
Switching Users to a Different Role
You can bulk-change users to a different role in Domo. You can assign users to default Domo or custom roles. There are several different ways to do this, all with the same end result:
-
You can choose a role and add users to that role.
-
You can open a list of all users in Domo and select users in the list to be added to a different role.
-
You can choose a role and change users who currently have that role to a different role.
With all of these options, you can switch users to a different role either individually (one at a time) or in bulk.
To add users to a selected role,
-
Click
> Admin Settings > Roles.
-
Do one of the following:
-
To add users to a role from the Roles tab,
-
In the list of roles, locate and click the role you want to add users to.
The edit view for the role opens. -
Click the Add People button.
A list of all users in your Domo instance appears. -
Check the boxes for all users you want to add to the selected role.
-
Click Add People.
-
Click OK to confirm.
-
-
To add users to a role from the People tab,
-
Click the People tab.
A list of all users in your Domo instance appears. -
Check the boxes for all users you want to switch to a different role.
-
In the Change Role menu, select the role you want to switch the selected users to.
-
Click OK to confirm.
-
-
The users you chose are now reassigned to the role you selected.
To change users with a specific role to a different role,
-
Click
> Admin Settings > Roles.
-
In the list of roles, locate and click the role you want to switch users from.
The edit view for the role opens. -
Click People to open the People subtab.
A list of all users in your Domo instance with the given role appears. -
Check the boxes for all users you want to switch to a different role.
-
In the Change Role menu, select the role you want to switch the selected users to.
-
Click OK to confirm.
The users you chose are now reassigned to the role you selected.
Changing the Default Role for New Users
When you add users to Domo individually via the Admin Settings as explained in Adding Users to Domo, you assign their security roles as part of the setup process. However, when users are added to your Domo instance either through SSO or invitation, they are given a default role, which is initially set to "Privileged." In Admin Settings > Roles, you can change this default security role to any role you want, either a default Domo role or a custom role you've created.
To change the default role for new users in your Domo,
-
Click
> Admin Settings > Roles.
-
Select the new default role for new users in the Default role menu.
Grants List
The following table lists all of the grants that may be assigned to users along with the specific privileges available for each:
Grant |
Privileges |
---|---|
Use Alerts |
|
Manage All Alerts |
This grant bestows all of the same privileges as "Use Alerts" plus...
This grant bestows these privileges regardless of access to underlying cards and DataSets. Note that while this grant doesn't bestow access to Cards or DataSets, these users will be able to see computed information as part of the alert values and/or alert history. |
View Appstore |
|
Use Appstore |
This grant bestows all of the same privileges as "View Appstore" plus...
|
Manage Appstore |
This grant bestows all of the same privileges as "View Appstore" and "Use Appstore" plus...
|
Embed Cards |
|
Edit Cards |
|
Edit Pages |
|
Export from Domo |
|
Manage All Cards and Pages |
This grant bestows all of the same privileges as "Edit Cards," "Edit Pages," and "Export from Domo" plus...
|
Manage All Roles |
|
View Activity Logs |
|
Manage All Company Settings |
|
Manage All Access Tokens |
|
Edit DataSets |
|
Manage DataSets |
This grant bestows all of the same privileges as "Edit DataSets" plus...
|
Edit DataFlows |
Note: Users with this grant enabled must also have "Edit DataSets" or "Manage DataSets" enabled. Otherwise they cannot access the Data Center.
|
Manage DataFlows |
This grant bestows all of the same privileges as "Edit DataFlows" plus...
Note: Users with this grant enabled must also have "Edit DataSets" or "Manage DataSets" enabled. Otherwise they cannot access the Data Center.
|
View DomoApps |
|
Create DomoApps |
This grant bestows all of the same privileges as "View DomoApps" plus...
|
Manage Publication Groups |
|
Edit Conversations and Messages |
|
Edit Users |
|
Add New People |
|
Edit Groups |
|
Manage All Groups |
This grant bestows all of the same privileges as "Edit Groups" plus...
|
Assign Achievements |
|
Manage All Projects and Tasks |
|
Manage Certified Content |
|
Request Certification |
|