Managing Custom Roles

Last updated
Save as PDF

Version 22

Note: This feature is available on demand.

To request that this feature be enabled,

Contact Technical Support by using /support in Buzz or by email at support@domo.com.
Reach out to your Domo Customer Success Manager or Technical Consultant.

Depending on the feature, you may be required to complete training before you can use the feature.

Note: This feature is available for enterprise users only.

Intro

Domo has always provided built-in security roles such as "Admin," "Privileged," and "Participant" that are used to restrict access to sensitive Domo features. These roles govern which users in your Domo instance can perform sensitive tasks such as exporting data, inviting users, and changing company settings. These built-in roles have not always provided the flexibility needed to meet the security needs of larger organizations. Now, with the Role Management tool, you can create and manage custom security roles, giving you more flexibility and finer granularity in assigning access to Domo's powerful features.

Using Role Management, you can...

Expand the list of roles beyond the current built-in roles (Admin, Privileged, Editor, Participant, and Social).
Manage the privileges assigned to each new role.
Delete unused roles.
Get easy reporting on the privileges and list of assigned users in each new role.
Use SSO to automatically assign people to appropriate roles through a SAML assertion at each login.

You can create as many custom roles as needed for your organization.

The Role Management tool is available in the Admin Settings in Domo, by selecting > Admin Settings > Roles. You must have an "Admin" default security role or a custom role with "Manage All Roles" enabled to access this tool.

Video - Role Management

Understanding the Role Management Interface

The Role Management area in Admin Settings is made up of three main tabs as well as several other tabs you can access from the main tabs.

Roles Tab

The Roles tab is the initial tab you see when you click Roles in the Admin Settings. The following screenshot shows a typical view of this tab:

This tab lists all of the roles in your Domo, both the default roles (Admin, Privileged, Editor, Participant, and Social) as well as any custom roles you have created. Default roles are referred to in the UI as "Domo roles." Grants for these roles cannot be altered. User-created roles are referred to as "Custom roles." Custom roles can be edited as necessary.

For each role in the list, you can see all of the following:

The description of the role
The number of grants (privileges) available for this role
The number of people in your Domo instance who have been assigned this role
The date when the role was created.

You can search for roles by name or sort the roles in the list using any of a number of sort methods, such as role name, number of grants, etc.

In this tab you can also do the following:

Create a copy of any existing role (Domo or custom) by clicking the New button and choosing the role you want to copy. This opens the Edit view for the role, in which you can select or deselect the privileges available for this role. This subtab is described in more detail in the next section. (You can also open this subtab for an existing role by clicking the role name in the Roles tab.)
Specify the default role for new users in your Domo added either through invitation or SSO.

Role Edit View

When you click on a role in the Roles tab or you click New in that tab to copy an existing role, you are taken to an edit view in which you can select or deselect privileges assigned to the role as well as manage users with that role. This view comprises two distinct subtabs—Grants and People.

The following screenshot shows how the Grants subtab might appear for a typical user:

This subtab lists all of the grants (privileges) available in Domo, with checkboxes for each individual grant. For any custom role (not default Domo roles), you can check or uncheck boxes as desired to assign privileges to Domo users with that role. You can search for any grant by name using the Search grants box.

The following screenshot shows how the People subtab might appear for a typical user:

This subtab lists all users in your Domo who have been granted this role. In You can switch one or more users to a different role by checking the boxes next to their names then selecting the new role in the Change Role menu that appears. You can also search for a particular user in the Search people box or choose a different sort method in the Sort by box.

Both of these subtabs also provide access to the Duplicate Role and Add People options.

Duplicate Role is useful as it allows you to duplicate any role, Domo or custom, by clicking Duplicate Role. This creates a copy of the role and gives it a default name by affixing a number to the original name (such as "Privileged copy2"). You can change the default name and description (which remains unchanged unless you manually change it) by clicking within the name of description and making the changes. Once you have duplicated a role, you can change the grant configuration as desired, even if the original role was a default Domo role.

As an example, you might have a subset of users who should have Participant-level access except you also want them to be able to deploy Appstore apps. In this case you could easily create the new role by duplicating the "Participant" role, checking the box that reads "Use Appstore," and saving. The new role is now available in your Domo and can be granted to new or existing users as necessary.

Add People opens a list of all users in your Domo, which appears similar to the following:

Here you can quickly and easily switch users into the selected role by checking the boxes next to their names and clicking Add People. You can do this for individual or multiple users. You can also search for a particular user in the Search people box or choose a different sort method in the Sort by box.

Grants Tab

You open the Grants tab by clicking Grants in the main view that appears when Roles is selected in the left panel. The following screenshot shows this tab:

This tab lists all grants (privileges) available in Domo. For each grant, you can see the roles (both Domo and custom) to which the grant has been assigned; the number of roles out of the total roles that have the role assigned to them; the associated Domo feature, and the number of users with the grant bestowed. You can search for a specific grant using the Search grants field.

Grant Edit View

When you click on a grant in the Grants tab, you are taken to an edit view in which you can select or deselect the roles with access to the grant. You can also see the number of grants for the role out of the total number of grants in Domo, as well as the number of users of your Domo instance with the role applied.

The following screenshot shows this view for the "Manage All Roles" grant.

You can select or deselect grants for a selected role by checking/unchecking the boxes on the left. You cannot select or deselect default Domo roles (indicated by a lock icon) in this view.

People Tab

You open the People tab by clicking People in the main view that appears when Roles is selected in the left panel. The following screenshot shows this tab:

This tab lists all users of your Domo instance, together with their email addresses, roles, departments, and titles. Similar to the Add People listing that appears when you click the Add People button in the Roles edit view, you can switch select users into a different role by checking the boxes next to their names and clicking Add People. You can do this for individual or multiple users. You can also search for a particular user in the Search people box or choose a different sort method in the Sort by box.

Performing Role Management Tasks

This section lays out the steps for performing the most common role management tasks, including creating and deleting new custom roles, switching users to a different role, and so on.

Creating Custom Roles

In Domo, you create new roles not by building them from scratch, but by using existing roles as templates. This is not only faster than building from the bottom up but also gives you the benefit of a foundation to work from; for example, you might decide you want to create a new role that is similar in most respects to the "Privileged" role but includes some additional capabilities not natively available to "Privileged" users.

To create a custom role,

Click > Admin Settings > Roles.
Do one of the following:
- Click New in the top right corner of the Roles tab then select the existing role (either Domo or custom) that you want to base the new role off of.
- In the Roles tab, navigate in the list to the role you want to base your new role off of and click that role. Then, in the edit view for the role, click Duplicate Role.
  
  Whichever method you choose, the end result is the same—a copy of the new role is created, with the edit view open so you can choose the grants that will be available for users with this role assigned. By default the new role takes the name "New Role (copy)."
(Optional) If desired, give the new role a more descriptive name and description by clicking on the name/description and entering the new name/description in the field.
In the grants list, check the boxes for privileges users with this role should have, and uncheck the boxes for privileges they should not have.
Click the orange Save button to save your new grant configuration.

The new role is now available to be assigned to users in your Domo, together with all of its associated privileges and limitations. For more information about assigning a security role, see Assigning a Security Role to a User.

Modifying Custom Roles

You can modify the grant configuration for custom roles by clicking on them in the Roles tab and making your changes. You can only modify custom roles, i.e. those that have been created by you or other users in your Domo. You cannot modify any of the default Domo roles (Admin, Privileged, Editor, Participant, or Social).

To modify a custom role,

Click > Admin Settings > Roles.
In the list in the Roles tab, locate and click on the custom role you want to modify.
Make changes to the grants available for users with this role as desired.
Click the orange Save button to save your new grant configuration.

Deleting Custom Roles

You can delete custom roles by clicking on them in the Roles tab and clicking the trash can icon . You can only delete custom roles, i.e. those that have been created by you or other users in your Domo. You cannot delete any of the default Domo roles (Admin, Privileged, Editor, Participant, or Social).

To modify a custom role,

Click > Admin Settings > Roles.
In the list in the Roles tab, locate and click on the custom role you want to delete.
Click the icon in the top right corner of the edit view.
Click OK.

Assigning or Removing Roles to/from a Grant

In addition to assigning/removing grants to/from a role as explained above, you can also do the opposite—assigning roles to a grant or removing them if need be. For example, maybe you have built two custom roles called "Privileged2" and "Editor2," and you want both groups to be able to manage alerts. Instead of having to open up and edit the grant configuration for both groups individually, you could simply locate and open the "Manage All Alerts" grant in the Grants tab then check the "Privileged2" and "Editor2" boxes. As with most other role management tasks, this is only possible with custom roles; you cannot manipulate the grant configuration for default Domo roles.

To assign or remove a custom role to/from a grant,

Click > Admin Settings > Roles.
Click the Grants tab.
In the list of grants, locate and click on the grant you want to reassign.
This opens the edit view for the grant.
In the list of roles, check the boxes for all custom roles that should have access to the grant, and/or uncheck the boxes for those roles that should not have access.
Click OK.
Click Save Changes.

Switching Users to a Different Role

You can bulk-change users to a different role in Domo. You can assign users to default Domo or custom roles. There are several different ways to do this, all with the same end result:

You can choose a role and add users to that role.
You can open a list of all users in Domo and select users in the list to be added to a different role.
You can choose a role and change users who currently have that role to a different role.

With all of these options, you can switch users to a different role either individually (one at a time) or in bulk.

To add users to a selected role,

Click > Admin Settings > Roles.
Do one of the following:
- To add users to a role from the Roles tab,
  1. In the list of roles, locate and click the role you want to add users to.
    The edit view for the role opens.
  2. Click the Add People button.
    A list of all users in your Domo instance appears.
  3. Check the boxes for all users you want to add to the selected role.
  4. Click Add People.
  5. Click OK to confirm.
- To add users to a role from the People tab,
  1. Click the People tab.
    A list of all users in your Domo instance appears.
  2. Check the boxes for all users you want to switch to a different role.
  3. In the Change Role menu, select the role you want to switch the selected users to.
  4. Click OK to confirm.

The users you chose are now reassigned to the role you selected.

To change users with a specific role to a different role,

Click > Admin Settings > Roles.
In the list of roles, locate and click the role you want to switch users from.
The edit view for the role opens.
Click People to open the People subtab.
A list of all users in your Domo instance with the given role appears.
Check the boxes for all users you want to switch to a different role.
In the Change Role menu, select the role you want to switch the selected users to.
Click OK to confirm.

The users you chose are now reassigned to the role you selected.

Changing the Default Role for New Users

When you add users to Domo individually via the Admin Settings as explained in Adding Users to Domo, you assign their security roles as part of the setup process. However, when users are added to your Domo instance either through SSO or invitation, they are given a default role, which is initially set to "Privileged." In Admin Settings > Roles, you can change this default security role to any role you want, either a default Domo role or a custom role you've created.

To change the default role for new users in your Domo,

Click > Admin Settings > Roles.
Select the new default role for new users in the Default role menu.

Grants List

The following table lists all of the grants that may be assigned to users along with the specific privileges available for each:

Grant	Privileges
Use Alerts	Create alerts Edit your own alerts Share alerts you have access to Delete your own alerts
Manage All Alerts	This grant bestows all of the same privileges as "Use Alerts" plus... View any alerts Edit any alerts Delete any alerts This grant bestows these privileges regardless of access to underlying cards and DataSets. Note that while this grant doesn't bestow access to Cards or DataSets, these users will be able to see computed information as part of the alert values and/or alert history.
View Appstore	Access the Appstore Sort, filter, and rate content in the Appstore
Use Appstore	This grant bestows all of the same privileges as "View Appstore" plus... Deploy Appstore apps Power up Business in a Box dashboards with live data
Manage Appstore	This grant bestows all of the same privileges as "View Appstore" and "Use Appstore" plus... Access the Store Manager in Appstore See pending, live, and denied apps Approve or deny apps Uninstall apps
Embed Cards	Embed cards using Domo Everywhere (both publicly and privately) Manage embedded cards using the Domo Everywhere tab in Admin Settings
Edit Cards	Open Analyzer for any card you have access to Edit any Sumo card you have access to Edit any notebook card you have access to Upload new versions of a document card you have access to Edit any poll card you have access to Assign card creation Add new cards to Domo Add existing cards to a page Share cards with other users Use scheduled reports Edit scheduled reports you have access to Submit cards for certification Remove cards from pages Move or copy cards Duplicate cards Edit the drill path for any card you have access to Update the data for any card you have access to Edit Beast Mode calculations for any card you have access to Link related cards Add date annotations
Edit Pages	Change the owner of pages you own Access the Manage Pages dialog Delete pages you own Add pages and subpages Rename pages and subpages Reorder pages and subpages Hide and show pages Add and edit collections Set page filters Share pages you have access to
Export from Domo	Create Scheduled Reports Create slideshows Manage slideshows using the Publications tab in Admin Settings Export KPI cards Export Sumo data Print KPI cards Connect to a server using the Domo Excel plugin (must be used in conjunction with "View Domo Apps," "Edit DataSets," and "Manage All Access Tokens" grants)
Manage All Cards and Pages	This grant bestows all of the same privileges as "Edit Cards," "Edit Pages," and "Export from Domo" plus... Lock and unlock all pages Perform bulk actions on cards and pages Restrict edit capability for a card Change page owners on any page Delete any card Delete any page Edit any card Add Business in a Box dashboards Link to card pages from Business in a Box Add custom charts in Analyzer Edit Beast Mode calculations for all cards Change the page hierarchy in Admin Settings Share any card or page View the history of an individual scheduled report Edit the schedule and content for any scheduled report Disable any scheduled report Delete any scheduled report Use the Send Now option to send scheduled reports immediately
Manage All Roles	Set and manage custom roles in the Roles tab in Admin Settings Assign invited users to any role (when combined with "Add New Users")
View Activity Logs	View activity logs in the Activity Logs tab in Admin Settings
Manage All Company Settings	Access the Security tab in Admin Settings, in which you can... Manage access tokens Configure password requirements Disable username autocomplete Configure multifactor authentication Specify authorized domains Specify a "bounce page" for embedding users Disable Excel formulas Manage easy links Configure SSO Whitelist specific URLs Access the Company tab in Admin Settings, in which you can... Set the name and logo for your company Set your company language Change week display formatting Change your company time zone Specify the topmost position in your org chart Set company pages Create achievements and specify who can award them Specify worklog settings Add custom charts Manage licenses in the Licenses tab in Admin Settings Manage scheduled reports in the Report Scheduler tab in Admin Settings Log into Domo using manual login when SSO is enabled
Manage All Access Tokens	Access the Access Tokens, Embed Settings, and Manage Easy Links subtabs in the Security tab in Admin Settings Connect to a server using the Domo Excel plugin (must be used in conjunction with "View Domo Apps," "Export from Domo," and "Edit DataSets")
Edit DataSets	Access the Data Center Access the Data Warehouse Access the Accounts tab Delete your own DataSets Edit your own DataSets Edit your own PDP policies Access the DataSets tab in Data Center Change the owner of DataSets you own Export any DataSet Connect cards to a different DataSet Execute your own DataSets Access DataSets that have been shared with you Edit your own DataFusions Change the name and description for your own DataSets Manage notifications for your own DataSets Set color rules for your own DataSets Connect to a server using the Domo Excel plugin (must be used in conjunction with "View DomoApps," "Export from Domo," and "Manage All Access Tokens")
Manage DataSets	This grant bestows all of the same privileges as "Edit DataSets" plus... Access all DataSets Delete any DataSet Edit any PDP policy Transfer ownership of multiple DataSets in the Accounts tab Change the connection account for multiple DataSets in the Accounts tab Change the owner of any DataSet Take bulk actions on DataSets Execute any DataSet Edit any DataFusion Change the name and description for any DataSet Manage notifications for any DataSet Set color rules for any DataSet
Edit DataFlows	Access the DataFlows tab in Data Center Create DataFlows Edit your own DataFlows Delete your own DataFlows Note: Users with this grant enabled must also have "Edit DataSets" or "Manage DataSets" enabled. Otherwise they cannot access the Data Center.
Manage DataFlows	This grant bestows all of the same privileges as "Edit DataFlows" plus... Edit any DataFlow (including restricted DataFlows) Delete any DataFlow Note: Users with this grant enabled must also have "Edit DataSets" or "Manage DataSets" enabled. Otherwise they cannot access the Data Center.
View DomoApps	Open DomoApps you have access to Connect to a server using the Domo Excel plugin (must be used in conjunction with "Edit DataSets," "Export from Domo," and "Manage All Access Tokens")
Create DomoApps	This grant bestows all of the same privileges as "View DomoApps" plus... Access the Asset Library Create and edit DomoApps in the Asset Library
Manage Publication Groups	Configure and manage Publication Groups in the Publication Groups tab in Admin Settings
Edit Conversations and Messages	Delete a message in any Buzz conversation Change a private thread to a public one Configure Buzz settings in the Buzz tab in Admin Settings
Edit Users	Change user information for any user in the People tab in Admin Settings Reset any user's password Access the Manage Easy Links, Embed Settings, and Trusted Attributes subtabs in the Security tab in Admin Settings Edit any user's Profile page information Edit any user's Profile photo Edit your company org chart Remove users from Domo
Add New People	Invite new users to Domo Add new users in Admin Settings Specify any role for newly added users (only when used in conjunction with "Manage All Roles") Add users to Domo in bulk by uploading a CSV file
Edit Groups	Create groups Edit groups you have access to Delete groups you have access to Add and remove people from groups you have access to
Manage All Groups	This grant bestows all of the same privileges as "Edit Groups" plus... View all of the groups in your Domo instance Edit any group Add and remove users from any group Delete any group
Assign Achievements	Create, edit, delete, and assign achievements in Company Settings > Achievements in Admin Settings
Manage All Projects and Tasks	Edit any project or task Delete any project or task Create and assign tasks in any project Archive tasks and lists in any project
Manage Certified Content	Access the Certified Content tab in Admin Settings, in which you can... View all pending or certified pending content Add a department-level certification process Edit certification processes Expire certifications for edited content Cancel or remove certifications
Request Certification	Request certification for content in Domo