Intro

The instance default role and optional Roles Allowlist give you the governance controls you need to effectively manage user role assignment in Domo. Learn about both of these tools below.

Instance Default Role

All Domo users have one (and only one) role. If a role isn’t specified at the time the user is added in Domo—for example, if a user is auto-created via SSO and their role isn’t provided by the identity provider (IdP)—they are assigned the default role for their Domo instance. The default role can be a system or custom role.
Note: Depending on the method used and the privileges of the person adding the new user, the new user will receive the Social system role rather than the instance default role.
Initially, the default role is set to Privileged, but we recommend a more limited role as the default—Participant or similar. Configuring the default role is an admin-level activity and requires the Manage All Roles grant.

Access Role Settings

  1. In Domo, navigate to Admin > Governance > Roles to display the Role management screen.
  2. Select Settings.

Set the Default Role

  1. Access role settings, described above.
  2. In the Settings modal, select a role from the dropdown and save your changes.
    Note: If the Roles Allowlist is enabled:
    • The default role is automatically included in the allowlist.
    • Changing the default role automatically adds the new default role to the allowlist and adds the previous default role to the configurable portion of the allowlist. You can then choose to remove it from the allowlist.

Roles Allowlist

While Domo admins and other users with the Manage All Roles grant can assign any role to any user, they can delegate some of the responsibility of user management using the Assign Users to a Role grant and the Roles Allowlist. For example, a Domo admin can add the Participant and Editor system roles to the allowlist, giving manager-type users the option to assign these roles. Note that the instance default role and the Social system role are always included in the Roles Allowlist. There are three steps to use these tools:
  1. First, admins must configure the Roles Allowlist and choose which roles non-admin users can assign.
  2. Then, the admins choose non-admin users to receive the Assign Users to a Role grant. Learn how to assign grants.
  3. Finally, the non-admin grant holders can assign the roles in the Roles Allowlist to others.
Manage All Roles vs. Assign Users to a Role: The Manage All Roles grant should be carefully governed. It enables holders to assign any role to any user, regardless of how the Roles Allowlist is configured. The Assign Users to a Role grant only permits holders to assign the roles in the Roles Allowlist.

Configure the Roles Allowlist

Important: Configuring the allowlist is an admin-level activity and requires the Manage All Roles grant.
  1. Access role settings, described above.
  2. In the Settings modal, check the box labeled Enable allowlist.
  3. Add roles to, or remove roles from, the configurable portion of the allowlist and save your changes.
Notes:
  • The instance default role and the Social system role are always included in the allowlist. This is not configurable.
  • Roles that contain the Manage All Roles grant, such as the Admin system role, CANNOT be added to the allowlist, nor can they be used as the instance default role when the allowlist is enabled. This is intentional and prevents a user with the Assign Users to a Role grant from elevating their own or others’ role management privileges.
Next step: Now, choose which non-admin users should receive the Assign Users to a Role grant. Learn how to assign grants.
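
The rules above can be checked against a small model before you change role settings. This Python sketch is an added example, not Domo code or a Domo API; the class, its method names, the "Team Lead" custom role and the simplified grant sets are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MANAGE_ALL = "Manage All Roles"
ASSIGN_USERS = "Assign Users to a Role"
SOCIAL = "Social"

@dataclass
class Instance:
    role_grants: dict                 # role name -> set of grant names
    default_role: str = "Privileged"  # initial default, as stated on this page
    allowlist_enabled: bool = False
    configurable: set = field(default_factory=set)

    def eligible(self, role):
        # Roles that contain Manage All Roles can never be allowlisted.
        return MANAGE_ALL not in self.role_grants[role]

    def allowlist(self):
        # The default role and Social are always included and not configurable.
        return {self.default_role, SOCIAL} | self.configurable

    def add_to_allowlist(self, role):
        if not self.eligible(role):
            raise ValueError(f"{role} contains {MANAGE_ALL}")
        self.configurable.add(role)

    def set_default(self, role):
        if self.allowlist_enabled:
            if not self.eligible(role):
                raise ValueError(f"{role} cannot be default while the allowlist is enabled")
            # The previous default moves to the configurable portion.
            self.configurable.add(self.default_role)
            self.configurable.discard(role)
        self.default_role = role

    def can_assign(self, actor_role, target_role):
        grants = self.role_grants[actor_role]
        if MANAGE_ALL in grants:
            return True               # not limited by the allowlist
        if ASSIGN_USERS in grants and self.allowlist_enabled:
            return target_role in self.allowlist()
        return False                  # the grant has no impact without the allowlist

def sample_instance():
    # Constructed data: grant sets are simplified, "Team Lead" is hypothetical.
    return Instance(role_grants={
        "Admin": {MANAGE_ALL}, "Privileged": set(), "Editor": set(),
        "Participant": set(), SOCIAL: set(), "Team Lead": {ASSIGN_USERS}})
```

With the initial Privileged default left in place, a "Team Lead" holder can hand out Privileged as soon as the allowlist is enabled, which is one reason to set a more limited default first.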

FAQ

With the Roles Allowlist enabled, you can only use allowlist-eligible roles as the default role. These are roles that do not have the Manage All Roles grant. To use a role that has the Manage All Roles grant as the default role, the Roles Allowlist must be disabled.
Verify that you’ve enabled the Roles Allowlist and added one or more roles. If the allowlist is disabled, the grant has no impact.