User roles

In order to log in to 1Password SaaS Manager, a person must be given a user role. Roles define the permissions that a user has to different parts of SaaS Manager, such as applications, spend data, people or devices.

SaaS Manager includes a number of built-in user roles. You can also create custom user roles in order to grant different permission levels to different parts of SaaS Manager.

To view your current user roles, enable or disable the HR, IT and Finance roles, and create custom roles, go to Settings > Users and expand the Roles section. Select a role to view a summary of the permissions granted to users with that role. 

The built-in user roles have the following permissions:

Role: Admin
Permissions: Access to all SaaS Manager functionality, including permissions and integrations.
Designed for: IT staff responsible for configuring SaaS Manager.

Role: Read-only
Permissions: Can view the same information as Admin users (including financial data) but cannot edit records. Can edit reports in order to gain insights from the data.
Designed for: External auditors.

Role: HR
Permissions:
  • Read-only access to app overviews.
  • View and edit people.
  • Can also view and manage workflow runs to which the HR role has been granted access.
Designed for:
  • Viewing and updating information about employees.
  • Managing onboarding and offboarding workflows.

Role: IT
Permissions:
  • Read-only access to app overviews and edit access to app reports.
  • View and edit devices.
  • Can also view and manage workflow runs to which the IT role has been granted access.
Designed for:
  • Reporting on app spend, usage and security risk.
  • Viewing and editing device data.
  • Managing onboarding and offboarding workflows.

Role: Finance
Permissions:
  • Access to app spend, usage, access and assessments.
  • View and edit spend data.
Designed for:
  • Viewing and editing SaaS spend data.
  • Reporting on app spend and usage.

Role: Operator (deprecated)
Permissions:
  • Can view and edit apps, including spend, license and usage data.
  • Can view and edit devices and tasks.
  • Read-only access to the People directory, assessments, user list, integrations and settings.
  • Can view and manage workflow runs to which the Operator role has been granted access.
Designed for: Administering apps, devices and tasks without granting access to core settings.

Role: App management
Permissions:
  • Access to apps for which the user has been assigned a role (Owner, IT admin or a custom app role).
  • The level of access to each app depends on the app role.
Designed for: Users who need to manage particular apps (e.g. viewing usage data, updating spend or license information, or reviewing access policies) but who should not be able to see usage or financial information about other apps.

Note: This role is granted automatically when a person is assigned to an app role (Owner, IT admin or a custom role) and removed automatically when a person is no longer assigned to any app roles.

Role: App catalog
Permissions:
  • Can only access the App catalog, where they can browse and request access to approved apps.
  • No access to app usage data or financial data.
Designed for:
  • Employees who only need access to the App catalog.
  • Employees using the browser extension to send app usage data to SaaS Manager.

Default user role

If you have enabled SAML-based SSO or account requests, a default user role is assigned to new users. You can change this setting from Settings > Users > Default role. If you add a user manually, you must specify their role.

Regardless of how a person has been given access to SaaS Manager, you can view and change their user role from the People directory: from the context menu, select Edit SaaS Manager access. Alternatively, open the person's details and select Edit access.

App management

The App management default role is designed for users that will be assigned roles in relation to particular apps. When you grant a user the Owner or IT admin role (or a custom role with View or above permissions) on a particular app, they are automatically added to the App management role.

Users in the App management role:

  • Have access to the apps they manage, as per the app role permissions. For example, Owners have full access to the app, whereas IT admins can view app usage information and manage access, but cannot see spend or contract information. 
  • Can see basic information about any other apps that are included in the App catalog. Depending on your settings, this might be all managed apps or only a subset of your apps.

You can also assign users in other roles (such as Admin, HR or Finance) to apps. Users are granted the relevant permissions on the apps that are assigned to them, in addition to the permissions associated with their role. 

The dashboard highlights apps users own. Spend and renewal data is restricted to spend and renewals for apps that users own.

The App inventory is restricted to apps users own and apps that are included in the App catalog. Users cannot add extra columns or filters, and cannot see financial fields.

For apps users do not own, the app profile is read-only and no details about app accounts, spend or licenses are displayed.

 

 
