OnDMARC allows you to add additional users to the tool either via Okta/SAML or via the invite feature. For more details, please click on the button below.
Permissions are not enabled by default. Unless you explicitly enable them, all invited users have the same access rights, giving them full control of the tool. In a larger organization you may want fine-grained access control for your users, which is why we introduced the OnDMARC Permissions feature. It provides access control for the users of the tool so that you can delegate responsibilities among them.
User roles overview
OnDMARC provides access control via user roles. They are of two types:
- Roles with responsibilities across the entire organization, called Super Roles.
- Roles with responsibilities for part of the organization, called Group Roles.
For example, a group contains some domains and a group role can only see those domains, but a user with a super role can see all the domains in the account.
Apart from the account owner, there are four other super roles in OnDMARC. As mentioned earlier, super roles have access to resources across the entire organisation. Their permissions span all groups as well as anything outside of groups, according to the role that has been assigned.
Super Admins have full control over the account, except that they are not able to delete the owner account. Super Readers can see all the domains added to the account. Finance users can see the Billing section of the tool. None is for users who have not yet been assigned a user role or who have had their access revoked.
An example of a use case may be: As a CEO, you sign up for OnDMARC, invite your CTO to the app and assign her the Super Admin role so that she can add and manage domains. Additionally, you invite your CFO and assign him the Finance role with access to the billing section of the app.
Groups are used to logically group one or multiple domains. For example, one group can contain all domains related to Department A and another group can contain all domains related to Department B. Groups therefore allow you to further segregate access to your domains and assign users to those groups. Two user roles exist within a group: Group Admin and Group Reader. Both user roles can only see the domains that have been added to the group that they are part of. Additionally, Group Admins are allowed to add and remove users from their group.
An example of a use case may be: You are part of a global organisation consisting of multiple sub-companies with different top-level domains and departments. It may be difficult as an Owner or a Super Admin to manage the domains for the entire organisation and you decide to delegate some of them to different users. You may decide to create groups for domains based on the TLD, company or department and assign a Group Admin for each group, who is then responsible for managing the domains in that group and for assigning additional users to the group.
A user of the tool can be part of multiple groups and users can be assigned multiple roles where the higher permission role takes precedence. For example, if a user is a Super Admin and also an Admin of a group, the Super Admin role takes precedence.
Summary of user roles and permissions
A high-level overview of the roles is shown below.
As mentioned at the beginning of this guide, permissions are not enabled by default, meaning that invited users have ‘Super Admin’ access rights. When enabling permissions:
- All previous users who already joined the account continue to have Super Admin access rights,
- Any newly invited users will be granted the 'None' role, and their permissions can be modified later.
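The role precedence rule and the enabling behaviour described above, as an added Python sketch that is not OnDMARC's own code or API: it resolves each user's per-domain access from a super role plus group roles and lists who still holds account-wide control. The data layout, the `read`/`admin` level names and all users, groups and domains are constructed assumptions; treating Group Admin as admin-level over its group's domains follows the delegation use case above.

```python
# Role names come from the page; the data layout, the level names and every
# user, group and domain below are constructed for this example.
LEVELS = {"none": 0, "read": 1, "admin": 2}

# Domain access implied by each super role (Finance only sees Billing).
SUPER_LEVEL = {"Owner": "admin", "Super Admin": "admin",
               "Super Reader": "read", "Finance": "none", "None": "none"}
# Group roles only apply to the domains inside their group.
GROUP_LEVEL = {"Group Admin": "admin", "Group Reader": "read"}

GROUPS = {"Department A": ["a.example", "a-mail.example"],
          "Department B": ["b.example"]}
ALL_DOMAINS = ["a.example", "a-mail.example", "b.example", "corp.example"]
USERS = [
    {"email": "cto@corp.example", "super_role": "Super Admin",
     "group_roles": {"Department A": "Group Admin"}},
    {"email": "cfo@corp.example", "super_role": "Finance"},
    {"email": "auditor@corp.example", "super_role": "Super Reader",
     "group_roles": {"Department B": "Group Admin"}},
    {"email": "ops-a@corp.example", "super_role": "None",
     "group_roles": {"Department A": "Group Reader"}},
    {"email": "new@corp.example", "super_role": "None"},
]


def effective_access(user, groups=GROUPS, all_domains=ALL_DOMAINS):
    """Return {domain: level} for one user; the higher role wins per domain."""
    access = {d: SUPER_LEVEL[user["super_role"]] for d in all_domains}
    for group_name, role in user.get("group_roles", {}).items():
        level = GROUP_LEVEL[role]
        for domain in groups[group_name]:
            if LEVELS[level] > LEVELS[access.get(domain, "none")]:
                access[domain] = level
    return {d: lvl for d, lvl in access.items() if lvl != "none"}


def full_control_users(users=USERS):
    """List users whose super role gives account-wide control (review list)."""
    return [u["email"] for u in users if SUPER_LEVEL[u["super_role"]] == "admin"]


if __name__ == "__main__":
    for u in USERS:
        print(u["email"], effective_access(u))
    print("full control:", full_control_users())
```

Running `full_control_users` over the real user list right after enabling permissions shows which previously invited users kept Super Admin rights and may need a narrower role.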
If you would like to delete a user from the account you can click on ‘Remove’ next to their email address. You can also demote a user to the role of ‘None’ by clicking on ‘Revoke Access’ in their user profile.
API keys can also be removed by clicking on ‘Revoke access’ next to each key. The same can be done for API keys assigned to a group.
NOTE: Remember to always save the changes.