Large organizations may have delegated management responsibilities to regional, functional, or line of business IT teams. Duo's Administrative Units feature lets Duo Premier, Duo Advantage, and Duo Essentials customers create logical groupings of Duo users and applications and grant management privileges over those groupings to designated administrators.
Admin Roles and Units
Duo's administrator role permissions and administrative unit assignments define a given administrator's management scope. A Duo administrator's assigned role determines what actions that admin may perform, while a Duo administrator's assigned administrative unit determines which objects that administrator can manage by performing the actions permitted by the admin's role.
Consider a Duo admin who is assigned the "Administrator" role and is also assigned to an administrative unit in the "USA" division of their organization. That admin is able to perform all actions assigned to the "Administrator" role, but only for Duo objects assigned to the "USA" administrative unit.
Only Duo administrators with the Owner role may create administrative units or modify a unit's assigned administrators, user groups, and applications.
Global vs Restricted Admins
Duo administrators not assigned to an administrative unit are "global administrators". Global administrators may perform the management actions included in their assigned roles upon any Duo object.
Assigning a global administrator to an administrative unit revokes any management rights that administrator previously had to manage users, groups, or applications not also assigned to the same administrative unit.
Administrative Unit Examples
Regional Help Desk Rights
Acme Corp has different level one help desk teams supporting geographical regions. The US team only assists users in the United States, and the EU team only assists users in Europe. A global level two help desk team assists users in all regions. No help desk team may manage any applications.
Acme's global Duo owner accomplishes this by doing the following:
- Creating a new administrative unit called "US Help Desk".
- Creating a new administrative unit called "EU Help Desk".
- Creating Duo admin accounts for the US and EU level one team members, assigning each of them the "Help Desk" role
- Assigning each US level one administrator to the "US Help Desk" administrative unit.
- Assigning all groups that contain US-based end users to the "US Help Desk" administrative unit.
- Assigning each EU level one administrator to the "EU Help Desk" administrative unit.
- Assigning all groups that contain EU-based end users to the "EU Help Desk" administrative unit.
- Creating Duo admin accounts for the global level two team members, assigning each of them the "Help Desk" role. These administrators are not assigned to any administrative units.
VPN Management Rights for Network Admins
Acme Corp has a large IT workforce, segmented by function. Acme's networking team needs to manage Duo policy settings for VPN applications, but should not manage any users.
Acme's global Duo owner accomplishes this by doing the following:
- Creating a new administrative unit called "VPN Applications".
- Creating Duo admin accounts for the networking team members, assigning each of them the "Application Manager" role.
- Assigning each networking admin's account to the "VPN Applications" administrative unit.
- Assigning Duo VPN applications to the "VPN Applications" administrative unit.
- Other restricted Duo administrators outside the network group are not assigned to the "VPN Applications" administrative unit.
- No user groups are assigned to the "VPN Applications" administrative unit.
- Any new VPN applications created by the restricted admins in the "VPN Applications" administrative unit are automatically added to that administrative unit.
Creating Administrative Units
- Log in to the Duo Admin Panel as an Owner and navigate to Administrators → Administrative Units in the left sidebar.
- Click Create Administrative Unit in the upper right.
- Enter an Administrative Unit Name and an optional description.
- In the "Administrators" section you can select each administrator you wish to assign to this new unit. For each administrator selected, you'll see that admin's assigned role and a summary of the permissions granted by that role. You may skip assigning administrators to the new unit during creation, and add the unit administrators later.
- The "Assignments" section is where you associate applications and user groups with the new administrative unit.
Modifying Administrative Units
- Log in to the Duo Admin Panel as an Owner and navigate to Administrators → Administrative Units in the left sidebar.
- Locate the administrative unit you wish to update in the list and click the View and Edit link.
- Make your desired changes, which could be modifying the name or description, or additions to/deletions from the administrative unit's administrator, application, or user group assignments, and then click Save Administrative Unit.
Deleting Administrative Units
- Log in to the Duo Admin Panel as an Owner and navigate to Administrators → Administrative Units in the left sidebar.
- Locate the administrative unit you wish to remove and click the Delete link. Confirm the deletion operation.
Understand the impact deleting an administrative unit has on restricted admins!
When you delete an administrative unit, any administrators assigned to that unit lose management privileges on any of the applications or user groups that were assigned to the deleted unit, unless these rights are also granted by a remaining unit.
A restricted administrator doesn't automatically revert to a global administrator when all of that admin's assigned administrative units are deleted. Instead, that admin remains a restricted administrator, but has no user groups or applications to manage and cannot access any features in the Duo Admin Panel.
You'll need to either assign the restricted administrator to another administrative unit, or convert the restricted administrator to a global administrator by visiting that restricted administrator's properties page in the Duo Admin Panel and changing the "Administrative units" setting to Allow access to all groups and applications.
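As an added example that is not Duo's own code or API, the following Python models the scoping rules described under Admin Roles and Units, Global vs Restricted Admins and the deletion note above, run over constructed sample data shaped like the Acme Corp scenarios. The ROLE_ACTIONS mapping, the admin names and the group and application names are assumptions.

```python
# Added example, not Duo's code or API: a model of the administrative-unit scoping
# rules this page describes. ROLE_ACTIONS is a simplified placeholder, not Duo's real set.
ROLE_ACTIONS = {"Administrator": {"manage_users", "manage_apps"},
                "Help Desk": {"manage_users"}, "Application Manager": {"manage_apps"}}

def assign_admin(t, unit_name, admin):
    """Assigning an admin to a unit makes (or keeps) them a restricted admin."""
    t["units"][unit_name]["admins"].add(admin)
    t["restricted"].add(admin)

def delete_unit(t, unit_name):
    """Admins of the deleted unit stay restricted even if it was their last unit."""
    del t["units"][unit_name]

def scope(t, admin):
    """Everything for a global admin; else the union of the admin's remaining units."""
    if admin not in t["restricted"]:
        return set(t["groups"]), set(t["apps"])
    mine = [u for u in t["units"].values() if admin in u["admins"]]
    return (set().union(*(u["groups"] for u in mine)),
            set().union(*(u["apps"] for u in mine)))

def can(t, admin, action, obj):
    """Role decides the action; administrative-unit scope decides the object."""
    groups, apps = scope(t, admin)
    target = groups if action == "manage_users" else apps
    return action in ROLE_ACTIONS[t["roles"][admin]] and obj in target

def apps_in_several_units(t):
    """An application may belong to only one unit; report any that violate this."""
    owners = {}
    for name, u in t["units"].items():
        for app in u["apps"]:
            owners.setdefault(app, set()).add(name)
    return sorted(a for a, n in owners.items() if len(n) > 1)

def acme():
    """Constructed tenant: US/EU help desks, a global help desk admin, VPN admins."""
    t = {"roles": {"ann": "Help Desk", "eve": "Help Desk", "gus": "Help Desk",
                   "ned": "Application Manager"},
         "groups": {"US Staff", "EU Staff"}, "apps": {"VPN", "HR Portal"},
         "units": {"US Help Desk": {"admins": set(), "groups": {"US Staff"}, "apps": set()},
                   "EU Help Desk": {"admins": set(), "groups": {"EU Staff"}, "apps": set()},
                   "VPN Applications": {"admins": set(), "groups": set(), "apps": {"VPN"}}},
         "restricted": set()}
    assign_admin(t, "US Help Desk", "ann")
    assign_admin(t, "EU Help Desk", "eve")
    assign_admin(t, "VPN Applications", "ned")
    return t  # gus is never assigned a unit, so he remains a global admin
```

Deleting "US Help Desk" leaves ann restricted with an empty scope, which is the state the note above describes; apps_in_several_units flags any application that has been placed in more than one unit.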
Assigning Administrators to Administrative Units
You can assign restricted administrators to administrative units from the Administrative Units page or from an individual administrator's properties page. Restricted administrators can manage the applications and groups specified by the administrative unit. Restricted administrators can be assigned to multiple administrative units.
Assigning Administrators to an Administrative Unit
- Log in to the Duo Admin Panel as an Owner and navigate to Administrators → Administrative Units in the left sidebar.
- Locate the administrative unit you wish to update in the list and click the View and Edit link.
- Select the administrator from the list in the "Administrators" section.
- Click Save Administrative Unit.
Assigning Administrative Units to an Administrator
- Log in to the Duo Admin Panel as an Owner and click Administrators in the left sidebar.
- Click on the administrator's name.
- Scroll down to the "Administrative units" section and select the Restrict access by administrative units option.
- Click into the text entry field and start typing the name of an administrative unit. Click the unit's name in the list to select it. Repeat this for all administrative units you wish to assign to this administrator.
  As you add administrative units to the list, you'll see the number of groups and applications this admin can access change. Click Show details to view the names of each application and user group this administrator will be able to manage once you save your changes.
- Click Save.
Assigning Applications to Administrative Units
You can assign applications to administrative units from the Administrative Units page or from an individual application's properties page. Applications may only be assigned to one administrative unit, but an administrative unit can include multiple applications.
Restricted administrators whose assigned role includes the right to create and delete applications can create and delete applications in their assigned administrative unit, as well as manage the applications and groups specified by the administrative unit.
Assigning Applications to an Administrative Unit
- Log in to the Duo Admin Panel as an Owner and navigate to Administrators → Administrative Units in the left sidebar.
- Locate the administrative unit you wish to update in the list and click the View and Edit link.
- Scroll down to the "Assign Applications" section and change the "Administrators in this administrative unit manage" option from "all applications" to specific applications.
- Choose the application(s) you want to assign to this administrative unit from the list in the "Assign Applications" section.
- Click Save Administrative Unit.
Assigning an Administrative Unit to an Application
- Log in to the Duo Admin Panel as an Owner and click Applications in the left sidebar.
- Click on the application's name (or use the global search bar at the top to find the application you want to change).
- Scroll down to the "Administrative unit" section.
- Select the administrative unit you want to manage this application from the drop-down list.
- Click Save Changes.
Assigning User Groups to Administrative Units
You can assign groups of Duo users to administrative units from the Administrative Units page or from an individual group's properties page. Groups can be assigned to multiple administrative units.
Restricted administrators whose assigned role includes the right to create and delete users can create and delete user groups in their assigned administrative unit, as well as manage the groups and group members specified by the administrative unit.
Assigning Groups to an Administrative Unit
- Log in to the Duo Admin Panel as an Owner and navigate to Administrators → Administrative Units in the left sidebar.
- Locate the administrative unit you wish to update in the list and click the View and Edit link.
- Scroll down to the "Assign Groups" section and change the "Administrators in this administrative unit manage" option from "all users" to specific groups.
- Choose the group(s) you want to assign to this administrative unit from the list in the "Assign Groups" section.
- Click Save Administrative Unit.
Assigning Administrative Units to a Group
- Log in to the Duo Admin Panel as an Owner and click Groups in the left sidebar.
- Click on the group's name (or use the global search bar at the top to find the group you want to change).
- Scroll down to the "Administrative units" section.
- Click into the text entry field and start typing the name of an administrative unit. Click the unit's name in the list to select it. Repeat this for all administrative units you wish to assign to this user group.
- Click Save Changes.
Duo Policies
Administrators restricted by an administrative unit interact with Duo policies as follows:
- The Global Policy is read-only to restricted admins.
- A restricted administrator may clone custom policies associated with applications not associated with that admin's unit. Edits to the cloned policy have no effect on the original source policy. The admin may assign the cloned policy only to their managed applications and groups.
- A restricted administrator can freely edit any custom policy associated with only applications they manage, even if it is a group policy for groups the restricted admin does not manage.
Applications
Administrators restricted by an administrative unit interact with Duo applications as follows:
- Restricted admins may only create applications in their assigned administrative unit.
- An application may only be assigned to one administrative unit. When creating a new application, the restricted admin must select exactly one administrative unit.
- When editing an application, restricted admins may change the associated administrative unit to any other unit they manage. Any restricted admin assigned to the original associated unit but not to the newly associated unit loses management privileges on that application.
- Applications assigned to an administrative unit are not limited to the user groups of the administrative unit by default.
- Restricted admins can modify and delete applications associated with their administrative unit.
User Management
Administrators restricted by an administrative unit interact with Duo users as follows:
- Restricted admins may only list and view users they manage via a group association to their assigned unit.
- When creating a new user, the user must be assigned to a user group that the restricted admin can manage. If no user groups exist that the restricted admin can manage, the admin must create one before attempting to create a new user.
- The restricted admin may only add users to or remove users from groups managed by the admin's assigned unit.
- The "Pending Enrollments" page filters out users not in the restricted admin's assigned administrative units.
- The "Bypass Codes" page lists codes only for users in the restricted admin's assigned administrative units.
Bulk Enrollment
- Restricted admins may not use bulk enrollment.
- Restricted admins cannot manage users created via bulk enrollment until a global administrator adds those users to a group that belongs to one of the restricted admin's assigned units.
User Import
- When importing or updating users via CSV import, user rows with no group specified or that specify a group or groups not assigned to the restricted admin's units will be skipped.
- Restricted admins may not create new groups via CSV import.
Directory Sync
Administrators restricted by an administrative unit interact with Directory Sync as follows:
- Restricted admins cannot create, edit, or delete directories, regardless of assigned role.
- Restricted admins with roles that permit directory sync operations can view and manually sync directories that maintain user membership of groups assigned to the restricted admin's assigned units.
Group Management
Administrators restricted by an administrative unit interact with Duo groups as follows:
- When viewing a group, the restricted admin sees a read-only list of the administrative units to which the group is assigned.
- When creating new groups, restricted admins must associate the new user group with an administrative unit they manage.
- Restricted admins may not change a group's administrative unit after creation.
Device and Endpoint Management
Administrators restricted by an administrative unit interact with Device Insight and Duo endpoints as follows:
- The "Endpoints" page lists endpoint devices for only users that belong to groups assigned to the restricted admin's units.
- The "2FA Devices" page lists secondary authentication devices associated with users the restricted admin can manage, plus all devices unassigned to any user.
- The details page of an endpoint or 2FA device hides any users associated with that endpoint or device that don't belong to the admin's assigned units.
Reporting
- Authentication logs and other reports display events only for users associated with the restricted admin's units.
- Restricted administrators may not access certain reports:
  - If application restrictions apply, admins may not view the Administrator Actions or Deployment Progress reports.
  - If group restrictions apply, admins may not view the Telephony Log, Administrator Actions, or Deployment Progress reports.
Admin API and Administrative Units
You can manage administrative units via Admin API as well as from the Duo Admin Panel. See the available Admin API endpoints for administrative units.
Troubleshooting
Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.