If you have Single Sign-on enabled for your organization, you can configure Ardoq so that user roles are managed either from within Ardoq or exclusively from the identity provider (e.g. Azure Active Directory).
This article explains how to set up Ardoq and Azure Active Directory to manage users in various ways. For example, you may want to set up a few administrators and writers, while everyone else in your organization has contributor-level access by default. We will see how this can be done.
A Note on Identity Providers (e.g. Azure Active Directory)
Role assignment is currently only supported with the SAML SSO method.
In Azure Active Directory, roles are a first-class concept, and normally the SSO integration will be configured so that Ardoq receives the user's assigned roles any time they log in. To manage roles externally, Ardoq expects roles to be included with the sign-in request.
For other identity providers (e.g. Okta), it may be possible to work around this limitation by making sure the "assignedRoles" attribute includes one of the expected roles, but this is not officially supported.
The assignedRoles attribute must include at least one of the following for external user management to function correctly:
If these are not provided, the user will keep their current role, or be created with a default role if they don't already have an existing Ardoq account.
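The fallback rule above means an unrecognized or missing role value does not block the login: an existing user silently keeps whatever role they already had. The following check, an added example that is not Ardoq's own code, reads the "assignedRoles" attribute from a captured SAML assertion and reports which branch of the rule applies. The role values in `EXPECTED_ROLES`, the exact-match comparison and the sample assertions are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed placeholder values: substitute the role values Ardoq expects.
EXPECTED_ROLES = {"admin", "writer", "contributor"}


def asserted_roles(assertion_xml, attr_name="assignedRoles"):
    """Return every value of the role attribute found in the assertion."""
    root = ET.fromstring(assertion_xml)
    path = f".//saml:Attribute[@Name='{attr_name}']/saml:AttributeValue"
    return [(v.text or "").strip() for v in root.iterfind(path, NS)]


def classify_login(assertion_xml, expected_roles, has_account):
    """Apply the rule described above to one sign-in.

    Returns (outcome, recognized, unrecognized). Matching is exact and
    case-sensitive, which is an assumption of this example.
    """
    values = asserted_roles(assertion_xml)
    recognized = [v for v in values if v in expected_roles]
    unrecognized = [v for v in values if v and v not in expected_roles]
    if recognized:
        outcome = "role-from-idp"
    elif has_account:
        # Nothing usable was sent: the existing role is left untouched.
        outcome = "keeps-current-role"
    else:
        outcome = "created-with-default-role"
    return outcome, recognized, unrecognized


def sample_assertion(*roles):
    """Constructed sample assertion, not real identity provider output."""
    vals = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
        f'<saml:Attribute Name="assignedRoles">{vals}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    for roles, has_account in ((("writer",), True), (("Writer",), True), ((), False)):
        print(roles, classify_login(sample_assertion(*roles), EXPECTED_ROLES, has_account))
```

A "keeps-current-role" result with a non-empty unrecognized list is the case worth reviewing, since it usually points to a misnamed role in the identity provider rather than an intentional "no role" assignment.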
Where to Configure Default Permissions and Default Role
On Ardoq's side, you can modify the Default permissions for new workspaces from the person button in the bottom left: Organizational settings -> Manage users -> Settings. You will need to reach out to your CSM or our Support team (email@example.com) to change the default role within your organization.
Role Management Options in Azure Active Directory
In Azure Active Directory, it is possible to manage roles and access in multiple ways.
Assign users or groups to the Ardoq application with a role
Assign users or groups with "default access" (no role)
Set "User assignment required?" to "No", giving all users in Azure Active Directory access to Ardoq with no role (users can still be assigned roles if desired)
When a user has "no role" defined in Azure Active Directory, an existing Ardoq user keeps their current role, and a user who does not yet exist in Ardoq is created with whatever the default role is in Ardoq.
Common Scenarios and How to Set Them Up
How do we make sure everyone has access to presentations or surveys?
Users must be granted access to the Ardoq application in Azure Active Directory to be able to log in to Ardoq. If you want to make sure as many people as possible can access Ardoq to submit surveys or view presentations, consider setting the "default role" to "contributor" and setting "User assignment required?" to "No" in Azure Active Directory.
If you prefer to control access to Ardoq, set "User assignment required?" to "Yes", but make sure that all the users who should have access belong to a group that is assigned the "contributor" role.
What role will a new user receive when logging in for the first time?
If the user has no role in Azure AD, the user is granted the default role instead.
How do we manage roles exclusively in Azure Active Directory?
To manage roles in Azure Active Directory, set the "user management" setting to "externally", set "User assignment required?" to "Yes" in Azure Active Directory, and assign users to the application.
How do we manage roles exclusively in Ardoq?
To manage default roles in Ardoq for new users, you will need to reach out to the Support team via the chat or firstname.lastname@example.org. You can manage the roles for Ardoq users from Organization Settings -> Manage Users by using the pencil icon next to the user.
Still have questions? Feel free to reach out to us. We're happy to help!