Users & Roles

In this topic:


    Dome9 supports three types of users:

    • Super User - can access and manage any account resource, add new users and change their privileges. There can be multiple Super Users in the system.

    • Account Owner - manages Dome9 Account related issues such as billing and subscription plan and has the same privileges as a Super User. Only a single Account Owner exists per account.

      An Account Owner can assign another user to become an Account Owner. In this case, the Account Owner becomes a Super User.

    • Normal User - can be delegated authority to manage access or create specific new Servers or security groups.

    A Dome9 user is identified by an email address.

    The following table compares the privileges assigned to different types of users:


      Manage Dome9 Account Add users and modify privileges Access and manage any resource Access and manage assigned resources only
    Account Owner  
    Super User    
    Normal User      



    You can define roles, and assign them to users. You assign permissions to a role, When you assign a role to a user, the permissions of the role are granted to the user (so, no need to assign these permissions to the user explicitly).

    You can define any number of roles, to cover all the different types of users you will need for your Dome9 accounts, each with the permissions appropriate for it.



    You can grant the following permissions to users to perform actions on Dome9.



    Applicable Resources

    Dynamic Access

    Create Dynamic Access Leases on AWS services (see Dynamic Access Leasing)

    Dynamic Access Leases (AWS)


    Create Dome9 agents on hosts. This feature is for legacy support of Dome9 agents. Newer accounts do not use agents

    Dome9 agents


    Create, modify, and delete Dome9 account assets

    All Dome9 resources (accounts, users, Security Groups)


    View all system resources, without the ability to change them

    All Dome9 resources



    Actions to manage users and roles are in the Users & Roles menu

    Add a new user

    Super Users and Account Owner users can add new Dome9 users to the account.

    1. In the Users & Roles menu, select Users.

    2. Click.

    3. Enter details for user. The user will be identified by the email address. If the user will use Single Sign-on see Single Sign-On.

    4. Select a Role and Permissions for the user. The permissions associated with the role are automatically granted to the user, so no need to assign these explicitly in the Permissions section. If you do not assign a role, you must assign the permissions for the user explicitly here.

    5. Press CLOSE. An email will be sent to the new user (according to the email address entered for the user). Click on the link in the email to set the password.



    Add a role

    You can define roles with specific permissions, that can be assigned to users. The roles you define are specific to your Dome9 account.

    1. In the Users & Roles menu, select Roles.

    2. Click.

    3. Enter a name for the role, and select permissions for it.

    4. Optionally, select users for the role. These users will be granted the permissions associated with the role.


    Modify a user's role or permissions

    You can modify details for a user, including their permissions.

    1. Click on the user in the list.

    2. Make changes to the role(s) and/or permissions associated with the user, then click CLOSE.

    3. To delete the user, click, and select Delete.

    Configure a user for SSO

    A Super User can configure a user to use Single Sign-On (SSO).

    1. With a super user account, login to the Dome9 console, and navigate to Users & Roles.

    2. Click ADD USER:

    3. Enter details for the user, and then click CREATE. Note that SSO is enabled by default for the user when the account is configured for SSO.

    4. Select a the role and permissions for the user, as described above.

    5. The user will be added to the list of users with SSO designation indicating the the user is an SSO user:

    Disconnect a user from SSO

    1. Click opposite the user, and select Disconnect from SSO

    2. Confirm SSO disconnect in the dialog opened.

    3. The user will receive a mail notification to reset his password in Dome9.

    4. To Connect an existing user to SSO, under the user's action menu, click connect to SSO.

    5. In the dialog opened click Connect:

      The user will receive a mail notification to use the SSO login URL instead of the standard Dome9 login form


    Set user as an Account Owner

    An Account Owner manages Dome9 account related issues such as billing and subscription plan and has the same privileges as a Super User.

    Only a single Account Owner exists per account.

    1. Navigate to Users & Roles

    2. Click opposite the user, and select Set as account owner.

    3. An approval will appear, click on OK

    4. The user will have the following symbol.

    Unlock a user

    Users who enter an incorrect password more than a set number of times, when logging in, will be locked out of their account. Their account can be unlocked by a super user, in the Users page.

    The account for a user who is locked out will appear like this in the Users page:


    To unlock the user, in the Actions menu, select Unlock: