This article covers:
- An Important Note About Migrating to Domain Control
- Managing Domain Members
- Managing Domain Admins
- Managing Groups and their User Rules/Permissions
- Descriptions of each Domain Group Rule/Permission
An Important Note About Migrating to Domain Control
If you are a policy admin who has been inviting employees to Expensify, when your company migrates to Domain Control there is a slight change in the permissions you'll need to be able to continue inviting employees. Inviting a user to a policy is actually also creating a user account. Since Domain Control creates additional restrictions on who can create and delete user accounts, you'll need to be a Domain Admin in addition to being a Policy Admin.
If you get the "Insufficient User Permissions" error, this means you are not a Domain Admin:
To be granted Domain Admin rights, an existing Domain Admin will need to add you via Admin > Domain Control > [select domain] > Domain Admins > Add Admin.
If you're unsure of who is a Domain Admin at your company feel free to reach out to our Success Team at firstname.lastname@example.org and we can look this information up for you.
Managing Domain Members
From the Domain Members page you can add and delete user accounts and move users between permission groups.
Please note: Domain Control allows you to centrally manage the process of removing an employee from Expensify (this action is not reversible). Any Approved and Reimbursed reports that they have submitted under that email address will be maintained, but they will no longer be able to access their account in Expensify. Any unsubmitted reports, expenses and receipts, and Processing (not yet approved) reports, expenses and receipts will be deleted.
Managing Domain Admins
The Domain Admins page allows you to designate domain administrators, they do not need to belong to your domain to be added as an admin. Domain administrators have the ability to edit Domain Control settings, and create new users via Domain Control or by inviting them to policies (inviting a user to a policy creates the user account simultaneously, so no need to add them in Domain Control first!).
The Primary Contact will be the point-of-contact for issues within this domain and must be a Domain Admin.
Managing Groups and their User Rules/Permissions
The groups page will allow you to create permission groups and edit current permission group settings. To manage your groups go to Admin > Domain Control > [Select the domain you want to manage] > Groups > Select a group > Edit.
Anything that you enable, disable or change in this edit screen will apply to every employee included in that group. You can see the list of employees for that respective group by clicking the 'Show Members' button.
Descriptions of each Domain Group Rule/Permission
Strictly enforce expense policy rules.
This means that every rule that has been set for the policy will need to be satisfied in order for the report to be able to be submitted for approval. If there is a policy violation on their expense report, the employee will receive a "hard stop" and will be unable to submit the report. Without this feature enabled employees will be able to dismiss policy violation warnings and submit their reports without correcting them.
Strictly enforce expense policy workflows.
Without strict enforcement of policy workflows, intermediary approvers will have the option of final approving a report. With this control enabled, only the final approver in the workflow will have the option of final approving a report. Additionally, users will be unable to submit reports outside the approval workflow set in the policy.
Restrict primary login selection.
A useful feature that allows domain admin to restrict users from being able to make a non-company domain email address their primary email address, thus bypassing permissions set up via Domain Control. Employees will still be allowed to add secondary logins.
Restrict expense policy creation/removal.
This feature prevents users from being able to create new expense policies for the company or remove themselves from an existing policy. Often, this feature is used to prevent people from using Expensify to submit reports for use outside of the company domain when combined with strict policy enforcement.
Restrict primary policy selection.
This feature is useful when you have groups of employees that only need to submit expense reports under one policy. This would allow, for example, an employee to only submit expense reports under Policy A, however that employee could still be an approver in Policy A and Policy B.