This article covers:
- An Important Note About Migrating to Domain Control
- Managing Domain Members
- Managing Domain Admins
- Managing Groups and their User Rules/Permissions
- Descriptions of each Domain Group Rule/Permission
An Important Note About Migrating to Domain Control
If you are a policy admin who has been inviting employees to Expensify, when your company migrates to Domain Control there is a slight change in the permissions you'll need to be able to continue inviting employees. Inviting a user to a policy is actually also creating a user account. Since Domain Control creates additional restrictions on who can create and delete user accounts, you'll need to be a Domain Admin in addition to being a Policy Admin.
If you get the "Insufficient User Permissions" error, this means you are not a Domain Admin:
To be granted Domain Admin rights, an existing Domain Admin will need to add you via Admin > Domain Control > [select domain] > Domain Admins > Add Admin.
If you're unsure of who is a Domain Admin at your company feel free to reach out to our Success Team at firstname.lastname@example.org and we can look this information up for you.
Managing Domain Members
From the Domain Members page you can add and delete user accounts and move users between permission groups.
Please note: Domain Control allows you to centrally manage the process of removing an employee from Expensify (this action is not reversible). Any Approved and Reimbursed reports that they have submitted under that email address will be maintained, but they will no longer be able to access their account in Expensify. Any unsubmitted reports, expenses and receipts, and Processing (not yet approved) reports, expenses and receipts will be deleted.
Managing Domain Admins
The Domain Admins page allows you to designate domain administrators, they do not need to belong to your domain to be added as an admin. Domain administrators have the ability to edit Domain Control settings, and create new users via Domain Control or by inviting them to policies (inviting a user to a policy creates the user account simultaneously, so no need to add them in Domain Control first!).
The Primary Contact will be the point-of-contact for issues within this domain and must be a Domain Admin.
Managing Groups and their User Rules/Permissions
Domain Groups allow you to set rules/permissions for groups of employees. To access go to Admin > Domain Control > [Select the domain you want to manage] > Groups.
- Enable and disable rules by clicking Edit
- Group settings will apply to all members of that group. View group members by clicking Show Members.
Descriptions of each Domain Group Rule/Permission
Strictly enforce expense policy rules.
If enabled, every rule that has been set for the policy will need to be satisfied before the report can be submitted for approval. If there is a policy violation on an expense, the employee will see a violation notification and will not be able to submit the report. If this feature is disabled employees will be able to dismiss policy violation notifications and submit their reports without correcting them.
Restrict primary login selection.
If enabled, users will not be able to make a non-company domain email address their primary email address (thus bypassing permissions set up via Domain Control). Employees will still be allowed to add secondary logins.
Restrict expense policy creation/removal.
If enabled, users will be prevented from creating new policies or removing themselves from an existing policy. If enabling this rule, it is recommended that a separate group is created for admins who need the ability to create new reports with the rule disabled.
Restrict primary policy selection.
If enabled, group members will only be able to create and submit reports under the set policy. This is useful when you have employees that are approvers for multiple policies but should only submit their own expenses under a single policy.