This article covers:

An important note about migrating to Domain Control

If you are a policy admin who has been inviting employees to Expensify, when your company migrates to Domain Control there is a slight change in the permissions you'll need to be able to continue inviting employees. Inviting a user to a policy is actually also creating a user account. Since Domain Control creates additional restrictions on who can create, close and reopen user accounts, you'll need to be a Domain Admin in addition to being a Policy Admin

If you get the "Insufficient User Permissions" error, this means you are not a Domain Admin:

To be granted Domain Admin rights, an existing Domain Admin will need to add you via Settings > Domain Control > [select domain] > Domain Admins and select "Add Admin."

Managing domain members

From the Domain Members page you can add and delete user accounts and move users between permission groups. 

Please note: Domain Control allows you to centrally manage the process of removing an employee from Expensify. Any Approved and Reimbursed reports that they have submitted under that email address will be maintained, but they will no longer be able to access their account in Expensify until it is Reopened. Any unsubmitted reports, expenses and receipts, and Processing (not yet approved) reports, expenses and receipts will be deleted

Managing Domain Admins

The Domain Admins page allows you to designate domain administrators, they do not need to belong to your domain to be added as an admin. Domain administrators have the ability to edit Domain Control settings, and create new users via Domain Control or by inviting them to policies (inviting a user to a policy creates the user account simultaneously, so no need to add them in Domain Control first!). 

The Primary Contact will be the point-of-contact for issues within this domain and must be a Domain Admin.

Managing Groups and their user rules/permissions

Domain Groups allow you to set rules/permissions for groups of employees.  To access go to Settings > Domain Control > [Domain Name] > Groups.

  • Enable and disable rules by clicking Edit
  • Group settings will apply to all members of that group. View group members by clicking Show Members

Descriptions of each Domain Group rule/permission

Strictly enforce expense policy rules

If enabled, every rule that has been set for the policy will need to be satisfied before the report can be submitted for approval. If there is a policy violation on an expense, the employee will see a violation notification and will not be able to submit the report. If this feature is disabled employees will be able to dismiss policy violation notifications and submit their reports without correcting them.

Restrict primary login selection

If enabled, users will not be able to make a non-company domain email address their primary email address (thus bypassing permissions set up via Domain Control). Employees will still be allowed to add secondary logins

Restrict expense policy creation/removal

If enabled, users will be prevented from creating new policies or removing themselves from an existing policy.  If enabling this rule, it is recommended that a separate group is created for admins who need the ability to create new reports with the rule disabled.

Restrict primary policy selection

If enabled, group members will only be able to create and submit reports under the set policy. This is useful when you have employees that are approvers for multiple policies but should only submit their own expenses under a single policy. 

For a live overview of the Policy Admin role, policy management and administration, register for our free Admin Onboarding Webinar!

Still looking for answers? Search our Community for more content on this topic! 

Did this answer your question?