The Dual Role feature allows a user to be both a manager and learner without having to use separate email addresses. Dual Roles are set up by a user with ‘Manage Roles’ permissions through the manager profile.
Once a user is set up in Thought Industries, they can then be turned into a dual role. The relationship must be manager/learner - we do not support dual roles that are either manager/manager or learner/learner. When the user next logs in they will be able to switch between their manager and learner accounts seamlessly, allowing them to administer their site and take content without the need for two separate accounts.
Dual roles are especially helpful for panorama. The manager account can be a member of panorama/sublicense and the learner can be in a different sublicense simultaneously.
Configuring a Dual Role:
- From your homepage, go to Users, then click Managers.
The user has to be in a manager role currently (built in or custom) in order to create a dual role. If you started with a learner role user, you will need to promote the original account and then follow these steps to add a learner.
If you are creating a dual role by promoting a learner to a manager account after the learner engaged in content then the user will lose that content progress when they are promoted to a manager role. You will need to manually re-provision any content that they had access to previously and grant manager completions for those items which they already completed previously. If you are promoting a panorama learner to a manager role, you must remove them from the panorama BEFORE you promote them to a manager account.
- Click on the Role Name for the role the user is currently attached to or search for the user. Once identified, click on the User's Name to access their profile.
- By default, you will land on the Details tab. If you are not currently on the Details tab, navigate to it and locate the section header Role.
- Click Create learner profile.
If you are creating users via the API or you wish to automate this process rather than doing it in the UI then you can also utilize our User Dual Role API endpoint to create a dual role. As opposed to manual creation, you can start from either a manager or learner account and create the opposite to make it a dual role.
Please refer to the API documentation for the correct syntax for running this type of a request against this endpoint. You will need to know the Thought Industries User ID (which appears in the URL when in the user profile) to update a user.
Dual Role Learner profiles cannot be impersonated.
To navigate between the manager and learner profile as an Admin:
- You can navigate between the learner and manager profile from the Details tab - Role section.
- Users > Managers > Click on User's Name > Detail tab > Role section
- To navigate to the learner profile for example, go to the Detail tab > Role section in the Manager profile and click View and manage the learner profile.
Currently, there is only one way in the platform interface to check if a manager or learner is a dual role and that is by navigating into a user's profile and checking the Role section on the Details tab. If you need to check for this data point in bulk, you can use the User Details endpoint via API because it provides the Learner ID and the Manager ID.
The information on the Details tab of the learner profile of a dual role is intentionally disabled. Any detail modifications will be made in the management profile and will sync with the learner profile.
Using the Dual Role:
- Log in using the email address that has been configured as a dual role.
- By default, the dual role user will generally land on the manager side of their dashboard (dashboards can be slightly different for different managers depending on permissions).
- To use the learner account - From the manager dashboard, go to your left navigation menu and click on the Account Menu (three dot icon), then Switch to Learner.
To gain credit for any content taken on their account, the user must switch to their learner account before taking content.
Actions taken as a learner will be captured in reporting. If the learner role is disabled in a dual role, reporting data for historical learner actions performed as a dual role user will still show in reports after the learner role is disabled.
- To use the manager account - If you've switched to the learner account, you can switch back by clicking Return to Management in the banner at the top of the learner dashboard.
The Return to Management option only displays on learner dashboards currently. If you switch to the learner profile and navigate away from the dashboard, the option to Return to Management will not appear again until you've navigated back to the learner dashboard.
Contact Tech Success & Support
If you need to disable either the manager or the learner role from a dual role user, please contact Tech Success & Support for assistance.
Dual Roles and SSO
Our Dual Role functionality is supported with SAML 2.0, OpenID Connect, and JWT SSO. A company can specify dualRole (boolean) during SSO and specify the role alongside access attributes (purchasedCourses, etc.).
Although the original manager or learner user can be created through SSO, you cannot use SSO to then make that user a dual role. The user must be created as a dual role before they login with SSO for the first time as a dual role user. The dual role can be created one of two ways: from a manager profile manually through the admin interface or from either a manager or learner profile via API. Jump back to the section on Configuring a Dual Role to learn how to do this. The steps to use SSO throughout this process might look like this:
- Create the original manager user via SSO.
- Make the manager user a dual role by manually creating a learner profile through the admin interface.
- The user can now sign in via SSO and be recognized as a dual role.
Why are dual roles different with SSO?
When a user logs in with SSO we automatically assume that the user is a learner. This is the default setup with SSO. Our system can support dual role users logging in through SSO but additional parameters need to be passed for dual role users so that they are correctly recognized by the system and logged in appropriately.
Required Attributes for SSO Payloads
Once the dual role user is created you will need to configure your IdP to send the appropriate information for the user when they login. When a dual role user logs in they must be sent with the
dualRole attributes every time they login.
This attribute is the name of the role that a user should be placed in when they login. Learner accounts should always be sent in as
role: student. Manager accounts should be sent in with the slugified version of the role name. An example would be
client-admin rather than Client Admin.
If you have changed the name of a custom role since you originally created it then you should confirm the actual slug of the role before sending it.
This attribute is a boolean field that is required to tell the system that the user logging in is a dual role. When a dual role user logs in (regardless of role) the payload should include
true. This does not need to be sent for non-dual role users, only those users that have an active dual role.
Mapping the Attributes
If you are using either SAML 2.0 or OpenID Connect then you will need to map the two fields from your system that you are using to send these two pieces of information. You will find the attribute mappings in the SSO setup section for either your site or panorama. The field name that you enter should match the field name from your IdP exactly. See the example screenshot below that includes these fields.
role is a string field and
dualRole is a boolean field.