The Dual Role feature allows a user to be both a manager and learner without having to use separate email addresses. Dual Roles are set up by a user with Manage Roles permissions.
Once a user is set up in Thought Industries, they can then be turned into a dual role. The relationship must be manager/learner - we do not support dual roles that are either manager/manager or learner/learner. When the user next logs in they will be able to switch between their manager and learner accounts seamlessly, allowing them to administer their site and take content without the need for two separate accounts.
Dual roles are especially helpful for Panorama. The manager account can be a member of Panorama/sublicense and the learner can be in a different sublicense simultaneously.
Configuring a Dual Role
You can start with a manager role or a learner role when you are creating a dual role. If the user has engaged in content before they are promoted to a dual role, their content progress will be retained on their original role (e.g., courses completed as a learner will remain on the learner transcript).
Note
When you convert a learner to a dual role, the new manager has manager-level access to the same content they had access to as a learner. This is consistent with the behavior when managers are promoted to dual role users (i.e., the learner is enrolled in any content the manager is enrolled in).
From a Manager Role
- From your homepage, go to Users > Managers.
- Click on the Role Name for the role the user is currently attached to or search for the user.
- Once identified, click on the User's Name to access their profile.
Note
If you are promoting a Panorama user to a dual role, you must remove them from the Panorama in the Access tab BEFORE you promote them to a dual role account.
- By default, you will land on the Details tab. If you are not currently on the Details tab, navigate to it and locate the section header Role.
- Click Create learner profile.
From a Learner Role
- From your homepage, go to Users > Learners.
- Click on the User's Name to access their profile.
Note
If you are promoting a Panorama user to a dual role, you must remove them from the Panorama in the Access tab BEFORE you promote them to a dual role account.
- By default, you will land on the Details tab. If you are not currently on the Details tab, navigate to it and locate the section header Role.
- Select a Manager Role and click Create manager profile.
Tip
If you are creating users via the API, or you wish to automate this process rather than doing it in the UI, you can also use our User Dual Role API endpoint to create a dual role. You can start from either a manager or learner account and create the opposite to make it a dual role.
Please refer to the API documentation for the correct syntax for running this type of a request against this endpoint. You will need to know the Thought Industries User ID (which appears in the URL when in the user profile) to update a user.
Note
Dual Role Learner profiles cannot be impersonated.
Navigating between the manager and learner profile as an Admin
- You can navigate between the learner and manager profile from the Details tab - Role section.
- Users > Managers > Click on User's Name > Detail tab > Role section
- To navigate to the learner profile for example, go to the Detail tab > Role section in the Manager profile and click View and manage the learner profile.
Tip
Currently, there is only one way in the platform interface to check if a manager or learner is a dual role and that is by navigating into a user's profile and checking the Role section on the Details tab. If you need to check for this data point in bulk, you can use the User Details endpoint via API because it provides the Learner ID and the Manager ID.
Note
The information on the Details tab of the learner profile of a dual role is intentionally disabled. Any detail modifications will be made in the management profile and will sync with the learner profile.
Disabling a Learner or Manager Dual Role
There may come a time where a dual role is no longer needed for a user. In this case, you can disable either the learner or manager role - whichever fits your new situation. Any manager role with the permission to Manage Roles will be able to accomplish this task. Keep in mind, any data attached to the role you choose to disable (like completion statuses or certificates) will not automatically transfer to the role you keep.
Tip
Take note of any completion criteria the user has attached to the profile you are removing. In most cases, you can manually add the completion history to whichever profile you are keeping by going to the Access tab and adding the content there, then assigning the correct statuses (started, completed, etc.). Some roles, like the default Admin role, have access to all content, and therefore there is no option to add completion history to that manager profile.
- Navigate to Users > Managers.
- Click into a user's profile.
- On the Details tab, scroll down to the Role section.
Warning
Disabling one of the profiles for a dual role user is an irreversible deletion. You have the option to make the user a dual role again later on, but the original profile no longer exists along with the data attached to it.
- You have the option to disable the learner OR manager profile.
  - Disable Learner Profile: When viewing the manager profile, you have the option to disable the learner profile. To do so, click Disable Learner Profile.
  - Disable Manager Profile: If you would like to remove the manager profile instead, click View and Manage the Learner Profile. Go to the Role section, and click Disable Manager Profile.
- Either way, you'll see a message to confirm you'd like to remove the role. Click Yes.
- The change will take immediate effect. No need to Save.
Tip
You can use API to bulk disable the manager profile of dual roles. A few key things to note about using the Bulk Disable Dual Roles endpoint:
- This endpoint can only be used to disable the manager profiles for dual role users. If you desire to remove the learner profile for a dual role user, you will need to do that in the Admin User Interface.
- This endpoint accepts an array of manager user IDs. The endpoint will delete the manager profile for all of the valid dual role users included in the array. The learner profile will remain intact.
Using the Dual Role
- Log in using the email address that has been configured as a dual role.
- By default, the dual role user will generally land on the manager side of their dashboard (dashboards can be slightly different for different managers depending on permissions).
- To use the learner account - From the manager dashboard, go to your left navigation menu and click on the User Name, then Switch to Learner.
Note
To gain credit for any content taken on their account, the user must switch to their learner account before taking content.
Actions taken as a learner will be captured in reporting. If the learner role is disabled in a dual role, reporting data for historical learner actions performed as a dual role user will still show in reports after the learner role is disabled.
- To use the manager account - If you've switched to the learner account, you can switch back by clicking Return to Management in the banner at the top of the learner dashboard.
Note
The Return to Management option only displays on learner dashboards currently. If you switch to the learner profile and navigate away from the dashboard, the option to Return to Management will not appear again until you've navigated back to the learner dashboard.
Dual Roles and SSO
Our Dual Role functionality is supported with SAML 2.0, OpenID Connect, and JWT SSO. A company can specify dualRole (boolean) during SSO and specify the role alongside access attributes (purchasedCourses, etc.).
Note
Although the original manager or learner user can be created through SSO, you cannot use SSO to then make that user a dual role. The user must be created as a dual role before they log in with SSO for the first time as a dual role user. The dual role can be created one of two ways: from a manager profile manually through the admin interface or from either a manager or learner profile via API. Jump back to the section on Configuring a Dual Role to learn how to do this. The steps to use SSO throughout this process might look like this:
- Create the original manager user via SSO.
- Make the manager user a dual role by manually creating a learner profile through the admin interface.
- The user can now sign in via SSO and be recognized as a dual role.
Why are dual roles different with SSO?
When a user logs in with SSO, we automatically assume that the user is a learner. This is the default setup with SSO. Our system can support dual role users logging in through SSO, but additional parameters need to be passed for dual role users so that they are correctly recognized by the system and logged in appropriately.
Required Attributes for SSO Payloads
Once the dual role user is created, you will need to configure your IdP to send the appropriate information for the user when they log in. When a dual role user logs in, they must be sent with the role and dualRole attributes every time they log in.
role
This attribute is the name of the role that a user should be placed in when they log in. Learner accounts should always be sent in as role: student. Manager accounts should be sent in with the slugified version of the role name. An example would be client-admin rather than Client Admin.
Note
If you have changed the name of a custom role since you originally created it then you should confirm the actual slug of the role before sending it.
dualRole
This attribute is a boolean field that is required to tell the system that the user logging in is a dual role. When a dual role user logs in (regardless of role), the payload should include dualRole: true. This does not need to be sent for non-dual role users, only those users that have an active dual role.
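A pre-flight check for the role and dualRole attributes described above, as an added example that is not part of the Thought Industries documentation or product. The function names, the slug pattern, and the confirmed_slugs allowlist are assumptions for illustration. Because role decides which profile a login lands in, the manager slug is taken only from a list you have confirmed in the platform, never derived from the display name.

```python
import re

LEARNER_ROLE = "student"  # value the page gives for learner logins
# Assumed slug shape (lowercase words joined by hyphens), e.g. client-admin.
SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def build_sso_attributes(profile, is_dual_role, manager_slug=None,
                         confirmed_slugs=frozenset()):
    """Return the role/dualRole attributes to send for one login.

    confirmed_slugs is a hypothetical allowlist of manager role slugs that
    were checked in the platform; display names are never slugified here.
    """
    if profile == "learner":
        role = LEARNER_ROLE
    elif profile == "manager":
        if manager_slug is None or not SLUG_RE.fullmatch(manager_slug):
            raise ValueError(f"role must be a slug, got {manager_slug!r}")
        if manager_slug not in confirmed_slugs:
            raise ValueError(f"unconfirmed role slug {manager_slug!r}")
        role = manager_slug
    else:
        raise ValueError(f"unknown profile {profile!r}")
    attrs = {"role": role}
    if is_dual_role:
        attrs["dualRole"] = True  # a real boolean, on every dual role login
    return attrs


def check_sso_attributes(attrs, is_dual_role):
    """Return the problems found in an outgoing payload (empty list = OK)."""
    problems = []
    role = attrs.get("role")
    if not isinstance(role, str) or not SLUG_RE.fullmatch(role):
        problems.append("role missing or not a slug")
    dual = attrs.get("dualRole")
    if is_dual_role and dual is not True:
        problems.append("dual role user sent without boolean dualRole: true")
    if not is_dual_role and dual is True:
        problems.append("dualRole: true sent for a user with no dual role")
    return problems


if __name__ == "__main__":
    # Constructed sample: the boolean arrives as the string "true".
    print(check_sso_attributes({"role": "client-admin", "dualRole": "true"}, True))
```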
Mapping the Attributes
If you are using either SAML 2.0 or OpenID Connect, you will need to map the two fields from your system that you are using to send these two pieces of information. You will find the attribute mappings in the SSO setup section for either your site or Panorama. The field name that you enter should match the field name from your IdP exactly. See the example screenshot below that includes these fields. role is a string field and dualRole is a boolean field.