Domain Administrators don't have enough rights

sfeaganssfeagans Expensify Customer Posts: 3 Expensify Newcomer

There are a few management tasks that domain admins should be able to do in Expensify but they can't:

  1. Reset other users' passwords
  2. Delete other users' expense reports
  3. Delete other users' expenses

We are a construction company with high turnover and a workforce who don't spend much of their day on the computer. There are a lot of problems that we need to just fix for them as admins, but Expensify prevents us and it's very frustrating.

8 votes

Gathering use cases · Last Updated

Comments

  • Isabela StisserIsabela Stisser Expensify Team Posts: 268 Expensify Team

    Hey @sfeagans, thanks for posting to the Community! Policy/Domain Admins can become Copilots in users' accounts if they need to take actions on their behalf. Please find more information about this here.


    Let me know if you have any other questions!

  • sfeaganssfeagans Expensify Customer Posts: 3 Expensify Newcomer

    I understand that, but it still requires the user to follow the steps of granting the admin copilot access. As a domain admin, that should not be required - they should either automatically be copilots for all of the domain's users, or should at least have the admin rights I mentioned in my first post. The admin doesn't need to be able to process expense reports for the user, they just need to be able to administer the system, and their hands are tied right now.

  • Mark LouisMark Louis Expensify Team Posts: 95 Expensify Team

    Hi @sfeagans - thank you for the additional context. It's an interesting idea to have domain admins have copilot access to users of their domain, but for privacy reasons, we wouldn't be able to grant access automatically. For now, I'd suggest editing the title of your post to specify the action of your idea, e.g. "Give domain admins additional control of domain members' accounts", and be sure to vote for your own idea! If other users agree, they can vote for this idea too and add additional examples/suggestions.

  • cparsonscparsons Expensify Customer Posts: 30 Expensify Newcomer

    Admin should be able to do the same as a user on any account without the need for the user to add admin as a co-pilot, fairly standard on most systems!

  • Rachael HopkinsRachael Hopkins Expensify Success Coach - Admin Posts: 1,030 Expensify Team

    Hi @Julia - I'm just in the process off pushing through some of those more popular suggestions! We review them regularly to see if they fit with our road-map and big-picture for Expensify. Unfortunately the voting can be a little slow. With around 5-6 million active users each month, the votes that we see here only represent a teeeensy portion of users, so we also weigh them up based on common support queries.

    With this particular one, the issue is that it is really tricky in that it does not fit with the philosophy of Expensify being user-lead and users owning their own accounts for life. So while we're well aware of this request, it's difficult to come up with a solution that does not compromise how Expensify is designed to work.

    One possible solution I have been ruminating on (since September!) is a potential ability for users to turn on a setting which pre-approves Copilot requests from their Policy Admins. A little like the Policy joining link. And then removes that access automatically when they are removed from the Policy.

    The thing is how do we allow this, while still keeping complete account ownership and control within the user's grasp?

    So, this one is not on my 'list' right now, because while I can see what everyone wants, I can't work out how to do that with compromising the Expensify philosophy. I also suspect it would be a VERY big project once we get to starting!!

    I really value your insight here, so please do weigh in with your opinion! The key things to keep in mind are:

    • Users 'own' their own accounts and can take them with them to other companies
    • Users may use Expensify for personal expenses e.g. medical expenses
    • Users may use Expensify for non-work expenses e.g. charity work, sports organisations etc
    • Users might be contractors who have expenses from many different companies
    • User accounts may contain historical data from previous employers
    • Companies only 'own' policies and domains
    • Companies can only close user accounts if they do not have a personal email/secondary login
    • Companies can only see expenses on the company's policy or on a corporate credit card - everything else is private

    We are unlikely to change any of these things, so the question is, how do we make it easy for Admins to access user expenses to assist them, without compromising privacy?

    I look forward to hearing your ideas!

  • cparsonscparsons Expensify Customer Posts: 30 Expensify Newcomer

    Maybe if Expensify could share their roadmap with users being able to add items to if for suggestions with a voting function this would be beneficial in one single place. I think the community pages fail here, as the same topics gets mentioned over and over again and voted for in different places, so I can imagine its very difficult for Expensify to keep track of the total number of votes for any product development. So maybe sharing a document would be the way forward. Maybe something to think about how that could work. Maybe a google docs document?

  • Lauren ReidLauren Reid Expensify Team Posts: 40 Expensify Team

    thanks for the suggestion @cparsons, the team is always looking for ways to improve visibility on the Ideas section of the community, so will keep this in mind for the future.

  • JuliaJulia Expensify Customer Posts: 198 Expensify Pro

    Thanks for the thoughtful response @Rachael Hopkins

    My solution is simple- use your existing means by having it tied to the domain and policy rules. If the domain owner restricts policy creation and can also restrict primary login, then there is no risk for anything you have identified which I've copied below. It is really that simple. The company still pays for your services and uses Expensify the way we were told it was intended to. The employee is free to create a log in completely separate from their work email address (the email address and login doesn't belong to the employee anyways, it is owned by the company, and is tied to their Admins domain and policy) for all the other use cases you have described below. If they have an account for personal or other use, it shouldn't be tied to their companies email address anyways. I imagine they may even be able to designate their work email address as a Co-pilot for their personal accounts, and they could fluidly navigate between the different accounts without having to log in and log out each time. Their personal accounts stay separate from the Domain and Policy admin this way.

    • Users 'own' their own accounts and can take them with them to other companies
    • Users may use Expensify for personal expenses e.g. medical expenses
    • Users may use Expensify for non-work expenses e.g. charity work, sports organisations etc
    • Users might be contractors who have expenses from many different companies
    • User accounts may contain historical data from previous employers
    • Companies only 'own' policies and domains
    • Companies can only close user accounts if they do not have a personal email/secondary login
    • Companies can only see expenses on the company's policy or on a corporate credit card - everything else is private


    If a company doesn't have the domain rights to the email handle, then they can't restrict policy creation and primary login restriction. So they would not automatically get admin rights and the integrity of the data remains with the user.

    As it stands, our employees do not 'own' their accounts or historical information. WE DO. We pay for it. If an employee leaves the company and asks for historical access, I will definitely work with them to change around the restrictions to let them change their primary login. At that point, I have ZERO need or use case for being able to administer any historical data anyways, assuming all of their final expenses and credit card transactions have been submitted (which we also struggle with currently).

    If you are truly user lead, then certainly I can hope you understand that as admins, we only want these additional proxy abilities in place to HELP OUR USERS. There's just some things within Expensify that we can easily work around and fix, because we live and breathe in the system and see all the weird stuff, but are nearly impossible to reasonably explain to our employees and expect them to handle regularly.

    Has Expensify completely changed it's model, are you no longer wanting enterprise business accounts? Will you be phasing us out? All of the recent changes within the last 6 months say yes. There has been so much change, I feel like you all are just showing us the door so we can see ourselves out.

  • coltonshaw06coltonshaw06 Expensify Customer Posts: 28 Expensify Newcomer

    @Rachael Hopkins @Julia

    I don't have anything to add except the fact that i completely echo @Julia's statement. If I'm a domain admin, and controlling their account from the domain level. This is a simple ask. We are new and growing with Expensify, but all this is making us desire to change corse.

  • coltonshaw06coltonshaw06 Expensify Customer Posts: 28 Expensify Newcomer

    @Rachael Hopkins , actually thinking about this a bit more I think the answer is simple if we just change some terms used in the problem we uncover a solution that fits, instead of co-pilot let's say policy.

    For any expense posted to a specific policy, the policy admin should have full permissions to delete, modify, and more including modifying an expense report on the company policy. This is currently lacking.

    As far as resetting users passwords, this isn't a need when you get to a larger level. Everyone has the ability to do 'forgot password'.

    This is the exact same 'user centric' model Slack currently has; It's not special. It just needs to be done right. When you're in my slack workspace, I have full control over every aspect of your account, except your password and login. That user can log into many slack accounts with the same email (if they want). If I want your name different in my channel, I'll do it. I'm not sure why Expensify is over complicating this process.

Sign In or Register to comment.