Capabilities
Provisioning
AccessOwl creates user accounts with the specified roles/permissions during access requests.
Deprovisioning
AccessOwl archives users from your KnowBe4 account during access revocations.
Prerequisites
- Account Administrator access to your KnowBe4 account, so you can invite the integration account.
Setup
Add KnowBe4 in AccessOwl
Either add a new application or open Applications and click the +-symbol, then continue.
Invite the integration account as Account Administrator
AccessOwl shows you the integration account’s email address. In your KnowBe4 KSAT console:
- Open the Users tab.
- Find or create the user with the integration account’s email address.
- Assign the Account Administrator role to the user.
The integration account requires the Account Administrator role because that level can create, update, and archive users and manage access across the console. Lower permission levels do not have the required user management capabilities.
FAQ
Can I use a custom Security Role instead of Account Administrator?
Can I use a custom Security Role instead of Account Administrator?
Yes. KnowBe4’s Security Roles feature (available on SAT Advanced, Platinum, and Diamond plans) lets you create a scoped admin role with only the permissions AccessOwl needs. To set this up, navigate to the Users tab in your KSAT console and open the Security Roles subtab, then create a new role with permissions to create, update, and archive users, and to grant and revoke access.Assign the custom Security Role to the integration account’s group instead of the full Account Administrator role. Keep in mind that if the custom role is missing any permission AccessOwl relies on, provisioning or deprovisioning actions will fail. When in doubt, start with Account Administrator and switch to a scoped role once you have confirmed the integration is working.