The Primary Account Owner (PAO) is the highest-permission user on a 101domain account. They are responsible for maintaining account security, managing sub-user access, and overseeing global account settings.
Exclusive Responsibilities
The following actions are restricted to the Primary Account Owner to ensure the highest level of security and administrative control over your account.
Sub-user management
The Primary Account Owner maintains full control over all sub-user accounts and permissions. Learn more: Account Access for Multiple Users.
-
Create sub-users: Only the Primary Account Owner can add new sub-users and assign roles (Admin, Tech, or Finance).
-
Disable or remove access: The Primary Account Owner can disable a user's login access or delete a sub-user's profile at any time.
-
Credential & Access Recovery: The Primary Account Owner can restore access for locked-out sub-users by resetting their passwords, clearing Two-Factor Authentication (2FA), or resetting security questions.
Single Sign-On (SSO) configuration and enforcement
Only the Primary Account Owner has the authority to set up account-wide SSO. View the full setup guide here.
Key points:
-
Identity Provider Selection: The Primary Account Owner is responsible for selecting and configuring the account’s Single Sign-On (SSO) provider.
-
Authentication-only (no automatic user provisioning): SSO does not automatically create/sync users from your corporate directory. The Primary Account Owner is responsible for manually adding each sub-user and activating their SSO access within the account dashboard.
-
Per-user enforcement options: The Primary Account Owner must set SSO policy per sub-user. Options include:
-
No SSO (username/password only)
-
SSO Enabled (SSO and username/password both allowed)
-
Require SSO (SSO required; username/password disabled)
-
-
Disconnecting SSO is not automatic for sub-users: Removing SSO from the Primary Account Owner does not automatically remove it from sub-users. The Primary Account Owner must update each sub-user individually.
Managing API Keys & MCP Servers
API and MCP Server management is an exclusive responsibility of the Primary Account Owner. Note that these tools are only accessible when the owner's account is secured with 2FA or Sing Sign-On.
Reference Guides:
-
API and MCP Server Guide: 101domain API and MCP Server Guide
-
Two-factor authentication (2FA): Set up Two-Factor Authentication
-
Single Sign-On (SSO): Single Sign-On
Account & Domain Contact Management
The Primary Account Owner maintains exclusive control over all contact records. This includes managing the 101domain contact information and the individual contact information for each registered domain.
Primary Account Contact Information
Only the Primary Account Owner can redefine the account’s core contact identity, such as changing the entity type between Organization and Individual or updating the primary account address. Maintaining these details ensures that account ownership information remains up to date and accurate.
Reference Guide: Changing Account Contact Information
Domain-Specific Contact Information
In addition to the main account profile, the Primary Account Owner is the only user authorized to modify the contact information (Registrant, Admin, Tech, and Billing) for individual domains. This ensures that domain ownership and management rights are securely controlled at the registry level.
Reference Guide: Updating Domain Contact Information
Domain and Services Cancellation
Requests to cancel or delete any services from your account must be submitted by the Primary Account Owner via a support ticket. This requirement applies to all services, including:
-
Domain names
-
SSL certificates
-
Cloudflare Secure Web Accelerator
-
Other account-related add-ons