I don't understand what makes a Sandbox account usable. We have OneLogin, which was its own issue, but even after creating a role that doesn't require Single Sign On (and doesn't have that permission), there is no equivalent Sandbox role. Under Setup->Company->Sandbox Accounts, access after sandbox refresh has All Users selected.

@reptar Not exactly clear on what your question is. Sandbox is typically used for development/testing purposes so as not to affect your production account. The screen you are referring to under Setup->Company->Sandbox Accounts is where you go to request a sandbox refresh (which copies all production data, overwriting your sandbox account with it (once you activate it)). The Access After Sandbox Refresh option refers to when you perform that refresh whether you want to copy all roles/permissions over to the sandbox (meaning everyone who had access in production, now has access in sandbox) or whether you want to only have administrators have access upon refresh (meaning you'll have to go in and manually assign any additional access).

I'm trying to offer access to an employee who has taken on a support role.

Are you able to login to your sandbox account?

Yes.

So login to your sandbox and provision access to that user just like you would in production

Right, just occurred to me. I created the role in production so it doesn't exist in the sandbox yet. Thanks

Yep, that would only happen after a refresh. Balancing how often to refresh is a bit of a pain.