---
title: Administrative accounts
description: PingFederate supports five authentication schemes for administrative accounts.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_administrativeaccountstasklet_administrativeaccountsstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_administrativeaccountstasklet_administrativeaccountsstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: September 19, 2023
section_ids:
  related-links: Related links
---

# Administrative accounts

PingFederate supports five authentication schemes for administrative accounts.

The authentication schemes are:

* Native authentication

* LDAP authentication

* RADIUS authentication

* Certificate-based authentication

* OIDC-based authentication

For role-based access control, PingFederate provides two account types and four administrative roles, as shown in the following table.

**PingFederate User Access Control**

| Account type | Administrative role   | Access privileges                                                                                                                                                                                    |
| ------------ | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Admin        | User Admin            | Create users, deactivate users, change or reset passwords, and install replacement license keys.                                                                                                     |
| Admin        | Admin                 | Configure partner connections and most system settings, except the management of local accounts and the handling of local keys and certificates.                                                     |
| Admin        | Expression Admin      | Map user attributes by using the Object-Graph Navigation Language (OGNL) expression language.                                                                                                        |
| Admin        | Crypto Admin          | Manage local keys and certificates.                                                                                                                                                                  |
| Admin        | Data Collection Admin | Collects support data using the [Collect Support Data](pf_collecting_support_data_admin_console.html) menu.Administrators must have Admin, User Admin, and Crypto Admin roles to be given this role. |
| Auditor      | Not applicable        | View-only permissions for all administrative functions. When the **Auditor** role is assigned, no other administrative roles can be set.                                                             |

For native authentication, access and authorization are controlled by the local accounts defined on the **Administrative Accounts** window.

As needed, you can switch from native authentication to an alternative console authentication. Access and authorization are defined in the respective configuration file.

An administrative user can sign on from more than one browser or location, and multiple administrative users can sign on to the PingFederate administrative console at a time. You can optionally restrict the administrative console to one administrative user at a time by modifying the `pf.console.login.mode` property in the `<pf_install>/pingfederate/bin/run.properties` file. Regardless of the property configuration, any number of auditors can sign on at any time.

|   |                                                                                                                                                                                                                                                                     |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | For security, after three failed sign-on attempts from the same location within a short time period, the administrative console and the administrative API will temporarily lock out further attempts by the same user. The user must wait one minute to try again. |

Local accounts defined on the **Administrative Accounts** window are shared between the administrative console and the administrative API if they are both configured to use native authentication, the default. If the administrative console is configured to use an alternative console authentication, the **Administrative Accounts** window appears only if the administrative API is left to use native authentication, and vice versa.

|   |                                                                                                                                                        |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | If you have connected PingFederate to PingOne for Enterprise, you can also single sign-on from the PingOne admin portal to the administrative console. |

## Related links

* [Alternative console authentication](pf_alt_console_auth.html)