--- title: Adding an application role description: Add application roles to group application permissions by function, then control access to application resources by assigning roles to users. component: pingone page_id: pingone:authorization_using_pingone_authorize:p1_az_adding_application_roles canonical_url: https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1_az_adding_application_roles.html revdate: November 20, 2024 section_ids: before-you-begin: Before you begin about-this-task: About this task steps: Steps example: Example: result: Result: next-steps: Next steps --- # Adding an application role Add application roles to group application permissions by function, then control access to application resources by assigning roles to users. ## Before you begin * [Add the application permissions](../applications/p1_add_application_permissions.html) that you want to grant to your roles. * [Add the users](../directory/p1_adduser.html) that you want to assign to roles. ## About this task Roles determine which permissions a user has. A user can perform an action on an application resource if they have a role with the associated permission. | | | | - | -------------------------------------------------------------------- | | | You can add up to 128 application roles in each PingOne environment. | ## Steps 1. Go to **Authorization > Application Roles**. 2. Click the **[icon: plus, set=fa]**icon next to **Application Roles**. 3. Enter a unique **Application Role Name** and an optional **Description**. Click **Next**. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The name can include Unicode letters, marks, numbers, spaces, forward slashes, dots, apostrophes, underscores, and hyphens, with a maximum length of 20 characters. | ### Example: For example, you could add an `Invoicing Processor` role for the BizPro invoicing application to give Invoicing Processors permissions to read, write, pay, and update invoices. ![Screen capture showing the Application Role Name and Description fields in the Add Application Role window.](_images/yis1705003594939.png) 4. Select the permissions that you want to assign to the role. Permission names list the application resource and action separated by a colon. For reference, the PingOne resource associated with the application resource is displayed next to the checkbox. ![Screen capture showing selected permission checkboxes in the Assign Permissions window.](_images/zlm1705003754568.png) 5. Click **Next**. 6. Select the users that you want to assign to the role. ### Result: Selected users will have the permissions that are assigned to the role. ![Screen capture showing selected user checkboxes in the Add User window.](_images/hiw1705003945283.png) 7. Click **Save**. ## Next steps Add additional roles and assign users to grant them the permissions assigned to the roles. For example, in the BizPro invoicing application, Billing Supervisors might need permissions to read and void invoices. Add a `Billing Supervisor` role and assign the `Invoices:Read` and `Invoices:Void` permissions to it.