PingOne

Custom role scenarios

Your organization wants you to create two custom roles for Support personnel. You are assigned the Custom Roles Admin role, and you have that role at the Organization level. This means that you can create custom roles in all of the environments in the organization. These roles will be assigned and used in different ways in the three scenarios that follow.

The first role, Support Level 2, is an advanced role for help desk employees. We’ll create this role first, because the Support Level 1 role lists Support Level 2 as an Assignable by role, so Support Level 2 must already exist when we create Support Level 1. This role includes all of the permissions we will include in the Support Level 1 role, but also includes permissions for creating, reading, updating, and deleting users, locking user accounts, resetting user passwords, and assigning administrator roles to users. This role can be assigned by users with the Identity Data Admin role.

Without a custom role, you would need to assign, at a minimum, the built-in Identity Data Admin role to give a user the permissions they need to perform these tasks. That role contains a total of 160 permissions, many of which you might not need or want a support user in this capacity to have.

The second role, Support Level 1, is an entry-level role for help desk employees. Users with this role should only be able to read user records and reset user passwords. This role can be assigned by users with the Identity Data Admin or Support Level 2 roles.

Again, without custom roles, this user would require the built-in Identity Data Admin role at a minimum, because that is the role with the fewest permissions that includes the Reset User Password permission.

You create these roles in the Administrators environment, because that is the environment in which administrator identities should be created. You choose to include the essential permissions. There are currently four essential permissions, so the number of selected permissions is four plus the number of permissions you select manually. For example, if you add seven permissions to the Support Level 2 role, that role has 11 permissions assigned in total.

New roles created

Support Level 2 role summary

A screenshot of the Support Level 2 role summary.

Support Level 1 role summary

A screenshot of the Support Level 1 role summary.

New roles displayed on Custom Roles tab of Administrator Roles page

A screenshot of the Custom Roles tab of the Administrator Roles page showing the Support Level 1 and Support Level 2 roles.

The following scenarios show administrators assigning custom roles to users, but you can also assign custom roles to groups, worker applications, or PingFederate gateways, just like built-in roles.

Scenario 1: Custom role assignment within a single environment

The goal of this scenario is for a user in an environment to assign a custom role to another user in the same environment.

If two users exist in the same environment, and you create a custom role in that environment, a user with the applicable Assignable by role can assign the custom role to another user in the same environment.

In this scenario:

  • User A has the Support Level 2 role in the CompanyA_Support environment.

  • User B is also in the CompanyA_Support environment.

  • Administrators with the Support Level 2 role can assign the Support Level 1 role.

  • User A assigns the Support Level 1 role to User B.

    Because this is not the Administrators environment, User A can’t assign the role at the organization level or to any environment resource outside of the CompanyA_Support environment.

    A diagram showing User A assigning the custom Support Level 1 role to User B in the same environment.

Scenario 2: Custom role assignment from the Administrators environment

The goal of this scenario is to assign custom roles to two administrators and allow them to manage different environments in the organization.

To assign the Support Level 1 or Support Level 2 roles to users over multiple environments or the entire organization, the roles must be created in the Administrators environment. The general role assignment rules apply, which means:

  • The user who is going to assign the custom role must exist in the Administrators environment.

  • This user must have a role that can assign the new custom role.

  • This user must have that role scoped over every environment in which they will grant the new custom role. They can only assign the custom role over environments that their own role assignment covers.

In this scenario:

  • User C exists in the Administrators environment. They are assigned the Identity Data Admin role for all environments in the organization. The Identity Data Admin role can assign both the Support Level 1 and Support Level 2 roles.

  • Because User C has the Identity Data Admin role for all of the environments in the organization, they can assign the Support Level 1 and Support Level 2 roles to users over any environment in the organization.

  • User D and User E also exist in the Administrators environment.

  • User C assigns the Support Level 1 role to User D and the Support Level 2 role to User E. Both are scoped to the CompanyA_Support environment.

    A diagram outlining the scenario as documented.

Scenario 3: Custom role assignment for delegated administration of another environment

The goal of this scenario is for an administrator with a built-in role to assign custom support roles to users that are in a different environment.

In this scenario:

  • User C exists in the Administrators environment. They are assigned the Identity Data Admin role for all environments in the organization.

  • User F and User G exist in the CompanyA_Support environment.

  • Both the Support Level 1 and Support Level 2 roles are created in the CompanyA_Support environment. These roles are assignable by the Identity Data Admin role.

  • Because User C has the Identity Data Admin role for all of the environments in the organization, they can assign the Support Level 2 role to User F in the CompanyA_Support environment.

  • User F can then assign the Support Level 1 role to User G, because the Support Level 1 role is assignable by either the Identity Data Admin or the Support Level 2 role, and both users exist in the CompanyA_Support environment.

    A diagram outlining the scenario as documented.
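The three scenarios above, together with the general role assignment rules (the role's home environment, its Assignable by roles, and the scope of the assigner's own role), can be replayed as a small authorization model. The following Python is an added illustration, not PingOne code and not its Management API: it encodes only the rules as stated on this page, so it is a simplified model and not a substitute for what PingOne actually evaluates. The user names (User A through User G), the CompanyA_Support and Administrators environments, and the role names are taken from the scenarios; the data model, the ORG sentinel for an organization-wide scope, the extra CompanyB_Support environment and "User H" used as a denial case are assumptions for the example.

```python
"""Replay the custom-role assignment scenarios against the page's stated rules.

Illustrative model only (not PingOne code or its API). Rules encoded:
  1. A custom role is granted to users in the environment it was created in.
  2. A role created outside Administrators can only be scoped to that environment.
  3. An assigner lives in Administrators or in the role's own environment.
  4. The assigner holds an 'Assignable by' role whose scope covers the target scope.
"""
from dataclasses import dataclass, field

ADMIN_ENV = "Administrators"
ORG = "ORGANIZATION"  # assumed sentinel for an organization-wide scope


@dataclass(frozen=True)
class Role:
    name: str
    environment: str                        # environment the role was created in
    assignable_by: frozenset = frozenset()  # roles allowed to assign this one


@dataclass(frozen=True)
class Assignment:
    role: str
    scope: str  # an environment name, or ORG


@dataclass
class User:
    name: str
    environment: str  # environment the identity exists in
    assignments: list = field(default_factory=list)


def can_assign(assigner: User, role: Role, target: User, scope: str):
    """Return (allowed, reason) for 'assigner grants role to target over scope'."""
    if target.environment != role.environment:                       # rule 1
        return False, f"{target.name} is not in {role.environment}, where {role.name} was created"
    if role.environment != ADMIN_ENV and scope != role.environment:  # rule 2
        return False, f"{role.name} was created in {role.environment}; it can't be scoped to {scope}"
    if assigner.environment not in (ADMIN_ENV, role.environment):    # rule 3
        return False, f"{assigner.name} is in {assigner.environment}, not Administrators or {role.environment}"
    for a in assigner.assignments:                                   # rule 4
        if a.role in role.assignable_by and a.scope in (ORG, scope):
            return True, f"{assigner.name} holds {a.role} over {a.scope}"
    return False, f"{assigner.name} holds no 'Assignable by' role for {role.name} over {scope}"


def run_scenarios():
    """Replay Scenarios 1-3 plus two denial cases; returns {label: (allowed, reason)}."""
    ida = "Identity Data Admin"
    # Scenarios 1 and 3: roles created in CompanyA_Support
    sl2_env = Role("Support Level 2", "CompanyA_Support", frozenset({ida}))
    sl1_env = Role("Support Level 1", "CompanyA_Support", frozenset({ida, "Support Level 2"}))
    # Scenario 2: the same roles created in Administrators
    sl2_adm = Role("Support Level 2", ADMIN_ENV, frozenset({ida}))
    sl1_adm = Role("Support Level 1", ADMIN_ENV, frozenset({ida, "Support Level 2"}))

    user_a = User("User A", "CompanyA_Support", [Assignment("Support Level 2", "CompanyA_Support")])
    user_b = User("User B", "CompanyA_Support")
    user_c = User("User C", ADMIN_ENV, [Assignment(ida, ORG)])
    user_d = User("User D", ADMIN_ENV)
    user_e = User("User E", ADMIN_ENV)
    user_f = User("User F", "CompanyA_Support")
    user_g = User("User G", "CompanyA_Support")
    # Assumed extra admin whose role covers a different environment only
    user_h = User("User H", ADMIN_ENV, [Assignment(ida, "CompanyB_Support")])

    r = {}
    # Scenario 1: same environment; User A can't reach beyond CompanyA_Support
    r["s1_a_assigns_b"] = can_assign(user_a, sl1_env, user_b, "CompanyA_Support")
    r["s1_a_org_scope"] = can_assign(user_a, sl1_env, user_b, ORG)
    # Scenario 2: from Administrators, scoped to CompanyA_Support
    r["s2_c_assigns_d"] = can_assign(user_c, sl1_adm, user_d, "CompanyA_Support")
    r["s2_c_assigns_e"] = can_assign(user_c, sl2_adm, user_e, "CompanyA_Support")
    r["s2_h_wrong_scope"] = can_assign(user_h, sl1_adm, user_d, "CompanyA_Support")
    # Scenario 3: delegated administration of CompanyA_Support
    r["s3_c_assigns_f"] = can_assign(user_c, sl2_env, user_f, "CompanyA_Support")
    if r["s3_c_assigns_f"][0]:
        user_f.assignments.append(Assignment("Support Level 2", "CompanyA_Support"))
    r["s3_f_assigns_g"] = can_assign(user_f, sl1_env, user_g, "CompanyA_Support")
    r["s3_g_assigns_f"] = can_assign(user_g, sl1_env, user_f, "CompanyA_Support")
    return r


if __name__ == "__main__":
    for label, (allowed, reason) in run_scenarios().items():
        print(f"{label:18} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The two denial cases are the ones worth checking in a real tenant: User A holding Support Level 2 in CompanyA_Support cannot grant anything at the organization scope, and User H, whose Identity Data Admin role is scoped to a different environment, cannot grant a role over CompanyA_Support even though the role is created in Administrators and lists Identity Data Admin as assignable by.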