---
title: Group-level role assignment scenarios
description: These scenarios provide context and a starting point for you to consider when applying group-level role assignment in your PingOne organization.
component: pingone
page_id: pingone:directory:p1_group_level_role_scenarios
canonical_url: https://docs.pingidentity.com/pingone/directory/p1_group_level_role_scenarios.html
revdate: May 22, 2025
section_ids:
  scenario-1-administering-users-across-multiple-brands-and-help-desks: "Scenario 1: Administering users across multiple brands and Help Desks"
  before-you-begin: Before you begin
  steps: Steps
  result: Result
  scenario-2-administering-users-for-a-specialized-support-team: "Scenario 2: Administering users for a specialized support team"
  before-you-begin-2: Before you begin
  steps-2: Steps
  result-2: Result
---

# Group-level role assignment scenarios

Group-level role assignment gives you more flexibility to model the administration of PingOne resources and simulate the structure of your business. The following scenarios provide context and a starting point for you to consider when applying group-level role assignment in your organization.

## Scenario 1: Administering users across multiple brands and Help Desks

In this scenario, a media company called BX Media runs multiple sites and apps for fans of various recording artists, and each artist brand has its own dedicated Advanced Help Desk Admin. However, each fan has a single account that they use to access media for multiple artists. The company wants to ensure that each Advanced Help Desk Admin can manage the users who are fans of their assigned artist brand, but who also might be fans of other artists in their catalog.

### Before you begin

For the purposes of this scenario, assume the following:

* You have two end users in the **BX Media** environment who are fans of some of your artists:

  * **Fan1**: A fan of Artist 2 and Artist 3

  * **Fan2**: A fan of Artist 1 and Artist 3

  ![A screen capture showing Fan1 and Fan2 users in the Users list for the BX Media environment.](_images/p1-roles-group-scope-scenario1-fan-users.png)

  Learn more about creating users in [Adding a user in PingOne](p1_adduser.html).

* You have three groups in the **BX Media** environment, one for fans of each of the artists:

  * **Artist 1**

  * **Artist 2**

  * **Artist 3**

  ![A screen capture showing the Artist 1](_images/p1-roles-group-scope-scenario1-groups.png)

  Learn more about creating groups in [Creating a group](p1_create_group.html).

* You've added the fans to the applicable groups, based on their interests:

  * **Fan1** is a member of the **Artist 2** and **Artist 3** groups

  * **Fan2** is a member of the **Artist 1** and **Artist 3** groups

  ![A screen capture showing Fan1 and Fan2 as members of the Artist 3 group in the BX Media environment.](_images/p1-roles-group-scope-scenario1-group3-members.png)

* You have three administrator users in the **Administrators** environment:

  * **Artist 1 Help Desk Admin**

  * **Artist 2 Help Desk Admin**

  * **Artist 3 Help Desk Admin**

Now you'll assign the Advanced Help Desk Admin role to each administrator user and scope it to the applicable group for each.

### Steps

1. In the PingOne admin console for the **Administrators** environment, go to **Directory > Users** and browse or search for the **Artist 1 Help Desk Admin** user.

2. Click the user entry to open the details panel, and then click the **Roles** tab.

3. Click **Grant Roles**, click the **Advanced Help Desk Admin** role to expand it, and click the **Reduce access** icon (![image of reduce access icon](../_images/qge1710506304767.png)).

   ![A screen capture of the Roles tab on the Artist 1 Help Desk Admin user details panel with the Advanced Help Desk Admin role expanded. The reduce access icon is outlined in a red box.](_images/p1-roles-group-scope-scenario1-reduce-access-icon.png)

4. On the **Limit Access** modal, on the **Groups** tab, select the checkbox next to the **Artist 1** group and click **Confirm**.

   ![A screen capture of the Limit Access modal showing the available groups the Advanced Help Desk Admin role can be scoped over. The Artist 1 group checkbox is selected.](_images/p1-roles-group-scope-scenario1-limit-role-to-group.png)

5. Repeat steps 1 - 4 for the **Artist 2 Help Desk Admin** and **Artist 3 Help Desk Admin** users, assigning the Advanced Help Desk Admin role to each and restricting the role as follows:

   * **Artist 2 Help Desk Admin**: Restrict to the **Artist 2** group.

   * **Artist 3 Help Desk Admin**: Restrict to the **Artist 3** group.

### Result

By setting these roles at the group level, you give each administrator the ability to assist a user in a group for which they have explicit administrator privileges, even if that user also belongs to a group over which they don't. You maintain a single user identity for each fan, while still giving each support team the access they need.

In practice, this means that:

* **Artist 3 Help Desk Admin** can assist both **Fan1** and **Fan2**, because both fans belong to the **Artist 3** group.

* **Artist 1 Help Desk Admin** can assist only **Fan2**, because **Fan1** doesn't belong to the **Artist 1** group or another group over which **Artist 1 Help Desk Admin** has role permissions.

* **Artist 2 Help Desk Admin** can assist only **Fan1**, because **Fan2** doesn't belong to the **Artist 2** group or another group over which **Artist 2 Help Desk Admin** has role permissions.

## Scenario 2: Administering users for a specialized support team

In this scenario, BX Media has a small, expert support team that handles high-risk operations, such as managing MFA devices and escalated recovery flows for C-level executives. The executive users are in a group called **C-Suite Execs**.

### Before you begin

For the purposes of this scenario, assume the following:

* You have eight end users in the **BX Media** environment who belong to the **C-Suite Execs** group. Learn more in [Managing groups](p1_managing_groups.html).

  ![A screen capture showing the C-Suite Execs group in the Groups list for the BX Media environment.](_images/p1-roles-group-scope-scenario2-csuite-group.png)

* You've created a custom role called **C-Suite Support Admin** that has permissions to manage MFA devices and account recovery, along with other essential permissions, but no other user management permissions. This role can be assigned only at the group level. Learn more in [Adding a custom administrator role](p1_custom_role_add.html).

  ![A screen capture showing the custom C-Suite Support Admin role.](_images/p1-roles-group-scope-scenario2-csuite-support-admin.png)

Now you'll assign the **C-Suite Support Admin** role to an administrator user and scope the role to the **C-Suite Execs** group.

### Steps

1. In the PingOne admin console for the **Administrators** environment, go to **Directory > Users** and browse or search for a user to assign the new role.

2. Click the user entry to open the details panel, and then click the **Roles** tab.

3. Click **Grant Roles**, scroll to the **Custom Roles** section, and click it to expand it.

   Because the role can only be assigned at the group level in the BX Media environment, that is the only environment listed. The **Reduce access** icon (![image of reduce access icon](../_images/qge1710506304767.png)) shows, but there's no checkbox for selecting the entire environment.

   ![A screen capture of the Custom Roles section in the Roles tab with the C-Suite Support Admin role expanded.](_images/p1-roles-group-scope-scenario2-assign-custom-role.png)

4. Click ![image of reduce access icon](../_images/qge1710506304767.png) to open the **Limit Access** modal.

5. Select the checkbox next to the **C-Suite Execs** group and click **Confirm**.

   In this case, there's only the **Groups** tab because the role can only be assigned at the group level.

   ![A screen capture of the Limit Access modal showing the available groups the Advanced Help Desk Admin role can be scoped over. The C-Suite Execs group checkbox is selected.](_images/p1-roles-group-scope-scenario2-select-csuite-execs-group.png)

### Result

By setting this role at the single group level, you give the administrator the ability to assist only the users in the **C-Suite Execs** group and perform only actions allowed by the **C-Suite Support Admin** custom role.
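The access outcomes of both scenarios can be checked with a small model. This is an added example, not PingOne code or its API: the permission labels, the **Exec1** user, and the **Exec Support Admin** administrator name are hypothetical, and the data is constructed from the scenario descriptions. It also lists users whom more than one administrator can act on, which is useful when reviewing group scopes for least privilege.

```python
# Simplified model of group-scoped role assignment (constructed data, not PingOne's API).
from dataclasses import dataclass

# Group membership from the two scenarios; "Exec1" is a constructed stand-in
# for one of the eight C-Suite Execs users.
MEMBERSHIP = {
    "Fan1": {"Artist 2", "Artist 3"},
    "Fan2": {"Artist 1", "Artist 3"},
    "Exec1": {"C-Suite Execs"},
}

# Permission labels are hypothetical placeholders, not PingOne permission names.
ROLE_PERMISSIONS = {
    "Advanced Help Desk Admin": {"help_desk_action"},
    "C-Suite Support Admin": {"manage_mfa_devices", "account_recovery"},
}

@dataclass(frozen=True)
class Assignment:
    admin: str
    role: str
    group: str  # the group the role is scoped to

ASSIGNMENTS = [
    Assignment("Artist 1 Help Desk Admin", "Advanced Help Desk Admin", "Artist 1"),
    Assignment("Artist 2 Help Desk Admin", "Advanced Help Desk Admin", "Artist 2"),
    Assignment("Artist 3 Help Desk Admin", "Advanced Help Desk Admin", "Artist 3"),
    # Hypothetical admin name for the Scenario 2 assignee.
    Assignment("Exec Support Admin", "C-Suite Support Admin", "C-Suite Execs"),
]

def can_perform(admin, permission, user):
    """Allowed only if one assignment grants the permission AND is scoped to a group the user is in."""
    return any(
        a.admin == admin
        and permission in ROLE_PERMISSIONS[a.role]
        and a.group in MEMBERSHIP.get(user, set())
        for a in ASSIGNMENTS
    )

def reachable_users(admin):
    """Users who fall inside at least one of the admin's group scopes."""
    scopes = {a.group for a in ASSIGNMENTS if a.admin == admin}
    return sorted(u for u, groups in MEMBERSHIP.items() if groups & scopes)

def shared_reach():
    """Users that more than one admin can act on: candidates for a least-privilege review."""
    admins = sorted({a.admin for a in ASSIGNMENTS})
    reach = {u: [ad for ad in admins if u in reachable_users(ad)] for u in MEMBERSHIP}
    return {u: ads for u, ads in reach.items() if len(ads) > 1}
```

In this model, `shared_reach()` returns Fan1 and Fan2 because each belongs to two artist groups, while Exec1 is reachable only through the **C-Suite Execs** scope.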
