PingOne

Group roles

To make permissions management easier, you can assign roles to groups and individual users.

Using group roles, you can:

  • Manage roles for multiple users at once.

  • Apply role changes in bulk.

  • See users that have a certain role by viewing group members.

    You can use roles to manage permissions for groups of administrators. Learn more in Managing administrators.

For security reasons, you can assign roles to static groups but not to dynamic groups. Dynamic groups include members based on a filter or rule. Users could be added to a dynamic group unintentionally and could inherit role assignments you don’t want to give them. Learn more in Static and dynamic groups.

When you add users to static groups that have roles assigned, be careful not to give a user a role unintentionally. If a user is assigned a role because they are in a group and you don’t want them to have the role, remove the user from the group.

  • You can assign a role to a group you’re a member of only if that role is assigned to you directly as an individual user, and is not assigned to you as part of a group that you belong to.

  • If a built-in role you’re assigned allows you to assign a different role, you can also assign that role to a group you are a member of. For example, the Identity Data Admin role has permissions that allow it to assign the Identity Data Admin Read Only role. If you’re assigned the Identity Data Admin role, you can assign that role or the Identity Data Admin Read Only role to a group.

  • An administrator might not have permissions to assign roles but can add or remove users from a group that has role assignments. For example, one administrator can assign roles to a group, and a different administrator can add or remove users from that group, depending on their role assignments.

  • You can’t add or remove yourself from a group that has roles assigned to it.

  • Roles assigned to a group won’t affect roles that are assigned to a user individually. If the role isn’t assigned to the user directly, the role is removed when they’re removed from the group.

  • You can assign roles in up to 500 groups.
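The inheritance rules above can be checked offline before changing group membership. The following is an added example, not PingOne code: it works on a constructed export whose field names and user and group names are assumptions, and it reports which roles each user holds only through a group and which roles a user would lose on removal from a group.

```python
# Constructed sample export. Field names are assumptions for this example,
# not the PingOne API schema.
GROUPS = {
    "idm-admins": {"roles": {"Identity Data Admin"}, "members": {"alice", "bob"}},
    "idm-readers": {"roles": {"Identity Data Admin Read Only"},
                    "members": {"bob", "carol"}},
}
DIRECT = {"alice": {"Identity Data Admin"}}  # roles assigned to users individually


def effective_roles(user, groups=GROUPS, direct=DIRECT):
    """Map each role the user holds to its sources: 'direct' or a group name."""
    sources = {}
    for role in direct.get(user, set()):
        sources.setdefault(role, set()).add("direct")
    for name, group in groups.items():
        if user in group["members"]:
            for role in group["roles"]:
                sources.setdefault(role, set()).add(name)
    return sources


def roles_lost_on_removal(user, group, groups=GROUPS, direct=DIRECT):
    """Roles the user stops holding if removed from `group`.

    Assumption: a role also inherited from another group is kept.
    """
    return {r for r, src in effective_roles(user, groups, direct).items()
            if src == {group}}


def inherited_only(groups=GROUPS, direct=DIRECT):
    """(user, role) pairs held only through group membership, for review."""
    users = set(direct) | {m for g in groups.values() for m in g["members"]}
    return sorted((u, r) for u in users
                  for r, src in effective_roles(u, groups, direct).items()
                  if "direct" not in src)


if __name__ == "__main__":
    for user, role in inherited_only():
        print(f"{user}: '{role}' via {sorted(effective_roles(user)[role])}")
    print("bob loses:", roles_lost_on_removal("bob", "idm-admins"))
    print("alice loses:", roles_lost_on_removal("alice", "idm-admins"))
```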