PingOne

Group roles

To make permissions management easier, you can assign roles to groups and individual users.

Using group roles, you can:

  • Manage roles for multiple users at once.

  • Apply role changes in bulk.

  • See users that have a certain role by viewing group members.

You can use roles to manage permissions for groups of administrators. Learn more in Managing administrators.

For security reasons, only static groups can have roles assigned to them. That is, you can’t assign roles to groups whose members are included based on a filter or rule. With a dynamic group, you might inadvertently add users who would then inherit the group’s role assignments. Learn more in Static and dynamic groups.

When adding users to groups that have roles assigned, be careful not to inadvertently assign a role to a user by adding them to a group. If a user has a role from being in a group, remove the user from the group to remove the role. If a user has a role assigned to them individually, you can remove the role from the user.

  • You can assign a role to a group you’re a member of only if that role is assigned to you directly as an individual user, and is not assigned to you as part of a group that you belong to.

  • If a built-in role you’re assigned allows you to assign a different role, you can also assign that role to a group you are a member of. For example, the Identity Data Admin role has permissions that allow it to assign the Identity Data Admin Read Only role. If you’re assigned the Identity Data Admin role, you can assign that role or the Identity Data Admin Read Only role to a group.

  • An administrator might not have permissions to assign roles but can add or remove users from a group that has role assignments. For example, one administrator can assign roles to a group, and a different administrator can add or remove users from that group, depending on their role assignments.

  • You can’t add or remove yourself from a group that has roles assigned to it.

  • Roles assigned to a group won’t affect roles that are assigned to a user individually. If the role isn’t assigned to the user directly, the role is removed when they’re removed from the group.

  • You can assign roles in up to 500 groups.
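The inheritance rules above can be checked during an access review. The following is an added example, not PingOne code or its API: it models direct and group role assignments with a hypothetical `Group` class and a constructed inventory, then reports which roles a user holds only through a group and which roles they would lose on removal from that group.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    # Hypothetical model of a static group; not a PingOne data structure.
    name: str
    members: set = field(default_factory=set)
    roles: set = field(default_factory=set)

def role_sources(user, direct, groups):
    """Map each role the user effectively holds to where it comes from."""
    sources = {}
    for role in sorted(direct.get(user, set())):
        sources.setdefault(role, []).append("direct")
    for g in sorted(groups, key=lambda g: g.name):
        if user in g.members:
            for role in sorted(g.roles):
                sources.setdefault(role, []).append("group:" + g.name)
    return sources

def roles_lost_on_removal(user, group, direct, groups):
    """Roles the user no longer holds once removed from `group`.

    A role assigned directly, or inherited from another group, survives.
    """
    others = [g for g in groups if g is not group]
    before = set(role_sources(user, direct, groups))
    after = set(role_sources(user, direct, others))
    return before - after

def inherited_only(direct, groups):
    """(user, role) pairs held solely through group membership."""
    users = set(direct) | {m for g in groups for m in g.members}
    return sorted(
        (u, role)
        for u in users
        for role, src in role_sources(u, direct, groups).items()
        if "direct" not in src
    )

# Constructed sample inventory (user and group names are made up).
HELPDESK = Group("helpdesk-admins", {"alice", "bob"},
                 {"Identity Data Admin Read Only"})
GROUPS = [HELPDESK]
DIRECT = {"alice": {"Identity Data Admin Read Only"}}

if __name__ == "__main__":
    for user, role in inherited_only(DIRECT, GROUPS):
        print(f"{user} holds '{role}' only through group membership")
```

Pairs returned by `inherited_only` are the ones to confirm with the group owner, because those users received the role as a side effect of being added to the group.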