Managing user roles
A role is a collection of permissions that you can assign to a user or group. Add, remove, or limit the scope of roles for PingOne users on the Users page.
You can manage two kinds of roles:
- Administrator roles, which grant access to specific PingOne capabilities. Learn more about the capabilities of each administrator role in Administrator Roles.
- Application roles, which grant access to features and API resources in applications developed by your organization. Learn more in Application roles.
Assigning administrator roles
Assign administrator roles on the Users page in the directory.
You can also assign administrator roles to groups, worker applications, or PingFederate gateway integrations. The process of assigning roles is similar for all types of administrator role assignment. However, you can only assign a role at the group level for users and groups. You can’t assign roles at the group level for applications or gateways.
Steps
- In the PingOne admin console, go to Directory > Users and browse or search for the user that you want to edit.
- Click the user entry to open the user details panel.
- Click the Roles > Administrator Roles tab.
If there aren’t any application roles available in the environment, the settings are on the Roles tab.
If roles are assigned to the user, they’re listed here with information about where those roles apply. For example, in the following image, BX User is assigned the following administrator roles:
  - Advanced Help Desk Admin: They have this role over one group in one environment.
  - Application Owner: They have this role at the environment level in two environments. Because the role is assigned at the environment level, they have the role over all of the applications in both of those environments. In a third environment, they have the role over only one application. That is the only application they can manage in that environment.
  - Environment Admin: They have this role for one environment.
  - Identity Data Admin: They have this role over one population in one environment.
Click the Info icon to view the permissions associated with the role. Click the down arrow on the right to view the list of environments, populations, applications, or groups for which the role is assigned. The levels at which a role can be assigned depend on the role. For example, only certain roles can be assigned at the group or application levels.
- Click Grant Roles.
The Available Responsibilities tab lists the roles that you’re allowed to assign and the environments for which you’re allowed to assign them. A responsibility is the combination of the role assignment and the level, or scope, at which the role is applied. Depending on the role, it could be assigned at the organization, environment, population, group, or application level.
The Granted Responsibilities tab lists any roles that are currently assigned.
- On the Available Responsibilities tab, click the role that you want to assign or change and perform any combination of the following:
  - To assign the role, select the checkboxes next to the applicable environments for which you want the user to have the role. Click Select All or Remove All to select or clear all available responsibilities.
  - To remove a role assignment, clear the checkboxes next to the applicable environments.
  - To grant this access for only a portion of the environment, click the Reduce Access icon, select a subset of the available applications, populations, or groups on the Limit Access page, and click Confirm.
You can grant only roles that are assigned to you or that grant the permissions needed to assign that role to others. For example, if you don’t have the Environment Admin role, you can’t assign the Environment Admin role to others (and that role won’t be listed under Available Responsibilities). However, even if you have only the Identity Data Admin role, you can assign either the Identity Data Admin role or the Identity Data Read Only role to others. The permissions for the Identity Data Admin role allow the bearer to assign both of these roles to others.
Learn more about the permissions associated with each role in Roles in the PingOne API documentation.
- Click Save.
Result
The role assignments that you selected are listed on the Granted Responsibilities tab.
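The scope and delegation rules described in the steps above can be checked offline when reviewing who is able to grant what. The following is an added example, not PingOne code or its API: the `Responsibility` model, the IDs, and the `MAY_ALSO_ASSIGN` map are hypothetical, the map holds only the one pairing this page states, and limiting delegation to the grantor's own scope below the environment level is an assumption of the sketch.

```python
from dataclasses import dataclass

# Hypothetical model of a "responsibility": a role plus the scope it applies to.
@dataclass(frozen=True)
class Responsibility:
    role: str
    level: str          # "environment", "population", "group" or "application"
    scope_id: str       # id of the environment, population, group or application
    environment: str    # environment that contains the scope

# Roles a holder may assign to others besides the role itself. Only the pairing
# stated on this page is listed; the real mapping is in the PingOne API docs.
MAY_ALSO_ASSIGN = {"Identity Data Admin": {"Identity Data Read Only"}}

def covers(held: Responsibility, target: Responsibility) -> bool:
    """True if the held scope includes the target scope."""
    if held.environment != target.environment:
        return False
    if held.level == "environment":
        return True     # environment level covers everything inside it
    return held.level == target.level and held.scope_id == target.scope_id

def can_grant(grantor: list[Responsibility], wanted: Responsibility) -> bool:
    """Delegation rule: hold the role (or one that may assign it) at a scope
    that covers the scope being granted (scope limit is an assumption)."""
    for held in grantor:
        assignable = {held.role} | MAY_ALSO_ASSIGN.get(held.role, set())
        if wanted.role in assignable and covers(held, wanted):
            return True
    return False

# Constructed sample data loosely following the BX User example above.
BX_USER = [
    Responsibility("Application Owner", "environment", "env-1", "env-1"),
    Responsibility("Application Owner", "application", "app-7", "env-3"),
    Responsibility("Identity Data Admin", "population", "pop-2", "env-1"),
]

if __name__ == "__main__":
    requests = [
        Responsibility("Application Owner", "application", "app-1", "env-1"),
        Responsibility("Application Owner", "application", "app-9", "env-3"),
        Responsibility("Identity Data Read Only", "population", "pop-2", "env-1"),
        Responsibility("Environment Admin", "environment", "env-1", "env-1"),
    ]
    for r in requests:
        print(f"{r.role} @ {r.level}:{r.scope_id} ->", can_grant(BX_USER, r))
```

Running the same check over an export of real assignments shows which administrators hold environment-level responsibilities that could be reduced to a single application, population, or group.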
Assigning application roles
Assign application roles on the Users page in the directory.
Follow these steps to assign application roles to users after you create application roles.
The user assigning application roles must have the Identity Data Admin role.
Steps
- In the PingOne admin console, go to Directory > Users and browse or search for the user to whom you want to assign a role.
- Click the user entry to open the user details panel.
- Click the Roles > Application Roles tab.
If the user has assigned roles, they’re listed here. For example, the image shows that Theresa Miller already has the Invoicing Processor role.
You can assign application roles at the environment level.
- Do one of the following:
  - If the user has assigned roles, click the Pencil icon.
  - If the user doesn’t have assigned roles, click Grant Application Roles.
Result:
The Application Roles tab lists the roles that you can assign. The Selected Application Roles tab lists the roles, if any, that are currently assigned to the user.
- On the Application Roles tab, select or clear the relevant checkboxes to assign or unassign roles.
For example, you might assign Theresa the Billing Supervisor role while Melissa, the billing supervisor, is on vacation.
- Click Save.