--- title: Managing user roles description: Add, remove, or limit the scope of roles for PingOne users on the [.uicontrol]**Users** page. component: pingone page_id: pingone:directory:p1_manage_user_roles canonical_url: https://docs.pingidentity.com/pingone/directory/p1_manage_user_roles.html revdate: May 12, 2025 section_ids: assigning-administrator-roles: Assigning administrator roles steps: Steps result: Result related-links: Related links assigning-application-roles: Assigning application roles steps-2: Steps choose-from: Choose from: result-2: Result: --- # Managing user roles A role is a collection of permissions that you can assign to a user or group. Add, remove, or limit the scope of roles for PingOne users on the **Users** page. You can manage two kinds of roles: * Administrator roles grant access to specific PingOne capabilities. Learn more about the capabilities of each administrator role in [Administrator Roles](p1_roles.html). * Application roles grant access to features and API resources in applications developed by your organization. Learn more in [Application roles](../authorization_using_pingone_authorize/p1_az_application_roles.html). - Administrator roles - Application roles ## Assigning administrator roles Assign administrator roles on the **Users** page in the directory. ## Steps 1. In the PingOne admin console, go to **Directory > Users** and browse or search for the user that you want to edit. 2. Click the user entry to open the user details panel. 3. Click the **Roles** > **Administrator Roles** tab. If roles are assigned, they're listed here with information about where those roles apply. For example, in the following image, **BX User** has the **Application Owner** role in two environments. Because the role is assigned at the environment level, they have the role over all of the applications in those environments. In a third environment, they have the role over only two applications. They also have the **Environment Admin** role, and they have that role in three environments. | | | | - | -------------------------------------------------------------------------------------------------------- | | | You can assign administrator roles to users, groups, applications, or PingFederate gateway integrations. | ![A screen capture of the user details for BX User. Roles > Administrator Roles is selected, and shows the assignment of the Application Owner role over 2 environments, and in a third over two applications. Also shows the Environment Admin role in three environments.](../_images/wcj1710180598183.png) | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Click the **Info** icon to view the permissions associated with the role. Click the down arrow on the right to view the list of environments or populations for which the role is assigned. | ![Screen capture of the Environment Admin and Application Owner roles expanded to display detailed information about the environments and applications over which the user is assigned the role.](../_images/xok1710181537536.png) 4. Click **Grant Roles**. The **Available Responsibilities** tab lists the roles that you are allowed to assign and the environments for which you are allowed to assign them. A responsibility is the combination of the role assignment and the level, or scope, at which the role is applied. Depending on the role, it could be assigned at the organization, environment, population, or application level. The **Granted Responsibilities** tab lists any roles that are currently assigned. 5. On the **Available Responsibilities** tab, click the role that you want to assign or change and perform any combination of the following: 1. To assign the role, select the checkboxes next to the applicable environments. | | | | - | ----------------------------------------------------------------------------------------- | | | Click **Select All** or **Remove All** to select or clear all available responsibilities. | 2. To remove a role assignment, clear the checkboxes next to the applicable environments. 3. To grant this access for only a portion of the environment, click the **Reduce Access** icon (![image of reduce access icon](../_images/qge1710506304767.png)), select a subset of the available applications or populations on the **Limit Access** page, and click **Confirm**. ![A screen capture of the Limit Access page showing one population selected out of three populations](../_images/qnh1710778106962.png) | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can grant only roles that are assigned to you or that confer the permissions needed to assign that role to others. For example, if you do not have the Environment Admin role, you cannot assign the Environment Admin role to others (and that role will not be listed under **Available Responsibilities**). However, if you have the Identity Data Admin role, you can assign either the Identity Data Admin role or the Identity Data Read Only role to others.Learn more about the permissions associated with each role in [Roles](https://developer.pingidentity.com/pingone-api/platform/roles.html) in the PingOne API documentation. | 6. Click **Save**. ## Result The role assignments that you selected are listed on the **Granted Responsibilities** tab. ## Related links * [Administrator Roles](p1_roles.html) ## Assigning application roles Assign application roles on the **Users** page in the directory. Follow these steps to assign application roles to users after you [create application roles](../authorization_using_pingone_authorize/p1_az_adding_application_roles.html). | | | | - | ---------------------------------------------------------------------------- | | | The user assigning application roles must have the Identity Data Admin role. | ### Steps 1. In the PingOne admin console, go to **Directory > Users** and browse or search for the user to whom you want to assign a role. 2. Click the user entry to open the user details panel. 3. Click the **Roles > Application Roles** tab. If the user has assigned roles, they're listed here. For example, the image shows that **Theresa Miller** already has the **Invoicing Processor** role. | | | | - | ---------------------------------------------------------- | | | You can assign application roles at the environment level. | ![Screen capture of the Application roles tab showing the Invoicing Processor role assigned to Theresa Miller.](_images/uar1715187232963.png) 4. Do one of the following. #### Choose from: * If the user has assigned roles, click the **Pencil** icon. * If the user doesn't have assigned roles, click **Grant Application Roles**. #### Result: The **Application Roles** tab lists the roles that you can assign. The **Selected Application Roles** tab lists the roles, if any, that are currently assigned to the user. ![Screen capture of Edit Application Roles showing checkboxes for the Invoicing Processor and Billing Supervisor roles.](_images/uka1715187369551.png) 5. On the **Application Roles** tab, select or clear the relevant checkboxes to assign or unassign roles. For example, you might assign Theresa the Billing Supervisor role while Melissa, the billing supervisor, is on vacation. 6. Click **Save**.