PingOne

Administrator Roles

An administrator role is a collection of permissions that you can assign to a user, application, or connection. Administrator roles give PingOne admins access to resources in the PingOne admin console and determine the actions they can take in PingOne.

PingOne roles

PingOne can include some or all of the following administrator roles, depending on your configuration and licensing.

Application Owner

A role for managing the specific applications to which the admin is assigned. Key permissions include assigning application access using groups, editing attributes, and configuring connection details for the application. This role has no other administrator permissions.

Client Application Developer

A role for managing API client applications. The permissions for a client application developer are centered around managing applications and include functions such as creating and deleting client applications and resetting a client secret for an application.

Configuration Read Only

A subset of the Environment Admin role, but with read-only permissions. For example, the Environment Admin role can read, update, and delete environments, but the Configuration Read Only role can read environment data only. Admins with the Environment Admin or Configuration Read Only role can assign the Configuration Read Only role to users.

Environment Admin

A role for managing environments. The permissions for an environment administrator are centered around managing environments and include functions such as editing environments, managing populations, viewing password policies, and assigning certain roles.

Identity Data Admin

A role for managing identities and identity data. The permissions for an identity data administrator are centered around managing user identities, and include functions like creating users and resetting a user’s password.

Identity Data Read Only

A subset of the Identity Data Admin role, but with read-only permissions. For example, the Identity Data Admin role can read, update, and delete users, but the Identity Data Read Only role can read user data only. Admins with the Identity Data Admin or Identity Data Read Only role can assign the Identity Data Read Only role to users.

Organization Admin

A role for managing the entire organization. The permissions for an organization administrator are centered around managing organizations and include functions like creating, editing, and deleting organizations and environments.

PingOne Advanced Identity Cloud Super Admin

A role for managing the PingOne Advanced Identity Cloud tenant with all administrator permissions, including adding administrators.

This role is an early-access preview for a feature that is not yet generally available.

PingOne Advanced Identity Cloud Tenant Admin

A role for managing the PingOne Advanced Identity Cloud tenant with most administrator permissions, except adding administrators.

This role is an early-access preview for a feature that is not yet generally available.

PingFederate roles

For PingOne environments that include single sign-on (SSO) to PingFederate, PingOne includes PingFederate-specific roles. These roles give PingOne admins access to PingFederate and determine their level of access to PingFederate.

PingFederate Administrator

Configure partner connections and most system settings, except the management of local accounts and the handling of local keys and certificates.

PingFederate Auditor

View-only permissions for all administrative functions.

If a user has the PingFederate Auditor role in addition to another PingFederate role, during SSO to PingFederate, the Auditor role is stripped out and only the other role remains. For example, if you have the PingFederate Auditor and PingFederate Administrator roles, when you SSO to PingFederate, the PingFederate Auditor role is removed, and you will have only the PingFederate Administrator role.

PingFederate Crypto Administrator

Manage local keys and certificates.

PingFederate Expression Administrator

Map user attributes by using the OGNL (Object-Graph Navigation Language) expression language.

PingFederate User Administrator

Create users, deactivate users, change or reset passwords, and install replacement license keys.

DaVinci roles

For PingOne environments that include the PingOne DaVinci service, PingOne includes two DaVinci-specific roles. These roles give PingOne admins access to DaVinci and determine their level of access to DaVinci.

The user adding DaVinci to an environment is given the DaVinci Admin role.

DaVinci Admin

A role with full read and write access to the DaVinci console. Create, edit, delete, and deploy DaVinci flows, and create, edit, and delete connections and variables.

DaVinci Admin Read Only

A role with read-only access to the DaVinci console. Read flows, connections, and variables.