Administrator Roles
An administrator role is a collection of permissions that you can assign to a user, application, or connection. Administrator roles give PingOne administrators access to resources in the PingOne admin console and determine the actions they can take in PingOne.
There are two types of administrator roles in PingOne:
- Built-in roles: PingOne provides several built-in administrator roles, such as Environment Admin, Application Owner, and Organization Admin. These roles provide access to a wide variety of resources at multiple levels within PingOne. You can’t modify built-in administrator roles.
- Custom roles: You can create custom administrator roles to delegate administration of particular resources in an environment and provide least-privileged access to those resources. These roles are environment-specific and consist of a limited set of permissions that can be edited by administrators who have one of the following roles:
  - Organization Admin
  - Custom Roles Admin
  - A custom role with permissions equivalent to the Custom Roles Admin. Learn more in Adding a custom administrator role.

  Like built-in roles, custom roles can be assigned to an individual user, group, worker application, or PingFederate Gateway for a specified level in PingOne. Depending on the environment in which the role is created, a custom role can be assigned at the organization level, environment level, or population level.

  If you want users from multiple environments to have access to the same custom administrator role, you must create the role in each of those environments.
Roles with the Privileged icon include permissions that either provide access to sensitive information, such as personal user data, or allow the bearer to perform actions that could significantly impact the organization, such as deleting an environment. These permissions should be assigned sparingly.

Best Practice: Review the permissions associated with the role before you assign the role.
- Learn more about assigning admin roles to users in Managing user roles.
- Learn more about assigning admin roles to a user group in Group roles.
- You can also assign admin roles to worker applications. Learn more in Configuring roles for a worker application.
- Learn more about the permissions associated with built-in administrator roles in PingOne Role Permissions.
Built-In Roles tab
PingOne provides the following built-in administrator roles.
Click a role to open the details pane and view additional details about the role, including the levels to which it can be applied, for example, Environment or Application, and the permissions it includes. Built-in roles cannot be modified, but you can clone a built-in role to use it as the basis for a new custom role that you can modify.
PingOne built-in administrator roles

Role | Description
---|---
Application Owner | A role for managing the specific applications to which the holder is assigned. Key permissions include assigning application access using groups, editing attributes, and configuring connection details for the application. This role has no other administrator permissions.
Client Application Developer | A role for managing API client applications. The permissions for a client application developer are centered around managing applications and include functions such as creating and deleting client applications and resetting a client secret for an application.
Configuration Read Only | A subset of the Environment Admin role, limited to read-only permissions. For example, the Environment Admin role can read, update, and delete environments, but the Configuration Read Only role can only read environment data. Administrators with the Environment Admin or Configuration Read Only role can assign the Configuration Read Only role to users.
DaVinci Admin | (Only applicable for PingOne environments that include the PingOne DaVinci service.) A role that gives PingOne administrators full read and write access to the DaVinci console: create, edit, delete, and deploy DaVinci flows, and create, edit, and delete connections and variables. The user who adds DaVinci to an environment is given the DaVinci Admin role.
DaVinci Admin Read Only | (Only applicable for PingOne environments that include the PingOne DaVinci service.) A role that gives PingOne administrators read-only access to the DaVinci console: read flows, connections, and variables.
Environment Admin | A role for managing environments. The permissions for an environment administrator are centered around managing environments and include functions such as editing environments, managing populations, viewing password policies, and assigning certain roles.
Identity Data Admin | A role for managing identities and identity data. The permissions for an identity data administrator are centered around managing user identities, and include functions like creating users and resetting a user’s password.
Identity Data Read Only | A subset of the Identity Data Admin role, but with read-only permissions. For example, the Identity Data Admin role can read, update, and delete users, but the Identity Data Read Only role can only read user data. Admins with the Identity Data Admin or Identity Data Read Only role can assign the Identity Data Read Only role to users.
Organization Admin | A role for managing the entire organization. The permissions for an organization administrator are centered around managing organizations and include functions like creating, editing, and deleting organizations and environments.
PingFederate roles
For PingOne environments that include single sign-on (SSO) to PingFederate, PingOne includes PingFederate-specific roles. These roles give PingOne administrators access to PingFederate and determine their level of access to PingFederate.
Role | Description
---|---
PingFederate Administrator | Configure partner connections and most system settings, except the management of local accounts and the handling of local keys and certificates.
PingFederate Auditor | View-only permissions for all administrative functions.
PingFederate Crypto Administrator | Manage local keys and certificates.
PingFederate Expression Administrator | Map user attributes by using the OGNL (Object-Graph Navigation Language) expression language.
PingFederate User Administrator | Create users, deactivate users, change or reset passwords, and install replacement license keys.
PingOne Advanced Identity Cloud roles
For PingOne environments that include SSO to PingOne Advanced Identity Cloud, PingOne includes PingOne Advanced Identity Cloud-specific roles. These roles give PingOne administrators access to PingOne Advanced Identity Cloud and determine their level of access.
Role | Description
---|---
PingOne Advanced Identity Cloud Super Admin | A role for managing the PingOne Advanced Identity Cloud tenant with all administrator permissions, including adding administrators.
PingOne Advanced Identity Cloud Tenant Admin | A role for managing the PingOne Advanced Identity Cloud tenant with most administrator permissions, except adding administrators.
Custom Roles tab
If there are custom roles in the environment, they are listed on the Custom Roles tab.
Custom administrator role restrictions
Custom administrator roles have certain restrictions that don’t apply to the built-in administrator roles:
- Custom administrator roles are not currently supported in PingOne DaVinci.
- Custom administrator roles created in the Administrators environment can be assigned at the organization level to users, groups, applications, and gateways in the Administrators environment.

  For the purposes of this documentation, the Administrators environment is the environment in your organization that is assigned the ADMIN license. If you renamed your Administrators environment, or if you assigned your ADMIN license to a different environment, that environment acts as your Administrators environment.

  If you have issues with your ADMIN license, contact Ping Identity Support. The ADMIN license is required for access to certain functionality in PingOne, including some aspects of custom roles.
- Custom roles created in any environment other than the Administrators environment can’t be assigned at the organization level. These roles can only be assigned against resources within the environment in which they were created or over the entire environment.
- Administrators with the Custom Roles Admin role can create custom roles, but only users with the roles selected in the Assignable by field for each custom role can assign that role.
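The restrictions above can be expressed as a small policy check. The following Python is an added illustration, not PingOne's own code or API; the environment ids, ADMIN_ENV_ID and the sample roles are constructed for the example.

```python
"""Added example, not PingOne's own code or API: a small model of the
custom-role scope and assignability rules described above. ADMIN_ENV_ID,
the sample roles and the environment ids are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ADMIN_ENV_ID = "env-administrators"  # constructed id of the environment holding the ADMIN license


@dataclass(frozen=True)
class CustomRole:
    name: str
    created_in: str                # environment the role was created in (roles are environment-specific)
    assignable_by: FrozenSet[str]  # role names listed in the role's "Assignable by" field
    privileged: bool = False       # includes a Privileged permission; assign sparingly


@dataclass(frozen=True)
class Scope:
    level: str                            # "organization", "environment" or "population"
    environment_id: Optional[str] = None  # None only for organization-level scope


def check_assignment(assigner_roles: FrozenSet[str], role: CustomRole, scope: Scope) -> Tuple[bool, str]:
    """Return (allowed, reason). Custom Roles Admin lets an admin create and edit
    roles; assigning one still needs a role from its Assignable by list."""
    note = " (Privileged role: review its permissions before assigning)" if role.privileged else ""
    if not assigner_roles & role.assignable_by:
        return False, "assigner holds none of the roles in Assignable by: %s" % sorted(role.assignable_by)
    if scope.level == "organization":
        if role.created_in != ADMIN_ENV_ID:
            return False, "only custom roles created in the Administrators environment can be assigned at organization level"
        return True, "organization-level assignment of an Administrators-environment role" + note
    if scope.level in ("environment", "population"):
        if scope.environment_id != role.created_in:
            return False, "role belongs to %s and cannot be assigned in %s" % (role.created_in, scope.environment_id)
        return True, "%s-level assignment inside the role's own environment%s" % (scope.level, note)
    return False, "unknown scope level %r" % scope.level


# Constructed sample roles
HELPDESK = CustomRole("Helpdesk Password Reset", "env-customers",
                      frozenset({"Organization Admin", "Environment Admin"}), privileged=True)
ORG_AUDITOR = CustomRole("Org Config Auditor", ADMIN_ENV_ID, frozenset({"Organization Admin"}))

if __name__ == "__main__":
    env_admin = frozenset({"Environment Admin"})
    print(check_assignment(env_admin, HELPDESK, Scope("environment", "env-customers")))  # allowed
    print(check_assignment(env_admin, HELPDESK, Scope("organization")))                  # denied
    print(check_assignment(frozenset({"Custom Roles Admin"}), ORG_AUDITOR, Scope("organization")))  # denied
```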
We are performing ongoing testing to ensure that all combinations of permissions work as expected for all of the pages in the PingOne admin console. However, it is possible that, at release time, certain combinations have not yet been tested. If you create a custom role, assign it, and find that certain pages do not load properly, know that we are continuing to test, and will resolve all issues. Make a note of the page that didn’t load properly, and try again in a few weeks.
If missing permissions are preventing the page from loading properly, a message similar to the following appears.