PingOne

Managing administrator roles

You can assign administrator roles to individual users or to groups.

Managing roles individually

About this task

Use the Users page to add roles to a user.

Steps

  1. In PingOne, go to the Administrators environment.

    Older organizations might not have an Administrators environment by default. To separate administrators from end users and improve security posture, you should manage all administrators in their own environment.

  2. Go to Directory → Users and browse or search for the user that you want to edit.

  3. Browse for an existing user or create a new one.

    Learn more in Adding a user.

  4. Click the user entry to open the user details panel.

  5. Click the Roles → Administrator Roles tab.

    If roles are assigned, they’re listed here with information about where those roles apply. For example, in the following image, BX User has the Application Owner role in two environments. Because the role is assigned at the environment level, they have the role over all of the applications in those environments. In a third environment, they have the role over only two applications. They also have the Environment Admin role, and they have that role in three environments.

    You can assign administrator roles to users, groups, applications, or PingFederate gateway integrations.
    A screen capture of the user details for BX User. Roles > Administrator Roles is selected, and shows the assignment of the Application Owner role over 2 environments, and in a third over two applications. Also shows the Environment Admin role in three environments.

    Click the Info icon to view the permissions associated with the role. Click the down arrow on the right to view the list of environments or populations for which the role is assigned.
    Screen capture of the Environment Admin and Application Owner roles expanded to display detailed information about the environments and applications over which the user is assigned the role.

  6. Click Grant Roles.

    The Available Responsibilities tab lists the roles that you are allowed to assign and the environments for which you are allowed to assign them. A responsibility is the combination of the role assignment and the level, or scope, at which the role is applied. Depending on the role, it could be assigned at the organization, environment, population, or application level.

    The Granted Responsibilities tab lists any roles that are currently assigned.

  7. On the Available Responsibilities tab, click the role that you want to assign or change and perform any combination of the following:

    1. To assign the role, select the checkboxes next to the applicable environments.

      Click Select All or Remove All to select or clear all available responsibilities.

    2. To remove a role assignment, clear the checkboxes next to the applicable environments.

    3. To grant this access for only a portion of the environment, click the Reduce Access icon (image of reduce access icon), select a subset of the available applications or populations on the Limit Access page, and click Confirm.

      A screen capture of the Limit Access page showing one population selected out of three populations

      You can grant only roles that are assigned to you or that confer the permissions needed to assign that role to others. For example, if you do not have the Environment Admin role, you cannot assign the Environment Admin role to others (and that role will not be listed under Available Responsibilities). However, if you have the Identity Data Admin role, you can assign either the Identity Data Admin role or the Identity Data Read Only role to others.

      Learn more about the permissions associated with each role in Roles.

  8. Click Save.

Result

The role assignments that you selected are listed on the Granted Responsibilities tab.

Managing roles using groups

Use the Groups page to add roles to a group.

Assigning roles to groups allows you to:

  • Manage roles for multiple users at once.

  • Apply role changes in bulk.

  • See users that have a certain role by viewing group members.

For security reasons, only static groups can have roles assigned to them. That is, you can’t assign roles to groups that have members included based on a filter or rule. With a dynamic group, you might inadvertently add users to the group that would inherit role assignments. For more information, see Static and dynamic groups.

When adding users to groups that have roles assigned, be careful not to inadvertently assign a role to a user by adding them to a group. If a user has a role from being in a group, remove the user from the group to remove the role. If a user has a role assigned to them individually, you can remove the role from the user.

  • You can assign only roles that are assigned to you, or that are assignable by those roles. For example, the Identity Data Admin role has permissions that allow it to assign the Identity Data Admin Read Only role. Therefore, if you are assigned the Identity Data Admin role, you can assign that role or the Identity Data Admin Read Only role to a group.

  • An admin might not have permissions to assign roles but can add or remove users from a group that has role assignments. In other words, one admin can assign roles to a group, and a different admin can add or remove users from that group.

  • You cannot assign roles to a group that you are a member of.

  • You cannot add or remove yourself from a group that has roles assigned to it.

  • Roles assigned to a group will not affect roles that are assigned to a user individually.

  • You can assign roles in up to 500 groups.

Managing group roles

About this task

Assign roles to groups of administrators using the Groups page.

Steps

  1. In PingOne, go to the Administrators environment.

    Older organizations might not have an Administrators environment by default. We recommend that you manage all administrators in their own environment to separate administrators from end users and improve security posture.

  2. Go to Directory → Groups.

  3. Browse for an existing group or create a new one. Learn more in Creating a group.

  4. Click the group entry to open the details panel.

  5. Click the Roles → Administrator Roles tab.

    If roles are assigned, they’re listed here with information about where those roles apply. For example, in the following image, BX User has the Application Owner role in two environments. Because the role is assigned at the environment level, they have the role over all of the applications in those environments. In a third environment, they have the role over only two applications. They also have the Environment Admin role, and they have that role in three environments.

    You can assign administrator roles to users, groups, applications, or PingFederate gateway integrations.
    A screen capture of the user details for BX User. Roles > Administrator Roles is selected, and shows the assignment of the Application Owner role over 2 environments, and in a third over two applications. Also shows the Environment Admin role in three environments.

    Click the Info icon to view the permissions associated with the role. Click the down arrow on the right to view the list of environments or populations for which the role is assigned.
    Screen capture of the Environment Admin and Application Owner roles expanded to display detailed information about the environments and applications over which the user is assigned the role.

  6. Click Grant Roles.

    The Available Responsibilities tab lists the roles that you are allowed to assign and the environments for which you are allowed to assign them. A responsibility is the combination of the role assignment and the level, or scope, at which the role is applied. Depending on the role, it could be assigned at the organization, environment, population, or application level.

    The Granted Responsibilities tab lists any roles that are currently assigned.

  7. On the Available Responsibilities tab, click the role that you want to assign or change and perform any combination of the following:

    1. To assign the role, select the checkboxes next to the applicable environments.

      Click Select All or Remove All to select or clear all available responsibilities.

    2. To remove a role assignment, clear the checkboxes next to the applicable environments.

    3. To grant this access for only a portion of the environment, click the Reduce Access icon (image of reduce access icon), select a subset of the available applications or populations on the Limit Access page, and click Confirm.

      A screen capture of the Limit Access page showing one population selected out of three populations

      You can grant only roles that are assigned to you or that confer the permissions needed to assign that role to others. For example, if you do not have the Environment Admin role, you cannot assign the Environment Admin role to others (and that role will not be listed under Available Responsibilities). However, if you have the Identity Data Admin role, you can assign either the Identity Data Admin role or the Identity Data Read Only role to others.

      Learn more about the permissions associated with each role in Roles.

  8. Click Save.

Result

The role assignments that you selected are listed on the Granted Responsibilities tab.

Managing administrator roles using external groups

Before you begin

Ensure that you have one administrator user with direct sign-on access to PingOne. Add this user to the Administrators environment to keep them separate from your end users.

This task uses PingOne Admin User to refer to this user.

About this task

You can leverage just-in-time provisioning and use external groups, such as those in an identity store accessed through an external identity provider (IdP), to manage administrator role assignment in PingOne.

For example, you configure PingOne to use an external IdP with Active Directory (AD) as the identity store. You then create a group in the Active Directory identity store. You add users to this group and provision it to PingOne to ensure that these users have access to PingOne with the appropriate roles.

To use an external group to manage administrator roles in PingOne:

Steps

  1. Add a custom OIDC or SAML external IdP in PingOne.

    Managing roles using external groups is currently supported only for custom OIDC or SAML external IdPs.

    When you get to the step for mapping attributes, you must map at least the following PingOne user attributes to the corresponding attributes for the identity provider:

    • Username

    • Email Address

    • External Group Names

      Example:

      Screen capture showing the mapping of the Username, Email Address, and External Group Names attributes in PingOne to the corresponding attributes in an external IdP.

      The values in the previous image are for example purposes only. The external attribute names will vary depending on the provider.

      Set Update Condition for the Email Address and External Group Names attributes to Always. This ensures that these attributes are updated in PingOne whenever they are updated in the external IdP and that their access and permissions are always in sync.

      Map additional attributes as needed.

    When authenticating into PingOne from an external IdP, ensure that you enable MFA as part of your authentication policy.

  2. Create the applicable groups in your external identity store.

  3. During the initial group set up, add the PingOne Admin User to each external group that you want to provision to PingOne.

    You can add more users, but at a minimum each group must contain one user with direct access to PingOne before you continue. The process for adding users to groups depends on the external identity store that you are using. Follow the steps in the documentation for your identity store.

  4. Sign on to PingOne as the PingOne Admin User.

    Result:

    The external groups are provisioned to PingOne using just-in-time provisioning.

    Learn more in Just-in-time provisioning of external groups.

  5. Assign the appropriate admin roles to the groups in PingOne.

    Learn more on the Using groups tab in Managing roles using groups.

    You must assign at least one role to each group, or the users will be unable to sign on to PingOne.

    These roles are assigned to all users currently in the group and to any users added to the group in the future.

  6. Add users to the external group in the external identity store as needed to ensure that they can access PingOne with the appropriate role assignments.

    Similarly, remove users from the external group to remove their access to PingOne or to move them to a group with different role assignments.

Next steps

You should audit the users in your external directory regularly to ensure that their group membership and level of access is correct.