---
title: Managing administrator roles
description: Assign built-in or custom roles to users or groups to determine their access in PingOne.
component: pingone
page_id: pingone:getting_started_with_pingone:p1_manage_admin_roles
canonical_url: https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_manage_admin_roles.html
revdate: June 26, 2024
section_ids:
  managing-roles-individually: Managing roles individually
  steps: Steps
  result: Result
  managing-roles-using-groups: Managing roles using groups
  managing-group-roles: Managing group roles
  steps-2: Steps
  result-2: Result
  p1-manage-roles-external-groups: Managing administrator roles using external groups
  before-you-begin: Before you begin
  about-this-task: About this task
  steps-3: Steps
  example: Example:
  result-3: Result:
  next-steps: Next steps
---

# Managing administrator roles

You can assign built-in or custom administrator roles to individual users or to groups.

|   |                                                                                                                                                                                                                                                                |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Learn more about built-in roles and creating and managing custom roles in [Administrator Roles](../directory/p1_roles.html) and [Custom role scenarios](../directory/p1_custom_roles_scenarios_intro.html) before you start assigning roles to administrators. |

## Managing roles individually

Use the **Users** page to add roles to a user.

### Steps

1. In the PingOne admin console, go to the **Administrators** environment.

   |   |                                                                                                                                                                                                              |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | Older organizations might not have an **Administrators** environment by default. To improve security posture, separate administrators from end users and manage all administrators in their own environment. |

2. Go to **Directory > Users**.

3. Browse or search for an existing user or create a new one.

   Learn more in [Adding a user](../directory/p1_adduser.html).

4. Click the user entry to open the user details panel.

5. Click the **Roles** > **Administrator Roles** tab.

   If roles are assigned, they're listed here with information about where those roles apply. For example, in the following image, **BX User** has the **Application Owner** role in two environments. Because the role is assigned at the environment level, they have the role over all of the applications in those environments. In a third environment, they have the role over only two applications. They also have the **Environment Admin** role, and they have that role in three environments.

   |   |                                                                                                          |
   | - | -------------------------------------------------------------------------------------------------------- |
   |   | You can assign administrator roles to users, groups, applications, or PingFederate gateway integrations. |

   ![A screen capture of the user details for BX User. Roles > Administrator Roles is selected, and shows the assignment of the Application Owner role over 2 environments, and in a third over two applications. Also shows the Environment Admin role in three environments.](../_images/wcj1710180598183.png)

   |   |                                                                                                                                                                                             |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Click the **Info** icon to view the permissions associated with the role. Click the down arrow on the right to view the list of environments or populations for which the role is assigned. |

   ![Screen capture of the Environment Admin and Application Owner roles expanded to display detailed information about the environments and applications over which the user is assigned the role.](../_images/xok1710181537536.png)

6. Click **Grant Roles**.

   The **Available Responsibilities** tab lists the roles that you are allowed to assign and the environments for which you are allowed to assign them. A responsibility is the combination of the role assignment and the level, or scope, at which the role is applied. Depending on the role, it could be assigned at the organization, environment, population, or application level.

   The **Granted Responsibilities** tab lists any roles that are currently assigned.

7. On the **Available Responsibilities** tab, click the role that you want to assign or change and perform any combination of the following:

   1. To assign the role, select the checkboxes next to the applicable environments.

      |   |                                                                                           |
      | - | ----------------------------------------------------------------------------------------- |
      |   | Click **Select All** or **Remove All** to select or clear all available responsibilities. |

   2. To remove a role assignment, clear the checkboxes next to the applicable environments.

   3. To grant this access for only a portion of the environment, click the **Reduce Access** icon (![image of reduce access icon](../_images/qge1710506304767.png)), select a subset of the available applications or populations on the **Limit Access** page, and click **Confirm**.

      ![A screen capture of the Limit Access page showing one population selected out of three populations](../_images/qnh1710778106962.png)

      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
      | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | You can grant only roles that are assigned to you or that confer the permissions needed to assign that role to others. For example, if you do not have the Environment Admin role, you cannot assign the Environment Admin role to others (and that role will not be listed under **Available Responsibilities**). However, if you have the Identity Data Admin role, you can assign either the Identity Data Admin role or the Identity Data Read Only role to others. Learn more about the permissions associated with each role in [Roles](https://developer.pingidentity.com/pingone-api/platform/roles.html) in the PingOne API documentation. |

8. Click **Save**.

### Result

The role assignments that you selected are listed on the **Granted Responsibilities** tab.

## Managing roles using groups

Use the **Groups** page to add roles to a group.

Assigning roles to groups allows you to:

* Manage roles for multiple users at once.

* Apply role changes in bulk.

* See users that have a certain role by viewing group members.

For security reasons, only static groups can have roles assigned to them. You can't assign roles to dynamic groups, which have members included based on a filter or rule. With a dynamic group, you might inadvertently add users to the group that would inherit role assignments. Learn more in [Static and dynamic groups](../directory/p1_groups_vs_populations.html#p1-static-dynamic-groups).

When adding users to groups that have roles assigned, be careful not to inadvertently assign a role to a user by adding them to a group. If a user has a role inadvertently assigned to them because they're added to a group, remove the user from the group to remove the role. If a user has a role assigned to them individually, you can remove the role from the user.

|   |                                                             |
| - | ----------------------------------------------------------- |
|   | Keep the following rules in mind when assigning roles to groups: |

* You can assign a role to a group you're a member of only if that role is assigned to you directly as an individual user, and is not assigned to you as part of a group that you belong to.

* If a built-in role you're assigned allows you to assign a different role, you can also assign that role to a group you are a member of. For example, the Identity Data Admin role has permissions that allow it to assign the Identity Data Admin Read Only role. If you're assigned the Identity Data Admin role, you can assign that role or the Identity Data Admin Read Only role to a group.

* An administrator might not have permissions to assign roles but can add or remove users from a group that has role assignments. For example, one administrator can assign roles to a group, and a different administrator can add or remove users from that group, depending on their role assignments.

* You can't add or remove yourself from a group that has roles assigned to it.

* Roles assigned to a group won't affect roles that are assigned to a user individually. If the role isn't assigned to the user directly, the role is removed when they're removed from the group.

* You can assign roles in up to 500 groups.
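The rules stated on this page for roles granted to groups (direct versus group-inherited assignments, roles only on static groups, removal from a group dropping only the inherited roles, reducing an environment-level responsibility to a subset of applications or populations, and the earlier note on which roles you may grant to others) are small enough to model precisely. The following is an added Python illustration written for this page; it is not PingOne code and does not call the PingOne API. The users, groups, environment and application IDs are constructed sample data, and the `CONFERS` table contains only the Identity Data Admin to Identity Data Read Only relationship the page itself gives as an example.

```python
"""Model of the administrator role rules described on this page (an added
illustration, not PingOne code). Role and scope names follow the page; users,
groups, environment and application IDs are constructed sample data."""
from dataclasses import dataclass, field

# Levels at which a responsibility can be scoped, per the page.
SCOPE_TYPES = {"ORGANIZATION", "ENVIRONMENT", "POPULATION", "APPLICATION"}

# From the page's example: holding Identity Data Admin also lets you grant
# Identity Data Read Only. No other conferral rules are stated on the page.
CONFERS = {"Identity Data Admin": {"Identity Data Read Only"}}


@dataclass(frozen=True)
class Responsibility:
    """A role combined with the scope (level) at which it is applied."""
    role: str
    scope_type: str
    scope_id: str

    def __post_init__(self):
        if self.scope_type not in SCOPE_TYPES:
            raise ValueError(f"unknown scope type: {self.scope_type}")


@dataclass
class Group:
    name: str
    static: bool                                  # only static groups may carry roles
    members: set = field(default_factory=set)
    roles: set = field(default_factory=set)


def assign_group_role(group, resp):
    """Reject dynamic groups: filter-based membership could grant roles unintentionally."""
    if not group.static:
        raise ValueError(f"roles cannot be assigned to dynamic group {group.name}")
    group.roles.add(resp)


def effective_roles(user, direct, groups):
    """Return {responsibility: {sources}}: direct grants plus grants inherited
    from every group the user belongs to, so each role's provenance is visible."""
    result = {}
    for resp in direct.get(user, set()):
        result.setdefault(resp, set()).add("direct")
    for g in groups:
        if user in g.members:
            for resp in g.roles:
                result.setdefault(resp, set()).add(f"group:{g.name}")
    return result


def remove_from_group(user, group, direct, groups):
    """Leaving a group drops only roles that came from that group; direct grants stay."""
    group.members.discard(user)
    return effective_roles(user, direct, groups)


def reduce_access(resp, subset_type, subset_ids):
    """Limit Access: replace an environment-level responsibility with responsibilities
    over a subset of that environment's applications or populations."""
    if resp.scope_type != "ENVIRONMENT" or subset_type not in {"APPLICATION", "POPULATION"}:
        raise ValueError("only environment-level responsibilities can be reduced to apps or populations")
    return {Responsibility(resp.role, subset_type, sid) for sid in subset_ids}


def grantable_roles(admin, direct, groups):
    """Roles an administrator may grant to others: those they hold (directly or via
    a group) plus any roles those confer."""
    held = {r.role for r in effective_roles(admin, direct, groups)}
    return held | set().union(*(CONFERS.get(r, set()) for r in held))


def can_assign_to_own_group(admin, group, role, direct):
    """Own-group rule only: a role may go to a group you belong to only if you hold
    it directly (or a directly held role confers it), never via group membership."""
    if admin not in group.members:
        return True  # rule does not apply; grantable_roles() still governs the grant
    direct_roles = {r.role for r in direct.get(admin, set())}
    conferred = set().union(*(CONFERS.get(r, set()) for r in direct_roles))
    return role in direct_roles | conferred


# Constructed sample data (IDs are placeholders, not real PingOne identifiers).
ENV_ADMIN_PROD = Responsibility("Environment Admin", "ENVIRONMENT", "env-prod")
APP_OWNER_PROD = Responsibility("Application Owner", "ENVIRONMENT", "env-prod")
IDA_PROD = Responsibility("Identity Data Admin", "ENVIRONMENT", "env-prod")

DIRECT = {"alice": {ENV_ADMIN_PROD}, "bob": {IDA_PROD}}
HELPDESK = Group("helpdesk", static=True, members={"alice", "carol"})
assign_group_role(HELPDESK, APP_OWNER_PROD)
GROUPS = [HELPDESK]
```

With this data, `effective_roles("alice", DIRECT, GROUPS)` shows Environment Admin as direct and Application Owner as inherited from `helpdesk`; alice may grant Environment Admin to that group (held directly) but not Application Owner (held only through the group); and `remove_from_group("alice", HELPDESK, ...)` leaves her with the direct Environment Admin grant alone.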

### Managing group roles

Assign roles to groups of administrators using the **Groups** page.

### Steps

1. In the PingOne admin console, go to the **Administrators** environment.

   |   |                                                                                                                                                                                                              |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | Older organizations might not have an **Administrators** environment by default. To improve security posture, separate administrators from end users and manage all administrators in their own environment. |

2. Go to **Directory > Groups**.

3. Browse for an existing group or create a new one.

   Learn more in [Creating a group](../directory/p1_create_group.html).

4. Click the group entry to open the details panel.

5. Click the **Roles** > **Administrator Roles** tab.

   If roles are assigned, they're listed here with information about where those roles apply. For example, in the following image, **BX User** has the **Application Owner** role in two environments. Because the role is assigned at the environment level, they have the role over all of the applications in those environments. In a third environment, they have the role over only two applications. They also have the **Environment Admin** role, and they have that role in three environments.

   |   |                                                                                                          |
   | - | -------------------------------------------------------------------------------------------------------- |
   |   | You can assign administrator roles to users, groups, applications, or PingFederate gateway integrations. |

   ![A screen capture of the user details for BX User. Roles > Administrator Roles is selected, and shows the assignment of the Application Owner role over 2 environments, and in a third over two applications. Also shows the Environment Admin role in three environments.](../_images/wcj1710180598183.png)

   |   |                                                                                                                                                                                             |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Click the **Info** icon to view the permissions associated with the role. Click the down arrow on the right to view the list of environments or populations for which the role is assigned. |

   ![Screen capture of the Environment Admin and Application Owner roles expanded to display detailed information about the environments and applications over which the user is assigned the role.](../_images/xok1710181537536.png)

6. Click **Grant Roles**.

   The **Available Responsibilities** tab lists the roles that you are allowed to assign and the environments for which you are allowed to assign them. A responsibility is the combination of the role assignment and the level, or scope, at which the role is applied. Depending on the role, it could be assigned at the organization, environment, population, or application level.

   The **Granted Responsibilities** tab lists any roles that are currently assigned.

7. On the **Available Responsibilities** tab, click the role that you want to assign or change and perform any combination of the following:

   1. To assign the role, select the checkboxes next to the applicable environments.

      |   |                                                                                           |
      | - | ----------------------------------------------------------------------------------------- |
      |   | Click **Select All** or **Remove All** to select or clear all available responsibilities. |

   2. To remove a role assignment, clear the checkboxes next to the applicable environments.

   3. To grant this access for only a portion of the environment, click the **Reduce Access** icon (![image of reduce access icon](../_images/qge1710506304767.png)), select a subset of the available applications or populations on the **Limit Access** page, and click **Confirm**.

      ![A screen capture of the Limit Access page showing one population selected out of three populations](../_images/qnh1710778106962.png)

      |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
      | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | You can grant only roles that are assigned to you or that confer the permissions needed to assign that role to others. For example, if you do not have the Environment Admin role, you cannot assign the Environment Admin role to others (and that role will not be listed under **Available Responsibilities**). However, if you have the Identity Data Admin role, you can assign either the Identity Data Admin role or the Identity Data Read Only role to others. Learn more about the permissions associated with each role in [Roles](https://developer.pingidentity.com/pingone-api/platform/roles.html) in the PingOne API documentation. |

8. Click **Save**.

### Result

The role assignments that you selected are listed on the **Granted Responsibilities** tab.

## Managing administrator roles using external groups

### Before you begin

Ensure that you have one administrator user with direct sign-on access to PingOne. Add this user to the Administrators environment to keep them separate from your end users.

|   |                                                            |
| - | ---------------------------------------------------------- |
|   | This task uses *PingOne Admin User* to refer to this user. |

### About this task

You can leverage just-in-time provisioning and use external groups, such as those in an identity store accessed through an external identity provider (IdP), to manage administrator role assignment in PingOne. An IdP is a service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network.

For example, you configure PingOne to use an external IdP with Active Directory (AD) as the identity store. AD is a directory service for Windows domain networks, included in most Windows Server operating systems. You then create a group in the Active Directory identity store. You add users to this group and provision it to PingOne to ensure that these users have access to PingOne with the appropriate roles.

To use an external group to manage administrator roles in PingOne:

### Steps

1. Add a custom [OIDC](../integrations/p1_add_idp_oidc.html) or [SAML](../integrations/p1_add_identity_provider_saml.html) external IdP in PingOne.

   |   |                                                                                                         |
   | - | ------------------------------------------------------------------------------------------------------- |
   |   | Managing roles using external groups is currently supported only for custom OIDC or SAML external IdPs. |

   When you get to the step for mapping attributes, you must map at least the following PingOne user attributes to the corresponding attributes for the identity provider:

   * **Username**

   * **Email Address**

   * **External Group Names**

     #### Example:

     ![Screen capture showing the mapping of the Username, Email Address, and External Group Names attributes in PingOne to the corresponding attributes in an external IdP.](_images/vcs1707858536004.png)

     The values in the previous image are for example purposes only. The external attribute names will vary depending on the provider.

     |   |                                                                                                                                                                                                                                                                             |
     | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
     |   | Set **Update Condition** for the **Email Address** and **External Group Names** attributes to **Always**. This ensures that these attributes are updated in PingOne whenever they are updated in the external IdP and that their access and permissions are always in sync. |

     Map additional attributes as needed.

   |   |                                                                                                                          |
   | - | ------------------------------------------------------------------------------------------------------------------------ |
   |   | When authenticating into PingOne from an external IdP, ensure that you enable MFA as part of your authentication policy. |

2. Create the applicable groups in your external identity store.

3. During the initial group set up, add the *PingOne Admin User* to each external group that you want to provision to PingOne.

   |   |                                                                                                                                                                                                                                                                                               |
   | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You can add more users, but at a minimum each group must contain one user with direct access to PingOne before you continue. The process for adding users to groups depends on the external identity store that you are using. Follow the steps in the documentation for your identity store. |

4. Sign on to PingOne as the *PingOne Admin User*.

   #### Result:

   The external groups are provisioned to PingOne using just-in-time provisioning.

   Learn more in [Just-in-time provisioning of external groups](../directory/p1_provision_external_groups.html).

5. Assign the appropriate admin roles to the groups in PingOne.

   Learn more in [Managing roles using groups](#managing-roles-using-groups).

   |   |                                                                                                                                                                                                                    |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | You must assign at least one role to each group, or the users will be unable to sign on to PingOne. These roles are assigned to all users currently in the group and to any users added to the group in the future. |

6. Add users to the external group in the external identity store as needed to ensure that they can access PingOne with the appropriate role assignments.

   Similarly, remove users from the external group to remove their access to PingOne or to move them to a group with different role assignments.

### Next steps

You should audit the users in your external directory regularly to ensure that their group membership and level of access is correct.
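The audit recommended above can be made routine by comparing a fresh export of external group membership against the last approved baseline and checking the preconditions this task sets (every provisioned group carries at least one role, and each contains at least one user with direct PingOne sign-on). The following is an added Python illustration written for this page, not PingOne code: the group names, members, role map and baseline are constructed sample data, and in practice the membership snapshot would be exported from the external identity store and the role map read from PingOne.

```python
"""Periodic audit of administrator access managed through external groups (an
added illustration, not PingOne code). All names below are constructed sample
data standing in for an export from the external identity store."""

# Constructed snapshot of the external directory: group -> current members.
EXTERNAL_GROUPS = {
    "PingOne-EnvAdmins": {"pingone.admin", "alice", "dave"},
    "PingOne-Helpdesk": {"pingone.admin", "bob"},
    "PingOne-Auditors": {"carol"},
}

# Constructed membership baseline approved at the previous review.
BASELINE = {
    "PingOne-EnvAdmins": {"pingone.admin", "alice"},
    "PingOne-Helpdesk": {"pingone.admin", "bob", "erin"},
    "PingOne-Auditors": {"carol"},
}

# Roles assigned to each provisioned group in PingOne (the page requires at least one).
GROUP_ROLES = {
    "PingOne-EnvAdmins": {"Environment Admin"},
    "PingOne-Helpdesk": {"Identity Data Read Only"},
    "PingOne-Auditors": set(),
}

# Users with direct (non-federated) sign-on to PingOne; the page requires one per group.
DIRECT_SIGNON_USERS = {"pingone.admin"}


def membership_drift(current, baseline):
    """Per group, who was added and who was removed since the approved baseline."""
    drift = {}
    for name in set(current) | set(baseline):
        now, then = current.get(name, set()), baseline.get(name, set())
        added, removed = now - then, then - now
        if added or removed:
            drift[name] = {"added": added, "removed": removed}
    return drift


def provisioning_checks(current, group_roles, direct_users):
    """Flag groups that break the task's preconditions: no role assigned (members
    cannot sign on) or no member with direct PingOne access."""
    findings = []
    for name, members in current.items():
        if not group_roles.get(name):
            findings.append((name, "no role assigned; members cannot sign on"))
        if not members & direct_users:
            findings.append((name, "no member with direct PingOne sign-on"))
    return findings


def users_without_access(current, group_roles):
    """Users present in external groups but in none that carries a role."""
    with_role = set().union(*(m for g, m in current.items() if group_roles.get(g)))
    everyone = set().union(*current.values())
    return everyone - with_role


def privileged_members(current, group_roles, role):
    """Everyone who holds the given role through some external group."""
    return set().union(*(m for g, m in current.items() if role in group_roles.get(g, set())))


def audit_report(current=EXTERNAL_GROUPS, baseline=BASELINE,
                 group_roles=GROUP_ROLES, direct_users=DIRECT_SIGNON_USERS):
    """Bundle the checks a reviewer would walk through each audit cycle."""
    return {
        "drift": membership_drift(current, baseline),
        "provisioning": provisioning_checks(current, group_roles, direct_users),
        "no_access": users_without_access(current, group_roles),
        "environment_admins": privileged_members(current, group_roles, "Environment Admin"),
    }


if __name__ == "__main__":
    for section, value in audit_report().items():
        print(f"{section}: {value}")
```

On the sample data the report shows `dave` newly added to the Environment Admin group and `erin` removed from the helpdesk group since the baseline, flags the auditors group for having no role (its members cannot sign on) and no directly signed-on member, and lists the three current environment administrators, which is exactly the set a reviewer should confirm against the approved list.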
