PingOne

Administrator roles and permissions

An administrator role is a collection of permissions that can be assigned to a user, application, or connection, and then applied to a level, or scope, within PingOne. The combination of the role permissions and the level at which the role is applied determines what an administrator can do (permissions) and where they can do it (level or scope).

In PingOne, roles can be applied to the organization, environment, population, or application level, although not all roles can be applied at all levels.

PingOne includes a number of built-in administrator roles. These roles are not hierarchical, and there is no super admin role that has permissions to perform every action at every level in PingOne. The roles available to your organization depend on your configuration and licensing.

Add all of your PingOne administrators to the Administrators environment to separate administrators from end users, to make managing external identity providers easier, and to prevent privilege escalation. Administrators do not have to belong to an environment to have administrator permissions over that environment. Learn more in Environments.

PingOne administrators can have multiple administrator identities across multiple environments in a single organization, a single administrator identity over multiple environments, or a combination of both. They can also have different roles that apply in those different contexts.

A diagram showing an administrator with access to three environments: Administrators, Test, and Production. The Administrators environment is the source environment.
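The role-plus-level model and the Administrators-environment recommendation above can be checked against an inventory of role assignments. The following is an added example, not PingOne code or API output: the role names, the role-to-level map, the tuple layout, and the sample assignments are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: the levels each role may be applied at. Role names are
# placeholders, not PingOne's built-in roles.
ROLE_LEVELS = {
    "example-org-role": {"organization"},
    "example-env-role": {"organization", "environment"},
    "example-identity-role": {"environment", "population"},
    "example-app-role": {"application"},
}

# Constructed inventory:
# (admin, environment holding the identity, role, level, target)
ASSIGNMENTS = [
    ("alice", "Administrators", "example-env-role", "environment", "Test"),
    ("alice", "Administrators", "example-env-role", "environment", "Production"),
    ("bob", "Production", "example-identity-role", "population", "Customers"),
    ("carol", "Administrators", "example-app-role", "environment", "Production"),
]


def audit(assignments, role_levels, admin_env="Administrators"):
    """Return (findings, scopes): policy findings and where each admin can act."""
    findings = []
    scopes = defaultdict(set)
    for admin, home_env, role, level, target in assignments:
        allowed = role_levels.get(role)
        if allowed is None:
            findings.append((admin, "unknown-role", role))
            continue
        if level not in allowed:
            # Not every role can be applied at every level.
            findings.append((admin, "invalid-level", f"{role}@{level}"))
            continue
        if home_env != admin_env:
            # The admin identity sits alongside end users instead of in the
            # dedicated Administrators environment.
            findings.append((admin, "outside-admin-env", home_env))
        scopes[admin].add((level, target))
    return findings, dict(scopes)


if __name__ == "__main__":
    findings, scopes = audit(ASSIGNMENTS, ROLE_LEVELS)
    for finding in findings:
        print("FINDING", *finding)
    for admin, where in sorted(scopes.items()):
        print(admin, sorted(where))
```
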

For some complex use cases, you might need multiple administrator identities to configure multiple organizations. An example use case is a contractor working with more than one company to configure environments. In this scenario, the contractor would need an administrator identity in each company’s organization. Similarly, if a company has organizations in multiple geographic regions, an administrator who needs to manage all of those organizations needs an identity in each organization.

You can’t have more than one instance of the same identity in a single environment. For these complex use cases, you must create those identities in multiple environments.

If you have multiple administrator identities associated with the same email address, you can select which organization you want to authenticate to after signing on. You’ll need to choose the identity with the right permissions based on the actions you intend to take.

A diagram showing an administrator with two PingOne identities and the environments in each organization.

Learn more about administrator roles in: