--- title: Administrative roles description: The following table describes the administrative roles available in PingOne for Enterprise accounts. component: pingoneforenterprise page_id: pingoneforenterprise:pingone_for_enterprise:p14e_administrative_roles canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_administrative_roles.html revdate: September 30, 2022 --- # Administrative roles The following table describes the administrative roles available in PingOne for Enterprise accounts. You can assign administrators to a read-only role, which grants access to the areas of the admin portal normally allowed by that administrative role, but not the ability to change settings. | | | | - | ---------------------------------------------------------------------- | | | Administrators can only be assigned one administrative role at a time. | In PingOne SSO for SaaS Apps accounts, the only administrative roles are **Audit & Report Administrator** and **Global Administrator**. For PingOne SSO for SaaS Apps with Managed Accounts, managed accounts have the PingOne for Enterprise administrative roles. | Administrative Role | Description | | ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Application Administrator** | Can manage only the specific applications that you assign. After saving the role assignment, you can choose to limit the management permissions.An application administrator has access only to the admin portal pages associated with their assigned management permissions.Learn more in [Assign Application Administrator applications](p14e_assign_application_administrator_applications.html). | | **Audit & Report Administrator** | Can manage subscriptions for audit events and run reports.Can only access the following pages:- **SSO Dashboard** - **PingID Dashboard** - **Reporting** | | **Global Administrator** | Has full permissions to manage and configure all aspects of the account and the admin portal, including the ability to manage all group and role assignments.Receives email notifications before and after certificate expiration. For more information, see [Certificate management](p14e_managing_certificates.html).For the PingOne for Enterprise Directory, assigning a user the global administrator role also assigns the user to the domain administrators group.If you set up the PingOne for Enterprise account, you are automatically assigned the role of global administrator. | | **Identity Repository Administrator** | Manages the configuration of identity repositories.Can only access the following pages:- **Identity Repository** - **Dock** - **Authentication Policy** - **PingID** - **Certificates** - **Branding** - **User Directory** - **Users by Services** - **Reporting** - **SSO Dashboard** - **PingID Dashboard**The identity repository administrator can also view and modify the directory settings when using the PingOne for Enterprise Directory. | | **PingID Device Administrator** | This role can only access **Users > Users by Service > PingID**.This role can unpair one or more user devices, or assign a device as the user's primary device. PingID Device Administrators have the optional ability to grant temporary MFA bypasses to users. To enable this permission, go to Account > Administrators > Permissions and select Allow Bypass.For more information about managing PingID device settings, see [PingID User Life Cycle Management](https://docs.pingidentity.com/pingid/pingid_user_life_cycle_management/pid_user_life_cycle_management.html) in the PingID documentation. | | **SaaS Administrator** | Manages the Application Catalog and application connections.Receives email notifications before and after certificate expiration. For more information, see [Certificate management](p14e_managing_certificates.html).Can only access the following pages:- **My Applications** - **Application Catalog** - **PingID SDK Applications** - **OAuth Settings** - **User Groups** - **Users by Service** - **Authentication Policy** - **PingID** - **Certificates** - **Reporting** - **SSO Dashboard** - **PingID Dashboard** | | **Service User Administrator** | Manages the PingOne for Enterprise services a user can use.This role includes the capabilities of the PingID Device Administrator.Can only access the following pages:- **Users by Service** - **Reporting** | | **Support Administrator** | Has Read/Write permissions to the admin portal.Can impersonate and manage subtenants, but can't make changes in parent account.Available only on PingOne for Enterprise for Managed Service Providers. |