Assign administrative roles

PingOne for Enterprise has several levels of administrative access that you can assign.

About this task

The administrators of your PingOne for Enterprise account will have access to the admin portal. The people you invite as administrators do not need to be current users of your account. They’ll be added as new users when they accept your email invitation.

You must be a Global Administrator to assign other administrative roles, to disable or delete other administrators, and to access the Dashboard page.

You can enable single sign-on (SSO) for admin authentication to the admin portal. The admin portal is then displayed as one of the applications on the PingOne dock for these administrative users. For instructions, see Configuring SSO to the PingOne for Enterprise admin portal.

Steps

Go to Account → Administrators and click Add Administrator.
In the First Name and Last Name fields, enter the new admin’s name.
In the Email field, enter the email address to send the invitation email to.
In the Role list, choose an administrative role.

For more information about administrative roles and permissions, see Administrative roles.
Optional: Select Read Only to give the administrator the ability to view data and configurations allowed by their role, but not the ability to make system changes.

Optional: Select SSO Admin to create an administrator who can access the admin portal only through single sign-on (SSO).

Selecting this option changes the Email field to Username. Administrators created with this option will not receive an email invitation, and must access the admin portal by SSO into the PingOne dock.

An email-invited administrator email address must be unique across all PingOne for Enterprise accounts. If an admin’s email address is already in use in another account, you can still add them as an admin using the SSO Admin check box. SSO admin usernames must be unique only within your account.

Click Save.

Result

PingOne for Enterprise sends an email invitation to the user you’re inviting. The email invite is valid for 3 days, or until a new invitation is sent.

When the user clicks the link in the email to accept the invitation, they’re prompted to assign a password for their account. If their account doesn’t already exist, the new account is created.

When the new administrator first signs on (SSO) to the admin portal, they are added to the list of administrators located at Account → Administrators.

The administrator is added to the administrators list only if the PingOne for Enterprise connection to your identity repository maps either the PingOne for Enterprise email or SAML_SUBJECT attribute to the email attribute for your identity repository. This is generally the case.