---
title: Setting up your environment in PingOne
description: This topic guides administrators through the process of setting up a new environment for PingOne Privilege.
component: privilege
page_id: privilege:getting-started:setting-up-environment
canonical_url: https://docs.pingidentity.com/privilege/getting-started/setting-up-environment.html
revdate: May 8, 2026
section_ids:
  before-you-begin: Before you begin
  step-1-add-the-pingone-privilege-service: "Step 1: Add the PingOne Privilege service"
  step-2-create-and-configure-an-administrator-group: "Step 2: Create and configure an administrator group"
  step-3-assign-roles-and-add-users-to-the-administrator-group: "Step 3: Assign roles and add users to the administrator group"
---

# Setting up your environment in PingOne

This topic guides administrators through setting up a new environment for PingOne Privilege, which is the first step to enabling secure, centralized privileged access management (PAM) for your organization.

|   |                                                                                                                                                                                                                                                                                   |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | PingOne Privilege is currently part of a controlled release. The application and required roles are feature-flagged for new tenants. If you don't see the PingOne Privilege application or the required roles in your tenant, contact Ping Identity support to have them enabled. |

## Before you begin

* You must have access to the PingOne admin console.

* Your account must have the following administrator roles assigned for the initial setup: **Identity Data Admin**, **PingOne Privilege Administrator**, and **Application Owner**.

* You need a PingOne environment and a solution built with PingOne SSO and PingOne MFA. Learn more in [Building solutions](https://docs.pingidentity.com/pingone/getting_started_with_pingone/p1_building_solutions.html) in the PingOne documentation.

## Step 1: Add the PingOne Privilege service

1. In the PingOne admin console, go to **Overview**.

2. In the **Services** section, click the **[icon: plus, set=fa]**icon.

3. In the **Add a Service** list, select **PingOne Privilege**.

   ![A screenshot showing the Add a Service list with p1privilege selected.](_images/p1p_add_privilege.png)

4. Select the **Authentication Mode**.

   |   |                                                                                                                                                                                                                                                                                                                                 |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | The authentication mode determines how you deploy PingOne Privilege and how users authenticate.- For agentless deployments, users authenticate via PingOne SSO.

   - For agent-based deployments, users authenticate via the PingOne Privilege agent.Learn more in [Choosing a deployment model](choosing-deployment-model.html). |

5. Click **Finish**.

## Step 2: Create and configure an administrator group

1. In the PingOne admin console, go to **Directory > Groups**.

2. Click the **[icon: plus, set=fa]**icon and create a new group for PingOne Privilege administrators, for example, `Privilege Admins`.

3. Go to **Applications > Applications** and click the **PingOne Privilege** application.

4. In the **Access** tab, click the **Pencil** icon.

5. In the **Edit Access** window, add the administrator group you just created. Click **Save**.

## Step 3: Assign roles and add users to the administrator group

1. In the PingOne admin console, go to **Directory > Users**.

2. Select a user to be a PingOne Privilege administrator.

3. In the user's profile, go to the **Groups** tab and add the user to the PingOne Privilege administrator group you created.

4. Go to the **Roles** tab and assign the following roles to the user:

   |   |                                                                                                                                                                                                                                                                                                                                                                    |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | The following roles are required for the initial setup of PingOne Privilege:- **PingOne Privilege Administrator**: Required to create onboarding links and manage PingOne Privilege resources.

   - **Identity Data Administrator**: Required to manage users and groups in the directory.

   - **Application Owner**: Required to grant application access to groups. |

5. Click **Save**.

6. Repeat these steps for each user who will be a PingOne Privilege administrator.