Managing administrators - PingOne - PingOne Cloud Platform

If you are an administrator with the appropriate permissions, you can assign roles to other administrators to define their permissions.

You can add roles to users individually or to groups.

Managing roles individually

Use the Users page to add roles to a user.

  1. In PingOne, go to the Administrators environment.
    Note:

    Older organizations might not have an Administrators environment by default. To separate administrators from end users and improve security posture, you should manage all administrators in their own environment.

  2. In the left navigation pane, go to Directory > Users.
  3. Browse for an existing user or create a new one.

    For more information, see Adding a user.

  4. Click the user entry to open the user details panel and then click the Roles tab.
  5. Do one or more of the following.
    • Add a role. To add roles, click Grant roles. Select or clear the appropriate responsibilities. To see all responsibilities, click Available responsibilities. To see only the currently assigned responsibilities, click Granted responsibilities. You can assign more than one role to a user. For information on administrator roles, see Roles.
      Tip:

      Click Select all or Remove all to select or clear all available responsibilities.

    • Reduce access for a responsibility. You can choose to grant fewer responsibilities than your current user account has. Use this feature to limit the user's access to a particular environment or population. Click the funnel icon, and then select or clear the appropriate environments or populations.
    • Remove a role. Locate the role that you want to remove, and then clear the check box for that role.

  6. Click Save.

Managing roles using groups

Use the Groups page to add roles to a group.

Assigning roles to groups allows you to:

  • Manage roles for multiple users at once.
  • Apply role changes in bulk.
  • See users that have a certain role by viewing group members.

For security reasons, only static groups can have roles assigned to them. That is, you can’t assign roles to groups that have members included based on a filter or rule. With a dynamic group, you might inadvertently add users to the group that would inherit role assignments. For more information, see Static and dynamic groups.

When adding users to groups that have roles assigned, be careful not to inadvertently assign a role to a user by adding them to a group. If a user has a role from being in a group, remove the user from the group to remove the role. If a user has a role assigned to them individually, you can remove the role from the user.

Note:
  • You can assign only roles that are assigned to you, or that are assignable by those roles. For example, the Identity Data Admin role has permissions that allow it to assign the Identity Data Admin Read Only role. Therefore, if you are assigned the Identity Data Admin role, you can assign that role or the Identity Data Admin Read Only role to a group.
  • An admin might not have permissions to assign roles but can add or remove users from a group that has role assignments. In other words, one admin can assign roles to a group, and a different admin can add or remove users from that group.
  • You cannot assign roles to a group that you are a member of.
  • You cannot add or remove yourself from a group that has roles assigned to it.
  • Roles assigned to a group will not affect roles that are assigned to a user individually.
  • You can assign roles in up to 500 groups.
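
The following is an added example, not PingOne code or API output: a small Python audit that works out each administrator's effective roles from direct and group assignments, and lists every change needed before a role is actually gone. The data layout, group names and user names are constructed for illustration; only the two role names come from this page.

```python
from collections import defaultdict

# Constructed sample data (hypothetical layout, not a PingOne export format).
GROUPS = {
    "idm-admins": {"members": {"alice", "bob"}, "roles": {"Identity Data Admin"}},
    "idm-auditors": {"members": {"bob", "carol"}, "roles": {"Identity Data Admin Read Only"}},
}
DIRECT_ROLES = {"bob": {"Identity Data Admin"}, "dave": {"Identity Data Admin Read Only"}}


def effective_roles(groups, direct_roles):
    """Map user -> {role: sorted sources}; a source is 'direct' or 'group:<name>'."""
    result = defaultdict(lambda: defaultdict(set))
    for user, roles in direct_roles.items():
        for role in roles:
            result[user][role].add("direct")
    for name, group in groups.items():
        for user in group["members"]:
            for role in group["roles"]:
                result[user][role].add(f"group:{name}")
    return {u: {r: sorted(s) for r, s in roles.items()} for u, roles in result.items()}


def revocation_steps(user, role, groups, direct_roles):
    """List every change needed before `user` no longer holds `role`."""
    sources = effective_roles(groups, direct_roles).get(user, {}).get(role, [])
    steps = []
    for src in sources:
        if src == "direct":
            steps.append(f"remove role '{role}' from user {user}")
        else:
            steps.append(f"remove {user} from group {src.split(':', 1)[1]}")
    return steps


def inherited_only(groups, direct_roles):
    """(user, role) pairs held only through group membership, worth reviewing for accidental grants."""
    out = []
    for user, roles in effective_roles(groups, direct_roles).items():
        for role, sources in roles.items():
            if "direct" not in sources:
                out.append((user, role))
    return sorted(out)

if __name__ == "__main__":
    for step in revocation_steps("bob", "Identity Data Admin", GROUPS, DIRECT_ROLES):
        print(step)
    print(inherited_only(GROUPS, DIRECT_ROLES))
```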

Adding roles to a group

Use the Groups page to add roles to a group.

  1. In PingOne, go to the Administrators environment.
    Note:

    Older organizations might not have an Administrators environment by default. We recommend that you manage all administrators in their own environment to separate administrators from end users and improve security posture.

  2. On the left navigation pane, go to Directory > Groups.
  3. Browse for an existing group, or create a new one. See Creating a group.
  4. Click the group entry to open the details panel.
  5. Click the Roles tab.
  6. Do one or more of the following:
    • Add a role. To add roles to the group, click Grant roles. Select or clear the appropriate responsibilities. To see all responsibilities, click Available responsibilities. To see only the currently assigned responsibilities, click Granted responsibilities. You can assign groups more than one role. For information on administrator roles, see Roles.
      Tip:

      Click Select all or Remove all to select or clear all available responsibilities.

    • Reduce access for a responsibility. You can choose to grant fewer responsibilities than your current user account has. Use this feature to limit the group’s access to a particular environment or population. Click the funnel icon, and then select or clear the appropriate environments or populations.
    • Remove a role. Locate the role you want to remove, and then clear the check box for that role.
  7. Click Save.