For information about assigning roles to users, see Managing user roles.

For information about assigning roles to a user group, see Group roles.

You can also assign roles to Worker applications. See Configuring roles for a worker application.

For details about the permissions associated with default roles, see PingOne Role Permissions.

Organization Admin

A role for managing the entire organization. The permissions for an organization administrator are centered around managing organizations, and include functions like creating, editing, and deleting organizations and environments.

Environment Admin
A role for managing environments. The permissions for an environment administrator are centered around managing environments, and include functions like editing environments, managing populations, viewing password policies, and assigning certain roles.
Identity Data Admin

A role for managing identities and identity data. The permissions for an identity data administrator are centered around managing user identities, and include functions like creating users, and resetting a user's password.

Client Application Developer

A role for managing API client applications. The permissions for a client application developer are centered around managing applications, and include functions like creating and deleting client applications, and resetting a client secret for an application.

Identity Data Read Only

A subset of the Identity Data Admin role, but with read-only permissions. For example, the Identity Data Admin role can read, update, and delete users, but the Identity Data Read Only role can read user data only. Admins with the Identity Data Admin or Identity Data Read Only role can assign the Identity Data Read Only role to users.

Configuration Read Only

A subset of the Environment Admin role, but with read-only permissions. For example, the Environment Admin role can read, update, and delete environments, but the Configuration Read Only role can read environment data only. Admins with the Environment Admin or Configuration Read Only role can assign the Configuration Read Only role to users.

PingFederate Administrator
Configure partner connections and most system settings, except the management of local accounts and the handling of local keys and certificates.
PingFederate Expression Administrator
Map user attributes by using the OGNL (Object-Graph Navigation Language) expression language.
PingFederate Crypto Administrator
Manage local keys and certificates.
PingFederate User Administrator
Create users, deactivate users, change or reset passwords, and install replacement license keys.
PingFederate Auditor
View-only permissions for all administrative functions.
Note:

If a user has the PingFederate Auditor role in addition to another PingFederate role, during SSO to PingFederate, the Auditor role is stripped out and only the other role remains. For example, if you have the PingFederate Auditor and PingFederate Administrator roles, when you SSO to PingFederate, the PingFederate Auditor role is removed and you will have only the PingFederate Administrator role.

DaVinci roles

For PingOne environments that include the PingOne DaVinci service, PingOne includes two DaVinci-specific roles. These roles give PingOne admins access to DaVinci and determine their level of access to DaVinci.

The user adding DaVinci to an environment is given the DaVinci Admin role.

DaVinci Admin
A role with full read and write access to the DaVinci console. Create, edit, and delete DaVinci flows, deploy DaVinci flows, create, edit, and delete connections and variables.
DaVinci Admin Read Only
A role with read-only access to the DaVinci console. Read flows, connections, and variables.