For information about assigning roles to users, see Assigning a user role. You can also assign roles to Worker applications. See Configuring roles for a worker application.

Organization Admin

A role for managing the entire organization. The permissions for an organization administrator are centered around managing organizations, and include functions like creating, editing, and deleting organizations and environments.

Environment Admin

A role for managing environments. The permissions for an environment administrator are centered around managing environments, and include functions like creating, editing, and deleting environments, managing populations, viewing password policies, and assigning roles.

Identity Data Admin

A role for managing identities and identity data. The permissions for an identity data administrator are centered around managing user identities, and include functions like creating users and resetting a user's password.

Client Application Developer

A role for managing API client applications. The permissions for a client application developer are centered around managing applications, and include functions like creating and deleting client applications, and resetting a client secret for an application.

Identity Data Read Only

A subset of the Identity Data Admin role, but with read-only permissions. For example, the Identity Data Admin role can read, update, and delete users, but the Identity Data Read Only role can read user data only. Admins with the Identity Data Admin or Identity Data Read Only role can assign the Identity Data Read Only role to users.

Configuration Read Only

A subset of the Environment Admin role, but with read-only permissions. For example, the Environment Admin role can read, update, and delete environments, but the Configuration Read Only role can read environment data only. Admins with the Environment Admin or Configuration Read Only role can assign the Configuration Read Only role to users.

PingFederate Administrator

Configure partner connections and most system settings, except the management of local accounts and the handling of local keys and certificates.

PingFederate Expression Administrator

Map user attributes by using the OGNL (Object-Graph Navigation Language) expression language.

PingFederate Crypto Administrator

Manage local keys and certificates.

PingFederate User Administrator

Create users, deactivate users, change or reset passwords, and install replacement license keys.

PingFederate Auditor

View-only permissions for all administrative functions.

Note:

If a user has the PingFederate Auditor role in addition to another role, the other role takes priority during SSO to PingFederate. For example, if you have both the PingFederate Auditor and PingFederate Administrator roles, you are assigned only the PingFederate Administrator role when you sign on to PingFederate through SSO.