You can assign administrator roles to individual users or to groups.
Managing roles individually
Use the Users page to add roles to a user.
The role assignments that you selected are listed on the Granted Responsibilities tab.
Managing roles using groups
Use the Groups page to add roles to a group.
Assigning roles to groups allows you to:
- Manage roles for multiple users at once.
- Apply role changes in bulk.
- See users that have a certain role by viewing group members.
For security reasons, only static groups can have roles assigned to them. That is, you can’t assign roles to groups whose members are included based on a filter or rule. With a dynamic group, a user who later matches the filter would join the group and inherit its role assignments without anyone explicitly granting them. For more information, see Static and dynamic groups.
Adding a user to a group that has roles assigned grants that user the group's roles, so check a group's role assignments before adding members to it. A role that a user holds through group membership is removed by removing the user from the group; a role assigned to the user individually is removed from the user directly.
- You can assign only roles that are assigned to you, or that are assignable by those roles. For example, the Identity Data Admin role has permissions that allow it to assign the Identity Data Admin Read Only role. Therefore, if you are assigned the Identity Data Admin role, you can assign that role or the Identity Data Admin Read Only role to a group.
- An admin who does not have permission to assign roles can still add or remove users from a group that has role assignments. The two actions are controlled separately: one admin can assign roles to a group, and a different admin can add or remove users from that group.
- You cannot assign roles to a group that you are a member of.
- You cannot add or remove yourself from a group that has roles assigned to it.
- Roles assigned to a group will not affect roles that are assigned to a user individually.
- You can assign roles in up to 500 groups.
Managing group roles
Assign roles to groups of administrators using the Groups page.
The role assignments that you selected are listed on the Granted Responsibilities tab.
Managing administrator roles using external groups
Ensure that you have one administrator user with direct sign-on access to PingOne. Add this user to the Administrators environment to keep them separate from your end users.
This task uses PingOne Admin User to refer to this user.
You can leverage just-in-time provisioning and use external groups, such as those in an identity store accessed through an external identity provider (IdP), to manage administrator role assignment in PingOne.
For example, you configure PingOne to use an external IdP with Active Directory (AD) as the identity store. You then create a group in the Active Directory identity store. You add users to this group and provision it to PingOne to ensure that these users have access to PingOne with the appropriate roles.
To use an external group to manage administrator roles in PingOne:
You should audit the users in your external directory regularly to ensure that their group membership and level of access is correct.
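The assignment rules listed under "Managing roles using groups" and the audit recommended here can be checked mechanically. The following is an added example, not PingOne's API or code: it models a tenant's groups and individual role assignments in plain Python, enforces the static-group, self-membership, assignable-role and 500-group rules before a group role is granted, and reports each user's effective roles with their source. The group names, user names and the `sample_tenant()` data are constructed for illustration; the only role relationship taken from the page is Identity Data Admin being able to assign Identity Data Admin Read Only.

```python
from dataclasses import dataclass, field
MAX_ROLE_GROUPS = 500  # "You can assign roles in up to 500 groups."
# Roles a holder of the key role may additionally assign (page example only).
ASSIGNABLE_BY = {"Identity Data Admin": {"Identity Data Admin Read Only"}}

@dataclass
class Group:
    name: str
    dynamic: bool  # True when members are included by a filter or rule
    members: set = field(default_factory=set)
    roles: set = field(default_factory=set)

@dataclass
class Tenant:
    groups: dict      # group name -> Group
    user_roles: dict  # user -> roles assigned to that user individually

    def effective_roles(self, user):
        roles = set(self.user_roles.get(user, set()))
        for g in self.groups.values():
            if user in g.members:
                roles |= g.roles  # group roles add to, never replace, direct ones
        return roles

    def can_assign(self, actor, role):
        # A role the actor holds, or one assignable by a role the actor holds
        return any(role == r or role in ASSIGNABLE_BY.get(r, set())
                   for r in self.effective_roles(actor))

    def assign_group_role(self, actor, group_name, role):
        g = self.groups[group_name]
        if g.dynamic:
            raise PermissionError("only static groups can have roles assigned")
        if actor in g.members:
            raise PermissionError("cannot assign roles to a group you belong to")
        if not self.can_assign(actor, role):
            raise PermissionError(f"{actor} may not assign {role}")
        in_use = sum(1 for x in self.groups.values() if x.roles)
        if not g.roles and in_use >= MAX_ROLE_GROUPS:
            raise PermissionError("limit of 500 role-bearing groups reached")
        g.roles.add(role)

    def audit(self, user):  # each effective role -> ["direct" | "group:<name>", ...]
        sources = {r: ["direct"] for r in self.user_roles.get(user, set())}
        for g in self.groups.values():
            for r in (g.roles if user in g.members else ()):
                sources.setdefault(r, []).append(f"group:{g.name}")
        return sources

def sample_tenant():  # constructed sample data, not a real environment
    return Tenant(
        groups={"id-admins": Group("id-admins", False, {"bob"}),
                "contractors": Group("contractors", True, {"carol"})},
        user_roles={"alice": {"Identity Data Admin"}})
```

Running `audit()` over every user in the tenant gives the per-user review this section recommends, and makes roles inherited through group membership visible separately from roles granted individually.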