Administrative roles - PingOne for Enterprise

PingOne for Enterprise

bundle

pingoneforenterprise

ft:publication_title

PingOne for Enterprise

Product_Version_ce

PingOne for Enterprise

category

Product

pingone

ContentType_ce

The following table describes the administrative roles available in PingOne for Enterprise accounts.

You can assign administrators to a read-only role, which grants access to the areas of the admin portal normally allowed by that administrative role, but not the ability to change settings.

Note: Administrators can only be assigned one administrative role at a time.

In PingOne SSO for SaaS Apps accounts, the only administrative roles are Audit & Report Administrator and Global Administrator.

For PingOne SSO for SaaS Apps with Managed Accounts, managed accounts have the PingOne for Enterprise administrative roles.

Administrative Role	Description
Application Administrator	Can manage only the specific applications that you assign. After saving the role assignment, you can choose to limit the management permissions. An application administrator has access only to the admin portal pages associated with their assigned management permissions. For more information, see Assign Application Administrator applications.
Audit & Report Administrator	Can manage subscriptions for audit events and run reports. Can only access the following pages: SSO Dashboard PingID Dashboard Reporting
Global Administrator	Has full permissions to manage and configure all aspects of the account and the admin portal, including the ability to manage all group and role assignments. Receives email notifications before and after certificate expiration. For more information, see Certificate management. For the PingOne for Enterprise Directory, assigning a user the global administrator role also assigns the user to the domain administrators group. If you set up the PingOne for Enterprise account, you are automatically assigned the role of global administrator.
Identity Repository Administrator	Manages the configuration of identity repositories. Can only access the following pages: Identity Repository Dock Authentication Policy PingID Certificates Branding User Directory Users by Services Reporting SSO Dashboard PingID Dashboard The identity repository administrator can also view and modify the directory settings when using the PingOne for Enterprise Directory.
PingID Device Administrator	This role can only access Users > Users by Service > PingID. This role can unpair one or more user devices, or assign a device as the user's primary device. Note: PingID Device Administrators have the optional ability to grant temporary MFA bypasses to users. To enable this permission, go to Account > Administrators > Permissions and select Allow Bypass. For more information about managing PingID device settings, see PingID User Life Cycle Management in the PingID documentation.
SaaS Administrator	Manages the Application Catalog and application connections. Receives email notifications before and after certificate expiration. For more information, see Certificate management. Can only access the following pages: My Applications Application Catalog PingID SDK Applications OAuth Settings User Groups Users by Service Authentication Policy PingID Certificates Reporting SSO Dashboard PingID Dashboard
Service User Administrator	Manages the PingOne for Enterprise services a user can use. This role includes the capabilities of the PingID Device Administrator. Can only access the following pages: Users by Service Reporting
Support Administrator	Has Read/Write permissions to the admin portal. Can impersonate and manage subtenants, but cannot make changes in parent account. Available only on PingOne for Enterprise for Managed Service Providers.