Create, assign, and manage roles
Roles control the operations that a user can perform in their Identity as a Service account. A role defines a list of system entities and permissions for those entities. System entities identify different Identity as a Service management areas. For example, a user assigned the User Passkey/FIDO2 Token Management entity can view, add, edit, remove, or perform all actions on a Passkey/FIDO2 token, depending on the permissions assigned to that role.
There are five system-defined roles, which cannot be changed. Administrators can also create custom roles. Changes to a role take effect the next time the user logs in. System-defined Identity as a Service roles and roles assigned to user accounts that are synchronized with Active Directory cannot be changed.
System-defined roles include:
- Auditor: This role gives view-only access to the features available on the administrator portal. It has the Manage All Roles permission setting enabled by default.
- Super Administrator: This role provides full access to the features available on the administrator portal. It has the Manage All Roles setting enabled by default.
- Help Desk Administrator: Administrators assigned the Help Desk Administrator role can manage other user accounts with the Auditor and Help Desk Administrator roles and those without a role (end users). They cannot manage users with Super Administrator or custom roles. The Manage All Roles setting cannot be modified for this role.
- SCIM Provisioning: This role allows the SCIM provisioning application to perform resource provisioning using SCIM protocols.
- SIEM Add-on: This role provides view-only access to all SIEM management functions.
- AD Connector: This role allows the AD Connector application to perform AD Connector directory synchronization.
Working with roles
You can create and manage custom roles, as follows:
- Create a custom role
- Clone a role
- Edit a custom role
- Delete a custom role
- Assign custom role permissions
Create a custom role
- Click > Members > Roles. The Roles List page appears.
- Click . The Add Role page appears.
- Enter a Name for your custom role.
- Enter a Description for your custom role.
- Select the Managed Roles, as follows:
  - Select All Roles to allow those assigned this role to manage all users.
  - Select Selected Roles and, from the Select Roles to Manage drop-down list, select the roles that you want users assigned this role to manage. Repeat this step to add more roles.
  For example, if you want to create a custom role called Super Auditor that allows the role to manage all users assigned the Auditor role, select Auditor from the drop-down list. When you select a role, it appears in the Administrator is allowed to manage these roles list.
- Select the Managed Groups the role can manage, as follows:
  - Select All Groups to allow an administrator with this role to administer all groups.
  - Select Own Groups to allow the administrator to administer only the groups to which they belong.
  - Select Selected Groups and, from the drop-down list, select the groups the administrator with this role can administer. Repeat this step to add more groups.
- Select the Permissions assigned to the role. Permissions are grouped by function.
  For example, if you create a custom role called Marketing and want to allow users with the Marketing role to access the Theme page, set Core Administration > Account Branding Customization to All.
- To confirm the role permissions after assigning them, toggle Show enabled only to see the list of permissions assigned to the role.
- Click Add to create the role.
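The Managed Roles, Managed Groups and Permissions settings above decide together whether one administrator may act on another user. The following added example (not Identity as a Service code) models that decision for the system-defined roles and the Super Auditor and Marketing custom roles used on this page; the rule that a target must belong to at least one managed group, and the role and user names, are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Union

# Constructed model of the page's role scoping; not the product's own code.
ALL = "all"      # "All Roles" / "All Groups"
OWN = "own"      # "Own Groups": only the groups the administrator belongs to
END_USER = None  # a user who has no role assigned
ACTIONS = frozenset({"view", "add", "edit", "remove"})


@dataclass(frozen=True)
class Role:
    name: str
    managed_roles: Union[str, FrozenSet[Optional[str]]]  # ALL or role names
    managed_groups: Union[str, FrozenSet[str]]           # ALL, OWN or group names
    permissions: dict = field(default_factory=dict)      # entity -> action or "all"


@dataclass(frozen=True)
class User:
    name: str
    role: Optional[Role]
    groups: FrozenSet[str] = frozenset()


# System-defined roles as the page describes them (permission lists omitted).
SUPER_ADMIN = Role("Super Administrator", ALL, ALL)
AUDITOR = Role("Auditor", ALL, ALL)
HELP_DESK = Role("Help Desk Administrator",
                 frozenset({"Auditor", "Help Desk Administrator", END_USER}), ALL)
# Custom roles from the page's examples, with constructed (assumed) settings.
SUPER_AUDITOR = Role("Super Auditor", frozenset({"Auditor"}), OWN)
MARKETING = Role("Marketing", frozenset(), frozenset(),
                 {"Account Branding Customization": "all"})


def can_manage(admin: User, target: User) -> bool:
    """Managed Roles check first, then Managed Groups; both must pass."""
    if admin.role is None:
        return False
    target_role = target.role.name if target.role else END_USER
    if admin.role.managed_roles != ALL and target_role not in admin.role.managed_roles:
        return False
    if admin.role.managed_groups == ALL:
        return True
    scope = admin.groups if admin.role.managed_groups == OWN else admin.role.managed_groups
    return bool(target.groups & scope)  # assumption: any shared managed group suffices


def has_permission(role: Role, entity: str, action: str) -> bool:
    """A permission level of 'all' on a system entity grants every action on it."""
    level = role.permissions.get(entity)
    return action in ACTIONS and (level == "all" or level == action)
```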
Clone a role
You can create a copy of an existing role.
- Click > Members > Roles. The Roles List page appears.
- Click next to the role you want to clone.
- Click . The Add Role page appears.
- By default, Copy is appended to the name of the role you are cloning.
- Change the role Name, as required.
- Edit the role Description, as required.
- Choose one of the following options:
  - Select Manage All Roles to allow those assigned this role to manage all users.
  - Do not select Manage All Roles and, from the Roles to Manage drop-down list, select the roles that you want users assigned this role to manage.
  For example, if you want to create a custom role called Super Auditor that allows the role to manage all users assigned the Auditor role, select Auditor from the drop-down list.
  Note: You can select more than one role to manage.
- Select the Managed Groups the role can manage, as follows:
  - Select All Groups to allow an administrator with this role to administer all groups.
  - Select Own Groups to allow the administrator to administer only the groups to which they belong.
  - Select Selected Groups and, from the drop-down list, select the groups the administrator with this role can administer. Repeat this step to add more groups.
- Select the Permissions. Permissions define the tasks the role can manage. For example, if you create a custom role called Marketing and want to allow users with the Marketing role to access the Theme page, set Core Administration > Account Branding Customization to All.
- To confirm the role permissions after assigning them, toggle Show enabled only to see the list of permissions assigned to the role.
- Click Add to create the role.
Edit a custom role
- Click > Members > Roles. The Roles List page appears.
- Click the name of the custom role you want to edit. The Edit Role page appears.
- Modify the settings as required.
- Click Save.
Delete a custom role
- Click > Members > Roles. The Roles List page appears.
- Click next to the role you want to delete.
- Click Delete on the confirmation prompt.
Role permissions
Permissions define the tasks the role can perform in Identity as a Service. Permissions are organized into functional categories to help you assign appropriate access levels based on administrative responsibilities. The following sections provide details about permissions available in each category.
Core Administration
| System entity | Description |
|---|---|
| Account and Authenticator Settings | Controls the settings of the authenticators available in Identity as a Service; required to access the KBA WordMaps feature. |
| Account Branding Customization | Allows administrators to customize the appearance of their Identity as a Service account and email templates. |
| Account Entitlement Status | Allows administrators to see the number of entitlements assigned to their account. |
| Account Reports | Allows administrators to monitor account activity and generate reports on specific metrics. |
| Archive Management | Allows administrators to view and download archived audits. |
| Email Template Management | Allows administrators to manage custom email templates. |
| Export Reports | Allows users to export user, grid card, and audit reports. |
| Roles Management | Controls the level of access each user has to Identity as a Service features. |
| Scheduled Task Management | Allows administrators to schedule tasks such as report generation. |
| User Grid Card Content Management | Allows administrators to print, export, and view grid cards. |
| User Management | Allows administrators to manage users of their Identity as a Service accounts. |
| User Role Management | Allows administrators to manage user roles. |
User Authenticators
| System entity | Description |
|---|---|
| ActiveSync Device Management | Allows administrators to manage ActiveSync access. |
| Entrust Soft Token Manual Activation Details | Allows administrators to view the activation code for an Entrust Soft Token authenticator. |
| Magic Link Management | Allows administrators to manage Magic Links. |
| Magic Link Content Management | Allows administrators to manage Magic Link content. |
| OTP Management | Allows administrators to create and obtain OTP values for a user using an Admin API. |
| Pass-through Authenticator Management | Allows administrators to manage pass-through authenticators. |
| Phone/Email OTP Verification | Allows administrators to manage phone and email OTPs. |
| User Desktop Management | Allows administrators to view and remove Desktop entities in the user's Devices tab. |
| User Face Biometric Management | Allows administrators to manage Face Biometric authenticators. |
| User Grid Card Management | Allows administrators to assign, delete, view, edit, and enable or disable user grid cards. |
| User Knowledge-based Authenticator Management | Allows administrators to manage KBA authenticators. |
| User Knowledge-based Authenticator View Answers | Allows administrators to view answers entered for a user's KBA from the administrator portal. |
| User Machine ID Authenticator Management | Allows administrators to manage machine authenticators listed on a user's authenticator page. |
| User Passkey/FIDO2 Token Management | Allows administrators to manage user passkey/FIDO2 authenticators. |
| User Password Authenticator Management | Allows administrators to manage user passwords. |
| User Risk-based Authentication Management | Allows administrators to manage user risk-based authenticator settings. |
| User Temporary Access Code Management | Allows administrators to view or create a temporary access code for a user (code value requires View permission). |
| User Temporary Access Code View Value | Allows administrators to view a user's temporary access code value. |
| User Token Authenticator Management | Allows administrators to control hardware and soft token authenticators assigned to other users. |
Directories & Access
| System entity | Description |
|---|---|
| Directories and Directory Sync | Controls which corporate directories synchronize with Identity as a Service. |
| Directory Password | Allows administrators to read the directory account password for AD Connector directories through the API. |
| Enterprise Gateway and Agents Management | Controls gateways and gateway instances such as Directory Synchronization, RADIUS Proxy, Password, and Identity Guard agents. |
| Groups Management | Controls the groups available on an account. |
| Identity Provider Management | Allows administrators to configure and manage identity providers. |
| Organizations | Allows administrators to manage organizations and domain-based identity providers for OIDC applications. |
| User Attribute Management | Allows administrators to manage the information fields available in user profiles. |
| Verify User | Allows administrators to manage user verification. |
Application & Service Providers
| System entity | Description |
|---|---|
| Application Template Management | Allows access to configuration settings needed to add an application to Identity as a Service. |
| Applications Management | Allows administrators to configure applications so they are accessible after authenticating to Identity as a Service. |
| Outbound Provisioning Management | Allows administrators to create and manage provisioners for third-party user provisioning. |
| Resource Rules Management | Allows administrators to define resource rules for application access restrictions. |
Access Management and APIs
| System entity | Description |
|---|---|
| Access Management Roles Management | Allows administrators to manage Role-Based Access Control (RBAC) for protected OAuth resources. |
| APIs/URLs Management | Allows administrators to manage OAuth resource server APIs. |
| Scopes Management | Allows administrators to manage OAuth API/URL scopes. |
| User OAuth Token Management | Allows administrators to view and revoke OAuth tokens. |
| User Smart Credential Signature | Allows users to access APIs that support smart credential push signature. |
| Webhooks Management | Allows administrators to manage webhooks. |
Certificates & Security
| System entity | Description |
|---|---|
| Certificate Authority Management | Allows administrators to access certificate authorities configured on an Identity as a Service account. |
| Digital ID Management for Smart Credentials | Allows administrators to access each digital ID configuration within a configured CA. |
| Domain Controller Certificates | Allows administrators to configure domain controllers. |
| Smart Credential Definition Management | Allows administrators to access smart credential definitions configured in an account. |
| User Smart Credential Authenticator Management | Allows administrators to access Mobile Smart Credentials assigned to each user. |
Issuance and Credentials
| System entity | Description |
|---|---|
| Verifiable Credential Definition Management | Allows administrators to manage verifiable credential definitions. |
| Verifiable Credential Management | Allows administrators to manage verifiable credentials. |
| Verifiable Presentation Definition Management | Allows administrators to manage verifiable credential presentation definitions. |
Bulk Operations
| System entity | Description |
|---|---|
| Bulk Group Operations | Allows administrators to import many groups by using CSV files. |
| Bulk Hardware Token Operations | Allows administrators to bulk import token data files and assign hardware tokens. |
| Bulk IdentityGuard Operations | Allows administrators to bulk import Entrust IdentityGuard authenticators (KBA, Entrust Soft Tokens, Hardware Tokens). |
| Bulk User Operations | Allows administrators to import many users by using CSV files. |