
Create, assign, and manage roles

Roles control what users can do in IDaaS. Each role defines which system entities a user can access and which actions they can perform on those entities. System entities represent different IDaaS management areas. For example, a role that includes the User Passkey/FIDO2 Token Management entity allows a user to view, add, edit, or remove Passkey/FIDO2 tokens, depending on the permissions assigned to the role.

IDaaS includes six system‑defined roles that cannot be modified; administrators can also create custom roles. Changes to a role take effect the next time an affected user logs in, so a user who is already signed in keeps the old permissions until that session ends. You also cannot change the role assigned to a user account synchronized with Active Directory.

System-defined roles include:

  • Auditor. Provides view-only access to the features available in the Administrator Portal. Manage All Roles is enabled by default.
  • Super Administrator. Provides full access to the features available in the Administrator Portal. Manage All Roles is enabled by default.
  • Help Desk Administrator. Allows management of other user accounts that have the Auditor or Help Desk Administrator role, and of accounts without a role (end users).
    • Help Desk Administrators cannot manage Super Administrators or users with custom roles.
    • This role cannot modify the Manage All Roles setting.
  • SCIM Provisioning. Allows the SCIM provisioning application to perform resource provisioning using the SCIM protocol.
  • SIEM Add-on. Provides view-only access to all SIEM management functions.
  • AD Connector. Allows the AD Connector application to perform AD Connector directory synchronization.

Working with roles

You can create and manage custom roles as follows:

Create a custom role

  1. Click the menu icon > Members > Roles. The Roles List page appears.

  2. Click the add icon. The Add Role page appears.

  3. Enter a Name for your custom role.

  4. Enter a Description for your custom role.

  5. Under Managed Roles, select one of the following:

    • All Roles to allow users with this role to manage all users.

    • Selected Roles to allow users with this role to manage only selected roles.

      If you choose Selected Roles, add the applicable role by selecting it from the Select Roles to Manage drop-down list and repeat this step to add more roles. When you select a role, it appears in the Administrator is allowed to manage these roles list.

      For example, to create a custom role called Super Auditor whose holders can manage all users assigned the Auditor role (and no one else), select Auditor from the drop-down list.

  6. Under Managed Groups, select one of the following:

    • All Groups to allow an administrator with this role to administer all groups.

    • Own Groups to allow the administrator to administer only the groups to which they belong.

    • Selected Groups and from the drop-down list select the groups the administrator with this role can administer.

      If you choose Selected Groups, add the applicable group by selecting it from the Select Groups to Manage drop-down list and repeat this step to add more groups. When you select a group, it appears in the Administrator is allowed to manage these groups list.

  7. Select the Permissions assigned to the role.

    • Permissions are grouped by function (for example, Core Administration).

    • Permissions include system entities that define specific tasks a user with the role can do.

    • For each system entity, the role can be granted View, Add, Edit, Remove, or All, where All covers every task related to that entity.

      For example, if you create a custom role called Marketing and want to allow users with the Marketing role to access the Theme page, set Core Administration > Account Branding Customization to All.

    See Role permissions for more detailed information.

    1. Click the permission function, for example, Core Administration to see the System Entity list.
    2. Select the permissions for the System Entity (view, add, edit, remove, or all).
    3. Toggle on Show Enabled Only to see the list of permissions assigned to the role.
  8. Click Add to create the role.
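The Managed Roles, Managed Groups, and Permissions choices in steps 5 through 7 together decide what a holder of the role can do, and to whom. The Python below is an added illustration written for this page; it is not Entrust code and does not use the IDaaS Admin API. It models those three filters, replays the page's own Help Desk Administrator and Super Auditor examples so you can check a custom role's reach before assigning it, and flags system entities from the Role permissions tables whose grants expose a secret or let the holder change another user's access. The rule that all three filters must pass, the permission sets given to the sample roles, the choice of "risky" entities, and the user and group names are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

ALL = "all"         # "All Roles", "All Groups", or the All permission on an entity
OWN = "own"         # "Own Groups": only the groups the administrator belongs to
NO_ROLE = "(none)"  # target user has no role, i.e. an end user
ACTIONS = ("view", "add", "edit", "remove")


@dataclass(frozen=True)
class User:
    name: str
    role: str | None           # None means end user (no role)
    groups: frozenset[str]


@dataclass
class Role:
    name: str
    managed_roles: set[str] | str = ALL    # ALL, or the set picked under Selected Roles
    managed_groups: set[str] | str = ALL   # ALL, OWN, or the set picked under Selected Groups
    permissions: dict[str, set[str]] = field(default_factory=dict)  # system entity -> actions

    def allows(self, entity: str, action: str) -> bool:
        granted = self.permissions.get(entity, set())
        return ALL in granted or action in granted


def can_manage(actor: User, actor_role: Role, target: User, entity: str, action: str) -> bool:
    """Decide whether `actor`, holding `actor_role`, may perform `action` on
    `entity` for `target`. ASSUMPTION: the three filters the page describes
    (entity permission, Managed Roles, Managed Groups) must all pass; the page
    lists them but does not state how IDaaS combines them."""
    if action not in ACTIONS or not actor_role.allows(entity, action):
        return False
    target_role = target.role if target.role is not None else NO_ROLE
    if actor_role.managed_roles != ALL and target_role not in actor_role.managed_roles:
        return False
    scope = actor_role.managed_groups
    if scope == ALL:
        return True
    allowed_groups = actor.groups if scope == OWN else scope
    return bool(target.groups & allowed_groups)


# Entities from this page's permission tables whose View permission alone
# reveals a secret (editor's selection based on the entity descriptions).
SECRET_VIEW = {
    "Directory Password",
    "User Knowledge-based Authenticator View Answers",
    "User Temporary Access Code View Value",
    "Entrust Soft Token Manual Activation Details",
}
# Entities where Add/Edit/Remove lets the holder change another user's access
# or credentials (editor's selection, same basis).
ESCALATION = {
    "Roles Management",
    "User Role Management",
    "User Password Authenticator Management",
}


def risky_grants(role: Role) -> list[str]:
    """Return findings that deserve a second look before the role is assigned."""
    findings: list[str] = []
    for entity, actions in role.permissions.items():
        if entity in SECRET_VIEW and actions:
            findings.append(f"{entity}: exposes a secret value")
        if entity in ESCALATION and (ALL in actions or actions - {"view"}):
            findings.append(f"{entity}: can change another user's access or credentials")
    if role.managed_roles == ALL and role.allows("User Role Management", "edit"):
        findings.append("All Roles + User Role Management: can promote any user to Super Administrator")
    return findings


# Constructed sample roles and users (the permission sets are assumed, not
# IDaaS's real definitions); the Help Desk managed-role set and the Super
# Auditor scope follow the descriptions on this page.
HELP_DESK = Role("Help Desk Administrator",
                 managed_roles={"Auditor", "Help Desk Administrator", NO_ROLE},
                 permissions={"User Management": {ALL},
                              "User Password Authenticator Management": {"edit"}})
SUPER_AUDITOR = Role("Super Auditor", managed_roles={"Auditor"}, managed_groups=OWN,
                     permissions={"User Management": {"view"}, "Account Reports": {"view"}})
MARKETING = Role("Marketing",
                 permissions={"Account Branding Customization": {ALL},
                              "Directory Password": {"view"}})

DANA = User("dana", "Help Desk Administrator", frozenset({"it"}))
SAM = User("sam", "Super Auditor", frozenset({"finance"}))
OMAR = User("omar", "Auditor", frozenset({"finance"}))
ALICE = User("alice", None, frozenset({"sales"}))
ROOT = User("root", "Super Administrator", frozenset({"it"}))

if __name__ == "__main__":
    print(can_manage(DANA, HELP_DESK, ALICE, "User Management", "edit"))    # end user: allowed
    print(can_manage(DANA, HELP_DESK, ROOT, "User Management", "edit"))     # Super Admin: denied
    print(can_manage(SAM, SUPER_AUDITOR, OMAR, "User Management", "view"))  # own group: allowed
    for role in (HELP_DESK, SUPER_AUDITOR, MARKETING):
        print(role.name, risky_grants(role))
```

Run it while designing a custom role: a finding such as "Directory Password: exposes a secret value" is the cue to drop that entity, or to narrow Managed Roles and Managed Groups, before you click Add. Because role changes only apply at the next login, also plan to end any active sessions of users whose role you tighten.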

Clone a role

You can create a copy of an existing role.

  1. Click the menu icon > Members > Roles. The Roles List page appears.

  2. Click the icon next to the role you want to clone.

  3. Click the clone option. The Add Role page appears.

  4. By default, Copy is appended to the name of the role you are cloning. For example, Auditor Copy.

  5. Change the role Name, as required.

  6. Edit the role Description, as required.

  7. Leave Managed Roles as it is; this setting cannot be edited while cloning a role.

  8. Under Managed Groups, select one of the following:

    • All Groups to allow an administrator with this role to administer all groups.

    • Own Groups to allow the administrator to administer only the groups to which they belong.

    • Selected Groups and from the drop-down list select the groups the administrator with this role can administer.

      If you choose Selected Groups, add the applicable group by selecting it from the Select Groups to Manage drop-down list and repeat this step to add more groups. When you select a group, it appears in the Administrator is allowed to manage these groups list.

  9. Set the Permissions for the role:

    1. Toggle on Show Enabled Only to see the list of system entities already assigned to the role.

    2. Add more system entity permissions, if required, by doing the following:

      i. Toggle off Show Enabled Only.

      ii. Select the additional permissions needed for this role.

  10. Click Add to create the role.

Edit a custom role

  1. Click the menu icon > Members > Roles. The Roles List page appears.
  2. Click the name of the custom role you want to edit. The Edit Role page appears.
  3. Modify the settings as required.
  4. Click Save.

Delete a custom role

  1. Click the menu icon > Members > Roles. The Roles List page appears.
  2. Click the delete icon next to the role you want to delete.
  3. Click Delete on the confirmation prompt.

Role permissions

Permissions define what tasks a role can perform in IDaaS. Permissions are grouped into functional categories to help you assign the right level of access based on administrative responsibilities. Each functional category includes system entities that define what the role can manage. The following sections describe the permissions available in each category.

Core Administration

Permissions in this category let a user manage account settings, branding, users and roles, reports, email templates, scheduled tasks, and account audit and entitlement information.

System entities:

  • Account and Authenticator Settings. Controls the settings of the authenticators available in IDaaS; required to access the KBA WordMaps feature.
  • Account Branding Customization. Allows administrators to customize the appearance of their IDaaS account and email templates.
  • Account Entitlement Status. Allows administrators to see the number of entitlements assigned to their account.
  • Account Reports. Allows administrators to monitor account activity and generate reports on specific metrics.
  • Archive Management. Allows administrators to view and download archived audits.
  • Email Template Management. Allows administrators to manage custom email templates.
  • Export Reports. Allows users to export user, grid card, and audit reports.
  • Roles Management. Controls the level of access each user has to IDaaS features.
  • Scheduled Task Management. Allows administrators to schedule tasks such as report generation.
  • User Grid Card Content Management. Allows administrators to print, export, and view grid cards.
  • User Management. Allows administrators to manage users of their IDaaS accounts.
  • User Role Management. Allows administrators to manage user roles.

User Authenticators

Permissions in this category let a user manage user authenticators and authentication methods, including passwords, OTPs, Magic Links, passkeys, biometrics, tokens, devices, and temporary access codes.

System entities:

  • ActiveSync Device Management. Allows administrators to manage ActiveSync access.
  • Entrust Soft Token Manual Activation Details. Allows administrators to view the activation code for an Entrust Soft Token authenticator.
  • Magic Link Management. Allows administrators to manage Magic Links.
  • Magic Link Content Management. Allows administrators to manage Magic Link content.
  • OTP Management. Allows administrators to create and obtain OTP values for a user using an Admin API.
  • Pass-through Authenticator Management. Allows administrators to manage pass-through authenticators.
  • Phone/Email OTP Verification. Allows administrators to manage phone and email OTPs.
  • User Desktop Management. Allows administrators to view and remove Desktop entities in the user's Devices tab.
  • User Face Biometric Management. Allows administrators to manage Face Biometric authenticators.
  • User Grid Card Management. Allows administrators to assign, delete, view, edit, and enable or disable user grid cards.
  • User Knowledge-based Authenticator Management. Allows administrators to manage KBA authenticators.
  • User Knowledge-based Authenticator View Answers. Allows administrators to view the answers entered for a user's KBA from the Administrator Portal.
  • User Machine ID Authenticator Management. Allows administrators to manage the machine authenticators listed on a user's authenticator page.
  • User Passkey/FIDO2 Token Management. Allows administrators to manage user passkey/FIDO2 authenticators.
  • User Password Authenticator Management. Allows administrators to manage user passwords.
  • User Risk-based Authentication Management. Allows administrators to manage user risk-based authenticator settings.
  • User Temporary Access Code Management. Allows administrators to view or create a temporary access code for a user; seeing the code value itself additionally requires View on the User Temporary Access Code View Value entity.
  • User Temporary Access Code View Value. Allows administrators to view a user's temporary access code value.
  • User Token Authenticator Management. Allows administrators to control hardware and soft token authenticators assigned to other users.

Directories and Access

Permissions in this category let a user manage directories and synchronization, configure gateways and agents, manage groups and user attributes, set up identity providers and organizations, and oversee user verification.

System entities:

  • Directories and Directory Sync. Controls which corporate directories synchronize with IDaaS.
  • Directory Password. Allows administrators to read the directory account password for AD Connector directories through the API.
  • Enterprise Gateway and Agents Management. Controls gateways and gateway instances such as the Directory Synchronization, RADIUS Proxy, Password, and Identity Guard agents.
  • Groups Management. Controls the groups available on an account.
  • Identity Provider Management. Allows administrators to configure and manage identity providers.
  • Organizations. Allows administrators to manage organizations and domain-based identity providers for OIDC applications.
  • User Attribute Management. Allows administrators to manage the information fields available in user profiles.
  • Verify User. Allows administrators to manage user verification.

Application and Service Providers

Permissions in this category let a user add and configure applications, manage application templates, set up outbound user provisioning to third‑party systems, and define rules that control access to applications.

System entities:

  • Application Template Management. Allows access to the configuration settings needed to add an application to IDaaS.
  • Applications Management. Allows administrators to configure applications so they are accessible after authenticating to IDaaS.
  • Outbound Provisioning Management. Allows administrators to create and manage provisioners for third-party user provisioning.
  • Resource Rules Management. Allows administrators to define resource rules that restrict application access.

Access Management and APIs

Permissions in this category let a user manage OAuth roles, APIs, and scopes, view and revoke user OAuth tokens, manage webhooks, and access APIs that support smart credential push signatures.

System entities:

  • Access Management Roles Management. Allows administrators to manage Role-Based Access Control (RBAC) for protected OAuth resources.
  • APIs/URLs Management. Allows administrators to manage OAuth resource server APIs.
  • Scopes Management. Allows administrators to manage OAuth API/URL scopes.
  • User OAuth Token Management. Allows administrators to view and revoke OAuth tokens.
  • User Smart Credential Signature. Allows users to access APIs that support smart credential push signature.
  • Webhooks Management. Allows administrators to manage webhooks.

Certificates and Security

Permissions in this category let a user manage certificate authorities, digital IDs, domain controller certificates, smart credential definitions, and user smart credential authenticators.

System entities:

  • Certificate Authority Management. Allows administrators to access the certificate authorities configured on an IDaaS account.
  • Digital ID Management for Smart Credentials. Allows administrators to access each digital ID configuration within a configured CA.
  • Domain Controller Certificates. Allows administrators to configure domain controllers.
  • Smart Credential Definition Management. Allows administrators to access the smart credential definitions configured in an account.
  • User Smart Credential Authenticator Management. Allows administrators to access the Mobile Smart Credentials assigned to each user.

Issuance and Credentials

Permissions in this category let a user define and manage verifiable credentials and the presentation definitions used to share those credentials.

System entities:

  • Verifiable Credential Definition Management. Allows administrators to manage verifiable credential definitions.
  • Verifiable Credential Management. Allows administrators to manage verifiable credentials.
  • Verifiable Presentation Definition Management. Allows administrators to manage verifiable credential presentation definitions.

Bulk Operations

Permissions in this category let a user perform bulk imports and updates for users, groups, and authenticators by using CSV files.

System entities:

  • Bulk Group Operations. Allows administrators to import many groups by using CSV files.
  • Bulk Hardware Token Operations. Allows administrators to bulk import token data files and assign hardware tokens.
  • Bulk IdentityGuard Operations. Allows administrators to bulk import Entrust IdentityGuard authenticators (KBA, Entrust Soft Tokens, Hardware Tokens).
  • Bulk User Operations. Allows administrators to import many users by using CSV files.

Reporting and Monitoring

Permissions in this category let a user monitor account activity, generate and export reports, manage audit archives, and configure webhooks.

System entities:

  • Account Reports. Allows administrators to view account activity and generate standard reports.
  • ActiveSync Device Management. Allows administrators to manage ActiveSync device access for users.
  • Archive Management. Allows administrators to view and download archived audit data.
  • Enterprise Gateway and Agents Management. Allows administrators to manage gateways and agent services, such as directory synchronization and authentication agents.
  • Export Reports. Allows administrators to export reports related to users, devices, and audits.
  • Scheduled Task Management. Allows administrators to schedule automated tasks, such as report generation.
  • Webhook Management. Allows administrators to create and manage webhooks for event notifications.