Roles control the operations that a user can perform in their Identity as a Service account. A role defines a list of System entities and the permissions for those entities. System entities are used to identify different Identity as a Service management areas. For example, a user assigned the User Passkey/FIDO2 Token Management entity can view, add, edit, remove, or perform all actions with a Passkey/FIDO2 token, depending on their assigned role permissions.
There are five system-defined roles, which cannot be changed. Administrators can also create custom roles. Changes to a role take effect the next time the user logs in. System-defined Identity as a Service roles and roles assigned to user accounts that are synchronized with Active Directory cannot be changed.
System-defined roles include:
● Auditor
This role gives view-only access to the features available on the administrator portal. It has the Manage All Roles permission setting enabled by default.
● Super Administrator
This role provides full access to the features available on the administrator portal. It has the Manage All Roles setting enabled by default.
● Help Desk Administrator
Administrators assigned the Help Desk Administrator role can manage other user accounts with the Auditor and Help Desk Administrator roles and those without a role (end users). They cannot manage users with Super Administrator or custom roles. The Manage All Roles setting cannot be modified for this role.
● SCIM Provisioning
This role allows the SCIM provisioning application to perform resource provisioning using SCIM protocols.
● SIEM Add-on
This role provides full access to all SIEM management functions in view-only mode.
● AD Connector
This role allows the AD Connector application to perform AD Connector directory synchronization.

Create a custom role
1. Go to > Members > Roles. The Roles List page appears.
2. Click . The Add Role page appears.
3. Enter a Name for your custom role.
4. Enter a Description for your custom role.
5. Select the Managed Roles, as follows:
● Select All Roles to allow those assigned this role to manage all users.
● Select Selected Roles and, from the Select Roles to Manage drop-down list, select the roles that you want the users assigned this role to manage. Repeat this step to add more roles.
For example, if you want to create a custom role called Super Auditor that allows the role to manage all users assigned the Auditor role, select Auditor from the drop-down list. When you select a role, it appears in the Administrator is allowed to manage these roles list.
6. Select the Managed Groups the role can manage, as follows:
● Select All Groups to allow an administrator with this role to administer all groups.
● Select Own Groups to allow the administrator to administer only the groups to which they belong.
● Select Selected Groups and, from the drop-down list, select the groups the administrator with this role can administer. Repeat this step to add more groups.
7. Select the System Entities and permissions for the custom role.
The system entities define the functionality the role can access. For example, if you create a custom role called Marketing and want only users with the Marketing role to have access to the Theme page, set the Account Branding Customization system entity to All so that users with the Marketing role can access and edit the Theme page.
8. Click Add to create the role.

Clone a role
You can create a copy of an existing role.
1. Go to > Members > Roles. The Roles List page appears.
2. Click next to the role you want to clone.
3. Click . The Add Role page appears.
4. By default, Copy is appended to the name of the role you are cloning.
5. Change the role Name, as required.
6. Edit the role Description, as required.
7. Choose one of the following options:
● Select Manage All Roles to allow those assigned this role to manage all users.
–or–
● Do not select Manage All Roles and, from the Select Roles to Manage drop-down list, select the roles that you want the users assigned this role to manage.
For example, if you want to create a custom role called Super Auditor that allows the role to manage all users assigned the Auditor role, select Auditor from the drop-down list.
Note: You can select more than one role to manage.
8. Select the Managed Groups the role can manage, as follows:
● Select All Groups to allow an administrator with this role to administer all groups.
● Select Own Groups to allow the administrator to administer only the groups to which they belong.
● Select Selected Groups and, from the drop-down list, select the groups the administrator with this role can administer. Repeat this step to add more groups.
9. Edit the System Entities, as required.
The system entities define the functionality the role can access. For example, if you create a custom role called Marketing and want only users with the Marketing role to have access to the Theme page, set the Account Branding Customization system entity to All so that users with the Marketing role can access and edit the Theme page.
10. Click Add to create the role.
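To make the scoping rules above concrete, here is an added Python model (not Entrust's own code) of the checks this page describes for the system-defined roles and for the custom roles built in the create and clone procedures: the Manage All Roles / Selected Roles scope, the All / Own / Selected Groups scope, and the view-only versus All permission on a system entity. The group names and the short entity list it uses are constructed for the example.

```python
# Added example (not Entrust's code): a model of the role-scoping rules this page
# describes, usable to sanity-check a custom role before creating it in the portal.
# Assumptions: entity permission levels are "view" or "all"; NO_ROLE stands for an
# end user with no role; group names and the sample entity list are constructed.
NO_ROLE = "(no role)"
ALL_ACTIONS = {"view", "add", "edit", "remove"}
SAMPLE_ENTITIES = ["User Management", "Account Branding Customization",
                   "User Passkey/FIDO2 Token Management"]


class Role:
    def __init__(self, name, manage_all_roles=False, managed_roles=(),
                 managed_groups="all", entities=None):
        self.name = name
        self.manage_all_roles = manage_all_roles  # the "Manage All Roles" setting
        self.managed_roles = set(managed_roles)   # the "Selected Roles" list
        self.managed_groups = managed_groups      # "all", "own", or a set of group names
        self.entities = dict(entities or {})      # system entity -> "view" | "all"

    def can_manage_user(self, admin_groups, target_role, target_groups):
        """Both the managed-roles scope and the managed-groups scope must match."""
        if not (self.manage_all_roles or target_role in self.managed_roles):
            return False
        if self.managed_groups == "all":
            return True
        scope = set(admin_groups) if self.managed_groups == "own" else set(self.managed_groups)
        return bool(scope & set(target_groups))

    def can_perform(self, entity, action):
        """A "view" entity allows only view; "all" allows view, add, edit and remove."""
        level = self.entities.get(entity)
        if level == "all":
            return action in ALL_ACTIONS
        return level == "view" and action == "view"


# The system-defined roles as the page describes them.
SUPER_ADMINISTRATOR = Role("Super Administrator", manage_all_roles=True,
                           entities={e: "all" for e in SAMPLE_ENTITIES})
AUDITOR = Role("Auditor", manage_all_roles=True,
               entities={e: "view" for e in SAMPLE_ENTITIES})
HELP_DESK = Role("Help Desk Administrator",
                 managed_roles={"Auditor", "Help Desk Administrator", NO_ROLE},
                 entities={"User Management": "all"})

# Custom roles from the page's examples, plus one scoped to the admin's own groups.
SUPER_AUDITOR = Role("Super Auditor", managed_roles={"Auditor"})
MARKETING = Role("Marketing", entities={"Account Branding Customization": "all"})
REGIONAL_HELP_DESK = Role("Regional Help Desk", managed_roles={NO_ROLE},
                          managed_groups="own", entities={"User Management": "all"})
```

Checking a proposed custom role against this model before clicking Add is a quick way to confirm it cannot manage Super Administrators or reach entities outside its intended area.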

Edit a custom role
1. Click > Members > Roles. The Roles List page appears.
2. Click the name of the custom role you want to edit. The Edit Role page appears.
3. Modify the settings as required.
4. Click Save.

Delete a custom role
1. Click > Members > Roles. The Role List page appears.
2. Click next to the role you want to delete.
3. Click Delete on the confirmation prompt.

Identity as a Service system entities
A system entity is the functionality available to the assigned role in Identity as a Service.
● Access Management Roles Management
● Account and Authenticator Settings
● Account Branding Customization
● Account Entitlement Status
● Account Reports
● ActiveSync Device Management
● APIs/URLs Management: Allows administrators to manage OAuth resource server APIs.
● Application Template Management
● Applications Management
● Archive Management
● Bulk Group Operations
● Bulk Hardware Token Operations
● Bulk IdentityGuard Operations
● Bulk User Operations
● Certificate Authority Management
● Digital ID Management for Smart Credentials
● Directories and Directory Sync
● Directory Password
● Domain Controller Certificates
● Email Template Management
● Enterprise Gateway and Agents Management
● Entrust Soft Token Manual Activation Details: Allows administrators to view the activation code for an Entrust Soft Token authenticator.
● Export Reports
● Groups Management
● Identity Provider Management
● Issue Credentials: Allows administrators to issue credentials.
● Magic Link Management: Allows administrators to manage Magic Links.
● Magic Link Content Management: Allows administrators to manage the content of Magic Links.
● Organizations: Allows administrators to manage organizations and Domain-Based Identity Providers for OIDC applications.
● OTP Management: Allows administrators to create and obtain an OTP value for a user using an Admin API.
● Outbound Provisioning Management
● Phone/Email OTP Verification
● Resource Rules Management: Allows administrators to define the resource rules for application access restrictions.
● Roles Management
● Scheduled Task Management
● Scopes Management
● Smart Credential Definition Management: Allows administrators to access the smart credential definitions configured in an Identity as a Service account. The smart credential definition contains information that a mobile smart credential needs to be properly configured.
● User Attribute Management: Allows administrators to manage the information fields available in the user profile information.
● Allows an administrator to view and remove Desktop entities in the user's Devices tab.
● User Face Biometric Management: Administrators can manage Face Biometric authenticators.
● User Passkey/FIDO2 Token Management
● User Grid Card Content Management: Allows administrators to print, export, and view grid cards.
● User Grid Card Management
● User Knowledge-based Authenticator Management
● User Knowledge-based Authenticator View Answers: Controls the ability to see the answers entered for the questions included in a user's KBA from the administrator portal. Answers registered for a KBA cannot be viewed from the user portal regardless of a user's role permissions. The answers registered for a user's KBA can be accessed from the administrator portal when updating a knowledge-based authenticator. Note: All is the only option available for this system entity because the feature only controls whether a user's answers can be viewed.
● User Machine ID Authenticator Management
● User Management
● User OAuth Token Management: Allows administrators to view and revoke OAuth tokens.
● User Password Authenticator Management
● User Risk-based Authentication Management: Allows administrators to manage user risk-based authenticator settings.
● User Role Management
● User Smart Credential Authenticator Management: Allows administrators to access the Mobile Smart Credentials assigned to each user.
● User Smart Credential Signature: Allows users to access APIs that support smart credential push signature.
● User Temporary Access Code Management
● User Temporary Access Code View Value
● User Token Authenticator Management
● Webhooks Management