Create, assign, and manage roles
Roles control the operations that a user can perform in their Identity as a Service account. A role defines a list of system entities and the permissions for those entities. System entities identify the different Identity as a Service management areas. For example, a user assigned the User Passkey/FIDO2 Token Management entity can view, add, edit, remove, or perform all actions with a Passkey/FIDO2 token, depending on the permission level set for that entity in their role.
The system-defined roles listed below cannot be changed. Administrators can also create custom roles. Changes to a role take effect the next time the affected user logs in. Roles assigned to user accounts that are synchronized with Active Directory also cannot be changed.
System-defined roles include:
Auditor: Gives view-only access to the features available on the administrator portal. It has the permission setting enabled by default.
Super Administrator: Provides full access to the features available on the administrator portal. It has the setting enabled by default.
Help Desk Administrator: Administrators assigned this role can manage other user accounts with the Auditor and Help Desk Administrator roles, and accounts without a role (end users). They cannot manage users with the Super Administrator role or with custom roles. The setting cannot be modified for this role.
SCIM Provisioning: Allows the SCIM provisioning application to perform resource provisioning using SCIM protocols.
SIEM Add-on: Provides access to all SIEM management functions in view-only mode.
AD Connector: Allows the AD Connector application to perform AD Connector directory synchronization.
Working with roles
To create a custom role
Click the menu icon > Members > Roles. The Roles List page appears.
Click the add icon. The Add Role page appears.
Enter a Name for your custom role.
Enter a Description for your custom role.
Select the Managed Roles, as follows:
Select All Roles to allow users assigned this role to manage all users.
Select Selected Roles and, from the Select Roles to Manage drop-down list, select the roles that users assigned this role can manage. Repeat this step to add more roles.
For example, to create a custom role called Super Auditor that can manage all users assigned the Auditor role, select Auditor from the drop-down list. When you select a role, it appears in the Administrator is allowed to manage these roles list.
Select the Managed Groups the role can manage, as follows:
Select All Groups to allow an administrator with this role to administer all groups.
Select Own Groups to allow the administrator to administer only the groups to which they belong.
Select Selected Groups and, from the drop-down list, select the groups the administrator with this role can administer. Repeat this step to add more groups.
Select the System Entities and permissions for the custom role.
The system entities define the functionality the role can access. For example, if you create a custom role called Marketing and want users with that role to access only the Theme page, set the Account Branding Customization system entity to All so that users with the Marketing role can open and edit the Theme page.
Click Add to create the role.
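The three settings chosen in the procedure above (Managed Roles, Managed Groups, and per-entity permissions) can be read as an authorization policy. The following is an added model written for this page, not Entrust's code or an Identity as a Service API: it encodes each axis and evaluates whether one account may act on another. Role and entity names are taken from the page; the permission levels None/View/All, the rule that both the Managed Roles and Managed Groups checks must pass, the entity grants given to each built-in role, and the sample accounts and group names (finance, hr, Team Lead, and so on) are assumptions.

```python
# Added example for this page, not Entrust code. Role and entity names are from the
# page; permission levels, evaluation order, and the sample accounts are assumptions.
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, FrozenSet, Optional


class Perm(IntEnum):
    """Permission level for one system entity (levels assumed from the page's All/View)."""
    NONE = 0   # entity not granted
    VIEW = 1   # read-only
    ALL = 2    # view, add, edit, remove


END_USER = "(end user)"  # sentinel for accounts that have no role assigned

USER_MGMT = "User Management"
TAC_MANAGE = "User Temporary Access Code Management"
TAC_VIEW_VALUE = "User Temporary Access Code View Value"
ENTITIES = (USER_MGMT, TAC_MANAGE, TAC_VIEW_VALUE)  # subset of the page's entity list


@dataclass
class Role:
    name: str
    managed_roles: Optional[FrozenSet[str]]   # None means "All Roles"
    managed_groups: Optional[FrozenSet[str]]  # None means "All Groups"
    own_groups_only: bool = False             # the "Own Groups" option
    entities: Dict[str, Perm] = field(default_factory=dict)


@dataclass(frozen=True)
class User:
    name: str
    role: Optional[str]                       # None means end user
    groups: FrozenSet[str] = frozenset()


ROLES: Dict[str, Role] = {
    "Super Administrator": Role("Super Administrator", None, None,
                                entities={e: Perm.ALL for e in ENTITIES}),
    # View-only; assumed to manage no other accounts.
    "Auditor": Role("Auditor", frozenset(), frozenset(),
                    entities={e: Perm.VIEW for e in ENTITIES}),
    # Manages Auditors, other Help Desk Administrators and end users only.
    # It is given TAC management but not TAC View Value, so it never sees the code.
    "Help Desk Administrator": Role(
        "Help Desk Administrator",
        frozenset({"Auditor", "Help Desk Administrator", END_USER}), None,
        entities={USER_MGMT: Perm.ALL, TAC_MANAGE: Perm.ALL}),
    # The page's custom "Super Auditor", limited to one Selected Group (name assumed).
    "Super Auditor": Role("Super Auditor", frozenset({"Auditor"}),
                          frozenset({"finance"}), entities={USER_MGMT: Perm.VIEW}),
    # Hypothetical custom role using "Own Groups": manages end users in its own groups.
    "Team Lead": Role("Team Lead", frozenset({END_USER}), None,
                      own_groups_only=True, entities={USER_MGMT: Perm.ALL}),
}

USERS: Dict[str, User] = {  # constructed sample accounts
    "root":    User("root", "Super Administrator", frozenset({"it"})),
    "hd":      User("hd", "Help Desk Administrator", frozenset({"it"})),
    "sa":      User("sa", "Super Auditor", frozenset({"it"})),
    "lead":    User("lead", "Team Lead", frozenset({"finance"})),
    "aud_fin": User("aud_fin", "Auditor", frozenset({"finance"})),
    "aud_hr":  User("aud_hr", "Auditor", frozenset({"hr"})),
    "alice":   User("alice", None, frozenset({"finance"})),
    "bob":     User("bob", None, frozenset({"hr"})),
}


def role_of(user: User, roles: Dict[str, Role] = ROLES) -> Optional[Role]:
    return roles.get(user.role) if user.role else None


def has_permission(role: Role, entity: str, needed: Perm) -> bool:
    """An entity absent from the role counts as NONE (deny by default)."""
    return role.entities.get(entity, Perm.NONE) >= needed


def can_manage(admin: User, target: User, roles: Dict[str, Role] = ROLES) -> bool:
    """True only if target passes BOTH the Managed Roles and Managed Groups checks."""
    role = role_of(admin, roles)
    if role is None:                      # end users (and unknown roles) manage nobody
        return False
    target_role = target.role or END_USER
    if role.managed_roles is not None and target_role not in role.managed_roles:
        return False
    if role.own_groups_only:              # "Own Groups": must share a group with the admin
        return bool(admin.groups & target.groups)
    if role.managed_groups is None:       # "All Groups"
        return True
    return bool(role.managed_groups & target.groups)   # "Selected Groups"


def can_act(admin: User, target: User, entity: str, needed: Perm,
            roles: Dict[str, Role] = ROLES) -> bool:
    """Scope (who may be managed) and entity permission (what may be done) are independent."""
    role = role_of(admin, roles)
    return (role is not None and can_manage(admin, target, roles)
            and has_permission(role, entity, needed))


def can_view_tac_value(admin: User, target: User, roles: Dict[str, Role] = ROLES) -> bool:
    """Reading the code string needs the separate View Value entity, not just management."""
    return (can_act(admin, target, TAC_MANAGE, Perm.VIEW, roles)
            and can_act(admin, target, TAC_VIEW_VALUE, Perm.VIEW, roles))


if __name__ == "__main__":
    for a, t in (("hd", "alice"), ("hd", "root"), ("sa", "aud_fin"), ("sa", "aud_hr")):
        print(f"{a} manages {t}: {can_manage(USERS[a], USERS[t])}")
    print("hd sees TAC value:", can_view_tac_value(USERS["hd"], USERS["alice"]))
```

The point worth checking when you design a custom role is the one the model makes explicit: a narrow Managed Roles list does nothing if Managed Groups is All Groups and the role carries All on User Management, and a help-desk role that can create temporary access codes should not also be granted the View Value entity unless staff genuinely need to read the code.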
To clone an existing role
You can create a copy of an existing role.
Click the menu icon > Members > Roles. The Roles List page appears.
Click the icon next to the role you want to clone, and then click the clone icon. The Add Role page appears.
By default, Copy is appended to the name of the role you are cloning.
Change the role Name, as required.
Edit the role Description, as required.
Choose one of the following options:
Select Manage All Roles to allow users assigned this role to manage all users.
–or–
Do not select Manage All Roles and, from the Select Roles to Manage drop-down list, select the roles that users assigned this role can manage.
For example, to create a custom role called Super Auditor that can manage all users assigned the Auditor role, select Auditor from the drop-down list.
Note: You can select more than one role to manage.
Select the Managed Groups the role can manage, as follows:
Select All Groups to allow an administrator with this role to administer all groups.
Select Own Groups to allow the administrator to administer only the groups to which they belong.
Select Selected Groups and, from the drop-down list, select the groups the administrator with this role can administer. Repeat this step to add more groups.
Edit the System Entities, as required.
The system entities define the functionality the role can access. For example, if you create a custom role called Marketing and want users with that role to access only the Theme page, set the Account Branding Customization system entity to All so that users with the Marketing role can open and edit the Theme page.
Click Add to create the role.
To edit a custom role
Click the menu icon > Members > Roles. The Roles List page appears.
Click the name of the custom role you want to edit. The Edit Role page appears.
Modify the settings as required.
Click Save.
To delete a custom role
Click the menu icon > Members > Roles. The Roles List page appears.
Click the delete icon next to the role you want to delete.
Click Delete on the confirmation prompt.
System entities
A system entity is a unit of Identity as a Service functionality that a role can be granted access to. The system entities and the functions they control are listed below.
Access Management Roles Management: Allows administrators to manage Role-Based Access Control (RBAC) for protected OAuth resources.
Account and Authenticator Settings: Controls the settings of the different authenticators available on Identity as a Service. This permission is required to access the KBA WordMaps feature.
Account Branding Customization: Allows administrators to customize the appearance of their Identity as a Service account and its email templates.
Account Entitlement Status: Allows administrators to see the number of entitlements assigned to their account. Account entitlements define how many users can be created within an account.
Account Reports: Allows administrators to monitor their account activity and generate reports on specific account metrics.
ActiveSync Device Management: Allows administrators to manage ActiveSync access.
APIs/URLs Management: Allows administrators to manage OAuth resource server APIs.
Application Template Management: Allows access to the configuration settings needed to add an application to your Identity as a Service account.
Applications Management: Allows administrators to configure their application accounts so that they are accessible after authenticating to Identity as a Service.
Archive Management: Allows administrators to view and download archived audits.
Bulk Group Operations: Allows administrators to add a large number of groups to their account by uploading group information from a CSV file.
Bulk Hardware Token Operations: Allows administrators to bulk import token data files and bulk assign hardware tokens to users.
Bulk IdentityGuard Operations: Allows administrators to bulk import Entrust IdentityGuard authenticators into Identity as a Service. Supported authenticators are KBA, Entrust Soft Tokens, and hardware tokens.
Bulk User Operations: Allows administrators to add a large number of users to their account by uploading user account information from a CSV file.
Certificate Authority Management: Allows administrators to access the certificate authorities configured on an Identity as a Service account. Certificate authorities (CAs) contain information needed to configure a mobile smart credential.
Digital ID Management for Smart Credentials: Allows administrators to access each digital ID configuration within a configured CA.
Directories and Directory Sync: Controls which corporate directories are synchronized with an Identity as a Service account. Synchronizing a directory auto-populates user or group information from the corporate directory into the Identity as a Service account, and any user or group information changed on the company server is then updated automatically in Identity as a Service.
Directory Password: Allows administrators to read the directory account password for AD Connector directories through the API.
Domain Controller Certificates: Allows administrators to configure domain controllers.
Email Template Management: Allows administrators to manage custom email templates.
Enterprise Gateway and Agents Management: Controls the Gateways and Gateway instances on your account. Each gateway instance contains a Directory Synchronization, RADIUS Proxy, Password, and IdentityGuard agent that supports secure access to account features.
Entrust Soft Token Manual Activation Details: Allows administrators to view the activation code for an Entrust Soft Token authenticator.
Export Reports: Allows users to export user, grid card, and audit reports.
Groups Management: Controls the groups available on an account.
Identity Provider Management: Allows administrators to manage identity providers.
Magic Link Management: Allows administrators to manage Magic Links.
Magic Link Content Management: Allows administrators to manage the content of Magic Links.
Organizations: Allows administrators to manage organizations and Domain-Based Identity Providers for OIDC applications.
OTP Management: Allows administrators to create and obtain an OTP value for a user using an Admin API.
Outbound Provisioning Management: Allows administrators to create and manage provisioners for user provisioning with a third-party service.
Pass-through Authenticator Management: Allows administrators to manage pass-through authenticators.
Phone/Email OTP Verification: Allows administrators to manage phone and email OTPs.
Resource Rules Management: Allows administrators to define the resource rules for application access restrictions.
Roles Management: Controls the level of access each user has to the features on their Identity as a Service account.
Scheduled Task Management: Allows administrators to schedule tasks, such as report generation.
Scopes Management: Allows administrators to manage OAuth APIs/URLs scopes.
Smart Credential Definition Management: Allows administrators to access the smart credential definitions configured in an Identity as a Service account. A smart credential definition contains the information that a mobile smart credential needs to be properly configured.
User Attribute Management: Allows administrators to manage the information fields available in the user profile.
User Desktop Management: Allows administrators to view and remove Desktop entities in the user's Devices tab.
User Face Biometric Management: Allows administrators to manage Face Biometric authenticators.
User Grid Card Content Management: Allows administrators to print, export, and view grid cards.
User Grid Card Management: Allows administrators to assign, delete, view, edit, and disable or enable user grid cards.
User Knowledge-based Authenticator Management: Allows administrators to manage KBA authenticators.
User Knowledge-based Authenticator View Answers: Controls the ability to see, from the administrator portal, the answers registered for the questions in a user's KBA. Registered KBA answers cannot be viewed from the user portal regardless of a user's role permissions. The answers registered for a user's KBA can be accessed from the administrator portal when updating a knowledge-based authenticator.
User Machine ID Authenticator Management: Allows administrators to manage the machine authenticators listed on each user's authenticators page.
User Management: Allows administrators to manage the users of their Identity as a Service account.
User OAuth Token Management: Allows administrators to view and revoke OAuth tokens.
User Passkey/FIDO2 Token Management: Allows administrators to manage user passkey/FIDO2 token authenticators.
User Password Authenticator Management: Allows administrators to manage user passwords.
User Risk-based Authentication Management: Allows administrators to manage user risk-based authenticator settings.
User Role Management: Allows administrators to manage user roles.
User Smart Credential Authenticator Management: Allows administrators to access the Mobile Smart Credentials assigned to each user.
User Smart Credential Signature: Allows users to access APIs that support smart credential push signature.
User Temporary Access Code Management: Allows administrators to view or create a temporary access code for a user. The temporary access code information is visible except for the code value itself (a character string); reading the code value additionally requires the User Temporary Access Code View Value entity.
User Temporary Access Code View Value: Allows administrators to view a user's Temporary Access Code value (a character string).
User Token Authenticator Management: Allows administrators to control the hardware and soft token authenticators assigned to other users in their account.
Verifiable Credential Definition Management: Allows administrators to manage verifiable credential definitions.
Verifiable Credential Management: Allows administrators to manage verifiable credentials.
Verifiable Presentation Definition Management: Allows administrators to manage verifiable credential presentation definitions.
Verify User: Allows administrators to manage user verification.
Webhooks Management: Allows administrators to manage webhooks.