Understanding Administrator Roles

Learn about administrator roles and the privileges associated with each role so that you can delegate administrative tasks to other users, as needed.

In your organization, you might want administrators to have different levels of access to various tasks and resources. For example, the identity domain administrator has superuser privileges for an identity domain. This administrator may want to delegate some of these responsibilities to other users, such as managing system configuration and security settings, applications, users, groups, group memberships, and so on. To do this, the administrator assigns these users to other administrator roles. Users who are assigned to these roles can then perform the specific tasks that are associated with the roles.

The following table lists the administrator roles and summarizes the privileges for each role.

Administrator role Privileges
Identity domain administrator

Has superuser privileges for an identity domain in IAM.

Identity domain administrators can:

  • Manage users, groups, applications, system configuration, and security settings

  • Perform delegated administration by assigning users to different administrative roles

  • Enable and disable Multi-Factor Authentication (MFA), configure MFA settings, and configure authentication factors

  • Create self-registration profiles to manage different sets of users, approval policies, and applications

Security administrator

Manage IAM system configuration and security settings for an identity domain.

Security administrators can customize the interface, default settings, notifications, and the password policies, configure Multi-Factor Authentication (MFA), and manage the Microsoft Active Directory (AD) Bridge, Provisioning Bridge, identity providers, and trusted partner certificates.

Application administrator

Manage applications.

Application administrators can create, update, activate, deactivate, and delete applications. Application administrators can also grant and revoke access to applications for groups and users.

User administrator

Manage users, groups, and group memberships for an identity domain.

User manager

Manage all users or users of selected groups in an identity domain.

User managers can update, activate, deactivate, remove, and unlock user accounts. User managers can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.

Help desk administrator

Manage all users or users of selected groups in an identity domain.

Help desk administrators can view the details of a user and unlock a user account. Help desk administrators can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.

Audit administrator

Run reports for an identity domain.
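The following added example (not Oracle code and not part of the original page) applies the table to an access review: it picks the delegated role or roles that cover a user's duties with the fewest extra privileges, and flags users who hold more than that. The task tags, user names, and sample assignments are constructed for illustration and are not product identifiers; the role-to-task mapping only paraphrases the table's wording.

```python
from itertools import combinations

SUPERUSER = "Identity domain administrator"
# Task tags are invented for this example; each set paraphrases the table's wording.
ROLE_TASKS = {
    "Security administrator": {"security_settings", "password_policy", "mfa_config",
                               "identity_providers", "partner_certificates"},
    "Application administrator": {"app_manage", "app_grant_access"},
    "User administrator": {"user_manage", "group_manage", "group_membership"},
    "User manager": {"user_update", "user_activate", "user_remove", "user_unlock",
                     "password_reset", "factor_reset", "bypass_code"},
    "Help desk administrator": {"user_view", "user_unlock", "password_reset",
                                "factor_reset", "bypass_code"},
    "Audit administrator": {"run_reports"},
}

def least_privileged_roles(needed):
    """Smallest-excess set of delegated roles covering `needed` task tags."""
    needed = set(needed)
    if not needed:
        return set()
    best = None
    names = sorted(ROLE_TASKS)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            granted = set().union(*(ROLE_TASKS[r] for r in combo))
            if needed <= granted:
                cost = (len(granted - needed), size)
                if best is None or cost < best[0]:
                    best = (cost, combo)
    # A task that no delegated role covers is left to the superuser role.
    return set(best[1]) if best else {SUPERUSER}

def review(assignments, needs):
    """List (user, excess roles, recommended roles) for over-privileged users."""
    findings = []
    for user, assigned in sorted(assignments.items()):
        recommended = least_privileged_roles(needs.get(user, ()))
        excess = set(assigned) - recommended
        if excess:
            findings.append((user, sorted(excess), sorted(recommended)))
    return findings

# Constructed sample data: current role assignments and each user's actual duties.
ASSIGNMENTS = {"alice": {SUPERUSER}, "bob": {"User manager"}, "carol": {"Audit administrator"}}
NEEDS = {"alice": {"password_reset", "user_unlock"},
         "bob": {"user_activate", "password_reset"}, "carol": {"run_reports"}}

if __name__ == "__main__":
    for user, excess, recommended in review(ASSIGNMENTS, NEEDS):
        print(f"{user}: remove {excess}, assign {recommended}")
```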

Using the Console

Use the Console to add users to or remove users from roles.

Adding Users to Roles

Use the Console to add users to administrator roles to grant them access to various tasks and resources.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Security and then Administrators.
  3. Expand roles by clicking the arrow next to the name of the role that you want to add a user to, and then click Add users.
  4. Click the text box and enter at least three characters to search for a user, or use the left and right arrows at the end of the user list to navigate to a new page of users.
    When you find the user you want to add to the role, select the check box next to the user's display name.
  5. When you have selected all the users you want to add to the role, click Add users.

Removing Users from Roles

Use the Console to remove users from administrator roles when you want to remove their access to various tasks and resources.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Security and then Administrators.
  3. Expand roles by clicking the arrow next to the name of the role that you want to remove a user from.
  4. In the list of users currently assigned to the role, find the user that you want to remove, and then click the Actions menu (three dots) for the user.
  5. Click Remove.
  6. To confirm, click Remove user.