How-tos

5 mins read

Assigning Roles to Cloudentity Administrators

Learn how Cloudentity implements roles for tenant and workspace administrators and how to assign these roles.

About Roles for Cloudentity Administrators

Cloudentity allows you to assign roles to administrators. This way, administrators only have access to actions in scope of their responsibilities, ranging from administrating the whole tenant to read-only access limited to a specific workspace.

Assign Roles to Tenant Administrators in New Tenant

  1. Go to Tenant Settings > Administration.

    Tenant settings

  2. If the list is empty, select Create New to invite a new administrator. Enter the admin’s e-mail, First Name Last Name, and Tenant Role, then select Create.

    New admin is created and the User Profile form opens. Invitation e-mail is sent to the admin’s e-mail. Once the admin accepts the invitation, their account becomes active, and they are able to log in and perform actions matching their assigned role.

  3. To assign a new role to existing admin, select the admin from the list to open the User Profile page. Assign a role to the admin in the Tenant Role field.

Assign Roles to Tenant Administrators in Existing Tenant

Only Tenant Admins can perform this action. This flow is valid for tenants existing before roles were implemented.

  1. Go to Tenant Settings > Administration.

    Tenant settings

    Select Open Admin Workspace as prompted. You are redirected to the Identity Providers page in the Admin workspace.

  2. Select the Built in Admin IDP.

  3. Select Manage Pool from the IDP configuration page. You are redirected to the Identity Pools page where you can see the Cloudentity Administrators Identity Pool. Open this pool and go to Users page.

  4. Select a user to assign a role to. Go to the Roles page and select a tenant role for this user.

  5. Save changes. Affected user should now have permissions matching the assigned role.

Assign Workspace Administrators

Only Tenant or Workspace Administrators can perform this action. All tenant administrators, auditors, and members can be assigned a workspace role.

  1. In the target workspace, go to Manage Access. This page shows a list of users with Admin/Auditor rights in scope of this workspace.

  2. Select Add User and select the user from the form (which shows all tenant admins, auditors, and members).

    Field Description
    Role Role to be assigned to the user, either Workspace Admin or Workspace Auditor.
    User User to be granted a role in this workspace.
  3. Select Add. This user can now perform either administrative or auditorial tasks on this workspace. When the user logs in, they see the administrative UI tailored to their permissions.

Roles and Permissions in Cloudentity

Cloudentity implements the following set of roles intended for tenant and workspace administrators, granting their assignees specific permissions on a tenant or workspace:

Action Tenant Admin Tenant Auditor Workspace Admin Workspace Auditor Tenant Member (None)
Get Tenant Yes Yes No No No
Update Tenant Yes No No No No
Read Tenant Roles Yes Yes No No No
Manage Tenant Roles Yes No No No No
Create Workspace Yes No No No No
Read Themes Yes Yes No No No
Manage Themes Yes No No No No
Read MFA Methods Yes Yes No No No
Manage MFA Methods Yes No No No No
Read Brute Force Protection Settings Yes Yes No No No
Manage Brute Force Protection Settings Yes No No No No
Read Workspace Theme Binding Yes Yes No No No
Manage Workspace Theme Binding Yes No No No No
Read Identity Pools Yes Yes No No No
Manage Identity Pools Yes No No No No
Read Identity Pool Users Yes Yes No No No
Manage Identity Pool Users Yes No No No No
Read Permission Systems Yes Yes No No No
Manage Permission Systems Yes No No No No
Get Workspace Yes Yes Yes Yes No
Update Workspace Yes No Yes No No
Delete Workspace Yes No No No No
Read Workspace Roles Yes Yes Yes Yes No
Manage Workspace Roles Yes No Yes No No
Read Workspace Analytics Yes Yes Yes Yes No
Read Services in Workspace Yes Yes Yes Yes No
Manage Services in Workspace Yes No Yes No No
Read Workspace IDPs Yes Yes Yes Yes No
Manage Workspace IDPs Yes No Yes No No
Read Workspace Extension Scripts Yes Yes Yes Yes No
Manage Workspace Extension Scripts Yes No Yes No No
Read Workspace Claims Yes Yes Yes Yes No
Manage Workspace Claims Yes No Yes No No
Read Workspace Authorizers Yes Yes Yes Yes No
Manage Workspace Authorizers Yes No Yes No No
Read Workspace APIs Yes Yes Yes Yes No
Manage Workspace APIs Yes No Yes No No
Read Workspace Policies Yes Yes Yes Yes No
Manage Workspace Policies Yes No Yes No No
Read Webhooks Yes Yes Yes Yes No
Manage Webhooks Yes No Yes No No
Read Custom Apps Yes Yes Yes Yes No
Manage Custom Apps Yes No Yes No No
Read Secrets Yes Yes Yes Yes No
Manage Secrets Yes No Yes No No
Read Audit Events Yes Yes Yes Yes No
Read Clients Yes Yes Yes Yes No
Manage Clients Yes No Yes No No
Read System Templates (UI components) Yes Yes No No Yes
Read System Tenant Services Yes Yes No No Yes
Read System Tenant APIs Yes Yes No No Yes
Read System Environment (overall state of the tenant) Yes Yes No No Yes
Read System Notifications Yes Yes No No Yes

This way, you can restrict the privilege level sufficient for specific Cloudentity administrators in accordance with the needs of your organization.

[mermaid-begin]
flowchart LR role1[Tenant Admin] role2[Tenant Auditor] role3[Workspace A Admin] role4[Workspace A Auditor] action1[Manage Tenant] action2[Read Tenant] action3[Manage Workspace A Only] action4[Read Workspace A Only] action5[Manage All Workspaces] action6[Read All Workspaces] role1--->action1 role1--->action2 role1--->action3 role1--->action4 role1--->action5 role1--->action6 role2--->action2 role2--->action3 role2--->action4 role2--->action6 role3--->action3 role3--->action4 role4--->action4 action1--->id1[Create Identity Pool] action2--->id2[Check Users in Identity Pool] action3--->id3[Add New Client] action3--->id4[Connect IDP] action3--->id5[Create Extension Scripts and Custom Applications] action4--->id6[Check Connected Clients] action4--->id7[Check Logs]
Updated: Aug 24, 2023