Assigning Roles to Cloudentity Administrators

Learn how Cloudentity implements roles for tenant and workspace administrators and how to assign these roles.

About Roles for Cloudentity Administrators

Cloudentity allows you to assign roles to administrators. This way, each administrator only has access to the actions in scope of their responsibilities, ranging from administering the whole tenant down to read-only access limited to a single workspace.

Assign Roles to Tenant Administrators in New Tenant

  1. Go to Tenant Settings » Administrators.

  2. If the list is empty, select Create New to invite a new administrator. Enter the admin’s e-mail, First Name, Last Name, and Tenant Role, then select Create.

    A new admin is created and the User Profile form opens. An invitation e-mail is sent to the admin’s address. Once the admin accepts the invitation, their account becomes active and they can log in and perform the actions matching their assigned role.

  3. To assign a new role to an existing admin, select the admin from the list to open the User Profile page, then set the role in the Tenant Role field.

Assign Roles to Tenant Administrators in Existing Tenant

Only Tenant Admins can perform this action. This flow applies to tenants that existed before roles were introduced.

  1. Go to Tenant Settings » Administrators.

    Select Open Admin Workspace as prompted. You are redirected to the Identity Providers page in the Admin workspace.

  2. Select the Built in Admin IDP.

  3. Select Manage Pool on the IDP configuration page. You are redirected to the Identity Pools page, where you can see the Cloudentity Administrators identity pool. Open this pool and go to the Users page.

  4. Select a user to assign a role to. Go to the Roles page and select a tenant role for this user.

  5. Save your changes. The affected user should now have permissions matching the assigned role.

Assign Workspace Administrators

Only Tenant or Workspace Administrators can perform this action. Any tenant administrator, auditor, or member can be assigned a workspace role.

  1. In the target workspace, go to Manage Access. This page lists the users with Admin or Auditor rights in the scope of this workspace.

  2. Select Add User and pick the user in the form (which lists all tenant admins, auditors, and members).

    | Field | Description                                                                    |
    |-------|--------------------------------------------------------------------------------|
    | Role  | Role to be assigned to the user, either Workspace Admin or Workspace Auditor.  |
    | User  | User to be granted a role in this workspace.                                   |

  3. Select Add. This user can now perform either administrative or audit tasks in this workspace. When the user logs in, they see the administrative UI tailored to their permissions.

Roles and Permissions in Cloudentity

Cloudentity implements the following set of roles intended for tenant and workspace administrators, granting their assignees specific permissions on a tenant or workspace:

| Action                                                 | Tenant Admin | Tenant Auditor | Workspace Admin | Workspace Auditor | Tenant Member (None) |
|--------------------------------------------------------|--------------|----------------|-----------------|-------------------|----------------------|
| Get Tenant                                             | Yes          | Yes            | No              | No                | No                   |
| Update Tenant                                          | Yes          | No             | No              | No                | No                   |
| Read Tenant Roles                                      | Yes          | Yes            | No              | No                | No                   |
| Manage Tenant Roles                                    | Yes          | No             | No              | No                | No                   |
| Create Workspace                                       | Yes          | No             | No              | No                | No                   |
| Read Themes                                            | Yes          | Yes            | No              | No                | No                   |
| Manage Themes                                          | Yes          | No             | No              | No                | No                   |
| Read MFA Methods                                       | Yes          | Yes            | No              | No                | No                   |
| Manage MFA Methods                                     | Yes          | No             | No              | No                | No                   |
| Read Brute Force Protection Settings                   | Yes          | Yes            | No              | No                | No                   |
| Manage Brute Force Protection Settings                 | Yes          | No             | No              | No                | No                   |
| Read Workspace Theme Binding                           | Yes          | Yes            | No              | No                | No                   |
| Manage Workspace Theme Binding                         | Yes          | No             | No              | No                | No                   |
| Read Identity Pools                                    | Yes          | Yes            | No              | No                | No                   |
| Manage Identity Pools                                  | Yes          | No             | No              | No                | No                   |
| Read Identity Pool Users                               | Yes          | Yes            | No              | No                | No                   |
| Manage Identity Pool Users                             | Yes          | No             | No              | No                | No                   |
| Read Permission Systems                                | Yes          | Yes            | No              | No                | No                   |
| Manage Permission Systems                              | Yes          | No             | No              | No                | No                   |
| Get Workspace                                          | Yes          | Yes            | Yes             | Yes               | No                   |
| Update Workspace                                       | Yes          | No             | Yes             | No                | No                   |
| Delete Workspace                                       | Yes          | No             | No              | No                | No                   |
| Read Workspace Roles                                   | Yes          | Yes            | Yes             | Yes               | No                   |
| Manage Workspace Roles                                 | Yes          | No             | Yes             | No                | No                   |
| Read Workspace Analytics                               | Yes          | Yes            | Yes             | Yes               | No                   |
| Read Services in Workspace                             | Yes          | Yes            | Yes             | Yes               | No                   |
| Manage Services in Workspace                           | Yes          | No             | Yes             | No                | No                   |
| Read Workspace IDPs                                    | Yes          | Yes            | Yes             | Yes               | No                   |
| Manage Workspace IDPs                                  | Yes          | No             | Yes             | No                | No                   |
| Read Workspace Extension Scripts                       | Yes          | Yes            | Yes             | Yes               | No                   |
| Manage Workspace Extension Scripts                     | Yes          | No             | Yes             | No                | No                   |
| Read Workspace Claims                                  | Yes          | Yes            | Yes             | Yes               | No                   |
| Manage Workspace Claims                                | Yes          | No             | Yes             | No                | No                   |
| Read Workspace Authorizers                             | Yes          | Yes            | Yes             | Yes               | No                   |
| Manage Workspace Authorizers                           | Yes          | No             | Yes             | No                | No                   |
| Read Workspace APIs                                    | Yes          | Yes            | Yes             | Yes               | No                   |
| Manage Workspace APIs                                  | Yes          | No             | Yes             | No                | No                   |
| Read Workspace Policies                                | Yes          | Yes            | Yes             | Yes               | No                   |
| Manage Workspace Policies                              | Yes          | No             | Yes             | No                | No                   |
| Read Webhooks                                          | Yes          | Yes            | Yes             | Yes               | No                   |
| Manage Webhooks                                        | Yes          | No             | Yes             | No                | No                   |
| Read Custom Apps                                       | Yes          | Yes            | Yes             | Yes               | No                   |
| Manage Custom Apps                                     | Yes          | No             | Yes             | No                | No                   |
| Read Secrets                                           | Yes          | Yes            | Yes             | Yes               | No                   |
| Manage Secrets                                         | Yes          | No             | Yes             | No                | No                   |
| Read Audit Events                                      | Yes          | Yes            | Yes             | Yes               | No                   |
| Read Clients                                           | Yes          | Yes            | Yes             | Yes               | No                   |
| Manage Clients                                         | Yes          | No             | Yes             | No                | No                   |
| Read System Templates (UI components)                  | Yes          | Yes            | No              | No                | Yes                  |
| Read System Tenant Services                            | Yes          | Yes            | No              | No                | Yes                  |
| Read System Tenant APIs                                | Yes          | Yes            | No              | No                | Yes                  |
| Read System Environment (overall state of the tenant)  | Yes          | Yes            | No              | No                | Yes                  |
| Read System Notifications                              | Yes          | Yes            | No              | No                | Yes                  |

This way, you can grant each Cloudentity administrator only the privilege level their responsibilities require, in accordance with the needs of your organization.

```mermaid
flowchart LR
    role1[Tenant Admin]
    role2[Tenant Auditor]
    role3[Workspace A Admin]
    role4[Workspace A Auditor]
    action1[Manage Tenant]
    action2[Read Tenant]
    action3[Manage Workspace A Only]
    action4[Read Workspace A Only]
    action5[Manage All Workspaces]
    action6[Read All Workspaces]
    role1 ---> action1
    role1 ---> action2
    role1 ---> action3
    role1 ---> action4
    role1 ---> action5
    role1 ---> action6
    role2 ---> action2
    role2 ---> action3
    role2 ---> action4
    role2 ---> action6
    role3 ---> action3
    role3 ---> action4
    role4 ---> action4
    action1 ---> id1[Create Identity Pool]
    action2 ---> id2[Check Users in Identity Pool]
    action3 ---> id3[Add New Client]
    action3 ---> id4[Connect IDP]
    action3 ---> id5[Create Extension Scripts and Custom Applications]
    action4 ---> id6[Check Connected Clients]
    action4 ---> id7[Check Logs]
```
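The matrix and diagram above combine a tenant-wide role with per-workspace roles that apply to one workspace only. The following added example (not Cloudentity's own code) models a subset of the table as data, evaluates deny-by-default, scope-aware access decisions for a user holding both kinds of role, and checks the least-privilege invariant the table exhibits: auditor and member roles are never granted a Manage, Update, Create, or Delete action. The workspace names (ws-a, ws-b), user records, and function names are constructed for the example.

```python
# Added example, not Cloudentity's code: a subset of the permission matrix
# above as data, plus a deny-by-default, scope-aware access check.
# Workspace names and user records are constructed for illustration.
WORKSPACE_ROLES = {"Workspace Admin", "Workspace Auditor"}
ALL_READERS = {"Tenant Admin", "Tenant Auditor"} | WORKSPACE_ROLES
READ_ONLY_ROLES = {"Tenant Auditor", "Workspace Auditor", "Tenant Member"}
MUTATING_VERBS = ("Manage", "Update", "Create", "Delete")

# action -> roles granted that action (rows copied from the table above)
MATRIX = {
    "Update Tenant": {"Tenant Admin"},
    "Read Identity Pool Users": {"Tenant Admin", "Tenant Auditor"},
    "Manage Identity Pool Users": {"Tenant Admin"},
    "Get Workspace": ALL_READERS,
    "Read Audit Events": ALL_READERS,
    "Manage Clients": {"Tenant Admin", "Workspace Admin"},
    "Read System Notifications": {"Tenant Admin", "Tenant Auditor", "Tenant Member"},
}

def action_scope(action):
    """Workspace-scoped if any workspace role can hold it, else tenant-scoped."""
    return "workspace" if MATRIX[action] & WORKSPACE_ROLES else "tenant"

def is_allowed(user, action, workspace=None):
    """Deny by default. A tenant role applies across all workspaces; a
    workspace role counts only in the workspace it was assigned in."""
    if action not in MATRIX:
        return False
    held = {user["tenant_role"]}
    if action_scope(action) == "workspace":
        if workspace is None:
            return False  # workspace actions need a target workspace
        ws_role = user["workspace_roles"].get(workspace)
        if ws_role:
            held.add(ws_role)
    return bool(MATRIX[action] & held)

def least_privilege_violations(matrix):
    """Return (action, role) pairs where a read-only role is granted a
    mutating action; empty for the matrix on this page."""
    return sorted(
        (action, role)
        for action, roles in matrix.items()
        if action.startswith(MUTATING_VERBS)
        for role in roles & READ_ONLY_ROLES
    )

if __name__ == "__main__":
    bob = {"tenant_role": "Tenant Auditor", "workspace_roles": {"ws-a": "Workspace Admin"}}
    print(is_allowed(bob, "Manage Clients", "ws-a"), is_allowed(bob, "Manage Clients", "ws-b"))
```

Run the violations check against any role matrix you export from your own tenant before rolling it out; a non-empty result means a read-only role has been granted write access.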
Updated: Nov 2, 2023