Skip to main content

Assigning Roles to Cloudentity Administrators

Learn how Cloudentity implements roles for tenant and workspace administrators and how to assign these roles.

About Roles for Cloudentity Administrators

Cloudentity allows you to assign roles to administrators. This way, administrators only have access to actions in scope of their responsibilities, ranging from administrating the whole tenant to read-only access limited to a specific workspace.

Assign Roles to Tenant Administrators in New Tenant

  1. Go to Tenant Settings > Administrators.

    Tenant settings
  2. If the list is empty, select Create New to invite a new administrator. Enter the admin's e-mail, First Name Last Name, and Tenant Role, then select Create.

    New admin is created and the User Profile form opens. Invitation e-mail is sent to the admin's e-mail. Once the admin accepts the invitation, their account becomes active, and they are able to log in and perform actions matching their assigned role.

  3. To assign a new role to existing admin, select the admin from the list to open the User Profile page. Assign a role to the admin in the Tenant Role field.

Assign Roles to Tenant Administrators in Existing Tenant

Only Tenant Admins can perform this action. This flow is valid for tenants existing before roles were implemented.

  1. Go to Tenant Settings > Administrators.

    Select Open Admin Workspace as prompted. You are redirected to the Identity Providers page in the Admin workspace.

    Tenant settings
  2. Select the Built in Admin IDP.

  3. Select Manage Pool from the IDP configuration page. You are redirected to the Identity Pools page where you can see the Cloudentity Administrators Identity Pool. Open this pool and go to Users page.

  4. Select a user to assign a role to. Go to the Roles page and select a tenant role for this user.

  5. Save changes. Affected user should now have permissions matching the assigned role.

Assign Workspace Administrators

Only Tenant or Workspace Administrators can perform this action. All tenant administrators, auditors, and members can be assigned a workspace role.

  1. In the target workspace, go to Manage Access. This page shows a list of users with Admin/Auditor rights in scope of this workspace.

  2. Select Add User and select the user from the form (which shows all tenant admins, auditors, and members).

    Field

    Description

    Role

    Role to be assigned to the user, either Workspace Admin or Workspace Auditor.

    User

    User to be granted a role in this workspace.

  3. Select Add. This user can now perform either administrative or auditorial tasks on this workspace. When the user logs in, they see the administrative UI tailored to their permissions.

Roles and Permissions in Cloudentity

Cloudentity implements the following set of roles intended for tenant and workspace administrators, granting their assignees specific permissions on a tenant or workspace:

Action

Tenant Admin

Tenant Auditor

Workspace Admin

Workspace Auditor

Tenant Member (None)

Get Tenant

Yes

Yes

No

No

No

Update Tenant

Yes

No

No

No

No

Read Tenant Roles

Yes

Yes

No

No

No

Manage Tenant Roles

Yes

No

No

No

No

Create Workspace

Yes

No

No

No

No

Read Themes

Yes

Yes

No

No

No

Manage Themes

Yes

No

No

No

No

Read MFA Methods

Yes

Yes

No

No

No

Manage MFA Methods

Yes

No

No

No

No

Read Brute Force Protection Settings

Yes

Yes

No

No

No

Manage Brute Force Protection Settings

Yes

No

No

No

No

Read Workspace Theme Binding

Yes

Yes

No

No

No

Manage Workspace Theme Binding

Yes

No

No

No

No

Read Identity Pools

Yes

Yes

No

No

No

Manage Identity Pools

Yes

No

No

No

No

Read Identity Pool Users

Yes

Yes

No

No

No

Manage Identity Pool Users

Yes

No

No

No

No

Read Permission Systems

Yes

Yes

No

No

No

Manage Permission Systems

Yes

No

No

No

No

Get Workspace

Yes

Yes

Yes

Yes

No

Update Workspace

Yes

No

Yes

No

No

Delete Workspace

Yes

No

No

No

No

Read Workspace Roles

Yes

Yes

Yes

Yes

No

Manage Workspace Roles

Yes

No

Yes

No

No

Read Workspace Analytics

Yes

Yes

Yes

Yes

No

Read Services in Workspace

Yes

Yes

Yes

Yes

No

Manage Services in Workspace

Yes

No

Yes

No

No

Read Workspace IDPs

Yes

Yes

Yes

Yes

No

Manage Workspace IDPs

Yes

No

Yes

No

No

Read Workspace Extension Scripts

Yes

Yes

Yes

Yes

No

Manage Workspace Extension Scripts

Yes

No

Yes

No

No

Read Workspace Claims

Yes

Yes

Yes

Yes

No

Manage Workspace Claims

Yes

No

Yes

No

No

Read Workspace Authorizers

Yes

Yes

Yes

Yes

No

Manage Workspace Authorizers

Yes

No

Yes

No

No

Read Workspace APIs

Yes

Yes

Yes

Yes

No

Manage Workspace APIs

Yes

No

Yes

No

No

Read Workspace Policies

Yes

Yes

Yes

Yes

No

Manage Workspace Policies

Yes

No

Yes

No

No

Read Webhooks

Yes

Yes

Yes

Yes

No

Manage Webhooks

Yes

No

Yes

No

No

Read Custom Apps

Yes

Yes

Yes

Yes

No

Manage Custom Apps

Yes

No

Yes

No

No

Read Secrets

Yes

Yes

Yes

Yes

No

Manage Secrets

Yes

No

Yes

No

No

Read Audit Events

Yes

Yes

Yes

Yes

No

Read Clients

Yes

Yes

Yes

Yes

No

Manage Clients

Yes

No

Yes

No

No

Read System Templates (UI components)

Yes

Yes

No

No

Yes

Read System Tenant Services

Yes

Yes

No

No

Yes

Read System Tenant APIs

Yes

Yes

No

No

Yes

Read System Environment (overall state of the tenant)

Yes

Yes

No

No

Yes

Read System Notifications

Yes

Yes

No

No

Yes

This way, you can restrict the privilege level sufficient for specific Cloudentity administrators in accordance with the needs of your organization.

Roles_and_Permissions_in_Cloudentity.svg