Assigning Roles to SecureAuth Administrators
Learn how SecureAuth implements roles for tenant and workspace administrators and how to assign these roles.
About Roles for SecureAuth Administrators
SecureAuth allows you to assign roles to administrators. This way, administrators only have access to actions in scope of their responsibilities, ranging from administrating the whole tenant to read-only access limited to a specific workspace.
Assign Roles to Tenant Administrators in New Tenant
-
Go to Tenant Settings > Administrators.
-
If the list is empty, select Create New to invite a new administrator. Enter the admin's e-mail, First Name Last Name, and Tenant Role, then select Create.
New admin is created and the User Profile form opens. Invitation e-mail is sent to the admin's e-mail. Once the admin accepts the invitation, their account becomes active, and they are able to log in and perform actions matching their assigned role.
-
To assign a new role to existing admin, select the admin from the list to open the User Profile page. Assign a role to the admin in the Tenant Role field.
Assign Roles to Tenant Administrators in Existing Tenant
Only Tenant Admins can perform this action. This flow is valid for tenants existing before roles were implemented.
-
Go to Tenant Settings > Administrators.
Select Open Admin Workspace as prompted. You are redirected to the Identity Providers page in the Admin workspace.
-
Select the Built in Admin IDP.
-
Select Manage Pool from the IDP configuration page. You are redirected to the Identity Pools page where you can see the SecureAuth Administrators Identity Pool. Open this pool and go to Users page.
-
Select a user to assign a role to. Go to the Roles page and select a tenant role for this user.
-
Save changes. Affected user should now have permissions matching the assigned role.
Assign Workspace Administrators
Only Tenant or Workspace Administrators can perform this action. All tenant administrators, auditors, and members can be assigned a workspace role.
-
In the target workspace, go to Manage Access. This page shows a list of users with Admin/Auditor rights in scope of this workspace.
-
Select Add User and select the user from the form (which shows all tenant admins, auditors, and members).
Field Description Role Role to be assigned to the user, either Workspace Admin or Workspace Auditor. User User to be granted a role in this workspace. -
Select Add. This user can now perform either administrative or auditorial tasks on this workspace. When the user logs in, they see the administrative UI tailored to their permissions.
Roles and Permissions in SecureAuth
SecureAuth implements the following set of roles intended for tenant and workspace administrators, granting their assignees specific permissions on a tenant or workspace:
| Action | Tenant Admin | Tenant Auditor | Workspace Admin | Workspace Auditor | Tenant Member (None) |
|---|---|---|---|---|---|
| Get Tenant | Yes | Yes | No | No | No |
| Update Tenant | Yes | No | No | No | No |
| Read Tenant Roles | Yes | Yes | No | No | No |
| Manage Tenant Roles | Yes | No | No | No | No |
| Create Workspace | Yes | No | No | No | No |
| Read Themes | Yes | Yes | No | No | No |
| Manage Themes | Yes | No | No | No | No |
| Read MFA Methods | Yes | Yes | No | No | No |
| Manage MFA Methods | Yes | No | No | No | No |
| Read Brute Force Protection Settings | Yes | Yes | No | No | No |
| Manage Brute Force Protection Settings | Yes | No | No | No | No |
| Read Workspace Theme Binding | Yes | Yes | No | No | No |
| Manage Workspace Theme Binding | Yes | No | No | No | No |
| Read Identity Pools | Yes | Yes | No | No | No |
| Manage Identity Pools | Yes | No | No | No | No |
| Read Identity Pool Users | Yes | Yes | No | No | No |
| Manage Identity Pool Users | Yes | No | No | No | No |
| Read Permission Systems | Yes | Yes | No | No | No |
| Manage Permission Systems | Yes | No | No | No | No |
| Get Workspace | Yes | Yes | Yes | Yes | No |
| Update Workspace | Yes | No | Yes | No | No |
| Delete Workspace | Yes | No | No | No | No |
| Read Workspace Roles | Yes | Yes | Yes | Yes | No |
| Manage Workspace Roles | Yes | No | Yes | No | No |
| Read Workspace Analytics | Yes | Yes | Yes | Yes | No |
| Read Services in Workspace | Yes | Yes | Yes | Yes | No |
| Manage Services in Workspace | Yes | No | Yes | No | No |
| Read Workspace IDPs | Yes | Yes | Yes | Yes | No |
| Manage Workspace IDPs | Yes | No | Yes | No | No |
| Read Workspace Extension Scripts | Yes | Yes | Yes | Yes | No |
| Manage Workspace Extension Scripts | Yes | No | Yes | No | No |
| Read Workspace Claims | Yes | Yes | Yes | Yes | No |
| Manage Workspace Claims | Yes | No | Yes | No | No |
| Read Workspace Authorizers | Yes | Yes | Yes | Yes | No |
| Manage Workspace Authorizers | Yes | No | Yes | No | No |
| Read Workspace APIs | Yes | Yes | Yes | Yes | No |
| Manage Workspace APIs | Yes | No | Yes | No | No |
| Read Workspace Policies | Yes | Yes | Yes | Yes | No |
| Manage Workspace Policies | Yes | No | Yes | No | No |
| Read Webhooks | Yes | Yes | Yes | Yes | No |
| Manage Webhooks | Yes | No | Yes | No | No |
| Read Custom Apps | Yes | Yes | Yes | Yes | No |
| Manage Custom Apps | Yes | No | Yes | No | No |
| Read Secrets | Yes | Yes | Yes | Yes | No |
| Manage Secrets | Yes | No | Yes | No | No |
| Read Audit Events | Yes | Yes | Yes | Yes | No |
| Read Clients | Yes | Yes | Yes | Yes | No |
| Manage Clients | Yes | No | Yes | No | No |
| Read System Templates (UI components) | Yes | Yes | No | No | Yes |
| Read System Tenant Services | Yes | Yes | No | No | Yes |
| Read System Tenant APIs | Yes | Yes | No | No | Yes |
| Read System Environment (overall state of the tenant) | Yes | Yes | No | No | Yes |
| Read System Notifications | Yes | Yes | No | No | Yes |
This way, you can restrict the privilege level sufficient for specific SecureAuth administrators in accordance with the needs of your organization.
