Manage Cloud Identity Engine App Roles
App roles determine the privileges that users have and how they can use the Cloud Identity Engine
app. For more information on roles, refer to the Common Services documentation. To configure a
role:
- Select Common Services > Identity & Access.
- Select the tenant containing the user whose role you want to assign (if it's not already selected).
- Select a user and click Assign Roles.
- To Add Access, select Cloud Identity Engine from the list of Apps & Services.
- Select the appropriate Role for the user from the following table, based on the user's access needs.
| Role | Description |
|---|---|
| View Only Administrator | This role allows users to view all available data for the tenant in the Cloud Identity Engine, including detailed Active Directory (AD) data. |
| Deployment Administrator | This role provides access to deployment functionality and view-only access to other functions. This role allows users to view AD summary data, but they can't view or query detailed AD data. |
| MSP Superuser | This role provides full viewing and editing privileges for all functions for all tenants in a multitenant hierarchy. Assign this role only to users or service accounts who need unrestricted access to the Managed Service Provider (MSP) portal. |
| Superuser | This role provides full viewing and editing privileges for all available functions system-wide. It includes all privileges for all other roles. Assign this role only to users or service accounts who need unrestricted privileges. |
If a user has multiple roles in the Managed Service Provider (MSP) portal, the user is granted the privileges of the single role that encompasses all of the privileges granted by each of the user's roles.
For example, if a user has both the View Only Administrator role and the Deployment Administrator role for the Cloud Identity Engine, the Deployment Administrator role grants management privileges without the ability to view or query detailed data, while the View Only Administrator role grants privileges to view all Cloud Identity Engine data, including detailed data. Because no single role other than Superuser covers both sets of privileges, a user who has both of these roles is granted the same privileges as a user with the Superuser role, which allows full viewing and editing privileges. Note that this combined grant is broader than either role by itself, so review users who hold more than one role with that in mind.
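The role-combination rule above can be modeled to audit assignments for users whose roles resolve to Superuser without Superuser ever being assigned directly. This is an added example, not Palo Alto Networks code or an API of the Cloud Identity Engine; the privilege labels are a constructed approximation of the role table (tenant-scoped roles only, MSP Superuser omitted), and the sample assignments are constructed.

```python
"""Model the Cloud Identity Engine role-combination rule and flag implicit Superuser grants."""
from typing import Dict, FrozenSet, List, Optional

# Constructed privilege labels approximating the role table on this page.
# Tenant-scoped roles only; MSP Superuser is deliberately left out of this model.
ROLE_PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "View Only Administrator": frozenset({"view_summary", "view_detailed"}),
    "Deployment Administrator": frozenset({"view_summary", "edit_deployment"}),
    "Superuser": frozenset({"view_summary", "view_detailed", "edit_deployment", "edit_all"}),
}


def effective_role(assigned: List[str]) -> Optional[str]:
    """Return the least-privileged role whose privileges cover every privilege
    granted by the assigned roles, mirroring the rule described on this page."""
    if not assigned:
        return None
    needed = frozenset().union(*(ROLE_PRIVILEGES[r] for r in assigned))
    covering = [r for r, p in ROLE_PRIVILEGES.items() if needed <= p]
    # The smallest covering privilege set is the least privilege that still satisfies all roles.
    return min(covering, key=lambda r: len(ROLE_PRIVILEGES[r]))


def effective_privileges(assigned: List[str]) -> FrozenSet[str]:
    """Privileges the user actually ends up with after role combination."""
    role = effective_role(assigned)
    return ROLE_PRIVILEGES[role] if role else frozenset()


def find_implicit_superusers(assignments: Dict[str, List[str]]) -> List[str]:
    """Users never assigned Superuser directly whose role combination resolves to it.
    These are the accounts to look at first in an access review."""
    return sorted(
        user for user, roles in assignments.items()
        if "Superuser" not in roles and effective_role(roles) == "Superuser"
    )


# Constructed sample assignments (not real accounts).
SAMPLE_ASSIGNMENTS: Dict[str, List[str]] = {
    "alice@example.com": ["View Only Administrator"],
    "bob@example.com": ["Deployment Administrator"],
    "carol@example.com": ["View Only Administrator", "Deployment Administrator"],
    "dave@example.com": ["Superuser"],
}

if __name__ == "__main__":
    for user, roles in SAMPLE_ASSIGNMENTS.items():
        print(f"{user}: {roles} -> {effective_role(roles)}")
    print("implicit Superuser:", find_implicit_superusers(SAMPLE_ASSIGNMENTS))
```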