Manage Cloud Identity Engine App Roles
App roles determine the privileges that users have and how they can use the Cloud Identity Engine
app. For more information on roles, refer to the Common Services documentation. To configure a
role:
- Select Common Services > Identity & Access.
- Select the tenant containing the user whose role you want to assign.
- Select a user and click Assign Roles or if the user already has a role, click Add Another.
- Select Cloud Identity Engine from the list of All Apps & Services.
- Based on the user’s access needs, select the appropriate Role for the user from the following table:
| Role | Description |
|---|---|
| Deployment Administrator | This role provides access to deployment functionality and view-only access to other functions. This role allows users to view directory summary data but they can't view or query detailed directory data. |
| Multitenant Superuser | This role provides full viewing and editing privileges for all functions for all tenants in a multitenant hierarchy. Assign this role only to users or service accounts who need unrestricted access to the Cloud Identity Engine. |
| Superuser | This role provides full viewing and editing privileges for all available functions system-wide. It includes all privileges for all other roles. Assign this role only to users or service accounts who need unrestricted privileges. |
| Vault View Only Administrator | This role provides read-only access to Cloud Identity Engine vault functionality. It allows administrators to view vault configurations, secrets metadata, and policies without modification capabilities. |
| Vault Administrator | This role provides full read and write access to Cloud Identity Engine vault functionality. It enables administrators to manage vault configurations, secrets, policies, and access controls. |
| View Only Administrator | This role allows users to view all available data for the tenant in the Cloud Identity Engine, including detailed directory data. |
If a user has multiple roles in the hub, the user's effective privileges are the union of the privileges granted by each role: the user is granted the privileges of the single role that includes every privilege granted by any of the user's roles.
For example, the Deployment Administrator role grants management privileges for deployment functionality but no ability to view or query detailed directory data, while the View Only Administrator role grants privileges to view all Cloud Identity Engine data, including detailed directory data. The only single role that includes both sets of privileges is Superuser, so a user who holds both roles is granted the same privileges as a user with the Superuser role, that is, full viewing and editing privileges. Note that this combination grants editing privileges for functions that neither role confers on its own, so review the resulting effective role before adding a second role to a user.
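The following is an added example, not Palo Alto Networks code, that models the resolution rule above: the effective role is the smallest single role whose privileges cover the union of everything the assigned roles grant. It then audits every pair of Cloud Identity Engine app roles for combinations that resolve to a role neither member holds, which is the escalation the example above describes. The privilege labels and the per-role privilege sets are an assumed, simplified reading of the role table; the product's real permission model is finer-grained and is not published on this page.

```python
"""
Added example (not Palo Alto Networks code): models how the hub resolves several
Cloud Identity Engine app roles into one effective role, and audits which role
combinations escalate beyond either role alone.

ASSUMPTION: the privilege labels and the per-role sets below are a simplified
reading of the role descriptions in the table; the real permission model is
finer-grained than this.
"""
from itertools import combinations

VIEW_PRIVS = {
    "directory:view_summary", "directory:view_detailed",
    "deployment:view", "vault:view", "config:view",
}
EDIT_PRIVS = {"deployment:edit", "vault:edit", "config:edit"}

# Assumed privilege sets derived from the role table.
ROLE_PRIVILEGES = {
    "Vault View Only Administrator": {"vault:view"},
    "Vault Administrator": {"vault:view", "vault:edit"},
    # deployment management plus view-only access to other functions,
    # but no detailed directory data
    "Deployment Administrator":
        (VIEW_PRIVS - {"directory:view_detailed"}) | {"deployment:edit"},
    "View Only Administrator": set(VIEW_PRIVS),
    "Superuser": VIEW_PRIVS | EDIT_PRIVS,
    "Multitenant Superuser": VIEW_PRIVS | EDIT_PRIVS | {"tenants:all"},
}


def union_privileges(roles):
    """Union of the privileges granted by each assigned role."""
    privs = set()
    for role in roles:
        privs |= ROLE_PRIVILEGES[role]  # KeyError on an unknown role is intentional
    return privs


def effective_role(roles):
    """Smallest single role whose privilege set covers everything the roles grant.

    Multitenant Superuser is a superset of every other role, so a candidate
    always exists. Ties on size are broken by role name.
    """
    needed = union_privileges(roles)
    candidates = [(len(p), name) for name, p in ROLE_PRIVILEGES.items() if needed <= p]
    return min(candidates)[1]


def over_grant(roles):
    """Privileges the effective role adds beyond what the roles themselves grant."""
    return ROLE_PRIVILEGES[effective_role(roles)] - union_privileges(roles)


def escalating_pairs():
    """Role pairs whose combination resolves to a role neither member holds."""
    out = {}
    for a, b in combinations(sorted(ROLE_PRIVILEGES), 2):
        eff = effective_role([a, b])
        if eff not in (a, b):
            out[(a, b)] = (eff, sorted(over_grant([a, b])))
    return out


if __name__ == "__main__":
    for (a, b), (eff, extra) in escalating_pairs().items():
        print(f"{a} + {b} -> {eff}; privileges neither role grants alone: {extra}")
```

Under this model, View Only Administrator plus Deployment Administrator resolves to Superuser and picks up `vault:edit` and `config:edit`, which is the escalation the example above describes; the audit is worth re-running against your own reading of the role table before assigning a second role to any account.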