Privileged Access Service provides two predefined roles by default: Everybody and System Administrator. Initially, only the members of the System Administrator role have the full rights to perform all administrative tasks. If you want to delegate full administrative activity to other users, you can add them to the predefined System Administrator role.
All other users are added to the Everybody role by default.
In most organizations, however, the two default roles do not provide enough granular control over who can do what or which policies should be applied to different groups of users, so additional roles are necessary. You can create as many additional roles as you need.
You can add roles before or after you add directory service users. If you plan to delegate some administrative activity to other users, you might want to create the roles with specific administrative rights before you add users to the service.
To add a role
- In the Admin Portal, click Access > Roles.
- Click Add Role.
- Type the role name and an optional description, then click Save.
- Click Members > Add to add users to the role.
  You can add directory service users and external identity store users. If you are preparing a role with administrative rights before adding or inviting users, you can add the appropriate members later.
- Click Administrative Rights > Add.
- Select the check box associated with each right you want to assign to the role, then click Add.
  For a description of the administrative rights, see Admin Portal administrative rights.
- Click Save.