Predefined roles

You use roles to assign applications, permissions, and policies to separate sets of users. Your role must have the Roles Management administrative right to view, add, and modify roles. See Creating Privileged Access Service administrators for the details.

Privileged Access Service provides the following predefined roles:

  • Everybody: By default, all Privileged Access Service users are assigned to this role. For example, all users that are added to the Centrify Directory by using bulk import are added to the Everybody role. When you add an individual user, the default setting is to add the account to the Everybody role. To exclude a user from the Everybody role, select the Is Service User option on the user Account page.

    It is best practice to assign most users to the Everybody role. However, there are users you may not want to have in the Everybody role; for example, temporary users such as service contractors.

  • Invited Users: This role is created when you use the Invite Users button and select Invited Users as the Role.

    If you do not use the Invite Users button or select the Invited Users role when you invite a user, this role is not created.

  • sysadmin: This role grants full access to all Admin Portal settings. By default, the Centrify Directory account for the user who signed up for Privileged Access Service is a sysadmin role member. You cannot delete or rename the sysadmin role.

    Only sysadmin role members can add more users to the sysadmin role.

  • Read only Administrator: This role is automatically created when you enable read-only access for a support technician.

    You can delete the Readonly Administrator role after the time period expires.