Users and Roles

Admin Portal roles are sets of user accounts. You use roles to assign applications, permissions, and policies to sets of users. Users can be members of multiple roles.

Privileged Access Service provides two predefined roles:

  • System Administrator
  • Everybody

The account that is created automatically at tenant creation is an Privileged Access Service service user account and is automatically made a member of the System Administrator role with all administrative rights. Roles control what different sets of users can do and you can add roles to define the policies that apply to different groups of users.

By default, all new privileged access service users are added to the Everybody role. Members of the Everybody role are automatically granted permission to access to the Admin Portal. If you have some users that are not included in the Everybody role, however, you must explicitly deploy the Admin Portal application to the role where those users are members.

The Privileged Access Service assigns applications and applies the selected administrative rights to all role members. For example, if you add an Active Directory/LDAP group to a role, the applications assigned to that role are now available to members of that group. Similarly, when you remove a user from a role, the Privileged Access Service deletes all the web applications assigned to that role from registered devices.

Changes that impact the assigned applications or administrative rights will take effect when the user next logs in to the device. You can push the changes to the users for immediate update by selecting the role members on the Users page and sending the Reload command.

See Predefined roles for a list of predefined roles.

Your role must have the Roles Management administrative right to add and modify roles. See Creating Privileged Access Service administrators.