Roles and Permissions in PingOne
The ability to perform an action in PingOne is determined by Role-Based Access Control (RBAC). For example, when you initiate a request to a PingOne endpoint, you must have the role required by the endpoint to execute the request. Roles define the permissions available to users with that role.
- Refer to PingOne Role Permissions for the PingOne roles and their permissions.
- Refer to PingFederate SSO admin permissions for the available PingFederate roles.
- Refer to PingOne Permissions by Identifier for all permissions.
You’ll notice that our endpoint documentation uses icons to indicate the role or roles needed to access the endpoint (refer to Read All Built-in Admin Roles for an example).
The PingOne roles are:
| Role | Abbr. | Can Assign |
|---|---|---|
| Organization Admin | ORG | Environment Admin |
| Environment Admin | ENV | All roles except Organization Admin |
| Identity Data Admin | IDA | Identity Data Admin, Identity Data Read-Only Admin, Help Desk Admin |
| DaVinci Admin | DVA | DaVinci Admin, DaVinci Read-Only Admin |
| Custom Role Admin | ROLE | None |
| Application Owner | APP-O | None |
| Identity Data Read-Only Admin | IDA-R | None |
| Configuration Read-Only Admin | CFA-R | None |
| DaVinci Read-Only Admin | DVA-R | None |
| Client Application Developer | APP | None |
| Help Desk Admin | HDA | None |
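
The following is an added example, not code from the PingOne documentation. It encodes the Can Assign column of the table above by role abbreviation, computes which roles each role can reach through chains of assignment, and checks role-assignment records against the column. The record format, user names and function names are assumptions made for illustration, and the sample records are constructed.

```python
# Can Assign column of the table above, keyed by role abbreviation.
ALL_ROLES = ["ORG", "ENV", "IDA", "DVA", "ROLE", "APP-O",
             "IDA-R", "CFA-R", "DVA-R", "APP", "HDA"]

CAN_ASSIGN = {role: set() for role in ALL_ROLES}   # rows listed as "None"
CAN_ASSIGN["ORG"] = {"ENV"}
CAN_ASSIGN["ENV"] = set(ALL_ROLES) - {"ORG"}       # all roles except Organization Admin
CAN_ASSIGN["IDA"] = {"IDA", "IDA-R", "HDA"}
CAN_ASSIGN["DVA"] = {"DVA", "DVA-R"}


def reachable_roles(start):
    """Roles obtainable through chains of assignment that begin at `start`."""
    seen, stack = set(), [start]
    while stack:
        for granted in CAN_ASSIGN[stack.pop()]:
            if granted not in seen:
                seen.add(granted)
                stack.append(granted)
    return seen


def audit(assignments):
    """Return records whose granted role is outside the assigner's Can Assign set.

    Unknown role names contribute nothing, so such records are flagged.
    """
    findings = []
    for rec in assignments:
        allowed = set().union(*(CAN_ASSIGN.get(r, set()) for r in rec["assigner_roles"]))
        if rec["granted"] not in allowed:
            findings.append(rec)
    return findings


# Constructed sample records (hypothetical format, not a PingOne export).
SAMPLE = [
    {"assigner": "alice", "assigner_roles": ["ORG"], "granted": "ENV"},
    {"assigner": "bob", "assigner_roles": ["IDA"], "granted": "HDA"},
    {"assigner": "carol", "assigner_roles": ["IDA"], "granted": "ENV"},
    {"assigner": "dave", "assigner_roles": ["APP", "HDA"], "granted": "APP"},
    {"assigner": "erin", "assigner_roles": ["ENV"], "granted": "ORG"},
]

if __name__ == "__main__":
    for role in ALL_ROLES:
        print(f"{role:6} -> {sorted(reachable_roles(role))}")
    for rec in audit(SAMPLE):
        print("not permitted by Can Assign:", rec)
```

The closure makes the delegation chain visible: Organization Admin lists only Environment Admin, but through Environment Admin it reaches every role in the table except Organization Admin itself, which no row lists as assignable.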