---
title: Roles and Permissions in PingOne
description: The ability to perform an action in PingOne is determined by Role-Based Access Control (RBAC). For example, when you initiate a request to a PingOne endpoint, you must have the role required by the endpoint to execute the request. Roles define the permissions available to users with that role.
component: pingone-api
page_id: pingone-api:platform:reference/roles-and-permissions-in-pingone
canonical_url: https://developer.pingidentity.com/pingone-api/platform/reference/roles-and-permissions-in-pingone.html
---

# Roles and Permissions in PingOne

The ability to perform an action in PingOne is determined by Role-Based Access Control (RBAC). For example, when you initiate a request to a PingOne endpoint, you must have the role required by the endpoint to execute the request. Roles define the permissions available to users with that role.

Refer to:

* [Built-in Admin Roles](../roles/predefined-roles.html) for the PingOne built-in admin roles that can be assigned.

  * [Custom Admin Roles](../roles/custom-roles.html) to create your own roles for PingOne administrators.

* [PingOne Permissions by Identifier](roles-and-permissions-in-pingone/pingone-permissions-by-identifier.html) for the permission identifiers and descriptions. This information is returned by [Read All Built-in Admin Roles](../roles/predefined-roles/read-all-roles.html).

* [PingOne Permissions by Service](roles-and-permissions-in-pingone/permissions-by-service.html) when assigning admin roles per PingOne service.

* [PingOne Permissions by Resource](roles-and-permissions-in-pingone/permissions-by-resource.html) when assigning admin roles per PingOne resource.

* [PingFederate SSO admin permissions](roles-and-permissions-in-pingone/pingfederate-sso-admin-permissions.html) for the available PingFederate roles.

Admin assignments to roles are set either by:

* [Automatic assignment for some roles](../roles/predefined-roles.html#automatic-role-assignment).

* [Group Role Assignments](../group-role-assignments/group-role-assignments.html).

* [User Role Assignments](../users/user-role-assignments.html).

The built-in PingOne roles are:

| Role                          | Can Assign                                                          |
| ----------------------------- | ------------------------------------------------------------------- |
| Organization Admin            | Environment Admin                                                   |
| Environment Admin             | All roles except Organization Admin                                 |
| Identity Data Admin           | Identity Data Admin, Identity Data Read-Only Admin, Help Desk Admin |
| DaVinci Admin                 | DaVinci Admin, DaVinci Read-Only Admin                              |
| Custom Role Admin             | None                                                                |
| Application Owner             | None                                                                |
| Identity Data Read-Only Admin | None                                                                |
| Configuration Read-Only Admin | None                                                                |
| DaVinci Read-Only Admin       | None                                                                |
| Client Application Developer  | None                                                                |
| Help Desk Admin               | None                                                                |
| PingOne Privilege Admin       | None                                                                |
| Promotion Admin               | None                                                                |