---
title: PingOne Built-in Role Permissions
description: "Can assign: Environment Admin"
component: pingone-api
page_id: pingone-api:platform:reference/roles-and-permissions-in-pingone/pingone-role-permissions
canonical_url: https://developer.pingidentity.com/pingone-api/platform/reference/roles-and-permissions-in-pingone/pingone-role-permissions.html
section_ids:
  organization-admin-role: Organization Admin Role
  environment-admin-role: Environment Admin Role
  identity-data-admin-role: Identity Data Admin Role
  identity-data-read-only-admin-role: Identity Data Read-Only Admin Role
  davinci-admin-role: DaVinci Admin Role
  davinci-read-only-admin-role: DaVinci Read-Only Admin Role
  client-application-developer-role: Client Application Developer Role
  application-owner-role: Application Owner Role
  configuration-read-only-admin-role: Configuration Read-Only Admin Role
  custom-role-admin-role: Custom Role Admin Role
  help-desk-admin-role: Help Desk Admin Role
  pingone-privilege-administrator-role: PingOne Privilege Administrator Role
---

# PingOne Built-in Role Permissions

## Organization Admin Role

**Can assign**: Environment Admin

| Category | Permission |
| --- | --- |
| Applications | Read application catalog |
| Authorization | Authorize, create, delete, read, and update decision endpoint; Create, delete, read, test, and update entity; Delete, read, and update tag; Read authorize gateway deployment; Read deployment package; Read policy version; Read recent decisions |
| Directory | Create, delete, read, and update custom roles |
| Integrations | Read and validate PingID migration; Read provisioning rule |
| Monitoring | Read API usage; Read DaVinci metrics; Read authentication; Read dashboard; Read template; Read user demographics |
| Organization | Create and read bootstrap; Create and read deployment; Create, delete, promote, read, and update environment; Read console access; Read license; Read organization; Read rate limits |
| Other | Create and update advanced identity cloud orchestration; Create, delete, read, and update PingOne for Enterprise orchestration; Create, delete, read, and update pingintelligence orchestration; Read and update early access features |
| Settings | Create key; Display environment overview; Display environment properties; Read and update administrator security configuration; Update environment license; Update mutable properties |
| Threat Protection | Create and read exploration |

## Environment Admin Role

**Can assign**: All roles except Organization Admin

| Category | Permission |
| --- | --- |
| Applications | Create, delete, import, read, and update application; Create, delete, import, read, and update resource; Create, delete, read, and update attribute; Create, delete, read, and update flow policy assignment; Create, delete, read, and update grant; Create, delete, read, and update key rotation policy; Create, delete, read, and update scope; Create, delete, read, and update sign-on policy assignment; Delete, read, set, and update application secret; Delete, read, set, and update resources secret; Issue certificate; Read and update application admin role assignments; Read application catalog |
| Authentication | Create, delete, and read FIDO device metadata; Create, delete, and read adaptive access policy assignment; Create, delete, read, and update FIDO policy; Create, delete, read, and update OATH token; Create, delete, read, and update adaptive access policy; Create, delete, read, and update device authentication policy; Create, delete, read, and update experience builder features; Create, delete, read, and update password policy; Create, delete, read, and update push credentials; Create, delete, read, and update sign-on policy; Delete, read, and update MFA settings; Delete, read, and update device requirements; Read OATH job |
| Authorization | Authorize, create, read, and update decision endpoint; Create, delete, and read application role assignments; Create, delete, and read application role entries; Create, delete, read, and update API services; Create, delete, read, and update application permissions; Create, delete, read, and update application resources; Create, delete, read, and update application roles; Create, delete, read, and update authorization module; Create, delete, read, and update authorization processor; Create, delete, read, and update authorization statement; Create, delete, read, and update external OAuth server; Create, delete, read, test, and update authorization attribute; Create, delete, read, test, and update authorization condition; Create, delete, read, test, and update authorization policy; Create, delete, read, test, and update authorization rule; Create, delete, read, test, and update authorization service; Create, delete, read, test, and update entity; Delete, read, and update tag; Deploy and read API service deployment; Read application entitlements; Read authorize gateway deployment; Read deployment package; Read policy version; Read recent decisions |
| DaVinci | Read access token; Read flow policy |
| Digital Credentials | Create and read OpenID4VCI offer; Create, delete, and read verification session; Create, delete, read, and update credential signing key; Create, delete, read, and update credential type; Create, delete, read, and update digital wallet; Create, delete, read, and update digital wallet application; Create, delete, read, and update issuance rule; Create, delete, read, and update verifiable credential; Create, read, and update credential issuer profile; Read and update staged changes |
| Directory | Create, delete, read, and update population; Delete, read, and update schema; Read custom roles; Read group; Read group provisioning rule sync status; Read user role assignments; Read user target store sync status |
| Identity Verification | Create data based identity verification; Create identity record matching; Create, delete, get, and update document; Create, delete, read, and update verify policy; Create, delete, read, and update voice phrase; Create, delete, read, and update voice phrase content |
| Integrations | Check connection; Create and get revision; Create and update provisioning sync orchestration; Create, delete, read, and update gateway; Create, delete, read, and update identity provider; Delete, read, and update gateway role assignments; Delete, read, and update mapping; Delete, read, and update provisioning plan; Delete, read, and update provisioning rule; Delete, read, and update provisioning store; Execute, read, and validate PingID migration; Get connection sensitive configuration |
| Monitoring | Create, delete, read, and update alert delivery channel; Create, delete, read, test, and update subscription; Read DaVinci metrics; Read audit report and event data; Read authentication; Read dashboard; Read provisioning; Read template; Read user demographics |
| Organization | Create and read deployment; Create, delete, read, and update rate limit configurations; Promote, read, and update environment; Read console access; Read license; Read organization; Read rate limits |
| Other | Create and update advanced identity cloud orchestration; Create, read, and update configuration; Read and update PingOne for Enterprise orchestration; Read and update early access features; Read and update pingintelligence orchestration; Read getting started flows |
| Promotion | Create, delete, execute, and read promotion; Create, delete, read, and update promotion variable; Create, delete, read, and update snapshot; Read and update promotion configuration |
| Settings | Create, delete, read, and update certificate; Create, delete, read, and update custom domain; Create, delete, read, and update email domain; Create, delete, read, and update inbound traffic policy; Create, delete, read, and update key; Display environment overview; Display environment properties; Read and update administrator security configuration; Read and update ingress settings |
| Threat Protection | Create and read exploration; Create feedback; Create, delete, read, and update policy; Create, delete, read, and update predictor; Read and update risk settings |
| User Experience | Create notification; Create, delete, and read image; Create, delete, read, and update agreement; Create, delete, read, and update branding themes; Create, delete, read, and update form; Create, delete, read, and update language; Create, delete, read, and update notifications policy; Create, delete, read, and update template content; Delete, read, and update notifications settings; Delete, read, and update reCAPTCHA V2 configuration; Read and update branding settings; Read end user UI configurations; Read notification template; Read quota |

## Identity Data Admin Role

**Can assign**: Identity Data Admin, Identity Data Read-Only Admin, Help Desk Admin

| Category              | Permission                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Authentication        | Create test deviceCreate, delete, and read pairing keyCreate, delete, read, and update sessionsRead password policy                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| Authorization         | Create, delete, and read application role assignmentsCreate, delete, and read application role entriesCreate, delete, read, and update application permissionsCreate, delete, read, and update application resourcesCreate, delete, read, and update application rolesRead application entitlements                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| Digital Credentials   | Create and read OpenID4VCI offerCreate, delete, and read verification sessionCreate, delete, read, and update credential signing keyCreate, delete, read, and update credential typeCreate, delete, read, and update digital walletCreate, delete, read, and update digital wallet applicationCreate, delete, read, and update issuance ruleCreate, delete, read, and update verifiable credentialCreate, read, and update credential issuer profileRead and update staged changes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| Directory             | Authenticate, create, delete, read, and update deviceCreate, delete, and read group membershipCreate, delete, and read group role assignmentsCreate, delete, and read user linked accountsCreate, delete, import, invite, read, update, and verify userCreate, delete, read, and update accessing deviceCreate, delete, read, and update groupCreate, delete, read, and update user (SCIM)Create, delete, read, and update user association with accessing deviceDelete user identity assuranceForce change, read, recover, reset, set, unlock, and validate user passwordLock and unlock user accountRead and update user role assignmentsRead custom rolesRead group provisioning rule sync statusRead populationRead schemaRead schema (SCIM)Read sessionRead user (LDAP gateway)Read user target store sync statusReset user quotaUpdate user MFA-bypassUpdate user MFA-enabledUpdate user enabledUpdate user identity providerUpdate user verify statusValidate user password (LDAP gateway) |
| Identity Verification | Create data based identity verification; Create identity record matching; Create, delete, get, and update document; Create, delete, read, and update verify policy; Create, delete, read, and update verify transactions; Create, delete, read, and update voice phrase; Create, delete, read, and update voice phrase content; Delete and get reference data; Delete, get, and update verified user data |
| Integrations          | Execute direct LDAP; Read PingID migration; Read identity provider; Read provisioning rule; Validate Kerberos |
| Monitoring            | Read DaVinci metrics; Read PingID activity; Read audit report and event data; Read authentication; Read dashboard; Read template; Read user demographics |
| Organization          | Read console access; Read deployment; Read environment; Read license; Read organization; Read rate limit configurations; Read rate limits |
| Privilege             | Create onboarding token                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Settings              | Display environment overview; Display environment properties; Read administrator security configuration; Read certificate |
| Threat Protection     | Create and read exploration; Create feedback; Create prediction; Create, read, and update evaluation; Read policy; Read predictor; Read risk settings; Reset user profile |
| User Experience       | Create, delete, and read image; Create, delete, read, and update user consent; Create, read, and update OAuth consent |

## Identity Data Read-Only Admin Role

**Can assign**: None

| Category              | Permission                                                                                                                                                                                                                                                                                                                                                                                                     |
| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Authentication        | Read pairing key; Read password policy; Read sessions |
| Authorization         | Read application entitlements; Read application permissions; Read application resources; Read application role assignments; Read application role entries; Read application roles |
| Digital Credentials   | Read OpenID4VCI offer; Read credential issuer profile; Read credential signing key; Read credential type; Read digital wallet; Read digital wallet application; Read issuance rule; Read staged changes; Read verifiable credential; Read verification session |
| Directory             | Read accessing device; Read custom roles; Read device; Read group; Read group membership; Read group provisioning rule sync status; Read group role assignments; Read population; Read schema; Read schema (SCIM); Read session; Read user; Read user (LDAP gateway); Read user (SCIM); Read user association with accessing device; Read user linked accounts; Read user password; Read user role assignments; Read user target store sync status |
| Identity Verification | Read verify policy; Read verify transactions; Read voice phrase; Read voice phrase content |
| Integrations          | Read PingID migration; Read identity provider; Read provisioning rule |
| Monitoring            | Read DaVinci metrics; Read PingID activity; Read audit report and event data; Read authentication; Read dashboard; Read template; Read user demographics |
| Organization          | Read console access; Read deployment; Read environment; Read license; Read organization; Read rate limit configurations; Read rate limits |
| Settings              | Display environment overview; Display environment properties; Read administrator security configuration; Read certificate |
| Threat Protection     | Create and read exploration; Read evaluation; Read policy; Read predictor; Read risk settings |
| User Experience       | Read OAuth consent; Read image; Read user consent |

## DaVinci Admin Role

**Can assign**: DaVinci Admin, DaVinci Read-Only Admin

| Category        | Permission                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| --------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| DaVinci         | Create, delete, deploy, read, and update DaVinci flows; Create, delete, read, and update DaVinci UI templates; Create, delete, read, and update DaVinci applications; Create, delete, read, and update DaVinci connections; Create, delete, read, and update DaVinci flow policies; Create, delete, read, and update DaVinci variables; Delete, export, read, revert, and update DaVinci flow versions; Delete, read, and update DaVinci users; Read DaVinci connectors; Read DaVinci events; Read DaVinci interaction events; Read DaVinci stats |
| Directory       | Read schema                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| Integrations    | Read PingID migration                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Organization    | Read console access; Read deployment; Read environment; Read license; Read organization |
| Settings        | Display environment overview; Display environment properties |
| User Experience | Create, delete, read, and update form; Delete, read, and update reCAPTCHA V2 configuration; Read and update language; Read branding settings; Read branding themes |

## DaVinci Read-Only Admin Role

**Can assign**: None

| Category        | Permission                                                                                                                                                                                                                                                                          |
| --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| DaVinci         | Read DaVinci UI templates; Read DaVinci applications; Read DaVinci connections; Read DaVinci connectors; Read DaVinci events; Read DaVinci flow policies; Read DaVinci flow versions; Read DaVinci flows; Read DaVinci interaction events; Read DaVinci stats; Read DaVinci users; Read DaVinci variables |
| Directory       | Read schema                                                                                                                                                                                                                                                                         |
| Integrations    | Read PingID migration                                                                                                                                                                                                                                                               |
| Organization    | Read console access; Read deployment; Read environment; Read license; Read organization |
| Settings        | Display environment overview; Display environment properties |
| User Experience | Read branding settings; Read branding themes; Read form; Read language; Read reCAPTCHA V2 configuration |

## Client Application Developer Role

**Can assign**: None

| Category          | Permission                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Applications      | Create, delete, read, and update application; Create, delete, read, and update attribute; Create, delete, read, and update flow policy assignment; Create, delete, read, and update grant; Create, delete, read, and update resource; Create, delete, read, and update scope; Create, delete, read, and update sign-on policy assignment; Delete, read, and update application secret; Delete, read, and update resources secret; Read and update application admin role assignments; Read application catalog |
| Authentication    | Create, delete, and read adaptive access policy assignment; Create, delete, read, and update adaptive access policy; Create, delete, read, and update push credentials; Delete, read, and update device requirements; Read sign-on policy |
| Authorization     | Create, delete, read, and update API services; Create, delete, read, and update external OAuth server; Deploy and read API service deployment; Read application entitlements; Read application permissions; Read application resources; Read application role assignments; Read application role entries; Read application roles |
| DaVinci           | Read access token; Read flow policy |
| Directory         | Read custom roles; Read group; Read population; Read schema; Read user role assignments |
| Integrations      | Create, delete, read, and update identity provider; Read PingID migration; Read provisioning rule |
| Monitoring        | Read DaVinci metrics; Read authentication; Read dashboard; Read template; Read user demographics |
| Organization      | Read console access; Read deployment; Read environment; Read license; Read organization; Read rate limit configurations; Read rate limits |
| Other             | Read PingOne for Enterprise orchestration; Read and update configuration; Read getting started flows; Read pingintelligence orchestration |
| Settings          | Display environment overview; Display environment properties; Read administrator security configuration; Read certificate; Read custom domain; Read key |
| Threat Protection | Create and read exploration                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| User Experience   | Create, delete, and read image; Read branding settings; Read branding themes; Read end user UI configurations; Read form; Read reCAPTCHA V2 configuration |

## Application Owner Role

**Can assign**: None

| Category        | Permission                                                                                                                                                                                                                                                                                                      |
| --------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Applications    | Create, delete, read, and update flow policy assignment; Create, delete, read, and update sign-on policy assignment; Delete, read, and update application; Read application admin role assignments; Read application catalog; Read application secret; Read attribute; Read grant; Read resource; Read resources secret; Read scope |
| Authentication  | Create, delete, and read adaptive access policy assignment; Read device requirements; Read push credentials; Read sign-on policy |
| Authorization   | Read API services                                                                                                                                                                                                                                                                                               |
| DaVinci         | Read flow policy                                                                                                                                                                                                                                                                                                |
| Directory       | Read custom roles; Read group; Read schema |
| Organization    | Read environment; Read license; Read organization |
| Settings        | Display environment overview; Display environment properties; Read certificate; Read custom domain; Read key |
| User Experience | Create and read image                                                                                                                                                                                                                                                                                           |

## Configuration Read-Only Admin Role

**Can assign**: None

| Category              | Permission                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Applications          | Read application; Read application admin role assignments; Read application catalog; Read application secret; Read attribute; Read flow policy assignment; Read grant; Read key rotation policy; Read resource; Read resources secret; Read scope; Read sign-on policy assignment |
| Authentication        | Read FIDO device metadata; Read FIDO policy; Read MFA settings; Read OATH job; Read OATH token; Read adaptive access policy; Read adaptive access policy assignment; Read device authentication policy; Read device requirements; Read experience builder features; Read password policy; Read push credentials; Read sign-on policy |
| Authorization         | Read API service deployment; Read API services; Read application entitlements; Read application permissions; Read application resources; Read application role assignments; Read application role entries; Read application roles; Read authorization attribute; Read authorization condition; Read authorization module; Read authorization policy; Read authorization processor; Read authorization rule; Read authorization service; Read authorization statement; Read authorize gateway deployment; Read decision endpoint; Read deployment package; Read entity; Read external OAuth server; Read policy version; Read recent decisions; Read tag |
| DaVinci               | Read access token; Read flow policy |
| Digital Credentials   | Read OpenID4VCI offer; Read credential issuer profile; Read credential signing key; Read credential type; Read digital wallet; Read digital wallet application; Read issuance rule; Read verifiable credential; Read verification session |
| Directory             | Read custom roles; Read group; Read group provisioning rule sync status; Read population; Read schema; Read user role assignments; Read user target store sync status |
| Identity Verification | Read verify policy; Read voice phrase; Read voice phrase content |
| Integrations          | Read PingID migration; Read gateway; Read gateway role assignments; Read identity provider; Read mapping; Read provisioning plan; Read provisioning rule; Read provisioning store |
| Monitoring            | Read DaVinci metrics; Read alert delivery channel; Read audit report and event data; Read authentication; Read dashboard; Read provisioning; Read subscription; Read template; Read user demographics |
| Organization          | Read console accessRead deploymentRead environmentRead licenseRead organizationRead rate limit configurationsRead rate limits                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Other                 | Read PingOne for Enterprise orchestrationRead configurationRead early access featuresRead getting started flowsRead pingintelligence orchestration                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Promotion             | Read promotionRead promotion configurationRead promotion variableRead snapshot                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Settings              | Display environment overviewDisplay environment propertiesRead administrator security configurationRead certificateRead custom domainRead email domainRead inbound traffic policyRead ingress settingsRead key                                                                                                                                                                                                                                                                                                                                                                                            |
| Threat Protection     | Create and read explorationRead policyRead predictorRead risk settings                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| User Experience       | Read agreementRead branding settingsRead branding themesRead end user UI configurationsRead formRead imageRead languageRead notification templateRead notifications policyRead notifications settingsRead quotaRead reCAPTCHA V2 configurationRead template content                                                                                                                                                                                                                                                                                                                                       |

## Custom Role Admin Role

**Can assign**: None

| Category     | Permission                                                   |
| ------------ | ------------------------------------------------------------ |
| Directory    | Create, delete, read, and update custom roles                |
| Integrations | Read PingID migration                                        |
| Organization | Read deployment<br>Read environment<br>Read license<br>Read organization |
| Settings     | Display environment overview<br>Display environment properties |

## Help Desk Admin Role

**Can assign**: None

| Category        | Permission                                                                                                                                                                                                                                                                                                 |
| --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Authentication  | Read sessions                                                                                                                                                                                                                                                                                              |
| Authorization   | Read application entitlements<br>Read application permissions<br>Read application resources<br>Read application role assignments<br>Read application role entries<br>Read application roles |
| Directory       | Authenticate, create, delete, read, and update device<br>Read and verify user<br>Read group<br>Read group membership<br>Read population<br>Read schema<br>Read schema (SCIM)<br>Read session<br>Read user linked accounts<br>Read user role assignments<br>Recover, reset, set, and unlock user password<br>Update user MFA-enabled<br>Update user enabled |
| Monitoring      | Read PingID activity                                                                                                                                                                                                                                                                                       |
| Organization    | Read console access<br>Read deployment<br>Read environment<br>Read license<br>Read organization |
| User Experience | Read image                                                                                                                                                                                                                                                                                                 |

## PingOne Privilege Administrator Role

**Can assign**: None

| Category     | Permission                                                   |
| ------------ | ------------------------------------------------------------ |
| Organization | Read deployment<br>Read environment<br>Read license<br>Read organization |
| Privilege    | Access admin console                                         |
