---
title: Role assignment with Terraform
description: The following shows an example of environment creation using the PingOne Terraform provider, followed by role permission assignment to administration users that are members of a group we will create.
component: terraform
page_id: terraform::products/pingone/tutorials/role_assignment
canonical_url: https://developer.pingidentity.com/terraform/products/pingone/tutorials/role_assignment.html
revdate: March 19, 2025
---

# Role assignment with Terraform

The following shows an example of environment creation using the PingOne Terraform provider, followed by role permission assignment to administration users that are members of a group we will create.

> PingOne supports assigning administrator roles to groups, and members of those groups inherit the assigned administrator roles. Although you can use Terraform to assign administrator roles to individuals directly, Ping Identity recommends that role assignments provisioned by Terraform are assigned to groups instead, and that you manage group membership through Joiner/Mover/Leaver Identity Governance processes.

The example assumes that all relevant admin users will follow this role strategy:

* **Environment Admin**, scoped to individual environments (not scoped to the organization)

* **Identity Data Admin**, scoped to individual environments

> The example uses:
>
> * The `pingone_admin_environment_id` variable, which can be set directly or looked up by environment name with the [`pingone_environment` data source](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/data-sources/environment)
>
> * The `license_id` variable, which can be set directly or looked up by license name with the [`pingone_licenses` data source](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/data-sources/licenses).
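The following is an added example (not part of the original tutorial) of the lookup-by-name alternative described in the note above. It resolves the two IDs from names, validates the organization ID format so a mistyped value fails at plan time, and refuses to continue if the license name is ambiguous. The environment and license names, and the `pingone_organization_id` variable, are placeholders; the `data_filters` and `ids` attribute names of the `pingone_licenses` data source are assumed from the provider documentation and should be confirmed against the linked reference for your provider version.

```terraform
# Added example, not part of the original tutorial: resolve the IDs the tutorial
# takes as variables from human-readable names, failing early on bad input.
variable "pingone_organization_id" {
  description = "ID of the PingOne organization (a UUID); placeholder variable"
  type        = string

  validation {
    # PingOne IDs are UUIDs; reject anything else before any API call is made.
    condition     = can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.pingone_organization_id))
    error_message = "pingone_organization_id must be a UUID."
  }
}

variable "pingone_admin_environment_name" {
  description = "Name of the environment that holds the admin group"
  type        = string
  default     = "Administrators" # placeholder name
}

variable "license_name" {
  description = "Name of the license to attach to the new sandbox environment"
  type        = string
  default     = "My sandbox license" # placeholder name
}

# Environment lookup by name, using the `name` argument of the data source
# linked in the note above.
data "pingone_environment" "admin" {
  name = var.pingone_admin_environment_name
}

# License lookup by name. Assumption: the data source takes `organization_id`
# and a `data_filters` list and returns the matching IDs in `ids`.
data "pingone_licenses" "sandbox" {
  organization_id = var.pingone_organization_id

  data_filters = [
    {
      name   = "name"
      values = [var.license_name]
    }
  ]

  lifecycle {
    # Stop if the name matches zero or several licenses, so the environment is
    # never silently created under the wrong license.
    postcondition {
      condition     = length(self.ids) == 1
      error_message = "The license name did not match exactly one license."
    }
  }
}

locals {
  # Use these in place of var.pingone_admin_environment_id and var.license_id
  # in the resources that follow, or feed them into those variables.
  pingone_admin_environment_id = data.pingone_environment.admin.id
  license_id                   = one(data.pingone_licenses.sandbox.ids)
}
```

The `postcondition` on the data source is the check worth keeping even if you hard-code the IDs elsewhere: a name filter that quietly matches two licenses would otherwise let `ids[0]` pick whichever came first.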

First, you'll create the group in PingOne to which you'll assign your administrator users. This example uses the [`pingone_group` resource](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/group).

```terraform
resource "pingone_group" "my_awesome_admins_group" {
  environment_id = var.pingone_admin_environment_id

  name        = "My awesome admins group"
  description = "My new awesome group for admins who are awesome"

  lifecycle {
    # change the `prevent_destroy` parameter value to `true` to prevent this data carrying resource from being destroyed
    prevent_destroy = false
  }
}
```

Next, you'll fetch the required roles. You'll need to find the IDs of the **Identity Data Admin** and **Environment Admin** predefined admin roles, which differ between tenant organizations. You can use the [`pingidentity/utils/pingone` helper module](https://registry.terraform.io/modules/pingidentity/utils/pingone/latest) to retrieve the role IDs, which you then use when assigning the roles to the group:

```terraform
module "admin_utils" {
  source  = "pingidentity/utils/pingone"
  version = "0.1.0"

  region_code    = "EU" // Will be either NA, EU, CA, AU or AP depending on your tenant region.
  environment_id = var.pingone_admin_environment_id
}
```

> When including a new module in Terraform HCL, remember to re-run `terraform init` to initialize the module in the Terraform project.

You can then define the new sandbox environment using the [PingOne Terraform provider](https://registry.terraform.io/providers/pingidentity/pingone/latest) with the [`pingone_environment` resource](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/environment), with the SSO service enabled. This is the environment to which you want to scope the administrator roles so that your users can manage configuration and data within this environment:

```terraform
resource "pingone_environment" "my_environment" {
  name        = "Example PingOne Role Permission Assignment Environment"
  type        = "SANDBOX"
  license_id  = var.license_id

  services = [
    {
      type = "SSO"
    }
  ]
}
```

After you've created the new environment, you can assign the roles to the admins group (and so to its members) with the [`pingone_group_role_assignment` resource](https://registry.terraform.io/providers/pingidentity/pingone/latest/docs/resources/group_role_assignment).

```terraform
resource "pingone_group_role_assignment" "admin_sso_identity_admin" {
  environment_id = var.pingone_admin_environment_id
  group_id       = pingone_group.my_awesome_admins_group.id
  role_id        = module.admin_utils.pingone_role_id_identity_data_admin

  scope_environment_id = pingone_environment.my_environment.id
}

resource "pingone_group_role_assignment" "admin_sso_environment_admin" {
  environment_id = var.pingone_admin_environment_id
  group_id       = pingone_group.my_awesome_admins_group.id
  role_id        = module.admin_utils.pingone_role_id_environment_admin

  scope_environment_id = pingone_environment.my_environment.id
}
```

The group "My awesome admins group" has now been assigned the **Identity Data Admin** and **Environment Admin** roles. Any user who is made a member of the group will inherit these administrative roles and their associated permissions.
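As an added example (not part of the original tutorial), the two assignments above can be expressed as a single `for_each` resource, with preconditions that enforce the role strategy stated at the top of the page: roles are scoped to the new sandbox environment, never to the environment that holds the admin group itself. The resource name `admin_sso`, the local `admin_roles` map and the output are this example's own; use it instead of, not alongside, the two resources above, otherwise the same role is assigned twice.

```terraform
# Added example, not part of the original tutorial: one resource for all
# environment-scoped admin roles, guarded so the scope cannot drift.
locals {
  admin_roles = {
    identity_data_admin = module.admin_utils.pingone_role_id_identity_data_admin
    environment_admin   = module.admin_utils.pingone_role_id_environment_admin
  }
}

resource "pingone_group_role_assignment" "admin_sso" {
  for_each = local.admin_roles

  environment_id = var.pingone_admin_environment_id
  group_id       = pingone_group.my_awesome_admins_group.id
  role_id        = each.value

  scope_environment_id = pingone_environment.my_environment.id

  lifecycle {
    precondition {
      # Scoping these roles to the admin environment would let group members
      # manage the environment that contains their own group.
      condition     = pingone_environment.my_environment.id != var.pingone_admin_environment_id
      error_message = "Admin roles must be scoped to the new sandbox environment, not to the admin environment."
    }
    precondition {
      # The tutorial's target is a sandbox; block reuse of this block for a
      # production environment without a deliberate change here.
      condition     = pingone_environment.my_environment.type == "SANDBOX"
      error_message = "This group is only intended to administer SANDBOX environments."
    }
  }
}

output "admin_group_role_assignments" {
  description = "Role assignment IDs keyed by role, for auditing what the group can do"
  value       = { for role, assignment in pingone_group_role_assignment.admin_sso : role => assignment.id }
}
```

Adding a third environment-scoped role is then a one-line change to `local.admin_roles`, and every entry picks up the same scope guards.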
