Organization roles

Organization roles allow you to give accounts organization administrator (org admins in short) roles. Org admins can access specific customer segments and perform certain account management tasks, depending on the role they've been assigned.

Organization management is similar to what brand admins do in the Admin Console, but on a smaller scale, for organizations.

Creating roles


  • Org admin accounts have to live in the same identity store as the organizations and customer accounts they need access to.
  • Roles are available on an identity store basis. Any role can be used to allow permission to any of the organizations in the identity store.
  • Cross-organization grants Also, accounts in the identity store don't have to be affiliated with an organization to have access rights to it.


  1. Navigate to Organizations > Roles.
  2. Click '+Create role'


You don't need to have an organiziaton to create roles. Organizations are only required at role assignment.

  1. Mandatory Add the name of the role.
  2. You can add a description that will appear under the role in listings.
  3. You can choose to assign this role automatically to users who register to an existing organization via self-service.
  4. You can choose to assign this role automatically to only the first person who registers to an existing organization.
  5. Choose the access rights from the list. You can find the detailed description of access rights below.
  6. Once you've finished, click Save.

Role access rights


Minimal requirement

Account management read-only right is needed as a minimal requirement to access account management capabilities in the org admin portal. Without this access right, account management is not available.

You can include the following access rights in org admin roles:

Access rightDescription
Account authenticatorsIf this access right is included in the role, org administrators can

READ See the enabled MFA authenticators

WRITE Send password reset emails to the account

WRITE Change the password manually

WRITE Add new email or phone multi-factor authenticators

DELETE or delete those MFA authenticators
Account identitiesOrg admins can change the available account identifiers (username and/or email identifier) with WRITE access.
Account managementOrg admins can access and perform various account management tasks holding this right, such as inviting new users to the organization and its children, modifying personal identifying information, or disabling accounts.

READ Check the accountโ€™s profile information

WRITE Invite users to the organization

WRITE Manage group assignments

WRITE Update profile information for the available account attributes*

WRITE Disable/enable account

WRITE Delete session

DELETE Delete account
Account verificationOrg admins can manually verify a customer identity or revoke verification. This is useful when customer support has trust in the identity, but the verification flow somehow fails. False positive identity verification can also be removed if the identity poses a risk.
Organization managementOrg admins can create new child organizations via the organization management portal if self-service organization registration is enabled in the identity store.
Personal data downloadOrg admins are allowed to download customer account information in HTML or JSON formats.


Only those account attributes are available in the organization management portal and can be edited that are made visible and enabled for editing in the Admin Console. You can find out more about attribute availability settings here.

Recommended org admin roles

Role nameDescriptionAccess rights
AdminThis role provides full administrative access for org admins to customer accounts and organization management.Every right is granted.
Customer supportThis role empowers the org admin to provide help in every aspect of the customer account. Org admins can resolve issues such as outdated profile information, a forgotten password, or failed identity verification. Account Authenticators: READ, WRITE, DELETE
Account Identities: READ, WRITE
Account Management: READ, WRITE, DELETE
Account Verification: WRITE
Org auditorThis role provides read-only access to customer accounts.Every READ right is granted.

Role assignment

  1. Navigate to Organizations > Role assignments.
  2. You can change the identity store.
  3. Pair an Organization and Role. This will be the permission assigned to the selected account(s).


Org admins are granted the same permissions to the childen of the organization they're assigned to.

  1. Click '+ Assign accounts'.
    You will be redirected to the 'Unassigned roles' tab.
  2. Select one or more accounts from the list.
  3. Click "+ Assign"
  4. Confirm the dialog.


You will be informed about the successfulness of the role assignment. You can return to the Role assigments tab with the back button at the bottom of the page.