Organization roles
Organization roles allow you to give accounts organization administrator (org admins in short) roles. Org admins can access specific customer segments and perform certain account management tasks, depending on the role they've been assigned.
Organization management is similar to what brand admins do in the Admin Console, but on a smaller scale, for organizations.
Creating roles
Prerequisites
- Org admin accounts have to live in the same identity store as the organizations and customer accounts they need access to.
- Roles are available on an identity store basis. Any role can be used to allow permission to any of the organizations in the identity store.
- Cross-organization grants Also, accounts in the identity store don't have to be affiliated with an organization to have access rights to it.
Configuration
- Navigate to Organizations > Roles.
- Click '+Create role'
You don't need to have an organiziaton to create roles. Organizations are only required at role assignment.
- Mandatory Add the name of the role.
- You can add a description that will appear under the role in listings.
- You can choose to assign this role automatically to users who register to an existing organization via self-service.
- You can choose to assign this role automatically to only the first person who registers to an existing organization.
- Choose the access rights from the list. You can find the detailed description of access rights below.
- Once you've finished, click Save.
Role access rights
Minimal requirement
Account management read-only right is needed as a minimal requirement to access account management capabilities in the org admin portal. Without this access right, account management is not available.
You can include the following access rights in org admin roles:
| Access right | Description |
|---|---|
| Account authenticators | If this access right is included in the role, org administrators can READ See the enabled MFA authenticators WRITE Send password reset emails to the account WRITE Change the password manually WRITE Add new email or phone multi-factor authenticators DELETE or delete those MFA authenticators |
| Account identities | Org admins can change the available account identifiers (username and/or email identifier) with WRITE access. |
| Account management | Org admins can access and perform various account management tasks holding this right, such as inviting new users to the organization and its children, modifying personal identifying information, or disabling accounts. READ Check the account’s profile information WRITE Invite users to the organization WRITE Manage group assignments WRITE Update profile information for the available account attributes* WRITE Disable/enable account WRITE Delete session DELETE Delete account |
| Account verification | Org admins can manually verify a customer identity or revoke verification. This is useful when customer support has trust in the identity, but the verification flow somehow fails. False positive identity verification can also be removed if the identity poses a risk. |
| Organization management | Org admins can create new child organizations via the organization management portal if self-service organization registration is enabled in the identity store. |
| Personal data download | Org admins are allowed to download customer account information in HTML or JSON formats. |
Only those account attributes are available in the organization management portal and can be edited that are made visible and enabled for editing in the Admin Console. You can find out more about attribute availability settings here.
Recommended org admin roles
| Role name | Description | Access rights |
|---|---|---|
| Admin | This role provides full administrative access for org admins to customer accounts and organization management. | Every right is granted. |
| Customer support | This role empowers the org admin to provide help in every aspect of the customer account. Org admins can resolve issues such as outdated profile information, a forgotten password, or failed identity verification. | Account Authenticators: READ, WRITE, DELETE Account Identities: READ, WRITE Account Management: READ, WRITE, DELETE Account Verification: WRITE |
| Org auditor | This role provides read-only access to customer accounts. | Every READ right is granted. |
Role assignment
- Navigate to Organizations > Role assignments.
- You can change the identity store.
- Pair an Organization and Role. This will be the permission assigned to the selected account(s).
Org admins are granted the same permissions to the childen of the organization they're assigned to.
- Click '+ Assign accounts'.
You will be redirected to the 'Unassigned roles' tab. - Select one or more accounts from the list.
- Click "+ Assign"
- Confirm the dialog.
You will be informed about the successfulness of the role assignment. You can return to the Role assigments tab with the back button at the bottom of the page.
Updated 3 months ago