title: User & Role Management
category: Administration
tags: users, roles, permissions, admin, management
priority: Normal
User & Role Management
This guide covers managing IdentityCenter application users, roles, and permissions. Proper user and role management ensures that administrators have the access they need while following the principle of least privilege.
Overview
IdentityCenter has its own internal user management system, separate from the directory objects it manages. Application users are the people who log in to the IdentityCenter web portal to administer, audit, or operate the system.
The Users Page
Navigate to /admin/users to manage application user accounts.
Viewing Users
The Users page displays all registered application users with the following information:
| Column | Description |
|---|---|
| Username | Login name for the account |
| Display Name | Full name of the user |
| Email | Contact email address |
| Roles | Assigned application roles |
| Status | Enabled or Disabled |
| Last Login | Most recent login timestamp |
| Created | Account creation date |
Creating Admin Accounts
To create a new application user:
- Navigate to /admin/users
- Click Add User
- Fill in the required fields:

| Field | Required | Description |
|---|---|---|
| Username | Yes | Unique login identifier |
| Display Name | Yes | Full name for display |
| Email | Yes | Email address for notifications |
| Password | Yes | Must meet password policy requirements |
| Roles | Yes | One or more application roles |
| Enabled | Yes | Whether the account is active |

- Assign one or more roles (see Application Roles below)
- Click Save
Tip: For the initial setup, the QuickConfig wizard creates the first admin account. Additional accounts should be created through the Users page.
Enabling and Disabling Accounts
To disable a user account without deleting it:
- Navigate to /admin/users
- Click the user's name to open their profile
- Toggle the Enabled switch to off
- Click Save
Disabled accounts:
- Cannot log in to the web portal
- Retain their configuration and role assignments
- Can be re-enabled at any time
- Are preserved for audit trail purposes
Resetting Passwords
To reset a user's password:
- Navigate to /admin/users
- Click the user's name
- Click Reset Password
- Enter and confirm the new password
- Click Save
The user will need to use the new password on their next login. If the reset is in response to suspected compromise, also terminate the user's active sessions (see Forced Logout under Session Management) rather than relying on the password change alone.
Viewing Login History
To review a user's login activity:
- Navigate to /admin/users
- Click the user's name
- Select the Login History tab
Login history includes:
- Timestamp of each login attempt
- Success or failure status
- Source IP address
- Browser/client information
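The login history is most useful when you look for patterns rather than single entries. The following is an added example, not IdentityCenter code: it runs three checks over constructed login-history records with the fields listed above (a password-guessing burst against one username, a spray from one source IP across many usernames, and a success that follows a burst of failures). The CSV layout, the 5-failure threshold and the 10-minute window are assumptions made for the example.

```python
"""Failed-login burst detection over IdentityCenter-style login history.

Added example, not IdentityCenter code. The record fields (timestamp, username,
status, source IP, client) mirror what the Login History tab lists; the sample
records, the CSV layout, the 5-failure threshold and the 10-minute window are
all assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample history: one password-guessing burst against "admin" that
# ends in a success, one ordinary typo by "asmith", and one spray from a single
# IP across five different usernames.
SAMPLE_HISTORY = """\
2024-05-06T08:00:12Z,jdoe,success,10.20.30.40,Firefox/Windows
2024-05-06T08:01:03Z,admin,failure,203.0.113.7,curl
2024-05-06T08:01:05Z,admin,failure,203.0.113.7,curl
2024-05-06T08:01:07Z,admin,failure,203.0.113.7,curl
2024-05-06T08:01:09Z,admin,failure,203.0.113.7,curl
2024-05-06T08:01:11Z,admin,failure,203.0.113.7,curl
2024-05-06T08:01:40Z,admin,success,203.0.113.7,curl
2024-05-06T09:15:00Z,asmith,failure,10.20.30.41,Chrome/macOS
2024-05-06T09:15:20Z,asmith,success,10.20.30.41,Chrome/macOS
2024-05-06T10:00:00Z,bwong,failure,198.51.100.9,Chrome/Linux
2024-05-06T10:00:01Z,cnguyen,failure,198.51.100.9,Chrome/Linux
2024-05-06T10:00:02Z,dlee,failure,198.51.100.9,Chrome/Linux
2024-05-06T10:00:03Z,efarid,failure,198.51.100.9,Chrome/Linux
2024-05-06T10:00:04Z,fgarcia,failure,198.51.100.9,Chrome/Linux
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
FAILURE_THRESHOLD = 5           # assumed: failures in one window that raise a finding
WINDOW = timedelta(minutes=10)  # assumed sliding window


def parse_history(text):
    """Parse the CSV-style lines into dicts, oldest first."""
    records = []
    for line in text.strip().splitlines():
        ts, user, status, ip, client = line.split(",", 4)
        records.append({"ts": datetime.strptime(ts, TS_FORMAT), "user": user,
                        "status": status, "ip": ip, "client": client})
    return sorted(records, key=lambda r: r["ts"])


def _max_in_window(events, distinct):
    """events: (timestamp, value) pairs sorted by time. Largest number of events
    (or of distinct values) that fall inside any WINDOW-long span."""
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > WINDOW:
            start += 1
        span = events[start:end + 1]
        count = len({v for _, v in span}) if distinct else len(span)
        best = max(best, count)
    return best


def _failures_by(records, key, value):
    """Group failure events by one field, keeping (timestamp, other field)."""
    groups = defaultdict(list)
    for r in records:
        if r["status"] == "failure":
            groups[r[key]].append((r["ts"], r[value]))
    return groups


def password_guessing(records):
    """Usernames that received >= FAILURE_THRESHOLD failures within WINDOW."""
    per_user = _failures_by(records, "user", "ip")
    hits = {u: _max_in_window(ev, distinct=False) for u, ev in per_user.items()}
    return {u: n for u, n in hits.items() if n >= FAILURE_THRESHOLD}


def password_spraying(records):
    """Source IPs that failed against >= FAILURE_THRESHOLD distinct usernames within WINDOW."""
    per_ip = _failures_by(records, "ip", "user")
    hits = {ip: _max_in_window(ev, distinct=True) for ip, ev in per_ip.items()}
    return {ip: n for ip, n in hits.items() if n >= FAILURE_THRESHOLD}


def success_after_burst(records):
    """Successful logins preceded, within WINDOW, by a threshold-size failure burst
    for the same username: the case that most warrants a forced logout and reset."""
    per_user = _failures_by(records, "user", "ip")
    findings = []
    for r in records:
        if r["status"] != "success":
            continue
        recent = [t for t, _ in per_user.get(r["user"], [])
                  if r["ts"] - WINDOW <= t < r["ts"]]
        if len(recent) >= FAILURE_THRESHOLD:
            findings.append((r["user"], r["ts"].strftime(TS_FORMAT), r["ip"]))
    return findings


if __name__ == "__main__":
    history = parse_history(SAMPLE_HISTORY)
    print("guessing:", password_guessing(history))
    print("spraying:", password_spraying(history))
    print("success after burst:", success_after_burst(history))
```

The spray check counts distinct usernames per source IP rather than raw failures, because a spray produces only one or two failures per account and is invisible to a per-user threshold; the per-user check catches the opposite pattern. A success that follows a burst is the finding to act on first (forced logout, then password reset), since by then the credential may already be known to the attacker.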
Application Roles
Built-in Roles
IdentityCenter includes three built-in roles:
| Role | Access Level | Description |
|---|---|---|
| Admin | Full access | Complete control over all features, settings, and configurations |
| User | Limited access | Can view dashboards, run reports, and perform day-to-day operations |
| Auditor | Read-only compliance | Can view all data, logs, and reports but cannot modify settings |
Role Permissions Detail
Admin Role
Administrators have unrestricted access to all features:
| Area | Permissions |
|---|---|
| Dashboard | View all metrics and widgets |
| Connections | Create, edit, delete, test |
| Sync Projects | Create, edit, delete, run |
| Policies | Create, edit, delete, evaluate |
| Access Reviews | Create, manage campaigns, make decisions |
| Workflows | Create, edit, delete, approve |
| Users & Roles | Create, edit, delete users and roles |
| Configuration | Modify all system settings |
| Logs & Audit | View and export all logs |
| Email Templates | Create, edit, delete templates |
| Reports | Create, run, export all reports |
User Role
Standard users have operational access without administrative control:
| Area | Permissions |
|---|---|
| Dashboard | View assigned metrics |
| Connections | View only |
| Sync Projects | View and run (cannot create or edit) |
| Policies | View violations (cannot create or edit policies) |
| Access Reviews | Complete assigned reviews |
| Workflows | Submit requests, view own requests |
| Users & Roles | View own profile only |
| Configuration | No access |
| Logs & Audit | View operational logs |
| Email Templates | No access |
| Reports | Run pre-defined reports |
Auditor Role
Auditors have comprehensive read-only access for compliance purposes:
| Area | Permissions |
|---|---|
| Dashboard | View all metrics (read-only) |
| Connections | View configurations (read-only) |
| Sync Projects | View all runs and history (read-only) |
| Policies | View all policies, violations, and exceptions (read-only) |
| Access Reviews | View all campaigns and decisions (read-only) |
| Workflows | View all workflows and history (read-only) |
| Users & Roles | View user list (read-only) |
| Configuration | View settings (read-only) |
| Logs & Audit | View and export all logs |
| Email Templates | View templates (read-only) |
| Reports | Run and export all reports |
The Roles Page
Navigate to /admin/roles to manage application roles.
Viewing Roles
The Roles page displays all roles with their assigned permissions and member count.
Creating Custom Roles
To create a role with specific permissions:
- Navigate to /admin/roles
- Click Add Role
- Enter the role name and description
- Select permissions for each application area:

| Permission Type | Description |
|---|---|
| View | Can see the feature and its data |
| Create | Can create new items |
| Edit | Can modify existing items |
| Delete | Can remove items |
| Execute | Can run operations (sync, evaluate, export) |

- Click Save
Example custom roles:
| Role Name | Purpose | Key Permissions |
|---|---|---|
| Sync Operator | Manages sync projects | View + Execute on Sync Projects, View on Connections |
| Policy Manager | Manages compliance policies | Full access to Policies, View on Sync and Objects |
| Help Desk | Handles user requests | View on Objects, Execute on Workflows, View on Audit Logs |
| Report Analyst | Runs reports and exports data | View + Execute on Reports, View on Dashboard |
Editing Roles
- Navigate to /admin/roles
- Click the role name
- Modify the permissions as needed
- Click Save
Important: Changes to role permissions take effect immediately for all users assigned that role. Active sessions will reflect the new permissions on the next page navigation.
Assigning Roles to Users
Roles can be assigned in two places:
- From the Users page: Edit a user and select roles in the Roles dropdown
- From the Roles page: Open a role and add users to the Members list
A user can have multiple roles. Permissions are additive: if any assigned role grants a permission, the user has that permission. Review role combinations, not just individual roles, and treat any role that grants Create or Edit on Users & Roles as equivalent to Admin, since its holder can assign the Admin role to an account they control.
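Because grants are unioned across roles, the question to ask of a role set is what the combination can do, not what each role is named for. The following is an added example, not IdentityCenter code: it models roles as a map from application area to the View/Create/Edit/Delete/Execute permission types from the Roles page, resolves a user's effective permissions, and flags any non-Admin role that is Admin in effect because it can edit users and roles. "Sync Operator" and "Report Analyst" follow the custom-role examples above; "Account Helper" is an assumed role added to show the escalation check, and the built-in roles are reduced to the areas the example needs.

```python
"""Effective permissions for a user holding several IdentityCenter-style roles.

Added example, not IdentityCenter code. Roles are modelled as {area: set of
permission types} using the View/Create/Edit/Delete/Execute types from the Roles
page. "Sync Operator" and "Report Analyst" follow the custom-role examples on
this page; "Account Helper" is an assumed custom role included to show the
escalation check; the built-in roles are reduced to the areas used here.
"""
PERMISSION_TYPES = frozenset({"View", "Create", "Edit", "Delete", "Execute"})
AREAS = ("Dashboard", "Connections", "Sync Projects", "Policies",
         "Users & Roles", "Configuration", "Logs & Audit", "Reports")

ROLES = {
    "Admin": {area: set(PERMISSION_TYPES) for area in AREAS},
    "Auditor": {area: {"View"} for area in AREAS},
    "Sync Operator": {"Sync Projects": {"View", "Execute"}, "Connections": {"View"}},
    "Report Analyst": {"Reports": {"View", "Execute"}, "Dashboard": {"View"}},
    # Assumed: a help-desk style role that can edit user records and role assignments.
    "Account Helper": {"Users & Roles": {"View", "Edit"}},
}

# Grants that let the holder change who is Admin, and so are equivalent to
# Admin regardless of what else the role contains.
ADMIN_EQUIVALENT = {("Users & Roles", "Create"), ("Users & Roles", "Edit")}


def effective_permissions(role_names, roles=ROLES):
    """Union of all grants: if any assigned role grants it, the user has it."""
    effective = {}
    for name in role_names:
        if name not in roles:
            raise KeyError(f"unknown role: {name}")
        for area, perms in roles[name].items():
            unknown = perms - PERMISSION_TYPES
            if unknown:
                raise ValueError(f"{name}/{area}: unknown permission types {sorted(unknown)}")
            # New set per area so ROLES itself is never mutated.
            effective.setdefault(area, set()).update(perms)
    return effective


def has_permission(role_names, area, perm, roles=ROLES):
    """Authorization check a portal page would make before showing a control."""
    return perm in effective_permissions(role_names, roles).get(area, set())


def is_effectively_admin(role_names, roles=ROLES):
    """True if the combined roles include any grant in ADMIN_EQUIVALENT."""
    effective = effective_permissions(role_names, roles)
    return any(perm in effective.get(area, set()) for area, perm in ADMIN_EQUIVALENT)


def admin_equivalent_roles(roles=ROLES):
    """Non-Admin roles that should be reviewed and assigned as if they were Admin."""
    return sorted(n for n in roles if n != "Admin" and is_effectively_admin([n], roles))


if __name__ == "__main__":
    ops = ["Sync Operator", "Report Analyst"]
    for area, perms in sorted(effective_permissions(ops).items()):
        print(f"{area:14} {sorted(perms)}")
    print("admin-equivalent custom roles:", admin_equivalent_roles())
```

Run stand-alone it prints the merged grants for a user holding both operational roles and lists "Account Helper" as admin-equivalent even though it touches a single area. The same check is worth running whenever a custom role is created or edited, since a permission added to a role takes effect immediately for every member.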
Session Management
Active Sessions
Navigate to /admin/users and select a user to view their active sessions. Each session shows:
| Field | Description |
|---|---|
| Session Start | When the user logged in |
| Last Activity | Most recent page interaction |
| IP Address | Client IP address |
| Browser | Browser and OS information |
Forced Logout
To forcibly end a user's session:
- Navigate to the user's profile
- Select the Sessions tab
- Click Terminate next to the session you want to end
The user will be redirected to the login page on their next interaction.
When to force logout:
- Suspected unauthorized access
- After disabling an account
- After a security incident
- When a user reports a lost or stolen device
Admin Notifications
Configure notification preferences for administrators at Administration > Notifications:
| Notification Type | Description | Default |
|---|---|---|
| Sync Failures | Alert when a sync project fails | Enabled |
| Policy Violations | Alert for new Critical/High violations | Enabled |
| System Health | Alert for performance or availability issues | Enabled |
| Login Failures | Alert after multiple failed login attempts | Enabled |
| Configuration Changes | Alert when system settings are modified | Disabled |
Each administrator can customize which notifications they receive and their preferred delivery method (email or in-app). Configuration Changes is the only type disabled by default; enable it for at least one administrator so that unexpected changes to system settings are noticed rather than discovered later in the audit log.
Best Practices
Principle of Least Privilege
- Start with minimal access -- Assign the least permissive role that allows the user to do their job
- Use custom roles -- Create targeted roles instead of giving everyone the Admin role
- Avoid shared accounts -- Each person should have their own account for audit trail purposes
- Review access regularly -- Audit user accounts and role assignments quarterly
Account Management
- Separate admin and daily-use accounts -- Administrators should have a standard User account for daily work and a separate Admin account for administrative tasks
- Disable rather than delete -- When a user leaves, disable their account rather than deleting it to preserve audit history
- Use strong passwords -- Enforce password complexity through SecuritySettings
- Monitor login failures -- Review login history for signs of unauthorized access attempts
Quarterly Access Review
Conduct a quarterly review of application user access:
- Export the current user list with roles from /admin/users
- Verify each user still needs their assigned roles
- Remove roles that are no longer needed
- Disable accounts for users who have left the organization
- Document the review for compliance records
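The review above is easier to repeat consistently when the exported user list is checked by a script and the output is filed as the record. The following is an added example, not IdentityCenter code: it assumes the export from /admin/users is CSV with the columns shown on the Users page (Username, Display Name, Email, Roles, Status, Last Login, Created), roles separated by ";", ISO timestamps, and an empty Last Login for accounts that have never logged in. The sample rows, the 90-day staleness threshold and the review date are constructed for the example.

```python
"""Quarterly access review over an exported IdentityCenter-style user list.

Added example, not IdentityCenter code. It assumes the export is CSV with the
columns shown on the Users page (Username, Display Name, Email, Roles, Status,
Last Login, Created), roles separated by ';', ISO timestamps, and an empty Last
Login for accounts that never logged in. The sample rows, the 90-day staleness
threshold and the review date are constructed for this example.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed export: two Admin holders (one with a redundant extra role), one
# stale auditor, one account that never logged in, one disabled account, and
# one recently created account that is in normal use.
SAMPLE_EXPORT = """\
Username,Display Name,Email,Roles,Status,Last Login,Created
jdoe,Jane Doe,jdoe@example.com,Admin,Enabled,2024-06-28T14:02:00Z,2022-01-10T09:00:00Z
bwong,Bo Wong,bwong@example.com,Sync Operator;Admin,Enabled,2024-06-20T08:30:00Z,2023-03-02T10:00:00Z
asmith,Ann Smith,asmith@example.com,Auditor,Enabled,2024-02-01T11:45:00Z,2022-09-14T09:00:00Z
cnguyen,Chi Nguyen,cnguyen@example.com,User,Enabled,,2024-01-15T09:00:00Z
dlee,Dan Lee,dlee@example.com,User,Disabled,2023-11-01T16:20:00Z,2021-05-20T09:00:00Z
efarid,Eli Farid,efarid@example.com,Report Analyst,Enabled,2024-06-29T09:10:00Z,2024-06-01T09:00:00Z
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
REVIEW_DATE = datetime(2024, 7, 1)   # assumed date of this review


def _parse_ts(value):
    return datetime.strptime(value, TS_FORMAT) if value else None


def parse_export(text):
    """Rows of the export as dicts with parsed timestamps and a list of roles."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "username": row["Username"],
            "roles": [r for r in row["Roles"].split(";") if r],
            "enabled": row["Status"] == "Enabled",
            "last_login": _parse_ts(row["Last Login"]),
            "created": _parse_ts(row["Created"]),
        })
    return users


def review(users, as_of, stale_days=90):
    """Findings for the review steps: stale enabled accounts to disable, Admin
    holders to re-verify, roles made redundant by Admin (permissions are
    additive, so Admin already covers them), and disabled accounts kept for audit."""
    cutoff = as_of - timedelta(days=stale_days)
    findings = {"stale": [], "admins": [], "redundant_roles": {}, "disabled": []}
    for u in users:
        if not u["enabled"]:
            findings["disabled"].append(u["username"])
            continue
        # An account that never logged in is judged by its creation date, so a
        # brand-new account is not flagged while an old unused one is.
        last_seen = u["last_login"] or u["created"]
        if last_seen is None or last_seen < cutoff:
            findings["stale"].append(u["username"])
        if "Admin" in u["roles"]:
            findings["admins"].append(u["username"])
            extra = [r for r in u["roles"] if r != "Admin"]
            if extra:
                findings["redundant_roles"][u["username"]] = extra
    return findings


def format_report(findings, as_of):
    """Plain-text record suitable for the compliance file."""
    lines = [f"Application user access review as of {as_of:%Y-%m-%d}"]
    lines.append("Stale enabled accounts (disable): " + (", ".join(findings["stale"]) or "none"))
    lines.append("Admin role holders (re-verify need): " + (", ".join(findings["admins"]) or "none"))
    for user, roles in findings["redundant_roles"].items():
        lines.append(f"{user}: roles {', '.join(roles)} are redundant alongside Admin")
    lines.append("Disabled accounts retained for audit: " + (", ".join(findings["disabled"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review(parse_export(SAMPLE_EXPORT), REVIEW_DATE), REVIEW_DATE))
```

The script only produces the worklist; disabling the stale accounts and confirming that each Admin holder still needs the role are done on the Users page, and the printed report plus the reviewer's decisions are what go into the compliance record.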