Configure custom admin roles for ITP
Early Access release. See Enable self-service features.
This configuration creates a custom admin with all permissions required to manage ITP policies, user risk, and the Shared Signals Framework, and to browse and view ITP reports. You can adjust your selections if you want to limit a role to view-only permissions or specific resource sets. Refer to Use custom admin roles.
Permissions
You must be a super admin to configure custom admin roles for ITP.
Create the role
- In the Admin Console, go to .
-
Go to the Roles tab.
-
Click Create new role.
-
In the Role name field, enter ITP admin.
-
In the Role description field, enter Manage permissions for ITP.
-
Select the following permissions:
-
Clear users' sessions: Gives admins the ability to clear user sessions.
-
Manage users' risk: Grants access to user risk details and lets admins elevate user risk.
-
Clear API tokens: Gives admins the ability to configure Universal Logout for a specific user.
-
View groups and their details: Required for admins to see group assignments in the entity risk policy and the session protection policy.
-
Manage applications: Gives admins the ability to configure Universal Logout for an app.
-
Run delegated flow: Gives admins the ability to run a delegated flow for use in the entity risk policy or the session protection policy.
-
View delegated flow: Gives admins the ability to view and select a delegated flow for use in the entity risk policy or the session protection policy.
-
Manage Shared Signals Framework Receiver: Gives admins the ability to configure SSF receiver streams.
-
Manage policies: Gives admins the ability to configure the entity risk policy and the session protection policy.
-
-
Click Save role.
Create the resource sets
You can only select one policy per resource set. If you want to include both the entity risk and session protection policies, you must create two resource sets.
- In the Admin Console, go to .
- Go to the Resources tab.
- Click Create new resource set.
- In the Name field, enter ITP resources.
- In the Description field, enter Resources for ITP admins.
- Click Add Resources, and then configure the following
sets:
- Users: Select the users that you want the ITP admin to manage.
- Groups: Select the groups that you want the ITP admin to manage.
- Applications: Select the apps that you want the ITP admin to manage.
- Shared Signals Framework receiver: Select All Shared Signals Framework receivers.
- Policies: Select Entity risk policy.
- Workflows: Select the flows that you want the ITP admin to manage.
- Click Save selection, and then click Create.
- On the Resources tab, click Create new resource set.
- In the Name field, enter Session protection.
- In the Description field, enter Session protection policy for ITP admins.
- Click Add Resources.
- For the Policies resource set, select Session protection policy.
- Click Save selection, and then click Create.
All of these resources are required for the roles you set. ITP tasks may fail without an error message if a resource is missing.
Assign the custom role and resource sets to a user
- In the Admin Console, go to .
- Go to the Admins tab.
- Click Add administrator.
- Search for the user or group that you want to assign.
- In the Role dropdown menu, select ITP Admin.
- In the Resource set dropdown menu, select ITP resources.
- In the Role dropdown menu, select ITP Admin.
- In the Resource set dropdown menu, select Session protection.
- On the Administrator assignment by admin page, click Add assignment.
- In the Role dropdown menu, select Report Administrator. This role lets the admin view ITP reports and dashboard widgets.
- Optional. Click Preview next to the Role or Resource set menu to verify the permissions you're assigning.
- Click Save Changes.
Admins with custom roles lose their access if the EA feature is disabled. Their permissions are restored when the feature is turned on again. Review your role assignments before disabling or enabling the feature.