Custom administrator roles

The custom administrator roles feature lets you configure granular permissions within a role. This feature offers:

  • More control over creation of roles in a self-service way. You can create custom role assignments based on your specific use case.

  • Increased org security. You can assign granular permissions to your admins so that they have only the permissions they need to perform a task. This reduces the need to assign the Super admin and Org admin roles to your users.

  • Simplified admin audits and compliance review with more visibility over granular admin permissions.

An admin role assignment consists of these three components:

  • Admin - The user or the user group that you need to grant admin permissions to.

  • Role - A set of permissions that you constrain an admin to. There are two types of roles, standard and custom. You can create a maximum of 100 roles for an org. Currently, permissions are limited to managing user, group, and app activity, as well as running profile source imports.

  • Resource set - A collection of resources. You can create a maximum of 10,000 resource sets and assign a maximum of 1,000 resources for each resource set. Currently, only user groups and apps in your org are considered as resources.

Note
  • Resource sets are only available for custom admin roles.
  • You can only have 1,000 admins who have the same role and resource set combination constrained to them.
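
The following sketch checks a planned set of role assignments against the limits listed above before you create them. It is an added example, not Okta code and not an Okta API: the function name, the input structures, and the sample data are all hypothetical, and the 100-role limit is read here as applying to roles you create (custom roles).

```python
from collections import Counter

# Limits as stated on this page.
MAX_ROLES = 100               # assumption: counts custom (created) roles only
MAX_RESOURCE_SETS = 10_000
MAX_RESOURCES_PER_SET = 1_000
MAX_ADMINS_PER_COMBO = 1_000  # admins sharing one role + resource set pair
RESOURCE_TYPES = {"group", "app"}  # only user groups and apps are resources


def check_plan(roles, resource_sets, assignments):
    """Return a list of violations. All inputs are hypothetical structures:
    roles:         {role_name: "standard" | "custom"}
    resource_sets: {set_name: [(resource_type, resource_name), ...]}
    assignments:   [(admin, role_name, set_name or None), ...]
    """
    problems = []
    custom = sum(kind == "custom" for kind in roles.values())
    if custom > MAX_ROLES:
        problems.append(f"{custom} custom roles exceeds {MAX_ROLES}")
    if len(resource_sets) > MAX_RESOURCE_SETS:
        problems.append(f"{len(resource_sets)} resource sets exceeds {MAX_RESOURCE_SETS}")
    for name, resources in resource_sets.items():
        if len(resources) > MAX_RESOURCES_PER_SET:
            problems.append(f"set {name}: {len(resources)} resources exceeds {MAX_RESOURCES_PER_SET}")
        bad = sorted({rtype for rtype, _ in resources} - RESOURCE_TYPES)
        if bad:
            problems.append(f"set {name}: unsupported resource types {bad}")
    combos = Counter()
    for admin, role, rset in assignments:
        if role not in roles:
            problems.append(f"{admin}: unknown role {role}")
        elif rset is not None and roles[role] == "standard":
            problems.append(f"{admin}: resource set {rset} on standard role {role}")
        elif rset is not None and rset not in resource_sets:
            problems.append(f"{admin}: unknown resource set {rset}")
        combos[(role, rset)] += 1
    for (role, rset), count in combos.items():
        if rset is not None and count > MAX_ADMINS_PER_COMBO:
            problems.append(f"{role}/{rset}: {count} admins exceeds {MAX_ADMINS_PER_COMBO}")
    return problems


# Constructed sample plan (not real org data).
ROLES = {"Super admin": "standard", "helpdesk-emea": "custom"}
SETS = {"emea-groups": [("group", "EMEA Staff"), ("app", "Payroll")],
        "bad-set": [("user", "alice")]}
PLAN = [("alice", "helpdesk-emea", "emea-groups"),
        ("bob", "Super admin", "emea-groups")]
```

Calling `check_plan(ROLES, SETS, PLAN)` reports the resource set that contains a user resource and the standard role that was paired with a resource set.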

You have the flexibility to create or select any one of these components as a starting point for creating a custom admin role assignment. Before creating an admin role assignment, we recommend that you see Best practices for creating a custom role assignment.

Impact on Standard roles

  • Your pre-existing roles (super admin, org admin, group admin, app admin, read-only admin, mobile admin, help desk admin, report admin, API access management admin, and group membership admin) are referred to as Standard roles.

  • The standard role functionality is the same as earlier, but the UI is different. See Use standard roles.

  • You can continue using the pre-existing roles and your existing assignments remain the same.

  • You can also assign custom roles to users who have standard roles assigned.

Limitations

  • Group and user resources for AD/LDAP groups don't include the group origin. If multiple groups have the same name, there is no way to distinguish them from one another in the UI.

  • Admins who are only assigned custom admin roles can’t manage a user with a super admin assignment.

  • You can only get the admin reports from the Admin role assignment reports page in the Admin Console. Currently, getting reports using APIs is not supported.

Related topics

Use custom admin roles

Best practices for creating a custom role assignment

About the Administrators page