Best practices for creating a custom role assignment
While custom administrator roles offer you increased flexibility in combining the three components and the ability to grant granular roles to your admins, here are a few things to consider before you create admin assignments:
-
While you can use either Admin, Role, or Resource set to create a role assignment, we recommend that you think about the role assignment from a resource-first perspective. It's helpful to think which resources should be accessible to your admin and which roles should be granted to them.
-
If you want an admin to be able to view all resources but only manage specific resources, create two separate role assignments for the admin.
For example, you have a set of admins who need to view all users, but should only be able to edit users in some groups. In this case, create two roles: a View users role and an Edit users role. When you assign these roles to an admin:-
Constrain the View users role to a resource set that has all users in it.
You must create a resource set that constrains all users.
-
Constrain the Edit users role to a more granular resource set that contains the group of users the admins need access to edit.
-
You may have to assign several roles to an admin to constrain different permissions to different resource sets. See Role permissions.
Consider a scenario where group of admins has permission to manage your org's onboarding applications. However, you only want those admins to run imports for some of the apps in the assignment. In this case, you need:
-
Resource sets:
-
A resource set that contains all of the applications that admins need to manage. In this case, a resource set that contains all of the onboarding apps used by your org. You can name this resource set All Onboarding Apps.
-
A resource set that contains all applications that admins need to run imports for. In this case, a resource set that contains all of the onboarding apps that have a profile source. You can name this resource set Profile Source Apps.
-
-
Roles:
-
A new role with the Manage applications permission. You can name this role Onboarding App Managers.
-
Another role with the Run imports permission. You can name this role Profile Source App Managers.
-
-
To grant the right level of access to your admins:
-
Assign the Onboarding App Managers role to the All Onboarding Apps resource set.
-
Assign the Profile Source App Managers role to the Profile Source Apps resource set.
-
Consider another scenario where the Los Angeles Employees group is a subset of the United States Employees group. You want a group of help desk admins, who are members of the Los Angeles Help Desk group, to view all users in the United States Employees group. However, they should only be able to edit profiles of users who are members of the Los Angeles Employees group. In this case, you need:
-
Resource sets:
-
A resource set that contains all groups of users that the help desk admin needs permissions to view. In this case, a resource set that contains all the individual groups used to manage the United States Employees. You can name this resource set All United States Employees.
-
A resource set that contains groups that the admin should have a specific permission for. In this case, a resource set that only contains the Los Angeles Employee group. You can name this resource set Los Angeles Employees.
-
-
Roles:
-
A new role with the View users permission. You can save this custom role as Help Desk Viewer.
-
Another role with the Manage User profiles permission. You can save this custom role as Help Desk Profile Editor.
-
-
To create the role assignments from the Los Angeles Help Desk group:
-
Assign and constrain the Help Desk Viewer role to the All United States Employees resource set.
-
Assign and constrain the Help Desk Profile Editor role to the Los Angeles Employees resource set.
-
-
To easily understand custom roles at a glance:
-
Name your custom roles and resource sets in a way that the names are self-explanatory about the permissions and resources included.
-
Enter the details about these in the description.
-
For a video tutorial, see Best practices: Custom admin roles.