Add an Administrative Role

An administrative role is a collection of permissions that can be assigned to an administrator. A role determines what level of control the administrator has over users, user groups, and so on.

You can add administrative roles to your deployment, and assign these roles to users. If you assign multiple administrative roles to a user, the permissions are combined.

Before you begin

To create an administrative role, you must have an administrative role that:

  • Grants permission to create administrative roles.

  • Includes the permissions that you want to add to the new administrative role.

  • Allows you to delegate the permissions granted to your role. This is determined by the Permission Delegation setting for the role assigned to the administrator who is creating the role.


  1. In the Security Console, click Administration > Administrative Roles > Add New.

  2. In the Administrative Role Name field, enter a name for the new administrative role.

  3. (Optional) If you want to allow administrators to delegate their role permissions to other administrators, select Permission Delegation.

  4. In the Security Domain Scope tree, select the security domains in which the new administrative role grants permissions.

    By default, selecting a security domain automatically includes the subdomains. You can clear the Automatically include subdomains checkbox, and only assign the administrative role to the security domains that you select.

  5. In the Identity Source Scope field, select the identity sources where you want this administrative role to grant permissions.

  6. Click Next.

  7. Assign general permissions to the administrative role.

  8. (Optional) To restrict attributes, in the User Attribute Restriction field, select May only access specific attributes. An Attributes drop-down menu appears. Select Modify, View, or None for each attribute. If you select None, the attribute is hidden.

    The value in this field must be consistent with the value specified in the Entry Type field on the Add an Identity Attribute Definition page. If the attribute definition is read-only, do not select Modify for the User Attribute Restriction. If the attribute definition is required, do not specify View or None in the User Attribute Restriction. If you do, you cannot add the role.

  9. Click Next.

  10. Assign authentication permissions to the administrative role.

  11. Click Next.

  12. Assign self-service permissions to the administrative role.

  13. Click Next.

  14. Use the Security Domain drop-down menu to select the security domain that is associated with the administrative role.

  15. Review the summary of the administrative role, and click Save.
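
The following Python sketch is an added example, not code from the product or its documentation. It checks a planned role against the prerequisites under "Before you begin" and the attribute rule in step 8 before you enter it in the Security Console. The permission names, attribute names, the `Role` class, and the reading that only roles with Permission Delegation selected contribute delegable permissions are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical planning model; this is not the product's API.
@dataclass
class Role:
    name: str
    permissions: set
    delegation: bool = False   # the Permission Delegation setting
    attr_access: dict = field(default_factory=dict)  # attribute -> Modify/View/None

def effective_permissions(roles):
    # Multiple roles assigned to one administrator are combined (union).
    return set().union(*(r.permissions for r in roles))

def delegable_permissions(roles):
    # Assumption: only roles with Permission Delegation selected count here.
    return set().union(*(r.permissions for r in roles if r.delegation))

def check_new_role(creator_roles, new_role, attr_defs,
                   create_perm="create_admin_role"):
    # Returns the reasons the planned role would be refused (empty list = OK).
    problems = []
    if create_perm not in effective_permissions(creator_roles):
        problems.append("creator lacks permission to create administrative roles")
    missing = new_role.permissions - delegable_permissions(creator_roles)
    if missing:
        problems.append("creator cannot delegate: " + ", ".join(sorted(missing)))
    for attr, access in new_role.attr_access.items():
        entry_type = attr_defs.get(attr)
        if entry_type == "read-only" and access == "Modify":
            problems.append(f"{attr}: read-only attribute cannot be Modify")
        if entry_type == "required" and access in ("View", "None"):
            problems.append(f"{attr}: required attribute cannot be {access}")
    return problems

# Constructed sample data (all names are made up for this example).
HELPDESK = Role("HelpDesk", {"view_users", "reset_pin"}, delegation=True)
ROLE_ADMIN = Role("RoleAdmin", {"create_admin_role", "edit_users"})
ATTR_DEFS = {"badge_id": "read-only", "department": "required",
             "phone": "optional"}
GOOD = Role("PinReset", {"reset_pin"},
            attr_access={"phone": "Modify", "badge_id": "View"})
BAD = Role("UserEditor", {"edit_users", "reset_pin"},
           attr_access={"badge_id": "Modify", "department": "None"})

if __name__ == "__main__":
    for planned in (GOOD, BAD):
        issues = check_new_role([HELPDESK, ROLE_ADMIN], planned, ATTR_DEFS)
        print(planned.name, "OK" if not issues else issues)
```
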