When you create an administrator role, you are creating a custom role. You cannot create
built-in roles.
About this task
As a security enhancement, IBM® Security Verify requires new entitlements to view the client secret. For more information, see Security updates for entitlements and Access entitlements.
Note: To minimize the impact, update your custom admin roles and API clients with the new entitlements according to their needs before the upcoming client secret changes go into effect.
Procedure
- Navigate to Administrator roles. The roles are listed by name, description, and type.
- Optional: You can filter the roles by role type, either Regular (Built-in or Custom) or Dynamic. You can also search for a role by its name or description.
- Click Create role.
- Click Regular role for the role type.
- Provide the information for General setup.
  - Provide a name for the role. The name is limited to 1024 characters.
  - Optional: Provide a description. The description is limited to 1024 characters.
  - Click Next.
- Provide the Role composition information.
  - Click the Roles tab.
  - Select any roles that you want to include in the new role.
  - On the Permissions tab, select any permissions that you want to assign to the role. The Subscription column identifies the type of subscription that your tenant needs in order to assign that permission.
    Note: If you select a permission that has the Scope type group (manageUserGroups, readUserGroups, or resetPasswordAnyUser) and your tenant supports large groups, you can add a scope to limit the groups that can be managed by this role.
  - Click Next.
- Optional: If you selected a permission with Scope type group and the tenant supports large groups, add a scope.
  - Select the Limit group-related permissions to specific groups checkbox. This option limits the role members' user-group permissions to the specified groups.
  - Use the search field to find a group and select it from the results. Repeat the search for each group that you want to add. To remove a group from the list, click the remove icon.
  - Click Next.
- Review the information on the Preview page. The selected roles, permissions, and any scopes are displayed.
- Click Create role. The new role is displayed in the Administration roles table.
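To make the composition and scope rules of this procedure concrete, the following added Python example (not IBM Security Verify code; the Role class, its checks, and the sample roles are hypothetical) models a custom role as data, computes the permissions a member inherits through included roles, and flags a definition that a reviewer should send back before Create role is clicked.

```python
from dataclasses import dataclass, field

# Permissions the page lists as taking a group scope on tenants that support large groups.
GROUP_SCOPED = {"manageUserGroups", "readUserGroups", "resetPasswordAnyUser"}
MAX_LEN = 1024  # name and description limit stated in the procedure


@dataclass
class Role:
    name: str
    description: str = ""
    includes: list = field(default_factory=list)    # roles composed in (Roles tab)
    permissions: set = field(default_factory=set)   # directly assigned (Permissions tab)
    scope_groups: set = field(default_factory=set)  # empty: not limited to specific groups


def effective_permissions(role, _seen=None):
    """Union of the role's own permissions and those of every included role (cycle-safe)."""
    _seen = set() if _seen is None else _seen
    if id(role) in _seen:
        return set()
    _seen.add(id(role))
    perms = set(role.permissions)
    for inner in role.includes:
        perms |= effective_permissions(inner, _seen)
    return perms


def validate(role, tenant_supports_large_groups):
    """Problems a reviewer should reject the definition for; an empty list means acceptable."""
    problems = []
    if not 0 < len(role.name) <= MAX_LEN:
        problems.append("name must be 1 to 1024 characters")
    if len(role.description) > MAX_LEN:
        problems.append("description exceeds 1024 characters")
    if role.scope_groups and not tenant_supports_large_groups:
        problems.append("group scope needs a tenant with large-group support")
    if role.scope_groups and not (role.permissions & GROUP_SCOPED):
        problems.append("group scope set but no group-scoped permission selected")
    return problems


def group_reach(role):
    """Least-privilege view: groups a member can act on through group-scoped permissions.
    None if the role carries no such permission, 'ALL' if it carries one without a scope."""
    if not (effective_permissions(role) & GROUP_SCOPED):
        return None
    return set(role.scope_groups) if role.scope_groups else "ALL"

# Constructed sample: a helpdesk role that composes a read-only role and is scoped to two groups.
READER = Role("Group reader", permissions={"readUserGroups"})
HELPDESK = Role("Helpdesk", includes=[READER], permissions={"resetPasswordAnyUser"},
                scope_groups={"Contractors", "Interns"})
```

The scope check follows the page wording and looks only at directly selected permissions; whether a scope also narrows group permissions inherited from an included role is an assumption this model does not make.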
Selecting Roles
Note: To view the list of all users and to define the activity of a specific user, the administrator needs one or more of the following permissions:
- readUserGroups
- manageUserGroups
- manageAllUserGroups
- manageUserStandardGroups
In addition, the administrator might need one or more of the following general permissions:
- tenantadmin (member of the admin group; can be assigned only through an API call)
- reserved_appowner (member of the application owners group, or can be assigned only through an API call)