Creating an administrator role

When you create an administrator role, you are creating a custom role. You cannot create built-in roles.

About this task

As a security enhancement, IBM® Security Verify requires new entitlements to view the client secret. For more information, see Security updates for entitlements and Access entitlements.
Note: To minimize the impact, update your custom admin roles and API clients with the new entitlements according to their needs before the incoming client secret changes go into effect.

Procedure

  1. Navigate to Administrator roles.
    The roles are listed by name, description, and type.
  2. Optional: You can filter the roles by role type, either Regular Built-in or Custom, or Dynamic. You can also search a role by its name or description.
  3. Click Create role.
  4. Click Regular role for the role type.
  5. Provide the information for General setup.
    1. Provide a name for the role.
      The name is limited to 1024 characters.
    2. Optional: Provide a description.
      The description is limited to 1024 characters.
  6. Click Next.
  7. Provide the Role composition information.
    1. Click the Roles tab.
    2. Select any roles that you want to include in the new role.
    3. On the Permissions tab, select any permissions that you want to assign to the role.
      The Subscription column identifies the type of subscription that your tenant needs to be able to assign that permission.
      Note: If you select a permission that has the Scope type group, manageUserGroups, readUserGroups, or resetPasswordAnyUser and your tenant supports large groups, you can add a scope to limit the groups that can be managed by this role.
  8. Click Next.
  9. Optional: If you selected a permission with Scope type group and the tenant supports large groups, add a scope.
    1. Select the Limit group-related permissions to specific groups checkbox.
      This option limits the Administrator role member's user-group permission to the specified groups.
    2. Use the search field to find a group and select it from the results.
      Repeat the search for each group that you want to add. To remove a group from the list, click the remove icon.
  10. Click Next.
  11. Review the information on the Preview page.
    The selected roles, permissions, and any scopes are displayed.
  12. Click Create role.
    The new role is displayed in the Administration roles table.
  13. Selecting Roles
    Note:

    In order to inspect the list of all users and defining the activity of a specific user, the administrator needs one or more permissions of the following list:

    • readUserGroups
    • manageUserGroups
    • manageAllUserGroups
    • manageUserStandardGroups

    In addition, the administrator could need one or more general permissions of the following list:

    • tenantadmin (member of admin group can be assigned via API invoking call only).
    • reserved_appowner (member of application owners group, or it can be assigned via API invoking call only).