The Roles tab in the Access Control section of the Administration console enables you to review the roles in your tenant. 

You must have either the Tenant Admin or View Admin role to access the Roles tab.

To view the roles in your tenant:

  1. In the Administration console, navigate to Access Control > Roles.
  2. View the list of roles.

Figure: The Roles tab in the Administration console. The Tenant Admin role is selected. The policy details display on the bottom half of the screen.

The Roles tab displays:

  • the roles in your tenant
  • the policy associated with each role
  • the description of each role
  • the number of users assigned to the role  

Click on the entry in the Users Assigned column to navigate to the Assignments tab and view a list of users assigned to that role.

Select an entry to view the policy details of the individual role.  For more information, see Policies.

Access Control Roles

View Admin

View administrators can view the configuration of a tenant, but cannot update anything.

Tenant Admin

Tenant administrators manage the configurations and settings at the tenant level. Tenant administrators:

  • Cannot access other tenants
  • Cannot access tenant data
  • Can access metadata

Tenant administrators have the Read permissions that the view administrator has. In addition, they can:

  • Assign process owners, tenant auditors, and other tenant admins
  • Create Role Membership for other tenant roles
  • Update Model Categories
  • Update Users

Note: The Assignments feature cannot remove this role if you're the only user in your tenant assigned to the Tenant Admin role.

Tenant Security Admin

Tenant security administrators manage the tenant’s security settings. They can:

  • access the Self Service SAML feature in the Administration Console (via the SSO tab)
  • create a new identity provider (IdP) connection
  • modify an existing IdP connection
  • disable an existing IdP connection

Encryption Admin

Encryption administrators manage the BYOK encryption keys for their organization and handle the encryption of their workspaces. Encryption administrators can only see the workspaces and keys for the tenant to which they belong.

Encryption administrators can:

  • create, read, and update encryption keys
  • assign the Encryption Admin role
  • remove the Encryption Admin role

Note: To unassign yourself from the encryption administrator role, have another encryption administrator unassign you.  Encryption administrators cannot unassign themselves from the Encryption Admin role.

Integration Admin

The Integration Admin role enables you to access the Integration Framework feature to:

  • create, edit, and delete a connection
  • create, edit, and delete an integration

Page Builder

A Page Builder can:

Process Owner

In a future release, process owners will be able to create, edit, update, and delete Workflow processes for their tenant. Workflow processes consist of several tasks that the process owner assigns to users. For example, tasks can include viewing and modifying information on dashboards and approving or rejecting those changes. In addition, process owners will be able to start cycles of their workflow processes and complete their own workflow tasks.

Notes:

  • Administrators who have the Process Owner role can run tasks in any workflow process.
  • Your organization must be licensed for the Workflow feature to make use of the Process Owner role. If you do not have Workflow enabled, you can view and assign the Process Owner role. Process owners have no authorizations until Workflow is enabled.

Tenant Auditor

Tenant Auditors can view audit information for their tenant. See Security - Audit.

Note: Your organization must be licensed for the Audit feature to make use of the tenant auditor role. If you do not have Audit enabled, you can view and assign the tenant auditor role. Tenant auditors have no authorizations until Audit is enabled.