User roles

The Identity Service supports the following traditional (non-persona-based) user roles:

  • Tenant Admin. Users assigned to this role can edit users and roles within their own tenant. The following actions are available to users assigned to this role:

    • Edit this tenant

    • Add or remove domains

    • Switch hosting options

    • Add users to this tenant

    • Disable users in this tenant

    • Enable users in this tenant

    • Delete users from this tenant

    • Manage licensing options within a tenant's applications

    • Add custom roles to this tenant's applications

    • Remove custom roles from this tenant's applications

    • Edit and add roles to this tenant's users

    • All Tenant Reader user role actions

  • Tenant Reader. Users assigned to this role can view the tenants to which they are assigned.

  • Applications Admin. Applicable primarily within on-premises environments. Users with this role can view and edit all applications across the Identity system. The following actions are available to users assigned to this role:

    • Add application access to a tenant

    • Manage application roles, clients, and API resources

    • Remove application access from a tenant