MFA Guides

Create A New Role

Create a New Role lets administrators create new roles within the system. Clicking Create a New Role opens the configuration as a pop-up window.


Administrators can select any of the available configuration options, some of which are expanded below, and then click Create a New Role or click Cancel to discard.

Along with naming the role and providing a description, there are four primary areas within the Create a New Role dialog.

  1. Function

  2. Modification

  3. Assignment

  4. Management

When creating roles and configuring their permissions, it is helpful to limit the number of administrators with full permissions to manage Authentication Methods and Sets as well as manage Roles. By limiting the scope of each role, the opportunity for an unauthorized administrator to create users and issue unauthorized credentials to users is minimized. The ability to assign a role to a user should be granted only to a security group or the highest level of an administrative user group.

Use Case: Delegated Administration with Scope

Administrators can delegate a role that can manage only users assigned to defined roles.

For example, in a global organization where administrators can manage users within their assigned region only, a role named North American Administrators can be created that can only manage users assigned the North American User role.

The creation of this role type requires two steps.

  1. Create the lowest-level role by clicking the Create a New Role link under the Roles tab.

  2. Create the North American Administrators role, assign the desired rights, and add the permission to manage users with the following roles by selecting North American User.

Repeat this sequence for each region. Special roles such as Executive Administrator and Executive Users can be created to span multiple geographic regions. This approach ensures that administrators who traditionally manage a defined user base continue to be restricted to the same user base.
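
The scoping rule above can be checked outside the console when reviewing a role design. The following Python sketch is an added example, not code from the product: the `Role` fields, the sample roles and the user names are constructed, and it assumes the strictest reading of the scope rule, where an administrator may manage a user only if every role that user holds is within the administrator's scope.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    # Field names are assumptions for this sketch, not the product's schema.
    name: str
    manages: frozenset = frozenset()  # roles whose holders this role may manage
    manage_roles: bool = False        # may create, edit or assign roles
    manage_auth: bool = False         # may manage Authentication Methods and Sets

def build(*roles):
    return {r.name: r for r in roles}

# Constructed sample data following the regional layout described above.
ROLES = build(
    Role("North American User"),
    Role("European User"),
    Role("Executive Users"),
    Role("North American Administrators", frozenset({"North American User"})),
    Role("European Administrators", frozenset({"European User"})),
    Role("Executive Administrator",
         frozenset({"North American User", "European User", "Executive Users"}),
         manage_roles=True, manage_auth=True),
)
USERS = {
    "alice": {"North American Administrators"},
    "bob": {"North American User"},
    "carla": {"European User"},
    "dev": {"North American User", "Executive Users"},
    "erin": {"Executive Administrator"},
    "newhire": set(),
}

def scope(user):
    """Union of the roles that this user's own roles allow them to manage."""
    return frozenset().union(*(ROLES[r].manages for r in USERS[user]))

def can_manage(admin, target):
    """Allow only if the target holds at least one role and all are in scope."""
    held = USERS[target]
    return bool(held) and held <= scope(admin)

def full_permission_holders():
    """Users whose roles grant both role and authentication-method management."""
    return sorted(u for u, held in USERS.items()
                  if any(ROLES[r].manage_roles and ROLES[r].manage_auth for r in held))
```

Under these assumptions the regional administrator cannot manage a user who also holds an executive role, or a user with no role yet, and `full_permission_holders()` returns the short list of accounts worth reviewing against the guidance on limiting full permissions.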