Configure login accounts for Administrative Roles

In the Management Portal at Setup > Administrative Roles, you can prevent unauthorized access to the Management Portal and the Setup and Sync Tool.

On the Logins tab, click a login account to configure it and to assign administrative roles. Login accounts can authenticate administrators based on Active Directory user name or group membership.

Properties tab

Field: Explanation and Tips
Login: Specify the login account.
Login Type: Specify which type of authentication should be used:
  • Select Default to use Windows authentication. If you select this option, specify in the Login field the Active Directory user or group that can authenticate the user.
    • Specify users in the format Domain\User.
    • Specify groups in the format Domain\Group.
  • Select Identity Broker to allow an administrator to sign in with an identity provider as configured in Identity Broker (for example, a Microsoft Azure AD account).
    • Specify in the Login field the Windows account or UPN of the user, depending on configuration of the Identity Broker.
    • Make sure the user is part of the same domain as the Identity Director server. Otherwise, the Domain Local Groups of the user cannot be used as Groups in the Administrative Roles/Logins.
    • To allow administrators to sign in with their UPN, configure a people identifier UPN, so Identity Director can match a person in your environment with the Identity Broker claim.
    • Configure Identity Broker as Login Type in the Management Portal

    See Getting Started with the Identity Broker for more information.
Administrative Role: Assign the login account to one or more administrative roles. This determines the administrative permissions of the login account.
  • To prevent accidental lockout, the first login account that you create is automatically assigned to the default role Full Access. This role grants Modify permissions to all functionality of the Management Portal and the Setup and Sync Tool. You cannot edit or delete this role.
  • If you assign multiple administrative roles, the permissions of all roles are combined and the least restrictive permissions apply.

Resulting Security tab

View the outcome of all assigned administrative roles.
However, a user may obtain additional permissions at the moment of sign-in, based on their membership of Active Directory groups, which may also be assigned administrative roles.

  • You have secured access to the Management Portal and the Setup and Sync Tool if you configure at least one login account and assign it to at least one administrative role.
  • If you delete the last login account that is assigned to the administrative role Full Access, anyone has full access to the Management Portal and the Setup and Sync Tool.
  • Login accounts do not require a license: you do not need to link them to a person in Identity Director to have access to the Management Portal and the Setup and Sync Tool.
  • You can sign in to the Management Portal with your Windows User Account and with your User Principal Name (UPN). A UPN is the name of a user in an e-mail address-like format. When you sign in, the UPN is matched to a user account in Microsoft Active Directory and the identifier of a person in Identity Director.
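
The role-combination rule, the group-derived permissions at sign-in and the Full Access warning described above can be checked offline against a list of login accounts. This is an added example, not Identity Director code or its export format: the permission levels other than Modify, the area names, the roles other than Full Access and all account names are constructed assumptions.

```python
# Added example: a review helper for login accounts and administrative roles.
# Assumed ordering from most to least restrictive; the page itself only names "Modify".
LEVELS = ["None", "Read", "Modify"]
FULL_ACCESS = "Full Access"  # default role named on the page

# Constructed sample data: role -> {functional area -> permission level}
ROLE_PERMS = {
    FULL_ACCESS: {"Setup": "Modify", "People": "Modify", "Services": "Modify"},
    "Helpdesk": {"People": "Read", "Services": "Modify"},
    "Auditor": {"Setup": "Read", "People": "Read", "Services": "Read"},
}
# Constructed sample data: login account (Domain\User or Domain\Group) -> assigned roles
LOGINS = {
    "CORP\\alice": [FULL_ACCESS],
    "CORP\\bob": ["Auditor"],
    "CORP\\Helpdesk": ["Helpdesk"],  # a group login account
}


def effective_permissions(user, user_groups, logins, role_perms):
    """Combine the roles of the user's own login and of every group login
    the user belongs to, which is what applies at the moment of sign-in."""
    principals = {user.lower()} | {g.lower() for g in user_groups}
    result = {}
    for login, roles in logins.items():
        if login.lower() not in principals:  # AD names are case-insensitive
            continue
        for role in roles:
            for area, level in role_perms[role].items():
                current = result.get(area, "None")
                # Least restrictive permission wins when roles are combined.
                result[area] = max(current, level, key=LEVELS.index)
    return result


def has_full_access_login(logins):
    """False is the state the page warns about: no login account holds
    Full Access, so anyone has full access to both tools."""
    return any(FULL_ACCESS in roles for roles in logins.values())


if __name__ == "__main__":
    own = effective_permissions("CORP\\bob", [], LOGINS, ROLE_PERMS)
    at_sign_in = effective_permissions("CORP\\bob", ["CORP\\Helpdesk"], LOGINS, ROLE_PERMS)
    print("own login only:", own)
    print("with group membership:", at_sign_in)
    print("Full Access login present:", has_full_access_login(LOGINS))
```

Comparing the two results per account shows which permissions come only from group membership and would not be visible from the account's own role assignments.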