Question
There are multiple admin roles in Access Control. What can each role do?
Answer
There are a total of 5 types of admin roles. Please refer to the table below for what each role can and cannot do.
* Each admin has permission to view the admin console and can download log files.
However, some operations are restricted depending on the admin role.
Please see below for details.
| No. | Role Name | Details |
| --- | --- | --- |
| 1 | Global Admin | |
| 2 | Read Only Admin | No edit permissions for any menu. |
| 3 | Certificate Admin | Can issue, revoke, and edit device certificates and tenant shared certificates. |
| 4 | Secure Browser Admin | Can approve, reject, and edit secure browsers. |
| 5 | Certificate and Secure Browser Admin | Has both the permissions of 3 and 4 above. |
Examples of operations restricted by role
| Main Category | Subcategory | Function | ① | ② | ③ | ④ | ⑤ |
| --- | --- | --- | --- | --- | --- | --- | --- |
| System General Settings | Domain Settings | Authentication Screen Management | ✔️ | View Only | View Only | View Only | View Only |
| | | Password Policy Management | ✔️ | View Only | View Only | View Only | View Only |
| | | Secure Browser Management | ✔️ | View Only | View Only | View Only | View Only |
| | | Customize Device Certificate Installation Email | ✔️ | View Only | View Only | View Only | View Only |
| | | Others | ✔️ | View Only | View Only | View Only | View Only |
| Connected Service Settings | | Connected Service Management | ✔️ | View Only | View Only | View Only | View Only |
| | | View Connected Service Metadata / SAML Signing Certificate Download | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| Provisioning | | Provisioning Management (Microsoft 365 / Google Workspace) | ✔️ | View Only | View Only | View Only | View Only |
| | | Provisioning Management (Cybozu / Salesforce) | ✔️ | – | – | – | – |
| | | Dry run and synchronization | ✔️ | – | – | – | – |
| | | API client | ✔️ | View Only | View Only | View Only | View Only |
| Users | User Management | User Management | ✔️ | View Only | View Only | View Only | View Only |
| | | User Password Reset / Add Emergency OTP Token, etc. | ✔️ | View Only | View Only | View Only | View Only |
| | | View User Access Logs / Export to CSV | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| | | Custom User Attributes Management | ✔️ | View Only | View Only | View Only | View Only |
| Access Settings | | Access Policy Template | ✔️ | View Only | View Only | View Only | View Only |
| | | Access Policy Groups | ✔️ | View Only | View Only | View Only | View Only |
| | | IP Sets | ✔️ | View Only | View Only | View Only | View Only |
| Secure Browsers | Pending Requests | View List | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| | | Approve / Deny Requests | ✔️ | – | – | ✔️ | ✔️ |
| | | Devices | ✔️ | View Only | View Only | View Only | View Only |
| | | Browser Policy Groups | ✔️ | View Only | View Only | View Only | View Only |
| Certificates | Device Certificates *1 | Register / Update / Revoke Device Certificates | ✔️ | View Only | ✔️ | View Only | ✔️ |
| | | Download Device Certificates (Personal / Batch) | ✔️ | – | ✔️ | – | ✔️ |
| | | Create Device Certificate List (tsv) | ✔️ | – | ✔️ | – | ✔️ |
| | | Device Certificate Operations (Replace / Resend Certificate Email, etc.) | ✔️ | – | ✔️ | – | ✔️ |
| | Tenant Certificates | Create Tenant Certificate / Download / Renew / Revoke | ✔️ | View Only | ✔️ | View Only | ✔️ |
| Log Management | Access Logs | View Logs / Export to CSV | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| | User Operation Logs | View Logs / Export to CSV | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| | Admin Operation Logs | View Logs / Export to CSV | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| | Sync Logs | View Logs | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| | Batch Registration Logs | View Logs | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| | Secure Browser Verify History | View Logs | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
| | Device Certificate Action History | View Logs | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

*1 Users other than Global Admins cannot perform actions targeting Global Admins (such as issuing, revoking, or downloading Device Certificates) or obtain certain information related to Global Admins.