UniFi Identity Enterprise - Admin Role Configuration
Admin roles refer to the collection of permissions assigned to Workspace Admins. Assigning specific roles to each admin ensures they have the appropriate permissions for their responsibilities.
View Role Permission
- On your Identity Enterprise Manager, go to Organization > Admins > Roles.
- Select a role and click Settings > Permissions in the prompted panel.
Assign Admin Roles
Note: Admins can only assign lower-level roles to users or remove lower-level roles from users.
Do any of the following:
- Go to Organization > Admins > Roles > select a role > Users > Add Users.
- Go to Organization > Members > Users > select a user > Settings > Group & Role > Role.
- Go to Settings > UniFi Consoles > Sites > select an existing site > Overview > Site Admins.
Set an Expiration Time for Admin Roles
You can enable Set an expiration time when assigning admin roles to users. Once the role expires, Identity Enterprise automatically removes the admin role and its associated permissions. If no expiration time is specified, the role remains active until manually removed.
If an expiration time and assignment reason are added, admins can view this information in Identity Enterprise Manager: go to Organizations > Members > Users > select a user > Settings, then hover over the i icon.
Add Custom Admin Roles
Workspace Owners and Super Admins can add custom admin roles to grant custom admin permissions.
Note: This feature is only available in the Identity Enterprise Standard Plan. To subscribe to it, please use your owner account to sign in to your Identity Enterprise Manager and go to Settings > Plan & Billing > Upgrade Plan.
- On your Identity Enterprise Manager, go to Organization > Admins > Roles and click the Add Role icon.
- Enter the Role Name and set the Permission Level to Workspace or Sites, then customize the Permissions.
- Click Add.
Default Admin Roles and Permissions
For Workspaces Created before February 2023
UniFi Identity Enterprise offers 10 types of predefined admin roles:
- Owner
- Super Admin
- HR Admin
- IT Admin
- Read-Only Admin
- SSO Apps Admin
- Site Admin
- Site HR Admin
- Site IT Admin
- Site Read-Only Admin
For Workspaces Created after February 2023
UniFi Identity Enterprise offers 3 types of predefined admin roles:
- Owner
- Super Admin
- Read-Only Admin
Permission Range
Permission ranges for the admins are divided into two categories:
- Admins with workspace-level permissions have full management authority over the entire workspace.
- Admins with site-level permissions have management authority for the resources and users in the managed site.
Workspace-Level Permissions
User Management
Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin |
View users and groups | Yes | Yes | Yes | Yes | Yes |
Add, edit, and delete users and groups | Yes | Yes | Yes | ||
Edit user lifecycle | Yes | Yes | Yes | ||
View AD/LDAP settings | Yes | Yes | Yes | Yes | Yes |
Edit AD/LDAP settings | Yes | Yes | Yes | ||
Import users from AD/LDAP | Yes | Yes | Yes | ||
Reset users' MFA | Yes | Yes | Yes |
Door Access Management
Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin |
Set up UniFi Identity Door Access | Yes | Yes | Yes | ||
View NFC card list and information | Yes | Yes | Yes | Yes | Yes |
Remove NFC cards and PINs | Yes | Yes | Yes | Yes | |
Assign NFC cards and PINs | Yes | Yes | Yes | Yes | |
Add, edit, and delete door groups, floors, and doors | Yes | Yes | Yes | ||
Remote view | Yes | Yes | Yes | Yes | |
Remote unlock | Yes | Yes | Yes | ||
View door groups, floors, doors, and devices | Yes | Yes | Yes | Yes | Yes |
Edit door unlock schedules | Yes | Yes | Yes | ||
Edit door attendants | Yes | Yes | Yes | ||
Adopt devices, update firmware, and edit device information | Yes | Yes | Yes | ||
Submit feedback | Yes | Yes | Yes | Yes | Yes |
Update data version | Yes | Yes | Yes | ||
View access policies, schedules, and holiday groups | Yes | Yes | Yes | Yes | Yes |
Edit access policies, schedules, and holiday groups | Yes | Yes | Yes | ||
View visitor information | Yes | Yes | Yes | Yes | Yes |
Add and edit visitors | Yes | Yes | Yes | Yes | |
View access logs | Yes | Yes | Yes | Yes | Yes |
Export access logs | Yes | Yes | Yes |
Network Management
Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin |
Set up WiFi | Yes | Yes | Yes | ||
View WiFi settings | Yes | Yes | Yes | Yes | Yes |
Edit WiFi settings | Yes | Yes | Yes | ||
Set up VPN | Yes | Yes | Yes | ||
View VPN settings | Yes | Yes | Yes | Yes | Yes |
Edit VPN settings | Yes | Yes | Yes |
Security Policy Management
Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin |
View security policies | Yes | Yes | Yes | Yes | Yes |
Add, edit, and delete security policies | Yes | Yes | Yes |
Assignment Management
Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin | SSO Apps Admin |
Assign/Unassign roles | Yes | Yes | Yes | |||
Assign/Unassign groups | Yes | Yes | Yes | |||
Assign/Unassign access policies and NFC cards | Yes | Yes | Yes | Can only assign NFC cards to themselves | ||
Assign/Unassign One-Click WiFi | Yes | Yes | Yes | Can only assign WiFi to themselves | ||
Assign/Unassign One-Click VPN | Yes | Yes | Yes | Can only assign VPN to themselves | ||
Assign/Unassign cameras | Yes | Yes | Yes | Can only assign cameras to themselves | ||
Assign/Unassign SSO Apps | Yes | Yes | Yes | Can only assign SSO apps to themselves | Yes |
SSO Apps Management
Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin | SSO Apps Admin |
View SSO apps | Yes | Yes | Yes | Yes | Yes | Yes |
Configure SSO apps | Yes | Yes | Yes | Yes |
Helpdesk Management
Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin |
View tickets | Yes | Yes | Yes | Yes | Yes |
Edit tickets | Yes | Yes | Yes |
UniFi Console Management
Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin |
View UniFi Console information | Yes | Yes | Yes | Yes | Yes |
Submit feedback on UniFi Console | Yes | Yes | Yes | Yes | Yes |
Access Site Manager from UniFi Identity Enterprise | Yes | Yes | Yes | Yes | Yes |
Add UniFi Console admins | Yes | Yes | Yes | ||
Delete UniFi Console | Yes | Yes | Yes | ||
Set up Identity Enterprise Agent | Yes | Yes | Yes |
Site-Level Permissions
User Management
Notes
A Site Admin has administrative authority over the resources and users under the managed site.
The following Site Admin permissions depend on workspace settings. Workspace Owners and Super Admins can edit them in Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) > Settings > Users.
- Allow Site Admin to See All Users
- Allow Site Admin to Edit Site Users
- Allow Site Admin to Add or Invite Users
Permission | Site Admin | Site HR Admin | Site IT Admin | Site Read-Only Admin |
View users and groups | Yes | Yes | Yes | Yes |
Add, edit, and delete users and groups | Yes | Yes | ||
Edit user lifecycle | Yes | Yes | ||
Reset users' MFA | Yes | Yes |
Door Access Management
Permission | Site Admin | Site HR Admin | Site IT Admin | Site Read-Only Admin |
Set up Door Access | Yes | Yes | ||
View NFC card list and information | Yes | Yes | Yes | Yes |
Remove NFC cards and PINs | Yes | Yes | ||
Assign NFC cards and PINs | Yes | Yes | ||
Add, edit, and delete door groups, floors, and doors | Yes | Yes | ||
Remote view | Yes | Yes | Yes | Yes |
Remote unlock | Yes | Yes | Yes | |
View door groups, floors, doors, and devices | Yes | Yes | Yes | Yes |
Edit door unlock schedules | Yes | Yes | ||
Edit door attendants | Yes | Yes | ||
Adopt devices, update firmware, and edit device information | Yes | Yes | ||
Submit feedback | Yes | Yes | Yes | Yes |
Update data version | Yes | Yes | ||
View access policies, schedules, and holiday groups | Yes | Yes | Yes | Yes |
Edit access policies, schedules, and holiday groups | Yes | Yes | ||
View visitor information | Yes | Yes | Yes | Yes |
Add and edit visitors | Yes | Yes | ||
View access logs | Yes | Yes | Yes | Yes |
Export access logs | Yes | Yes |
Network Management
Permission | Site Admin | Site HR Admin | Site IT Admin | Site Read-Only Admin |
Set up WiFi | Yes | Yes | ||
View WiFi settings | Yes | Yes | Yes | Yes |
Edit WiFi settings | Yes | Yes | ||
Set up VPN | Yes | Yes | ||
View VPN settings | Yes | Yes | Yes | Yes |
Edit VPN settings | Yes | Yes |
Assignment Management
Permission | Site Admin | Site HR Admin | Site IT Admin | Site Read-Only Admin |
Assign/Unassign roles | Yes | |||
Assign/Unassign groups | Yes | Yes | ||
Assign/Unassign access policies and NFC cards | Yes | Yes | Can only assign NFC cards to themselves | |
Assign/Unassign One-Click WiFi | Yes | Yes | Can only assign WiFi to themselves | |
Assign/Unassign One-Click VPN | Yes | Yes | Can only assign VPN to themselves | |
Assign/Unassign cameras | Yes | Yes | Can only assign cameras to themselves | |
Assign/Unassign SSO Apps | Yes | Yes | Can only assign SSO apps to themselves |
UniFi Console Management
Permission | Site Admin | Site HR Admin | Site IT Admin | Site Read-Only Admin |
View UniFi Console information | Yes | Yes | Yes | Yes |
Submit feedback on UniFi Console | Yes | Yes | Yes | Yes |
Access Site Manager from UniFi Identity Enterprise | Yes | Yes | Yes | Yes |
Add UniFi Console admins | Yes | Yes | ||
Delete UniFi Console | Yes | Yes | ||
Set up Identity Enterprise Agent | Yes | Yes |