UniFi Identity Enterprise - Admin Roles

Admin roles refer to the collection of permissions assigned to workspace admins. Assigning different roles to different admins ensures that the right person has the right workspace permission.

View Role Permission

  1. On your Identity Enterprise Manager, go to Organization > Admins > Roles.
  2. Select a role and click Settings > Permissions in the prompted panel.

Assign Admin Roles

Note: Admins can only assign lower-level roles to users or remove lower-level roles from users.

Do any of the following:

  • Go to Organization > Admins > Roles > select a role and click Users > Add Users on the prompted panel.
  • Go to Organization > Members > Users > select a user and go to Settings on the prompted panel.
  • Go to Settings > UniFi Consoles > Sites > select an existing site > Overview > Site-Level Admins.

Set an Expiration Time for Admin Roles

Admins can set expiration times by enabling "Set an expiration time" when assigning admin roles to users. Once a user’s admin role expires, Identity Enterprise will automatically remove their admin role and associated permissions. If no expiration time is set, the role won’t expire unless it is manually removed. 

If an expiration time and assignment reason are added, admins can view this information for a user's admin role in Identity Enterprise Manager: go to Organization > Members > Users, select a user, go to Settings, and hover your mouse over the Tooltip icon.

Manage Custom Admin Roles

Workspace owners and super admins can create custom admin roles to grant customized permissions.

Note: This feature is only available in the Identity Enterprise Standard Plan. To subscribe to it, please use your owner account to sign in to your Identity Enterprise Manager and go to Settings > Plan & Billing > Upgrade Plan.

  1. On your Identity Enterprise Manager, go to Organization > Admins > Roles and click the Add Role icon.
  2. Select "Add Custom Role".
  3. Enter a role name, select a Permission Level (i.e., workspace-level or site-level permission), specify Permissions, and then click Add.

Default Admin Roles and Permissions

For Workspaces Created before February 2023

UniFi Identity Enterprise offers 10 types of predefined admin roles:

  • Owner
  • Super Admin
  • HR Admin
  • IT Admin
  • Read-Only Admin
  • SSO Apps Admin
  • Site Admin
  • Site HR Admin
  • Site IT Admin
  • Site Read-Only Admin

For Workspaces Created after February 2023

UniFi Identity Enterprise offers 3 types of predefined admin roles:

  • Owner
  • Super Admin
  • Read-Only Admin

Permission Range

Permission ranges for the admins are divided into two categories:

  • Admins with workspace-level permissions own all the management authority for the entire workspace.
  • Admins with site-level permissions have management authority for the resources and users in the managed site.

Workspace-Level Permissions

User Management

| Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin |
|---|---|---|---|---|---|
| View users and groups | Yes | Yes | Yes | Yes | Yes |
| Add, edit, and delete users and groups | Yes | Yes | Yes | - | - |
| Edit user lifecycle | Yes | Yes | Yes | - | - |
| View AD/LDAP settings | Yes | Yes | Yes | Yes | Yes |
| Edit AD/LDAP settings | Yes | Yes | - | Yes | - |
| Import users from AD/LDAP | Yes | Yes | Yes | - | - |
| Reset users' MFA | Yes | Yes | Yes | - | - |

Door Access Management

| Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin |
|---|---|---|---|---|---|
| Set up UniFi Identity Door Access | Yes | Yes | - | Yes | - |
| View NFC card list and information | Yes | Yes | Yes | Yes | Yes |
| Remove NFC cards and PINs | Yes | Yes | Yes | Yes | - |
| Assign NFC cards and PINs | Yes | Yes | Yes | Yes | - |
| Add, edit, and delete door groups, floors, and doors | Yes | Yes | - | Yes | - |
| Remote view | Yes | Yes | Yes | Yes | - |
| Remote unlock | Yes | Yes | Yes | - | - |
| View door groups, floors, doors, and devices | Yes | Yes | Yes | Yes | Yes |
| Edit door unlock schedules | Yes | Yes | - | Yes | - |
| Edit door attendants | Yes | Yes | Yes | - | - |
| Adopt devices, update firmware, and edit device information | Yes | Yes | - | Yes | - |
| Submit feedback | Yes | Yes | Yes | Yes | Yes |
| Update data version | Yes | Yes | - | Yes | - |
| View access policies, schedules, and holiday groups | Yes | Yes | Yes | Yes | Yes |
| Edit access policies, schedules, and holiday groups | Yes | Yes | - | Yes | - |
| View visitor information | Yes | Yes | Yes | Yes | Yes |
| Add and edit visitors | Yes | Yes | Yes | Yes | - |
| View access logs | Yes | Yes | Yes | Yes | Yes |
| Export access logs | Yes | Yes | Yes | - | - |

Network Management

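| Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin |
|---|---|---|---|---|---|
| Set up WiFi | Yes | Yes | - | Yes | - |
| View WiFi settings | Yes | Yes | Yes | Yes | Yes |
| Edit WiFi settings | Yes | Yes | - | Yes | - |
| Set up VPN | Yes | Yes | - | Yes | - |
| View VPN settings | Yes | Yes | Yes | Yes | Yes |
| Edit VPN settings | Yes | Yes | - | Yes | - |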

Security Policy Management

| Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin |
|---|---|---|---|---|---|
| View security policies | Yes | Yes | Yes | Yes | Yes |
| Add, edit, and delete security policies | Yes | Yes | - | Yes | - |

Assignment Management

| Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin | SSO Apps Admin |
|---|---|---|---|---|---|---|
| Assign/Unassign roles | Yes | Yes | Yes | - | - | - |
| Assign/Unassign groups | Yes | Yes | Yes | - | - | - |
| Assign/Unassign access policies and NFC cards | Yes | Yes | Yes | Can only assign NFC cards to themselves | - | - |
| Assign/Unassign One-Click WiFi | Yes | Yes | Yes | Can only assign WiFi to themselves | - | - |
| Assign/Unassign One-Click VPN | Yes | Yes | Yes | Can only assign VPN to themselves | - | - |
| Assign/Unassign cameras | Yes | Yes | Yes | Can only assign cameras to themselves | - | - |
| Assign/Unassign SSO Apps | Yes | Yes | Yes | Can only assign SSO apps to themselves | - | Yes |

SSO Apps Management

| Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin | SSO Apps Admin |
|---|---|---|---|---|---|---|
| View SSO apps | Yes | Yes | Yes | Yes | Yes | Yes |
| Configure SSO apps | Yes | Yes | - | Yes | - | Yes |

Helpdesk Management

| Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin |
|---|---|---|---|---|---|
| View tickets | Yes | Yes | Yes | Yes | Yes |
| Edit tickets | Yes | Yes | Yes | - | - |

UniFi Console Management

| Permission | Owner | Super Admin | HR Admin | IT Admin | Read-Only Admin |
|---|---|---|---|---|---|
| View UniFi Console information | Yes | Yes | Yes | Yes | Yes |
| Submit feedback on UniFi Console | Yes | Yes | Yes | Yes | Yes |
| Access UniFi Portal from UniFi Identity Enterprise | Yes | Yes | Yes | Yes | Yes |
| Add UniFi Console admins | Yes | Yes | - | Yes | - |
| Delete UniFi Console | Yes | Yes | - | Yes | - |
| Set up Identity Enterprise Agent | Yes | Yes | - | Yes | - |

Site-Level Permissions

User Management

Notes

  • A Site Admin has administrative authority over the resources and users under the managed site.
  • The following permissions of site admins are based on workspace settings. Workspace owners and super admins can edit the following permissions in Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) > Settings > Users.

    • Allow Site Admin to See All Users
    • Allow Site Admin to Edit Site Users
    • Allow Site Admin to Add or Invite Users

| Permission | Site Admin | Site HR Admin | Site IT Admin | Site Read-Only Admin |
|---|---|---|---|---|
| View users and groups | Yes | Yes | Yes | Yes |
| Add, edit, and delete users and groups | Yes | Yes | - | - |
| Edit user lifecycle | Yes | Yes | - | - |
| Reset users' MFA | Yes | Yes | - | - |

Door Access Management

| Permission | Site Admin | Site HR Admin | Site IT Admin | Site Read-Only Admin |
|---|---|---|---|---|
| Set up Door Access | Yes | - | Yes | - |
| View NFC card list and information | Yes | Yes | Yes | Yes |
| Remove NFC cards and PINs | Yes | Yes | - | - |
| Assign NFC cards and PINs | Yes | Yes | - | - |
| Add, edit, and delete door groups, floors, and doors | Yes | - | Yes | - |
| Remote view | Yes | Yes | Yes | Yes |
| Remote unlock | Yes | Yes | Yes | - |
| View door groups, floors, doors, and devices | Yes | Yes | Yes | Yes |
| Edit door unlock schedules | Yes | - | Yes | - |
| Edit door attendants | Yes | Yes | - | - |
| Adopt devices, update firmware, and edit device information | Yes | - | Yes | - |
| Submit feedback | Yes | Yes | Yes | Yes |
| Update data version | Yes | - | Yes | - |
| View access policies, schedules, and holiday groups | Yes | Yes | Yes | Yes |
| Edit access policies, schedules, and holiday groups | Yes | - | Yes | - |
| View visitor information | Yes | Yes | Yes | Yes |
| Add and edit visitors | Yes | - | Yes | - |
| View access logs | Yes | Yes | Yes | Yes |
| Export access logs | Yes | Yes | - | - |

Network Management

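| Permission | Site Admin | Site HR Admin | Site IT Admin | Site Read-Only Admin |
|---|---|---|---|---|
| Set up WiFi | Yes | - | Yes | - |
| View WiFi settings | Yes | Yes | Yes | Yes |
| Edit WiFi settings | Yes | - | Yes | - |
| Set up VPN | Yes | - | Yes | - |
| View VPN settings | Yes | Yes | Yes | Yes |
| Edit VPN settings | Yes | - | Yes | - |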

Assignment Management

| Permission | Site Admin | Site HR Admin | Site IT Admin | Site Read-Only Admin |
|---|---|---|---|---|
| Assign/Unassign roles | Yes | - | - | - |
| Assign/Unassign groups | Yes | Yes | - | - |
| Assign/Unassign access policies and NFC cards | Yes | Yes | Can only assign NFC cards to themselves | - |
| Assign/Unassign One-Click WiFi | Yes | Yes | Can only assign WiFi to themselves | - |
| Assign/Unassign One-Click VPN | Yes | Yes | Can only assign VPN to themselves | - |
| Assign/Unassign cameras | Yes | Yes | Can only assign cameras to themselves | - |
| Assign/Unassign SSO Apps | Yes | Yes | Can only assign SSO apps to themselves | - |

UniFi Console Management

| Permission | Site Admin | Site HR Admin | Site IT Admin | Site Read-Only Admin |
|---|---|---|---|---|
| View UniFi Console information | Yes | Yes | Yes | Yes |
| Submit feedback on UniFi Console | Yes | Yes | Yes | Yes |
| Access UniFi Portal from UniFi Identity Enterprise | Yes | Yes | Yes | Yes |
| Add UniFi Console admins | Yes | - | Yes | - |
| Delete UniFi Console | Yes | - | Yes | - |
| Set up Identity Enterprise Agent | Yes | - | Yes | - |