Role Admin and Role Sub-Admin User Levels

Role Admin and Role Sub-Admin User Levels

It can be beneficial for enterprises to securely hand off certain responsibilities to specific individuals within their organization. Sharing responsibilities ensures that administrators do not have too much responsibility or power over governance actions.

A user with role admin permissions can perform the following actions:

  • Create, manage, and edit roles.
  • Access the Access Modeling service which includes Role Discovery and Role Insights.
  • Save, subscribe to, and download CSV reports on accessible pages in IdentityNow.
  • Search

To utilize sub-admin user levels, the source and the user must be associated with a governance group

Role sub-admins can create, manage, and edit only for roles with access profiles on sources that are associated with the governance groups they are members of. Role sub-admins have the same permissions as role admins for search and reports. Role sub-admins do not have access to Role Discovery or Role Insights.

For information about other user levels, see IdentityNow User Level Access Matrix.

For information on how to grant and remove user levels, see Granting and Removing User Level Permissions.


  • Users cannot grant themselves user levels – only IdentityNow admins can grant and remove user levels.
  • Users can be assigned multiple user levels. Users will have the combined access of all levels assigned to them.
  • If you grant someone a user level, this will appear in certifications as an entitlement that the reviewer can grant or revoke.


Access and Actions


Role admins can see the following pages and perform the following actions in IdentityNow.

IdentityNow Page If you want to... See...
Search >

Build queries to search for data in your system.

How do I use Search in IdentityNow?

Download default and custom reports from Search.

Downloading Reports from the Search Interface

Search >
Role Discovery

Access Modeling customers can discover potential roles. 

(Role sub-admins cannot access Role Discovery.)

Discovering Roles

Admin > Access >

Create, manage, and edit roles.

(Role sub-admins can perform these actions only for roles with access profiles on sources associated with the governance groups they are members of.)

What are roles and how do I work with them?
    Role Insights

Access Modeling customers can view suggested changes to existing roles to make them more secure.

(Role sub-admins cannot access Role Insights.)

Improving Roles with Role Insights 
Admin > Global >

View audit and other reports within IdentityNow.

How can I see audit reports about activity in IdentityNow?
Admin > Dashboard >

    System Activity

Track recent changes to the IdentityNow system How do I monitor my IdentityNow system activity?
View the changes that administrators have made to the applications in your system How can I view a report of configuration changes made to an app?


View and download the tasks that were assigned to managers in your organization Where can I view the tasks assigned to managers?



Version history
Revision #:
14 of 14
Last update:
‎Jan 06, 2021 08:08 AM
Updated by: