# Admin Roles

## Overview
Admin Roles are sets of permissions that control who can administer JustIAM itself. They are distinct from application-level roles (which are handled by App Role Mappings).
Roles are assigned to users directly or via groups. A user's effective permissions are the union of all permissions from all assigned roles.
Note
Users with is_admin = true bypass all permission checks and always have full access, regardless of their role assignments.
## Built-in roles
JustIAM seeds four built-in roles on startup:
### idp:admin
Full administration access:
users.view, users.create, users.update, users.sendpasswordreset, users.delete, users.viewaccess, users.managetags, groups.view, groups.create, groups.update, groups.delete, groups.members, groups.viewaccess, groups.managetags, apps.view, apps.create, apps.update, apps.delete, apps.managetags, roles.view, roles.create, roles.update, roles.delete, admin_roles.manage, service_accounts.tokens, audit.view, sessions.view, sessions.revoke, federated.manage, resource_sets.view, resource_sets.manage
### idp:group-manager
Allows viewing users and groups, updating group metadata, and adding/removing group members:
users.view, groups.view, groups.update, groups.members
### idp:viewer
Read-only access to users, groups, applications, and app mappings:
users.view, users.viewaccess, groups.view, groups.viewaccess, apps.view, roles.view, resource_sets.view
### idp:directory-viewer
Read-only access to users and groups (no apps or roles):
users.view, groups.view
### Group Membership Manager (system role)

Built-in role for delegated group membership management via resource sets. Assign it scoped to a resource set to allow a group to manage the members of a specific target group:
users.view, groups.view, groups.members
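The resolution rule from the Overview (a user's effective permissions are the union of every assigned role, direct or via group, and `is_admin` bypasses all checks) applied to the built-in roles above. This is an added example, not JustIAM's own code: the users and groups are constructed sample data, and nothing about JustIAM's storage is assumed beyond that rule.

```python
# Added example, not JustIAM's own code: resolve a user's effective admin
# permissions as described in the Overview (union of direct and group roles,
# is_admin bypass). Role contents are the page's built-in roles; the users and
# groups are constructed sample data.

IDP_ADMIN = {  # idp:admin, as listed on this page
    "users.view", "users.create", "users.update", "users.sendpasswordreset",
    "users.delete", "users.viewaccess", "users.managetags", "groups.view",
    "groups.create", "groups.update", "groups.delete", "groups.members",
    "groups.viewaccess", "groups.managetags", "apps.view", "apps.create",
    "apps.update", "apps.delete", "apps.managetags", "roles.view",
    "roles.create", "roles.update", "roles.delete", "admin_roles.manage",
    "service_accounts.tokens", "audit.view", "sessions.view", "sessions.revoke",
    "federated.manage", "resource_sets.view", "resource_sets.manage",
}
ROLES = {
    "idp:admin": IDP_ADMIN,
    "idp:group-manager": {"users.view", "groups.view", "groups.update", "groups.members"},
    "idp:viewer": {"users.view", "users.viewaccess", "groups.view", "groups.viewaccess",
                   "apps.view", "roles.view", "resource_sets.view"},
    "idp:directory-viewer": {"users.view", "groups.view"},
}

# Constructed directory: group -> roles; user -> is_admin flag, direct roles, groups.
GROUP_ROLES = {"helpdesk": ["idp:group-manager"], "auditors": ["idp:viewer"]}
USERS = {
    "alice": {"is_admin": True, "roles": [], "groups": []},
    "bob": {"is_admin": False, "roles": ["idp:directory-viewer"], "groups": ["helpdesk", "auditors"]},
    "carol": {"is_admin": False, "roles": [], "groups": ["nonexistent"]},
}


def effective_permissions(user: str) -> set[str]:
    """Union of the permissions of every directly assigned or group-inherited role."""
    u = USERS[user]
    role_names = set(u["roles"])
    for group in u["groups"]:
        role_names.update(GROUP_ROLES.get(group, []))  # unknown group grants nothing
    perms: set[str] = set()
    for name in role_names:
        perms |= ROLES[name]
    return perms


def has_permission(user: str, perm: str) -> bool:
    """is_admin short-circuits every check; everyone else needs the permission in their union."""
    if USERS[user]["is_admin"]:
        return True
    return perm in effective_permissions(user)
```

Note that `alice` has an empty effective set yet passes every check, which is why the `is_admin` flag (editable via `users.update`) deserves the same scrutiny as `admin_roles.manage`.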
## All permissions
| Permission | Grants |
|---|---|
| `users.view` | List and read user details |
| `users.viewaccess` | View which applications and admin roles a user can access (access summary) |
| `users.create` | Create new users |
| `users.update` | Edit users (name, active state, admin flag) |
| `users.sendpasswordreset` | Send an admin-initiated password reset link to a local account |
| `users.managetags` | Set and update tags on users (used for resource set scoping) |
| `users.delete` | Delete users |
| `groups.view` | List and read groups |
| `groups.viewaccess` | View which applications and admin roles a group grants access to (access summary) |
| `groups.create` | Create groups |
| `groups.update` | Edit group metadata, add/remove managers |
| `groups.managetags` | Set and update tags on groups (used for resource set scoping) |
| `groups.delete` | Delete groups |
| `groups.members` | Add and remove group members |
| `apps.view` | List and read applications |
| `apps.create` | Create applications |
| `apps.update` | Edit applications, manage access lists, regenerate secrets |
| `apps.managetags` | Set and update tags on applications (used for resource set scoping) |
| `apps.delete` | Delete applications |
| `roles.view` | List app mappings and their assignments |
| `roles.create` | Create app mappings |
| `roles.update` | Edit app mappings, assign to users/groups |
| `roles.delete` | Delete app mappings |
| `admin_roles.manage` | Create, update, delete Admin roles; assign/remove from users and groups |
| `service_accounts.tokens` | Create and revoke PATs for service accounts |
| `sessions.view` | List active IDP sessions |
| `sessions.revoke` | Revoke IDP sessions |
| `tokens.revoke` | Revoke user JWT tokens |
| `tokens.manage` | View and revoke PATs and OAuth sessions for all users |
| `audit.view` | Read the audit log |
| `dashboard.view` | View analytics and login dashboard |
| `federated.manage` | Create, update, delete federated providers |
| `settings.manage` | Manage global platform settings |
| `tasks.manage` | Create, edit and run scheduled tasks |
| `messages.manage` | Create and manage system-wide messages |
| `event_actions.manage` | Configure event-triggered actions |
| `access_requests.manage` | Manage access request templates |
| `user_attributes.manage` | Define and manage custom user attributes |
| `apps.scripts.view` | Read post-render claim/attribute scripts |
| `apps.scripts.update` | Create and modify post-render claim/attribute scripts |
| `certificates.manage` | Create, rotate and delete signing certificates; rotate and drop the tenant signing key |
| `certificates.view` | List certificates and assign them to applications; view signing key status |
| `proxy_providers.manage` | Create and configure forward-auth / reverse-proxy providers |
| `proxy_providers.config_read` | Service-account permission: poll proxy provider config (for the proxy-provider binary) |
| `preset_sources.manage` | Add, edit and remove custom task preset catalog sources |
| `agent_tokens.view` | List all agent tokens for this tenant |
| `agent_tokens.manage` | Create and revoke agent tokens for automated task workers |
| `resource_sets.view` | List resource sets and view their selectors and matched resources |
| `resource_sets.manage` | Create, edit and delete resource sets |
## Creating a custom role
UI: Administration → Admin Roles → + Create Role
API:

```http
POST /api/v1/admin-roles
Authorization: Bearer <token>
Content-Type: application/json

{
  "name": "App Manager",
  "description": "Can create and edit applications",
  "permissions": ["apps.view", "apps.create", "apps.update", "apps.managetags"]
}
```
## Assigning a role
Roles are assigned to groups — all group members inherit the permissions: