Roles and permissions

A role gives admins specific permissions to manage organizations and tenancies to which they have access. Iris uses this approach to define what an admin can do based on permissions associated with roles.

An admin can have multiple roles for an organization, assigned in different ways. They can be directly assigned roles through an explicit link, inherit roles on descendant organizations of their home organization, or have roles automatically assigned to them by the system through implicit access.

An admin can assign, manage, and adjust roles for other admins provided they have the correct permissions to do so. However, automatically assigned roles for admins with implicit access can’t be changed. If an admin has implicit access, another admin can explicitly link them to the organization with a different role and set of permissions, which they can use alongside their implicit access. Since you cannot set deny permissions, the permissions from all of an admin's roles are combined, and that union is the overall set of permissions the admin has on each tenancy.

Roles and associated permissions that you can assign to an admin in Iris include the following:

Role | Description
Customer manager | A customer manager can create direct descendant child organizations. Available to admins whose home organization is a Distributor or Partner. Iris automatically assigns this role to the owners of Distributor or Partner organizations. Alternatively, while creating an admin or editing an existing admin, you can also manually assign this role to an admin by selecting Manage child organizations. You must have the role of an organization admin to assign this role to another admin.
Organization admin | An organization administrator manages admins, domains, tenancy settings, agreements, and components (IAM Cloud products) associated with default and non-default tenancies under an organization. However, they can’t create new organizations. The admin is associated with the organization's default tenancy and has implicit access to all non-default tenancies. You must have the role of an organization admin to assign this role to another admin.
Tenancy admin | A tenancy admin manages admins, domains, tenancy settings, agreements, and components (IAM Cloud products) associated with a specific tenancy under an organization.
IDx admin | An IDx admin manages all aspects of IDx (Identity Exchange) for an organization, including products that IDx synchronizes and access to our global code repository for complex sync scenarios.
CDM admin | A CDM admin manages all aspects of CDM for an organization except for changing license information.
No access | No access means the admin cannot do anything within the tenancy. An admin must have a role for the default tenancy to access other tenancies within an organization. If you invite an admin to a non-default tenancy and they lack access to the default tenancy, Iris automatically assigns them the No access role for the default tenancy. You cannot manually assign this role in Iris.

Organization owner roles

The following are roles automatically assigned to organization owners on the default tenancy of their home organization (explicit link) and all descendant organizations (implicit access):

Distributor owner:

Default tenancy of | Automatic role 1 | Automatic role 2
Home organization (explicit link) | Organization admin | Customer manager
Descendant Partner organizations (implicit access) | Organization admin | Customer manager
Descendant Customer organizations (implicit access) | Organization admin |

Partner owner:

Default tenancy of | Automatic role 1 | Automatic role 2
Home organization (explicit link) | Organization admin | Customer manager
Descendant Customer organizations (implicit access) | Organization admin |

Customer owner:

Default tenancy of | Automatic role 1
Home organization (explicit link) | Organization admin
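As an added example (not Iris's own code), the following Python sketches how the rules on this page combine on default tenancies: explicit links and implicit owner access are unioned with no deny rules, owner roles follow the organization-type tables above, and an invite to a non-default tenancy for an admin with no default-tenancy access leaves the automatic No access role there. The organization tree, the admin records and the permission labels are constructed for illustration; an organization admin's implicit access to non-default tenancies is not modelled.

```python
# Constructed organization tree (not Iris data): name -> (type, parent organization).
ORGS = {"dist": ("Distributor", None),
        "partner": ("Partner", "dist"),
        "cust": ("Customer", "partner")}

# Automatic owner roles from the tables above, keyed by the owner's home
# organization type, then by the type of the organization being accessed.
OWNER_ROLES = {
    "Distributor": {"Distributor": {"Organization admin", "Customer manager"},
                    "Partner": {"Organization admin", "Customer manager"},
                    "Customer": {"Organization admin"}},
    "Partner": {"Partner": {"Organization admin", "Customer manager"},
                "Customer": {"Organization admin"}},
    "Customer": {"Customer": {"Organization admin"}},
}

# Constructed permission labels per role; Iris's real permission names are not on the page.
ROLE_PERMS = {
    "Organization admin": {"manage_admins", "manage_domains", "manage_settings"},
    "Customer manager": {"create_child_organizations"},
    "Tenancy admin": {"manage_admins", "manage_domains"},
    "No access": set(),
}

def in_subtree(org, root):
    """True when org is root itself or one of root's descendants."""
    while org is not None:
        if org == root:
            return True
        org = ORGS[org][1]
    return False

def implicit_roles(admin, org, tenancy):
    """Roles Iris assigns automatically on default tenancies; other admins cannot change them."""
    if tenancy != "default" or not admin["owner"] or not in_subtree(org, admin["home"]):
        return set()
    return OWNER_ROLES[ORGS[admin["home"]][0]].get(ORGS[org][0], set())

def effective_roles(admin, org, tenancy="default"):
    """Explicit links and implicit access are unioned; there are no deny rules."""
    return set(admin["explicit"].get((org, tenancy), set())) | implicit_roles(admin, org, tenancy)

def effective_permissions(admin, org, tenancy="default"):
    """Overall permission set on a tenancy: the union across every effective role."""
    return set().union(*(ROLE_PERMS[r] for r in effective_roles(admin, org, tenancy)))

def invite(admin, org, tenancy, role):
    """Explicit link; a non-default invite with no default-tenancy access gets No access there."""
    admin["explicit"].setdefault((org, tenancy), set()).add(role)
    if tenancy != "default" and not effective_roles(admin, org):
        admin["explicit"][(org, "default")] = {"No access"}
```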