Administrators are the people who can sign in to the Iru dashboard and manage Iru Identity - your directory, applications, policies, and settings. What each administrator can do is governed by the role assigned to them. You manage both under Access in the Iru dashboard, on the Administrators and Roles tabs.
This page is about administering the Iru console. It is distinct from the end users in your directory, who sign in to reach their assigned apps but do not administer Iru. An administrator is a directory user who has also been granted an administrative role.

How access is structured

Permissions are not granted to people directly. Instead, a role is a named bundle of permissions, and you grant a person access by assigning them a role. Manage roles once, and every administrator who holds a role inherits its permissions.

Administrators

The Administrators tab lists everyone who can administer Iru Identity, with their name, username, email, status, and assigned role. Add an administrator to grant a person access to the console, and open any administrator to review or change their role.
One user is designated the tenant’s account owner - its primary owner. An administrator sets the account owner from a user’s record.

Add an administrator

On the Administrators tab, choose to add an administrator and enter their details, including the email and user principal name they sign in with.

Assign a role

Choose the role that matches what the person needs to do. The role determines their permissions across the console.

Review and adjust over time

Revisit assignments as responsibilities change, and remove access promptly when someone no longer needs it.
An administrator’s status follows the same lifecycle as any directory user: pending, active, or suspended. Suspending a user blocks their access, including their ability to administer Iru, without deleting their record. See Users.

Roles

The Roles tab lists every role in your tenant. Each role has a display name, a short slug that identifies it, an indication of whether it is a default or custom role, and the permissions it grants.

Default roles

Iru Identity ships with a set of built-in default roles that cover common administrative needs. They are marked Default in the roles list, and their permissions are managed by Iru.
Role              Intended for
Admin             Full administration of Iru Identity. Reserve this for the small number of people who need to manage everything.
Standard          Day-to-day administration - managing users, their authenticators and devices, and sending invitations - without the most sensitive controls.
Help Desk         Front-line support, such as viewing devices and sending invitations, without broad configuration access.
Auditor           Read-only visibility for review and oversight, without the ability to make changes.
Secrets Auditor   Read-only oversight that extends to sensitive secret material, separated from general auditing.
Default roles cannot have their permissions edited - they are maintained by Iru so their behavior stays consistent. Assign a default role when it fits the job, and define a custom role when you need a different combination of permissions.

Custom roles

Custom roles are coming soon. Today you assign the built-in default roles above; creating your own roles with a tailored set of permissions is on the way.
A custom role will let you grant exactly the permissions a job needs and nothing more, with each role’s permissions grouped by area and described individually. Until then, pick the default role that best fits each administrator and follow the least-privilege guidance below.

How permissions are expressed

Each permission pairs a resource with an action - written as resource.action. For example, a permission on the user resource for the view action lets a role see users. A role’s full capability is the set of permissions it carries.
Some areas of identity data are governed by attribute-level permissions: a role that can view users can also see the underlying profile attributes for those users. Grant view access deliberately. See Schema.

Least-privilege guidance

Roles exist so you can give each person only the access their work requires. A few practices keep administrative access tight:
Assign the most limited role that lets someone do their job, and widen access only when a concrete need appears. It is easier to grant a missing permission than to notice an unused one.
Full administration is powerful. Limit the number of people with the Admin role and prefer more focused roles - such as Help Desk or Auditor - for everyone else.
When a person needs to review activity but not change it, an auditing role gives them visibility without the ability to make changes.
Periodically check who holds which role and remove access that is no longer needed - especially the most privileged roles. The activity log records role and permission changes so you can see how access has shifted over time.
Administrators reach sensitive controls, so make sure they are covered by strong authentication policies and phishing-resistant authenticators.
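The following Python is an added illustration, not Iru's code or API. It models the structure described under "How access is structured" and "How permissions are expressed" above, and the periodic review recommended in this section: roles are named bundles of resource.action permissions, an administrator is a directory user holding one role, a user who is not active cannot act, attribute-level visibility follows user.view, and a review lists who currently holds the Admin role. The role slugs, and every permission string except user.view, are assumptions chosen to match the role descriptions in the Default roles table; the sample tenant is constructed, not real data.

```python
"""Model of the administrator / role / permission structure described on
this page. Added illustration only: this is not Iru's code or API.

Assumptions (not stated on the page): the role slugs below, and every
permission string except "user.view", are invented to match the role
descriptions in the Default roles table.
"""
from __future__ import annotations

from dataclasses import dataclass
from types import MappingProxyType

# Default roles are maintained by the vendor and cannot be edited, so the
# bundles are frozen sets behind a read-only mapping.
DEFAULT_ROLES = MappingProxyType({
    "admin": frozenset({
        "user.view", "user.manage", "authenticator.manage", "device.manage",
        "invitation.send", "role.manage", "policy.manage",
        "secret.view", "activity.view",
    }),
    "standard": frozenset({
        "user.view", "user.manage", "authenticator.manage", "device.manage",
        "invitation.send",
    }),
    "help-desk": frozenset({"user.view", "device.view", "invitation.send"}),
    "auditor": frozenset({"user.view", "device.view", "activity.view"}),
    "secrets-auditor": frozenset({"user.view", "activity.view", "secret.view"}),
})

STATUSES = ("pending", "active", "suspended")


@dataclass(frozen=True)
class Administrator:
    """A directory user who has been granted an administrative role."""
    username: str
    role: str      # slug of a default role (assumed slugs)
    status: str    # directory lifecycle: pending | active | suspended

    def __post_init__(self) -> None:
        if self.role not in DEFAULT_ROLES:
            raise ValueError(f"unknown role {self.role!r}; custom roles are not available yet")
        if self.status not in STATUSES:
            raise ValueError(f"unknown status {self.status!r}")


def permissions_of(admin: Administrator) -> frozenset[str]:
    """A role's full capability is the set of resource.action permissions it carries."""
    return DEFAULT_ROLES[admin.role]


def is_allowed(admin: Administrator, permission: str) -> bool:
    """Only an active administrator whose role carries the permission may act.
    Pending and suspended users are blocked without their record being deleted."""
    resource, _, action = permission.partition(".")
    if not resource or not action:
        raise ValueError("permissions are written as resource.action")
    return admin.status == "active" and permission in permissions_of(admin)


def can_see_profile_attributes(admin: Administrator) -> bool:
    """Attribute-level access follows user.view: viewing users exposes their profile attributes."""
    return is_allowed(admin, "user.view")


def smallest_role_covering(needed: set[str]) -> str | None:
    """Least privilege: the default role with the fewest permissions that still covers `needed`.
    Ties break on slug so the result is deterministic; None means no default role fits."""
    fits = [(len(perms), slug) for slug, perms in DEFAULT_ROLES.items() if needed <= perms]
    return min(fits)[1] if fits else None


def review_role_holders(admins: list[Administrator], role: str = "admin") -> list[str]:
    """Periodic review: who currently holds a role, excluding suspended users,
    sorted so the list can be diffed against the previous review."""
    return sorted(a.username for a in admins if a.role == role and a.status != "suspended")


if __name__ == "__main__":
    # Constructed sample tenant, not real data.
    tenant = [
        Administrator("alice", "admin", "active"),
        Administrator("bob", "standard", "active"),
        Administrator("carol", "help-desk", "pending"),
        Administrator("dave", "admin", "suspended"),
        Administrator("erin", "auditor", "active"),
    ]
    print(is_allowed(tenant[0], "role.manage"))        # admin may manage roles
    print(is_allowed(tenant[4], "user.manage"))        # auditor is read-only
    print(is_allowed(tenant[2], "invitation.send"))    # pending user cannot act yet
    print(smallest_role_covering({"device.view", "invitation.send"}))
    print(review_role_holders(tenant))                 # only non-suspended Admin holders
```

The check in is_allowed deliberately tests status before permissions, so a suspended Admin is refused the same way a Help Desk user is refused a configuration change; smallest_role_covering encodes the "most limited role that lets someone do their job" rule as a lookup over the default bundles, and returns None when no default role fits, which is exactly the case the page says custom roles will address.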

Activity log

Review who did what in the console, including changes to roles and administrator access.

Authentication policies

Set the device-trust conditions enforced when people sign in to your apps.

Users

Manage the directory users that administrators are drawn from.

Security and privacy

How Iru isolates and protects your tenant and its data.