Identity Cloud

Set up administrators

This page is a work in progress and isn’t available for general use. It hasn’t been validated for accuracy, and it’s subject to change at any time.


Estimated time to complete: 15 minutes

In this use case, you operate as a super administrator and run tasks to view the tenant settings and invite other administrators on Identity Cloud.


After completing this use case, you will know how to do the following:

  • View the tenant settings.

  • Invite other users to be administrators.

Example scenario

and have recently merged to form a single, more prominent organization. Each company uses multiple repositories to store identities.

The new administrator for, Pat Smith, is tasked with setting up Identity Cloud to consolidate and manage identities across the merged companies using Identity Cloud’s services. has signed contracts with ForgeRock, which has created an Identity Cloud development tenant for initial configuration. The development tenant is where administrators and developers work on configuring, customizing, and testing identity and access management features before putting them into production. ForgeRock has sent a registration invitation to set up Pat Smith as an administrator with super administrator privileges to manage Identity Cloud effectively.


Before you start work on this use case, make sure you have these prerequisites:

  • You have registered your Identity Cloud account and set up two-step verification.

  • You understand how to edit your account profile.

  • You understand the support ticket creation process and the different priority levels.

  • You have read the documentation Getting started with ForgeRock Support.

  • You have an Identity Cloud development tenant.

  • You have set up a test user account with an email you have access to.


Task 1: View tenant settings

  1. In the Identity Cloud admin UI (upper right), open the Tenant menu, and click Tenant settings. The Tenant Settings page displays.

  2. Click Details to display your tenant’s information:

    Summary of the tenant’s settings
    Field Description

    Tenant name

    Specifies the identifier assigned to the tenant during onboarding and registration. This identifier is not configurable.


    Specifies the region where your data resides.

    Environment tag

    Describes the type of tenant environment. The possible tags are:

    • Dev. Environment used to build and add new features. The number of identities is limited to 10,000.

    • UAT. User acceptance testing (UAT) is a dedicated environment used for testing applications or capabilities with real users before deploying them into production. The UAT and staging environments are used often in parallel to run different usability, stress, and load tests. The UAT environment is an Identity Cloud add-on capability.

    • Staging. Environment used to test development changes, including stress and scalability tests with realistic deployment settings.

    • Prod. Environment used to deploy applications into operational end-user activity.

    • Other. Environment other than Dev, Staging, or Prod. For example, a demo tenant.

  3. Click Global Settings to view the specific settings:

    Summary of a tenant’s global settings
    Field Description


    Copy the field value to the clipboard by clicking the icon. The Identity Cloud tenant cookie is a unique, pseudo-random session cookie for the tenant, generated when your tenant is created. You use the tenant cookie in HTTP headers for Identity Cloud API requests.

    Cross-Origin Resource Sharing (CORS)

    View the details, add, edit, deactivate, and delete a CORS configuration. Cross-Origin Resource Sharing (CORS) provides the ability to integrate web applications in one domain and interact with protected resources in another domain. For more information, refer to Configure CORS.

    Environment Secrets & Variables

    View the secrets and variables details. Environment Secrets & Variables (ESVs) are configuration variables that let you set different values for your development, staging, and production environments in Identity Cloud. For more information, refer to Introduction to ESVs.

    Log API Keys

    Use the log API key and secret to authenticate and access the Identity Cloud REST API endpoints. For more information, refer to Authenticate to Identity Cloud REST API with API key and secret.

    Service Accounts

    View, create, edit, activate or deactivate, delete and regenerate your service account keys. Service accounts let you request access tokens for REST API endpoints. For more information, refer to Service accounts.

    End User UI

    View and manage your hosted UI pages. Hosted UI pages support customizable themes for your Identity Cloud end-user UI. For more information, refer to Identity Cloud hosted pages.

Check in

At this point, you have:

Viewed and taken action on your tenant settings.

Task 2: Invite administrators

  1. In the Identity Cloud admin UI (upper right), open the Tenant menu, and click Invite admins to send invitations to other users to become administrators. You are authorizing them to manage settings in your tenant.

    On the tenant menu, you can also click Tenant settings > Admins > Invite Admins to send an invite to other users.
  2. In the Invite Admins dialog box, enter the test user’s email.

  3. Click Tenant Admin to grant privileges to the test user. There are two types of administrator groups on Identity Cloud:

    • Super Admin. An administrator who has full access to all administrative features and can manage every aspect of this tenant, including adding other administrators.

    • Tenant Admin. An administrator who has full access to all administrative features, except the ability to add other administrators.

  4. Click Send Invitations.
    Identity Cloud sends an email to the test user’s address containing instructions to register an administrator account.

Check in

At this point, you have:

Viewed your tenant settings.

Invited a test user to become an administrator.


You have viewed your tenant settings and invited other users to become administrators.

To validate your access:

  1. Log out of your tenant. Click the tenant menu in the top right corner of the Identity Cloud admin UI, and click Sign out.

  2. Log back in with your username and password, and click Next.

    1. Enter the verification code on your ForgeRock Authenticator app, and then click Submit.

    2. If Identity Cloud does not accept the verification code or you don’t have the ForgeRock Authenticator app, click Use recovery code. Enter one of your recovery codes, and then click Next.

    3. If your recovery code is not accepted, enter another recovery code.

    4. If you have used all of your recovery codes, you must open a support ticket to activate your account again. You will need to set up your registration and two-step verification process again.

  3. Once you have gained access to the Identity Cloud admin UI, click the tenant menu in the top right corner, and click Tenant settings.

    1. Click Details to view your tenant details.

    2. Click Global Settings to view your tenant settings.

  4. Send an invite to the test user to become an administrator.

    1. Find the test user to whom to send the administrator invite.

    2. On the Tenant Settings menu, click the Admins tab, and then click Invite Admins.

    3. Enter the test user’s email address.

    4. Click Tenant Admin.

    5. Click Send Invitations.

    6. Check the test administrator’s email and register the account. Make sure to set up two-step verification.

    7. Log in to Identity Cloud as the new test admin.

    8. Log out as the test administrator, and log back in with your original administrator (super admin) email.

  5. Now, as the super admin, test deactivating, reactivating, and deleting the test admin:

    1. Click Tenant Settings.

    2. Click the Admins tab to view the list of administrators.

      When an invited administrator successfully registers, the status column changes from Invited to Active.
    3. Find the test admin. Click , and then click Deactivate.

    4. For the same test admin, click , and then click Activate.

    5. For the same test admin, click , and then click Delete. Then, click Delete on the confirmation dialog. The test admin no longer displays on the list of administrators.

What’s next?

After registering for Identity Cloud and inviting administrators, Pat takes some time to explore the dashboard layout and features. The next step is to create users and add roles.

Explore further

Reference material

Reference Description

Administrator settings

Procedures to set your administrator settings.

Copyright © 2010-2023 ForgeRock, all rights reserved.