Identity Cloud

Set up administrators

While this use case was validated for accuracy, it can always be improved. To provide feedback, click thumb_up or thumb_down in the top right of this page (you must be logged into Backstage).


Estimated time to complete: 15 minutes

In this use case, you operate as a super administrator and run tasks to view the tenant settings and invite other administrators on Identity Cloud.


After completing this use case, you will know how to do the following:

  • View the tenant settings.

  • Invite other users to be administrators.


Before you start work on this use case, make sure you have these prerequisites:

  • A basic understanding of:

    • The Identity Cloud admin UI

    • The tenant environments

    • The support ticket creation process and the different priority levels. For more information, read Getting started with ForgeRock Support.

  • You have received an email from ForgeRock Support to set up your administrator account for your tenant environments.

  • You have registered your Identity Cloud account and set up two-step verification in all environments (development, staging, and production).

  • Access to your development environment as an administrator.

  • To test creating a test administrator, an additional email you have access to.


Task 1: View tenant settings

  1. In the Identity Cloud admin UI (upper right), open the Tenant menu, and click Tenant settings. The Tenant Settings page displays.

    Tenant settings detail page
  2. Click Details to display your tenant’s information:

    Field Description

    Tenant name

    Specifies the identifier assigned to the tenant during onboarding and registration. This identifier is not configurable.


    Specifies the region where your data resides.

    Environment tag

    Describes the type of tenant environment. The possible tags are:

    • Dev. Environment used to build and add new features. The number of identities is limited to 10,000.

    • UAT. User acceptance testing (UAT) is a dedicated environment used for testing applications or capabilities with real users before deploying them into production. The UAT and staging environments are used often in parallel to run different usability, stress, and load tests. The UAT environment is an Identity Cloud add-on capability.

    • Staging. Environment used to test development changes, including stress and scalability tests with realistic deployment settings.

    • Prod. Environment used to deploy applications into operational end-user activity.

    • Other. Environment other than Dev, Staging, or Prod. For example, a demo tenant.

  3. Click the Global Settings to view the specific settings:

    Identity Cloud global settings
    Field Description


    Copy the field value to the clipboard by clicking the icon. The Identity Cloud tenant cookie is a unique, pseudo-random session cookie for the tenant, generated when your tenant is created. You use the tenant cookie in HTTP headers for Identity Cloud API requests.

    Cross-Origin Resource Sharing (CORS)

    View the details, add, edit, deactivate, and delete a CORS configuration. Cross-Origin Resource Sharing (CORS) provides the ability to integrate web applications in one domain and interact with protected resources in another domain. For more information, refer to Configure CORS.

    Environment Secrets & Variables

    View the secrets and variables details. Environment Secrets & Variables (ESVs) are configuration variables letting you set values different from your development, staging, and production environments in the Identity Cloud. For more information, refer to Introduction to ESVs.

    IP Addresses

    ForgeRock allocates outbound static IP addresses to each of your development, staging, and production tenant environments (and to any sandbox[1] and UAT[2] tenant environments). This lets you identify network traffic originating from Identity Cloud and from individual environments within Identity Cloud.

    Log API Keys

    Use the log API key and secret to authenticate and access the Identity Cloud REST API endpoints. For more information, refer to Authenticate to Identity Cloud REST API with API key and secret.

    Service Accounts

    View, create, edit, activate or deactivate, delete and regenerate your service account keys. Service accounts let you request access tokens for REST API endpoints. For more information, refer to Service accounts.

    End User UI

    View and manage your hosted UI pages. Hosted UI pages support customizable themes for your Identity Cloud end-user UI. For more information, refer to Identity Cloud hosted pages.

Check in

At this point, you have:

Viewed your tenant details and global settings.

Task 2: Invite administrators

  1. In the Identity Cloud admin UI (upper right), open the Tenant menu, and click Invite admins to send invitations to other users to become administrators. You are authorizing them to manage settings in your tenant.

    Invite admins link on the tenant menu
    From the tenant menu, you can add other administrators by clicking Tenant settings > Admins > Invite Admins.
  2. In the Invite Admins dialog box, enter the test user’s email.

  3. Click Tenant Admin to grant privileges to the test user. There are two types of administrator groups on Identity Cloud:

    • Super Admin — An administrator who has full access to all administrative features and can manage every aspect of this tenant, including adding other administrators.

    • Tenant Admin — An administrator who has full access to all administrative features, except the ability to add other administrators.

  4. Click Send Invitations.
    Identity Cloud sends an email to the test user’s address containing instructions to register an administrator account.

    Invite others to become an administrator.
Check in

At this point, you have:

Viewed your tenant settings.

Invited a test user to become an administrator.


You have viewed your tenant settings and invited other users to become administrators. Now, validate adding another administrator by registering and logging in as the additional administrator.

Register test administrator

  1. Access the email of the test administrator.

  2. Click on the email from Identity Cloud.

  3. Click Complete Registration.

  4. Fill out the fields to register the test administrator.

  5. Click Next.

  6. Select your region of residence, agree to the privacy policy, and click Next.

  7. Click Set up and register for 2-step verification. The Identity Cloud admin UI displays.

  8. Log out as the test administrator, and log back in with your original administrator (super admin) account.

Manage other administrators

  1. As the super admin, test deactivating, reactivating, and deleting the test administrator:

  2. Click Tenant Settings.

  3. Click the Admins tab to view the list of administrators.

    When an invited administrator successfully registers, the status column changes from Invited to Active.
  4. Find the test admin. Click the ellipsis icon (), and then click Deactivate.

  5. For the same test admin, click the ellipsis icon (), and then click Activate.

  6. For the same test admin, click the ellipsis icon (), and then click Delete. Then, click Delete on the confirmation dialog. The test admin no longer displays on the list of administrators.

Explore further

Reference material

Reference Description

Administrator settings

Procedures to set your administrator settings.

Tenant environments

Learn about the Identity Cloud’s tenant environments.

The ForgeRock Authenticator application

Download the ForgeRock Authenticator application to use for MFA.

Copyright © 2010-2024 ForgeRock, all rights reserved.