Use case overview
With ForgeRock Identity Cloud, users can be added to roles statically or dynamically through conditional rules. Fine-grained role-based permissions are managed through assignments. Role inheritance is managed by conditional rules applied to the roles.
This simple use case demonstrates how to:
- Add users to roles
- Add roles to users
- Manage fine-grained permissions in roles
- Use role inheritance and/or embedded roles
Pre-configuration
For the example in this use case, we have already set up a mapping from Active Directory (AD) to Identity Cloud. See Resource mapping for further information on setting up a mapping between an external resource and Identity Cloud.
Preconfigured roles
We have created the following two roles:
- Users Role
- Promo1 Role (this role will be used for role inheritance)
See Create an external role for further information on creating roles.
Preconfigured assignments
We have created an assignment called AD Group.
See Create an assignment for further information on creating assignments.
In our example, Users Role includes the AD Group assignment.
See Edit an external role for information on adding assignments to roles.
Add users to roles
- Sign in to the Identity Cloud admin UI using your admin tenant URL, in the format https://<tenant-name>/am/XUI/?realm=/#/.
- Go to Identities > Manage > Alpha realm - Roles > <role_name>. In our example, we’ve selected Users Role.
- Click the following tabs to familiarize yourself with the role:
  - Managed Assignments. We have set up one managed assignment called AD Group in our example.
  - Settings. The following capabilities are provided for conditional or temporal role membership:
    - Condition - Allows you to set a flexible conditions filter for the role, based on alpha realm user properties.
    - Temporal - Allows you to set temporal constraints to restrict the period that a role is effective.
- Click Role Members > Add Role Members.
- Select a user to add to the role.
- Click Save.
The user is added to the selected role.
Add roles to users
- In the Identity Cloud admin UI, go to Identities > Manage > Alpha realm - Users.
- Search for the user you are adding the role to. In our example, we’re searching for abergin.
- Click on the user’s name.
- Click Provisioning Role > Add Provisioning Roles.
- Select the role that you want to add to the user and click Save.
The role is added to the selected user. In our example, we’ve added Users Role.
Manage fine-grained permissions in roles
So far, our example role has added users to a group. You can also manipulate other attributes using assignments for fine-grained permissions.
In the following example, we’ll create an alpha realm assignment called set-division and map this assignment to an attribute stored in an external system. We’ll then add the assignment to a role.
- In the Identity Cloud admin UI, go to Identities > Manage > Alpha realm - Assignments > New Alpha Realm - Assignment.
- Enter a name and description for the assignment, and select the mapping. In our example, the assignment will be applied to the mapping managed/alpha_user > system/AD/account.
- Click Next.
- Click Add an attribute.
- Select an attribute from the drop-down list, and enter a value for the attribute. The attribute-value pair will be synchronized with user accounts in the target data store. In our example, we’re mapping the target system attribute division to division A.
- Click Save.
- Click the Managed Roles tab.
- Click Add Managed Roles and select the role.
- Click Save.
The new assignment is added to the selected role.
On synchronization, Identity Cloud will map the target system attribute division to division A for all members of the selected role.
Use role inheritance and/or embedded roles
You can use conditions to allow for role inheritance or embedded roles.
With role inheritance, members of one role can automatically be members of another role. This is useful if, for example, you have a promotion and want to add all members of one role to this promotion while keeping the promotional access configured separately.
In our example, we have a preconfigured role called Promo1 Role, which will be inherited by Users Role. Promo1 Role has a preconfigured assignment called AD Group Promo1.
To create role inheritance:
- In the Identity Cloud admin UI, go to Identities > Manage > Alpha realm - Roles > <role-for-inheritance>. In our example, we’re selecting the role Promo1 Role.
- Click the Settings tab > Condition / Set up.
- Select A conditional filter for this role.
- Click Advanced Editor and enter the query to assign users if they match the inherited role, in the following format:
/effectiveRoles[/_ref eq "managed/alpha_role/<role_id>"]
NOTE: You can get the role_id from the browser URL when viewing the role that you want to inherit, or by looking at the effectiveRoles in the raw JSON of one of the role members.
- Click Save.
- Click the Role Members tab.
Notice that the inheriting role members are now members of the inherited role.
- Go to Identities > Manage > Alpha realm - Roles > <inheriting role>. In our example, this is the role Users Role.
- Click the Role Members tab and remove a member.
- Go to Identities > Manage > Alpha realm - Roles > <inherited role>.
Notice that the user is also removed from the inherited role.
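The following is an added example, not ForgeRock code and not the Identity Cloud REST API: a small in-memory model of the two mechanisms this page describes, the assignment-to-attribute mapping from "Manage fine-grained permissions in roles" and the condition-based inheritance from this section. It recognizes only the documented condition shape `/effectiveRoles[/_ref eq "managed/alpha_role/<role_id>"]`, resolves each user's effective roles to a fixed point so that chained inheritance works, collects the attribute values the effective roles' assignments carry, and shows that removing a user from the inheriting role drops the inherited role too. Role ids, assignment ids, user ids and the `memberOf` values are constructed placeholders; only `division` / `division A` come from the page.

```python
"""Added illustration of role inheritance and assignment attributes.
This is a simplified model, not Identity Cloud's own evaluation engine."""
import re
from typing import Dict, List, Optional, Set

# The documented inheritance condition format; only this shape is recognized here.
INHERIT_RE = re.compile(r'^/effectiveRoles\[/_ref eq "managed/alpha_role/([^"]+)"\]$')

# Constructed sample data: ids are placeholders, not real Identity Cloud ids.
ROLES: Dict[str, dict] = {
    "users-role-id": {
        "name": "Users Role",
        "assignments": ["ad-group", "set-division"],
        "condition": None,  # static membership only
    },
    "promo1-role-id": {
        "name": "Promo1 Role",
        "assignments": ["ad-group-promo1"],
        # Inherit membership from Users Role, as configured in the procedure above.
        "condition": '/effectiveRoles[/_ref eq "managed/alpha_role/users-role-id"]',
    },
}
ASSIGNMENTS: Dict[str, dict] = {
    # memberOf values are constructed; "division" -> "division A" is the page's example.
    "ad-group": {"attributes": [{"name": "memberOf", "value": "CN=Users,OU=Groups,DC=example,DC=com"}]},
    "ad-group-promo1": {"attributes": [{"name": "memberOf", "value": "CN=Promo1,OU=Groups,DC=example,DC=com"}]},
    "set-division": {"attributes": [{"name": "division", "value": "division A"}]},
}
USERS: Dict[str, dict] = {
    "abergin": {"provisioningRoles": ["users-role-id"]},  # direct member of Users Role
    "bjensen": {"provisioningRoles": []},                 # no roles at all
}


def inherited_role_id(condition: Optional[str]) -> Optional[str]:
    """Return the role id an inheritance condition points at, or None for any other condition."""
    if not condition:
        return None
    match = INHERIT_RE.match(condition.strip())
    return match.group(1) if match else None


def effective_roles(user: dict, roles: Dict[str, dict]) -> Set[str]:
    """Direct provisioning roles plus every role whose inheritance condition names a
    role the user already holds. Iterates to a fixed point so chains resolve."""
    effective = set(user["provisioningRoles"])
    changed = True
    while changed:
        changed = False
        for role_id, role in roles.items():
            source = inherited_role_id(role.get("condition"))
            if source in effective and role_id not in effective:
                effective.add(role_id)
                changed = True
    return effective


def assigned_attributes(user: dict, roles: Dict[str, dict],
                        assignments: Dict[str, dict]) -> Dict[str, List[str]]:
    """Collect attribute name -> values from the assignments of every effective role."""
    attrs: Dict[str, List[str]] = {}
    for role_id in sorted(effective_roles(user, roles)):
        for assignment_id in roles[role_id]["assignments"]:
            for attr in assignments[assignment_id]["attributes"]:
                attrs.setdefault(attr["name"], []).append(attr["value"])
    return attrs


def role_members(role_id: str, users: Dict[str, dict], roles: Dict[str, dict]) -> List[str]:
    """Users who hold the role directly or through inheritance."""
    return sorted(uid for uid, user in users.items() if role_id in effective_roles(user, roles))


def remove_from_role(user: dict, role_id: str) -> dict:
    """Copy of the user without the direct role; inherited membership disappears with it."""
    return {**user, "provisioningRoles": [r for r in user["provisioningRoles"] if r != role_id]}


if __name__ == "__main__":
    for uid, user in USERS.items():
        print(uid, sorted(effective_roles(user, ROLES)), assigned_attributes(user, ROLES, ASSIGNMENTS))
    print("Promo1 Role members:", role_members("promo1-role-id", USERS, ROLES))
    removed = remove_from_role(USERS["abergin"], "users-role-id")
    print("abergin after removal from Users Role:", sorted(effective_roles(removed, ROLES)))
```

The model makes the entitlement consequence of inheritance explicit: everything Promo1 Role's assignments provision follows automatically from Users Role membership, so an audit of who holds the Promo1 entitlements must look at effective roles, not just direct role members.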
Additional resources
Documentation:
- Roles and assignments
- Manipulate roles
- Assignment mapped to attribute
- Use assignments to provision users
- Sync identities
- Identity Mappings
Training videos: