Use case: Manage a role-based access control (RBAC) framework for ForgeRock Identity Cloud

Use case overview

With ForgeRock Identity Cloud, users can be added to roles statically or dynamically through conditional rules. Fine-grained role-based permissions are managed through assignments. Role inheritance is managed by conditional rules applied to the roles.

This simple use case demonstrates how to:


For the example in this use case, we have already set up a mapping from Active Directory (AD) to Identity Cloud. See Resource mapping for further information on setting up a mapping between an external resource and Identity Cloud.

Preconfigured roles

We have created the following two roles:

  • Users Role
  • Promo1 Role (this role will be used for role inheritance)

See Create an external role for further information on creating roles.

Preconfigured assignments

We have created an assignment called AD Group.

See Create an assignment for further information on creating assignments.

In our example, Users Role includes the AD Group assignment.

See Edit an external role for information on adding assignments to roles.

Add users to roles

  1. Sign in to the Identity Cloud admin UI using your admin tenant URL, in the format https://<tenant-name>/am/XUI/?realm=/#/.

  2. Go to Identities > Manage > Alpha realm - Roles > <role_name>. In our example, we’ve selected Users Role.

  3. Click the following tabs to familiarize yourself with the role:

    • Managed Assignments. We have set up one managed assignment called AD Group in our example.

    • Settings. The following capabilities are provided for conditional or temporal role membership:
      • Condition - Allows you to set a flexible conditions filter for the role, based on alpha realm user properties.
      • Temporal - Allows you to set temporal constraints to restrict the period that a role is effective.

  4. Click Role Members > Add Role Members.

  5. Select a user to add to the role.

  6. Click Save.

    The user is added to the selected role.

Add roles to users

  1. In the Identity Cloud admin UI, go to Identities > Manage > Alpha realm - Users.

  2. Search for the user you are adding the role to. In our example, we’re searching for abergin.

  3. Click on the user’s name.

  4. Click Provisioning Role > Add Provisioning Roles.

  5. Select the role that you want to add to the user and click Save.

    The role is added to the selected user. In our example, we’ve added Users Role.

Manage fine-grained permissions in roles

So far, our example role has added users to a group. You can also manipulate other attributes using assignments for fine-grained permissions.

In the following example, we’ll create an alpha realm assignment called set-division and map this assignment to an attribute stored in an external system. We’ll then add the assignment to a role.

  1. In the Identity Cloud admin UI, go to Identities > Manage > Alpha realm - Assignments > New Alpha Realm - Assignment.

  2. Enter a name and description for the assignment, and select the mapping.

    In our example, the assignment will be applied to the mapping, managed/alpha_user > system/AD/account.

  3. Click Next.

  4. Click Add an attribute.

  5. Select an attribute from the drop-down list, and enter a value for the attribute.

    The attribute value pair will be synchronized with user accounts in the target data store. In our example, we’re mapping the target system attribute division to division A.

  6. Click Save.

  7. Click the Managed Roles tab.

  8. Click Add Managed Roles and select the role.

  9. Click Save.

    The new assignment is added to the selected role.

On synchronization, Identity Cloud will map the target system attribute division to division A for all members of the selected role.

Use role inheritance and/or embedded roles

You can use conditions to allow for role inheritance or embedded roles.

With role inheritance, members of one role can automatically be members of another role. This is useful if, for example, you have a promotion and want to add all members of one role to this promotion while keeping the promotional access configured separately.

In our example, we have a preconfigured role called Promo1 Role, which will be inherited by Users Role. Promo1 Role has a preconfigured assignment called AD Group Promo1.

To create role inheritance:

  1. In the Identity Cloud admin UI, go to Identities > Manage > Alpha realm - Roles > <role-for-inheritance>. In our example, we’re selecting the role Promo1 Role.

  2. Click the Settings tab > Condition / Set up.

  3. Select A conditional filter for this role.

  4. Click Advanced Editor and enter the query that assigns users to this role when they are members of the inherited role, in the following format:

    /effectiveRoles[/_ref eq "managed/alpha_role/<role_id>"]

    NOTE: You can get the role_id from the browser URL when viewing the role that you want to inherit, or by looking at the effectiveRoles in the raw JSON of one of the role members.

  5. Click Save.

  6. Click the Role Members tab.

    Notice that the inheriting role members are now members of the inherited role.

  7. Go to Identities > Manage > Alpha realm - Roles > <inheriting role>. In our example, this is the role Users Role.

  8. Click the Role Members tab and remove a member.

  9. Go to Identities > Manage > Alpha realm - Roles > <inherited role>.

    Notice that the user is also removed from the inherited role.
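The following Python script is an added illustration, not ForgeRock code and not part of this use case's tenant configuration. It models the two mechanisms described above on constructed data: the assignment attributes of "Manage fine-grained permissions in roles" (the set-division assignment mapping division to division A) and the conditional filter of "Use role inheritance and/or embedded roles" in the exact form shown, /effectiveRoles[/_ref eq "managed/alpha_role/<role_id>"]. Role ids (users-role, promo1-role), assignment ids, the LDAP group DNs and the user bjensen are assumptions invented for the example; abergin, Users Role, Promo1 Role, AD Group, AD Group Promo1, set-division and the mapping name come from the page. The evaluator only understands the single-clause filter form the procedure uses; it is not a general query-filter parser.

```python
"""Toy model of role inheritance via a conditional role filter plus assignment attributes.

Added example (not ForgeRock code). It models the condition format used in the procedure,
    /effectiveRoles[/_ref eq "managed/alpha_role/<role_id>"]
so the membership and synchronization effects described in the steps can be checked.
"""
import re
from typing import Dict, Optional, Set

# Only the single-clause form shown in the procedure is recognised here.
INHERIT_RE = re.compile(r'^/effectiveRoles\[/_ref eq "managed/alpha_role/([^"]+)"\]$')

# Constructed sample data: role ids, assignment ids, group DNs and attribute values are made up.
ROLES: Dict[str, dict] = {
    "users-role": {
        "name": "Users Role",
        "assignments": ["ad-group", "set-division"],
        "condition": None,  # static membership only
    },
    "promo1-role": {
        "name": "Promo1 Role",
        "assignments": ["ad-group-promo1"],
        # every member of Users Role inherits Promo1 Role
        "condition": '/effectiveRoles[/_ref eq "managed/alpha_role/users-role"]',
    },
}
ASSIGNMENTS: Dict[str, dict] = {
    "ad-group": {"mapping": "managed/alpha_user > system/AD/account",
                 "attributes": {"memberOf": ["cn=Users,ou=groups,dc=example,dc=com"]}},
    "ad-group-promo1": {"mapping": "managed/alpha_user > system/AD/account",
                        "attributes": {"memberOf": ["cn=Promo1,ou=groups,dc=example,dc=com"]}},
    "set-division": {"mapping": "managed/alpha_user > system/AD/account",
                     "attributes": {"division": "division A"}},
}
USERS: Dict[str, dict] = {
    "abergin": {"roles": {"users-role"}},  # added directly, as in "Add users to roles"
    "bjensen": {"roles": set()},           # constructed user with no direct roles
}


def parse_inherit_condition(condition: Optional[str]) -> Optional[str]:
    """Return the inherited role id for a condition in the documented format, else None."""
    if not condition:
        return None
    m = INHERIT_RE.match(condition)
    return m.group(1) if m else None


def effective_roles(user_id: str, users=USERS, roles=ROLES) -> Set[str]:
    """Direct roles plus every conditional role whose filter matches, iterated to a fixed point
    so that chains of inheritance (A inherits B inherits C) resolve as well."""
    effective = set(users[user_id]["roles"])
    changed = True
    while changed:
        changed = False
        for role_id, role in roles.items():
            target = parse_inherit_condition(role["condition"])
            if target and target in effective and role_id not in effective:
                effective.add(role_id)
                changed = True
    return effective


def effective_attributes(user_id: str, users=USERS, roles=ROLES,
                         assignments=ASSIGNMENTS) -> Dict[str, dict]:
    """Attributes that would sync to each target mapping through all effective roles' assignments.
    List-valued attributes (group memberships) are merged; scalar attributes take the last value."""
    out: Dict[str, dict] = {}
    for role_id in sorted(effective_roles(user_id, users, roles)):
        for a_id in roles[role_id]["assignments"]:
            a = assignments[a_id]
            bucket = out.setdefault(a["mapping"], {})
            for attr, value in a["attributes"].items():
                if isinstance(value, list):
                    merged = bucket.setdefault(attr, [])
                    merged.extend(v for v in value if v not in merged)
                else:
                    bucket[attr] = value
    return out


def remove_role_member(user_id: str, role_id: str, users=USERS) -> None:
    """Step 8 above: dropping the direct membership also drops the inherited role on recomputation."""
    users[user_id]["roles"].discard(role_id)


if __name__ == "__main__":
    print(sorted(effective_roles("abergin")))
    print(effective_attributes("abergin"))
    remove_role_member("abergin", "users-role")
    print(sorted(effective_roles("abergin")))
```

Running the script shows abergin holding both Users Role and Promo1 Role with the AD account receiving division A and both group memberships, and then holding neither role once the direct membership is removed, which is the behaviour steps 6 to 9 ask you to observe in the admin UI.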

Additional resources


Training videos: