The Identity Hub supports Role Based Access Control (RBAC) for applications and services that authenticate using The Identity Hub.
Roles can flow from the Account Providers (assigned to Users) via The Identity Hub to the Apps.
Roles can also be assigned in The Identity Hub UI, independently of the Roles received from Account Providers.
Optionally, user (identity) roles can be translated to app roles.
Create a Role
See Create a Role
Assign a Role to an App
See Roles per App
Assign a Role to a User
See Roles per User
Flow Roles from Account Providers to an App
To let Roles flow from an Account Provider to the App, take the following steps:
- Create the Roles in The Identity Hub. Roles that are not defined in The Identity Hub cannot be mapped, linked or (manually) assigned to users.
- Assign the Roles to the App. Apps will not receive the Roles of a User if those Roles are not assigned to the App.
- Map the Roles in the Account Provider (claim mappings).
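The three steps above describe a filter chain: an incoming claim value only becomes a user Role if a claim mapping exists and the mapped Role was created in the hub, and an App only sees the user's Roles that were also assigned to that App. The script below is an added illustrative model of that chain, not The Identity Hub's own code. The sample assertion, the hub configuration (HUB_ROLES, CLAIM_MAPPING, APP_ROLES, APP_ROLE_TRANSLATION) and the choice of the ADFS role claim type are constructed assumptions for the walk-through.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim type ADFS emits for role/group claims; assumption: the IdP is configured to send it.
ROLE_CLAIM_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample: the attribute statement of an assertion from a SAML-P IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Domain Admins</saml:AttributeValue>
      <saml:AttributeValue>HR-Staff</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical hub configuration used in the walk-through.
HUB_ROLES = {"Administrator", "HR", "Reader"}          # step 1: Roles created in the hub
CLAIM_MAPPING = {                                       # step 3: Account Provider claim mappings
    "Domain Admins": "Administrator",
    "HR-Staff": "HR",
    "Contractors": "External",                          # target Role was never created in the hub
}
APP_ROLES = {"HR", "Reader"}                            # step 2: Roles assigned to the App
APP_ROLE_TRANSLATION = {"HR": "payroll.read"}          # optional user-role -> app-role translation


def incoming_roles(assertion_xml, claim_type=ROLE_CLAIM_TYPE):
    """Return the values of the role attribute sent by the IdP, in order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != claim_type:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def map_incoming_roles(values, claim_mapping, hub_roles):
    """Apply the Account Provider's claim mappings. A value only becomes a user Role
    if a mapping exists AND the mapped Role is defined in the hub; everything else
    is reported as dropped so the administrator can see what was ignored."""
    mapped, dropped = set(), []
    for value in values:
        role = claim_mapping.get(value)
        if role is None or role not in hub_roles:
            dropped.append(value)
        else:
            mapped.add(role)
    return mapped, dropped


def roles_sent_to_app(user_roles, app_roles, translation=None):
    """An App only receives the user's Roles that are also assigned to the App;
    optionally translate those user Roles to app Roles."""
    allowed = set(user_roles) & set(app_roles)
    if translation:
        allowed = {translation.get(role, role) for role in allowed}
    return allowed


def flow_roles(assertion_xml, claim_mapping, hub_roles, app_roles,
               manually_assigned=frozenset(), translation=None):
    """Run the full flow: IdP claims -> user Roles (plus Roles assigned in the hub UI) -> App."""
    values = incoming_roles(assertion_xml)
    user_roles, dropped = map_incoming_roles(values, claim_mapping, hub_roles)
    # Roles assigned in the hub UI must also exist in the hub; union them with the flowed ones.
    user_roles |= set(manually_assigned) & set(hub_roles)
    return {
        "incoming": values,
        "dropped": dropped,
        "user_roles": user_roles,
        "app_roles": roles_sent_to_app(user_roles, app_roles, translation),
    }


if __name__ == "__main__":
    result = flow_roles(SAMPLE_ASSERTION, CLAIM_MAPPING, HUB_ROLES, APP_ROLES,
                        manually_assigned={"Reader"}, translation=APP_ROLE_TRANSLATION)
    for key, value in result.items():
        print(f"{key}: {sorted(value)}")
```

With the sample input, "Contractors" is dropped because its mapping points at a Role that was never created (step 1), "Administrator" reaches the user but not the App because it was never assigned to the App (step 2), and "HR" arrives at the App as "payroll.read" through the optional translation. When an App does not receive a Role you expect, check the three places in that order: is the Role created, is it assigned to the App, and does the Account Provider mapping produce it from what the IDP actually sends.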
The following out-of-the-box Account Providers support mapping roles for authenticating users:
- SAMLP Account Provider: You need to map the incoming roles. Make sure the IDP sends the roles.
  For ADFS see How To: Configure The Identity Hub to use ADFS as Account Provider
  For Entra ID see How To: Configure The Identity Hub to use Entra ID as SAML-P Account Provider
- WS-FED Account Provider: You need to map the incoming roles. Make sure the IDP sends the roles.
  For ADFS see How To: Configure The Identity Hub to use ADFS as Account Provider
- Office 365 Account Provider: You need to map the incoming roles.
For other Account Providers, roles need to be assigned inside The Identity Hub UI.
Custom Account Providers and Custom Claim Providers can also supply Roles for authenticating Users.