Roles
The Identity Hub supports Role-Based Access Control (RBAC) for applications and services that authenticate using The Identity Hub.
Roles assigned to Users by an Account Provider can flow through The Identity Hub to the Apps.
Roles can also be assigned in The Identity Hub UI, independently of the Roles received from Account Providers.
Create a Role
See Create a Role
Assign a Role to an App
See Roles per App
Assign a Role to a User
See Roles per User
Flow Roles from Account Providers to an App
To let Roles flow from an Account Provider to an App, take the following steps:
- Create the Roles in The Identity Hub. Roles that are not defined in The Identity Hub cannot be mapped.
- Assign the Roles to the App. An App will not receive a User's Roles unless those Roles are assigned to the App.
- Map the Roles in the Account Provider.
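As an added illustration (not The Identity Hub's own code), the following Python models the filtering these three steps describe: a Role reaches the App only if it is defined in the hub, assigned to the App, and either mapped from the Account Provider or assigned to the User in the hub UI. The class and field names and the ADFS-style group claims are constructed for the example.

```python
# Constructed model of the Role flow; not The Identity Hub's implementation.
from dataclasses import dataclass, field


@dataclass
class AccountProvider:
    """Maps the claim values an IdP sends (e.g. AD groups) to hub Role names."""
    role_map: dict[str, str] = field(default_factory=dict)


@dataclass
class IdentityHub:
    defined_roles: set[str]                  # Roles created in the hub
    app_roles: dict[str, set[str]]           # Roles assigned to each App
    user_roles: dict[str, set[str]] = field(default_factory=dict)  # assigned in the UI


def effective_roles(hub, provider, app, user, incoming_claims):
    """Return the Roles the App receives for this authenticating User."""
    flowed = set()
    for claim in incoming_claims:
        role = provider.role_map.get(claim)
        if role is None:
            continue            # claim not mapped in the Account Provider: dropped
        if role not in hub.defined_roles:
            continue            # mapped to a Role the hub never defined: cannot be mapped
        flowed.add(role)
    candidates = flowed | hub.user_roles.get(user, set())
    # Apps do not receive a User's Roles unless those Roles are assigned to the App.
    return candidates & hub.app_roles.get(app, set())


def demo():
    """Constructed scenario: an ADFS-style IdP sends group claims; the hub filters them."""
    hub = IdentityHub(
        defined_roles={"Admin", "Reader", "Auditor"},
        app_roles={"Portal": {"Admin", "Reader"}},      # Auditor not assigned to Portal
        user_roles={"alice": {"Reader"}},                # assigned directly in the hub UI
    )
    adfs = AccountProvider(role_map={
        "CN=Domain Admins": "Admin",
        "CN=Auditors": "Auditor",
        "CN=Legacy": "Superuser",                        # Role not defined in the hub
    })
    claims = ["CN=Domain Admins", "CN=Auditors", "CN=Legacy", "CN=Unmapped"]
    return effective_roles(hub, adfs, "Portal", "alice", claims)
```

Running `demo()` yields only Admin and Reader: Auditor is dropped because it is not assigned to the App, and the Legacy and Unmapped claims never become Roles at all.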
The following out-of-the-box Account Providers support mapping roles for authenticating users:
- SAMLP Account Provider: You need to map the incoming roles. Make sure the IDP sends the roles. For ADFS see How To: Configure The Identity Hub to use ADFS as Account Provider
- WS-FED Account Provider: You need to map the incoming roles. Make sure the IDP sends the roles. For ADFS see How To: Configure The Identity Hub to use ADFS as Account Provider
- Office 365 Account Provider: You need to map the incoming roles.
For other Account Providers, roles need to be assigned in The Identity Hub UI.
Custom Account Providers and Custom Claim Providers can also supply Roles for authenticating Users.