IdP User Grant by Mapped Roles


Is it possible to assign user grant based on the role mapping? We use security level rules that have to run a script to get the roles and then compare. While powerful, it is quite cumbersome.

If we could assign a user (role?) grant to roles as returned from attribute mapping, this would give a great GUI to manage the assigned levels.

Right now I only see grants for username and ID. Is a role possible?


We have no plans to add a User Grant by role.

If your role attribute mapper is configured, all roles should manifest as child security levels under the Authenticated/Roles parent security level. You could configure your security level permissions to require one of these roles in addition to other security levels.

Something else that might help: in 8.1.5 we added the {user:X} special object reference to security level rules which allows you to re-use attributes that you already mapped to the user. For example: {user:roles} will return the roles mapped to the user. This should help you avoid the redundant parsing of the roles from the IdP response document, which is usually already taken care of in the attribute mapper.