Role Assignments

A Role Assignment associates a user with an Application Role during policy evaluation. This section explains the following ways that a Role Assignment can be created:

  • User ID assignment

  • Identity Role assignment

  • Claims Evaluation assignment

Manage Role

When you select a Role for a Policy or Child Policy, you are taken to the Manage Role page. From this page you can create one or more role assignments.

Select one of Permission Assignments, User ID Assignments, Role Assignments or Claims Evaluation Assignments to view the existing assignments or create new assignments.

Permission Assignments

This view lists all permissions available in the selected role. To assign a permission to the role, select its checkbox and then select the Save Assignment button.

Inherited permission assignments

If a permission is assigned to a role in a parent policy, it cannot be unassigned in a child policy: it is disabled and labeled as inherited from the parent policy.

If a permission is created in a parent policy but not assigned to a role there, it can be assigned to roles in a child policy.

User ID Assignments

A User ID Assignment associates a user, by their user ID, with an Application Role. From the User ID Assignments view, you can select the Add User link to add a User ID assignment to the Application Role.

Add User ID Assignment

An assignment can either grant or deny the role. By default the user is granted the role, unless you check the Deny checkbox. The assignment applies to the user from the point in the policy hierarchy where it is created, unless a subsequent grant lower in the hierarchy overrides it.

Press Enter or select the check mark icon to add the association. The new User ID association will appear in the list.
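
The grant/deny behaviour described above, modeled across a three-level policy hierarchy. This is an added sketch, not the product's code: the Policy class, the has_role function and the sample names are hypothetical, and it assumes the assignment nearest the evaluated policy wins.

```python
# Added illustration: a minimal model of grant/deny User ID assignments
# resolved across a policy hierarchy. All names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    name: str
    parent: Optional["Policy"] = None
    # role name -> {user_id: deny flag}; deny=False means grant (the default)
    user_assignments: dict = field(default_factory=dict)

    def assign(self, role: str, user_id: str, deny: bool = False) -> None:
        self.user_assignments.setdefault(role, {})[user_id] = deny


def path_from_root(policy: Policy) -> list:
    """Return the chain of policies from the root down to `policy`."""
    chain = []
    while policy is not None:
        chain.append(policy)
        policy = policy.parent
    return list(reversed(chain))


def has_role(policy: Policy, role: str, user_id: str) -> bool:
    """Walk root -> evaluated policy; each assignment met on the way
    replaces the decision inherited from above (assumed: nearest wins)."""
    granted = False  # no assignment anywhere means the user lacks the role
    for level in path_from_root(policy):
        deny = level.user_assignments.get(role, {}).get(user_id)
        if deny is not None:
            granted = not deny
    return granted


# Constructed sample hierarchy: Hospital -> Cardiology -> Research
root = Policy("Hospital")
cardio = Policy("Cardiology", parent=root)
research = Policy("Research", parent=cardio)

root.assign("Doctor", "alice")               # grant at the top
cardio.assign("Doctor", "alice", deny=True)  # deny from Cardiology down
research.assign("Doctor", "alice")           # lower grant overrides the deny
root.assign("Doctor", "bob", deny=True)      # deny with no lower grant

if __name__ == "__main__":
    for p in (root, cardio, research):
        print(p.name, has_role(p, "Doctor", "alice"), has_role(p, "Doctor", "bob"))
```

When reviewing a hierarchy, check each deny for a grant lower down that would reinstate the role for the same user ID.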

Edit User ID Assignment

If you need to edit the User ID to fix a mistake while creating the association, you can select the edit icon to update the entry. This preserves the Role Assignment record and simply updates the value of the User ID for that assignment.

Delete User ID Assignment

To remove a User ID assignment, select the delete icon from the User ID Assignments listing.

Identity Role Assignments

An Identity Role Assignment associates a user, by their identity role, with an Application Role. From the Identity Role Assignments view, you can select the Add Role link to add an Identity Role assignment to the Application Role.

Add Identity Role Assignment

After clicking Add Role, an edit field will be presented for you to enter a role name. This is a string value that must match what will be presented as one of the roles during policy evaluation (the “roles” claim).

Press Enter or select the check mark icon to add the association. The new identity role association will appear in the list.

The Select Role button is only present if the Role Search feature is configured. See Role Search for more information.

Edit Identity Role Assignment

If you need to edit the Identity Role name to fix a mistake while creating the association, you can select the edit icon to update the entry. This preserves the Role Assignment record and simply updates the value of the Identity Role name for that assignment.

Delete Identity Role Assignment

To remove an Identity Role assignment, select the delete icon from the Identity Role Assignments listing.

Claims Evaluation Assignments

A Claims Evaluation Assignment associates a user, by one or more identity claims, with an Application Role by way of an expression. From the Claims Evaluation Assignments view, you can select the Add Expression button to add a Claims Evaluation assignment to the Application Role.

Add Claims Evaluation Assignment

After clicking Add Expression, you will be taken to the Add Evaluation Assignment page to create an expression for the assignment. The expression is expected to be a C# expression that relies on a hydrated “user” object that has one or more claims. Examples of valid expressions are shown below.

../_images/ui-addclaimsassignment.png

Select Add Expression to add the association and return to the list of Claims Evaluation Assignments. The new assignment will appear in the list.

Delete Claims Evaluation Assignment

To remove a Claims Evaluation assignment, select the delete icon from the Claims Evaluation Assignments listing. You can recreate an alternate expression by adding a new assignment.
