Identity Role Search

Creating a Role Assignment based on an Identity Role requires you to know the role names that will be returned from the identity system during login. This role name will be presented to the PolicyServer runtime in a “role” claim.

PolicyServer provides a Role Search feature that enables you to select from a list of identity roles to create a Role Assignment using the selected role name.

Role Search Endpoint

If your license supports Role Search, you can provide a Web API endpoint to support searching and paging through identity roles from your back-end user store or identity system.

The Management UI calls the Management API role search endpoint if the feature is enabled. To enable the feature, the Management API must be configured to point at your role search Web API endpoint. From there, your Web API is responsible for responding to role search requests and returning the appropriate list of identity roles according to the request parameters.

[Image: ui-rolesearch-components.png]

Note: PolicyServer samples include a sample Role Search API implementation (/management/CustomManagementSearch) to provide a starting point for the implementation.

Configuration

The Management API configuration for PolicyServer, in the management section, provides a setting for the base path to your role search Web API endpoint.

"management": {
  "roleSearchUrl": "http://HOST/rolesearch"
}

The Management API will use the specified Web API endpoint to satisfy requests to its Role Search endpoint. As such, when the Management UI enables the Role Search feature, the identity roles returned will be under your control.

Role Search Feature

When you select Role Search from the navigation menu, you are taken to a page that displays a paged list of identity roles from the Role Search API endpoint you have configured. By default the results are not filtered by any search criteria. For each identity role, a role identifier and name are presented.

[Image: ui-rolesearch-nofilter.png]

Filtering and Paging

When you type search criteria into the search text box, the Role Search API endpoint is called with those criteria. It is up to your implementation of the Role Search API to determine how to use the search criteria to filter results. The goal of the filter is to reduce the identity roles to a number of pages that the end user can reasonably browse.

[Image: ui-rolesearch-filtered.png]

From the paging area, you can navigate to the first, last, previous or next page in the results. The Role Search API is presented with the filter and the page number to return so that it can respond accordingly. Ultimately the Management UI presents exactly what is returned from the request, including the page navigation parameters.
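The filter-and-page behaviour described in this section and in the Role Search Endpoint section above is what your Web API has to implement behind the configured roleSearchUrl. The following is an added example, not PolicyServer's own code or its sample: it works over a constructed in-memory role list, and the request and response field names (filter, page, pageSize, totalPages and so on), the caps on page size and filter length, and the LDAP-backed variant are all assumptions, since the page does not specify the wire contract. The security-relevant points it shows are clamping page size so the endpoint never dumps the whole role store in one request, treating the search text as plain data rather than a pattern, and escaping it before it reaches a directory query.

```python
"""Added example: filter-and-page logic for a Role Search endpoint.

Not PolicyServer code. Field names, caps and the LDAP variant are assumptions.
"""
import math
from typing import Any, Dict, List, Optional

# Constructed sample data standing in for roles returned by an identity system.
IDENTITY_ROLES: List[Dict[str, str]] = [
    {"id": "r-001", "name": "Billing Admin"},
    {"id": "r-002", "name": "Billing Viewer"},
    {"id": "r-003", "name": "Claims Adjuster"},
    {"id": "r-004", "name": "Claims Supervisor"},
    {"id": "r-005", "name": "HR Manager"},
    {"id": "r-006", "name": "Nurse"},
    {"id": "r-007", "name": "Physician"},
]

MAX_PAGE_SIZE = 50    # assumed cap: one request must not return the whole store
MAX_FILTER_LEN = 64   # assumed cap on the search text accepted from the UI


def normalize_filter(raw: Optional[str]) -> str:
    """Treat the search box text as plain data: trim, cap length, case-fold."""
    return (raw or "").strip()[:MAX_FILTER_LEN].casefold()


def search_roles(roles: List[Dict[str, str]], filter_text: str = "",
                 page: int = 1, page_size: int = 10) -> Dict[str, Any]:
    """Return one page of roles whose name contains filter_text, plus paging info.

    Out-of-range page numbers and sizes are clamped so the UI always receives
    a valid page rather than an error or an unbounded result set.
    """
    needle = normalize_filter(filter_text)
    matches = [r for r in roles if needle in r["name"].casefold()]
    size = max(1, min(int(page_size), MAX_PAGE_SIZE))
    total = len(matches)
    total_pages = max(1, math.ceil(total / size))
    page = max(1, min(int(page), total_pages))
    start = (page - 1) * size
    return {
        "filter": needle,
        "page": page,
        "pageSize": size,
        "totalCount": total,
        "totalPages": total_pages,
        "hasPrevious": page > 1,
        "hasNext": page < total_pages,
        "roles": matches[start:start + size],
    }


# RFC 4515 escapes for characters that have meaning inside an LDAP filter.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape user-supplied text before embedding it in an LDAP filter string.

    Needed when the endpoint queries a directory instead of an in-memory list;
    for a SQL-backed store, use a parameterised query instead.
    """
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_role_filter(filter_text: str) -> str:
    """Build a directory query for a role-name substring search (assumed schema)."""
    needle = escape_ldap_filter_value(normalize_filter(filter_text))
    return f"(&(objectClass=group)(cn=*{needle}*))"


if __name__ == "__main__":
    import json
    print(json.dumps(search_roles(IDENTITY_ROLES, "claims", 1, 10), indent=2))
```

Whatever the store behind the endpoint, the response shape above is what lets the Management UI render the page navigation without any knowledge of the store: the page number, page size and total page count come back with every response, and the filter is echoed so the UI can keep it across page changes.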

Selecting Identity Roles from the Application Role

When managing a policy, you may want to select identity roles for an Application Role assignment, while managing that Application Role. From the Manage Application Role page you can select Select Roles to initiate this workflow.

[Image: ui-noidentityroleassignments.png]

This takes you to the Role Search in the context of an Application Role so that all identity role selections will be assigned to that Application Role when you complete the workflow. You can enter search criteria, filter the identity role results, and page through those results, selecting roles as you go. The selected roles are listed in the Select Roles list.

[Image: ui-selectrole-listselection.png]

To complete the workflow and create the new Role Assignments for each selected identity role, select Assign to [RoleName] Role where the RoleName is tailored to the current context.

[Image: ui-selectrole-listselection-complete.png]