If you are using roles in your authorization policies, you need to ensure that the role is enabled for Identity Server configuration. You can create roles and authorization policies independently of assigning them to protect a resource or to an Identity Server configuration.
If you have not enabled the role, users are not assigned the role when they log in, even when they meet all the criteria for the role.
If the Authorization Policy is an Allow policy, the users might be denied access because they haven’t been assigned the role.
If the Authorization Policy is a Deny policy, the users might be allowed access because they haven’t been assigned the role.
Whenever an Authorization Policy is not producing the expected results and the policy contains a role, the first troubleshooting step should always be to check whether the role has been enabled for Identity Server configuration. On the Home page, click Identity Servers > [cluster name] > Edit > Roles. If the role is not enabled, Identity Server cannot assign the role to the user.
The second step should be to ensure that the roles are transferred from the Identity Server to the Embedded Service Provider using the Web Service Provider API (https://<admin-console-host>:<admin-console-port>/nps/swagger-ui.html). The Authentication Profile must be enabled for Embedded Service Providers to evaluate roles in policies. This profile is enabled by default, but it can be disabled. When it is disabled, all devices assigned to use this Identity Server cluster configuration cannot determine which roles a user has been assigned, and the devices evaluate policies as if the user has no roles.
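The two checks above form one chain: a role must be enabled on the cluster before it is assigned at login, and the Authentication Profile must be enabled before the Embedded Service Provider can see the assigned roles. The model below is an added illustration, not Access Manager code or the product's API; its class names, policy shape and sample data are constructed assumptions. It walks both failure points and shows why a role-conditioned Deny policy fails open (grants access) while an Allow policy fails closed, and it includes a small audit helper that lists policies referencing roles not enabled on the cluster.

```python
"""Model of how a disabled role or a disabled Authentication Profile changes
the outcome of Allow and Deny authorization policies.
Added illustration with assumed structures; not Access Manager code."""
from dataclasses import dataclass, field


@dataclass
class IdentityServerConfig:
    """Per-cluster settings the troubleshooting steps check (assumed shape)."""
    # Identity Servers > [cluster name] > Edit > Roles
    enabled_roles: set = field(default_factory=set)
    # Profile that lets Embedded Service Providers evaluate roles
    authentication_profile_enabled: bool = True


@dataclass
class Policy:
    """An Allow or Deny policy conditioned on one role (assumed shape)."""
    name: str
    effect: str   # "Allow" or "Deny"
    role: str


def roles_assigned_at_login(config, qualifying_roles):
    """Roles the user actually receives at login: a role the user qualifies
    for is still withheld unless it is enabled on the cluster."""
    return {r for r in qualifying_roles if r in config.enabled_roles}


def roles_visible_to_esp(config, assigned_roles):
    """Roles the Embedded Service Provider can evaluate. With the
    Authentication Profile disabled, the ESP sees no roles at all."""
    if not config.authentication_profile_enabled:
        return set()
    return set(assigned_roles)


def evaluate(policy, esp_roles):
    """Outcome of one policy for a user with the given visible roles.
    The role condition only matches when the role is actually present."""
    matched = policy.role in esp_roles
    if policy.effect == "Allow":
        return "allow" if matched else "deny"   # fails closed
    if policy.effect == "Deny":
        return "deny" if matched else "allow"   # fails open
    raise ValueError("unknown policy effect: " + policy.effect)


def decide(config, policy, qualifying_roles):
    """Full chain: enablement -> login assignment -> ESP visibility -> policy."""
    assigned = roles_assigned_at_login(config, qualifying_roles)
    visible = roles_visible_to_esp(config, assigned)
    return evaluate(policy, visible)


def find_misconfigured_policies(config, policies):
    """Audit helper: a policy whose role is not enabled on the cluster can
    never match, so report it before the unexpected allow/deny shows up."""
    return [p.name for p in policies if p.role not in config.enabled_roles]


if __name__ == "__main__":
    # Constructed sample data: one Allow and one Deny policy, one user
    allow_employees = Policy("allow-employees", "Allow", "Employee")
    deny_contractors = Policy("deny-contractors", "Deny", "Contractor")
    user_roles = {"Employee", "Contractor"}   # roles the user qualifies for

    healthy = IdentityServerConfig(enabled_roles={"Employee", "Contractor"})
    print("healthy:", decide(healthy, allow_employees, user_roles),
          decide(healthy, deny_contractors, user_roles))

    # Step 1 failure: Contractor role never enabled on the cluster
    role_off = IdentityServerConfig(enabled_roles={"Employee"})
    print("role disabled:", decide(role_off, deny_contractors, user_roles))
    print("audit:", find_misconfigured_policies(
        role_off, [allow_employees, deny_contractors]))

    # Step 2 failure: Authentication Profile disabled, ESP sees no roles
    profile_off = IdentityServerConfig(
        enabled_roles={"Employee", "Contractor"},
        authentication_profile_enabled=False)
    print("profile disabled:", decide(profile_off, allow_employees, user_roles),
          decide(profile_off, deny_contractors, user_roles))
```

Running the script with the sample data shows the healthy cluster allowing the employee policy and enforcing the contractor deny, the cluster with the Contractor role disabled letting the contractor through the Deny policy, and the cluster with the profile disabled denying everyone under the Allow policy while the Deny policy stops blocking anyone. The audit helper is the check worth running first whenever a policy misbehaves, because it surfaces the role-enablement gap without waiting for a user to hit it.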