6.2.3 Creating Roles

To implement RBAC, first define all roles within your organization and the permissions attached to each role. A collection of users requiring the same access can be assigned to a single role. Each user can also be assigned to one or more roles and receive the collective rights associated with the assigned roles. A role policy consists of one or more rules, and each rule consists of one or more conditions and an action.

  1. Click Policies > Policies.

  2. Select the policy container, then click New.

  3. Specify a name for the policy, then select Identity Server: Roles for the type of policy.

  4. Specify the following details:

    Description: (Optional) Describe the purpose of this rule. If your role policy contains multiple rules, use the description to identify the purpose of each rule.

    Priority: Specify the order in which a rule is applied in the policy, when the policy has multiple rules. The highest priority is 1 and 10 is the lowest.

  5. To create a condition for a policy rule, click New in the Condition Group 1 section, then select one of the following:

    • Authenticating IDP: Specifies the identity provider that authenticated the current user. To use this condition, you must have set up a trusted relationship with more than one identity provider. See Authenticating IDP Condition.

    • Authentication Contract: Specifies the contract used to authenticate the current user. The selections in this list are defined in Identity Server configuration. See Authentication Contract Condition.

    • Authentication Method: Specifies the method used to authenticate the current user. See Authentication Method Condition.

    • Authentication Type: Compares a selected authentication type to the authentication types used to authenticate the current user. See Authentication Type Condition.

    • Credential Profile: Requires the user to use the specified credential for authentication. Only values used at authentication time are available for this comparison. See Credential Profile Condition.

    • LDAP Group: Specifies a group in which the authenticating user is evaluated for membership. See LDAP Group Condition.

    • LDAP OU: Specifies an OU against which the authenticating user's container is evaluated for containment. See LDAP OU Condition.

    • LDAP Attribute: Specifies an attribute from the user object of an authenticated user. By default, the selection values include those defined for the InetOrgPerson class. See LDAP Attribute Condition.

    • Liberty User Profile: Specifies any one of a number of data values that have been mapped to a Liberty Profile attribute. See Liberty User Profile Condition.

    • Roles from Identity Provider: Specifies a role that has been assigned to the user by an identity provider. See Roles from Identity Provider Condition.

    • User Store: Compares a selected user store to the user store where the current user is authenticated. See User Store Condition.

    • Virtual Attribute: Specifies a virtual attribute. The virtual attribute is used to store the transformed attribute values in the user’s session. See Virtual Attribute Condition

    • Condition Extension: (Conditional) If you have loaded and configured a role condition extension, this option specifies a condition that is evaluated by an outside source. See the documentation that came with the extension for information about what is evaluated.

    • Data Extension: (Conditional) If you have loaded and configured a role data extension, this option specifies the value that the extension retrieves. You can then select to compare this value with an LDAP attribute, a Liberty User Profile attribute, a Data Entry Field, or another Data Extension. For more information, see the documentation that came with the extension.

    NOTE:To improve the policy's performance, configure the LDAP Attributes, Credential Profile, and Liberty User Profile attributes to be sent with authentication. For more information, seeConfiguring the Attributes Set with Authentication.

  6. (Conditional) To add multiple conditions, repeat Step 5.

    For more information about using multiple conditions in a rule, see Using Multiple Conditions.

  7. In the Actions section, select one of the following:

    • Activate Role: Select this option to specify a name for the role. If you are creating a role that needs to be injected into an HTTP header, use the capitalization format that the web server expects.

    • Activate Selected Role: Select this option to obtain the role value from an external source.

    For more information about specifying a role or roles to activate, see Selecting an Action.

  8. Click OK > OK.

  9. Click Apply Changes.

  10. To enable the role for an Identity Server configuration, see Enabling and Disabling Role Policies.