Assigning permissions using roles and groups

Roles and groups have a similar purpose, which is to give users access and permissions to use applications. Groups are a collection of users to which you apply roles and attributes. Roles define specific applications permissions and access control.

Creating a realm role

Realm-level roles are a namespace for defining your roles. To see the list of roles, click Realm Roles in the menu.

Procedure

1. Click Create Role.
2. Enter a Role Name.
3. Enter a Description.
4. Click Save.

The description field can be localized by specifying a substitution variable with ${var-name} strings. The localized value is configured to your theme within the themes property files.

Client roles

Client roles are namespaces dedicated to clients. Each client gets its own namespace. Client roles are managed under the Roles tab for each client. You interact with this UI the same way you do for realm-level roles.

Converting a role to a composite role

Any realm or client level role can become a composite role. A composite role is a role that has one or more additional roles associated with it. When a composite role is mapped to a user, the user gains the roles associated with the composite role. This inheritance is recursive so users also inherit any composite of composites. However, we recommend that composite roles are not overused.

Procedure

1. Click Realm Roles in the menu.

2. Click the role that you want to convert.

3. From the Action list, select Add associated roles.

The role selection UI is displayed on the page and you can associate realm level and client level roles to the composite role you are creating.

Assigning role mappings

You can assign role mappings to a user through the Role Mappings tab for that user.

Procedure

1. Click Users in the menu.
2. Click the user that you want to perform a role mapping on.
3. Click the Role mappings tab.
4. Click Assign role.
5. Select the role you want to assign to the user from the dialog.
6. Click Assign.

Using default roles

Use default roles to automatically assign user role mappings when a user is created or imported through Identity Brokering.

Procedure

1. Click Realm settings in the menu.
2. Click the User registration tab.

Below screen shows that some that some default roles already exist.

Role scope mappings

On creation of an OIDC access token or SAML assertion, the user role mappings become claims within the token or assertion. Applications use these claims to make access decisions on the resources controlled by the application. SafeNet Access Exchange digitally signs access tokens and applications re-use them to invoke remotely secured REST services. However, these tokens have an associated risk. An attacker can obtain these tokens and use their permissions to compromise your networks. To prevent this situation, use Role Scope Mappings.

Role Scope Mappings limit the roles declared inside an access token. When a client requests a user authentication, the access token they receive contains only the role mappings that are explicitly specified for the client’s scope. The result is that you limit the permissions of each individual access token instead of giving the client access to all the users permissions.

By default, each client gets all the role mappings of the user. You can view the role mappings for a client.

Procedure

1. Click Clients in the menu.
2. Click the client to go to the details.
3. Click the Client scopes tab.
4. Click the link in the row with Dedicated scope and mappers for this client
5. Click the Scope tab.

Full Scope

By default, the effective roles of scopes are every declared role in the realm. To change this default behavior, toggle Full Scope Allowed to OFF and declare the specific roles you want in each client. You can also use client scopes to define the same role scope mappings for a set of clients.

Partial scope

Groups

Groups in SafeNet Access Exchange manage a common set of attributes and role mappings for each user. Users can be members of any number of groups and inherit the attributes and role mappings assigned to each group. To manage groups, click Groups in the menu.

Groups are hierarchical. A group can have multiple subgroups but a group can have only one parent. Subgroups inherit the attributes and role mappings from their parent. Users inherit the attributes and role mappings from their parent as well.

To add a group:

1. Click the group.

2. Click Create group.

3. Enter a group name.

4. Click Create.

5. Click the group name.

The group management page is displayed.

Attributes and role mappings you define are inherited by the groups and users that are members of the group.

To add a user to a group:

1. Click Users in the menu.

2. Click the user that you want to perform a role mapping on. If the user is not displayed, click View all users.

3. Click Groups.

   

4. Click Join Group.

5. Select a group from the dialog.
6. Select a group from the Available Groups tree.
7. Click Join.

To remove a group from a user:

1. Click Users in the menu.

2. Click the user to be removed from the group.

3. Click Leave on the group table row.