12.2.1.2. Sources of roles

A user's access roles - in the above example, these are admin and customer - may originate from different sources.

For all further considerations, there is a distinction between user roles and acquired roles.

User roles

User roles are roles that a user permanently has, i.e., they belong to the user and are stored with the user record.

  • Examples:
  • Roles that are stored in the roles attribute of Airlock IAM's default database schema.
  • Groups associated with a user in an LDAP directory.
  • In the above example, admin and customer are user roles.

User Roles

User roles can be reloaded from the data layer (directory) at any time given the user's ID.

Acquired Roles

During the authentication process, it is possible to acquire roles from various additional sources.

  • Examples:
  • Configured string constants can be used as roles.
  • Tags collected during successful authentication and verifications steps can be transformed into roles.
  • Claims from SSO tickets, OAuth 2.0/OIDC can be transformed into roles.

Acquired roles

Acquired roles cannot be re-loaded from the data layer (directory) and are bound to a session rather than the user.

Acquired roles (JSP-Loginapp)

Acquired roles are roles that a user gets, i.e., acquires by doing something.

  • Examples:
  • A role is obtained by using a specific authentication token (e.g. all authenticated users may get the role authenticated).
  • A role is obtained by doing an authentication step-up.
  • A role obtained after successful account self-registration.

Acquired Roles

Acquired roles cannot be re-loaded from the data layer (directory) and are bound to a session rather than the user.

Acquired roles is a concept of the JSP-Loginapp and is only valid in the context of the JSP-Loginapp.

Further information and links

The links provided here are relevant to Loginapp REST API and REST UI.