Sources of roles

A user's access roles - in the above example, these are admin and customer - may originate from different sources.

For all further considerations, a distinction is made between user roles and acquired roles.

User roles

User roles are roles that a user permanently has, i.e., they belong to the user and are stored with the user record.

Examples:

  • Roles that are stored in the roles attribute of Airlock IAM's default database schema.
  • Groups associated with a user in an LDAP directory.
  • In the above example, admin and customer are user roles.

User Roles

User roles can be reloaded from the data layer (directory) at any time given the user's ID.

Acquired Roles

During the authentication process, it is possible to acquire roles from various additional sources.

Examples:

  • Configured string constants can be used as roles.
  • Tags collected during successful authentication and verification steps can be transformed into roles.
  • Claims from SSO tickets or from OAuth 2.0/OIDC can be transformed into roles.

Acquired roles

Acquired roles cannot be reloaded from the data layer (directory); they are bound to a session rather than to the user.
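As an added illustration of the distinction above (this is not Airlock IAM code; the directory, the constant/tag/claim mappings and the user, tag and claim names are all constructed), the following Python model shows user roles being reloaded from the directory while acquired roles stay bound to the session in which they were obtained:

```python
from dataclasses import dataclass, field

# Constructed stand-in for the data layer (directory): user roles are
# stored with the user record and can be reloaded by user ID at any time.
DIRECTORY = {
    "alice": {"roles": {"admin", "customer"}},
}

# Constructed configuration: sources from which roles are acquired
# during authentication (string constants, verification tags, token claims).
CONSTANT_ROLES = {"authenticated"}                   # configured string constants
TAG_TO_ROLE = {"mtls-verified": "strong-auth"}       # tags from verification steps
CLAIM_TO_ROLE = {("groups", "finance"): "finance"}   # claims from SSO/OAuth 2.0/OIDC


@dataclass
class Session:
    user_id: str
    acquired_roles: set = field(default_factory=set)  # bound to this session only

    def user_roles(self) -> set:
        # User roles are always read back from the directory, so changes made
        # there (for example a revocation by an administrator) are picked up.
        return set(DIRECTORY[self.user_id]["roles"])

    def effective_roles(self) -> set:
        return self.user_roles() | self.acquired_roles


def authenticate(user_id: str, tags: set, claims: dict) -> Session:
    """Create a session; acquired roles are derived once, at authentication time."""
    acquired = set(CONSTANT_ROLES)
    acquired |= {TAG_TO_ROLE[t] for t in tags if t in TAG_TO_ROLE}
    for (claim, value), role in CLAIM_TO_ROLE.items():
        if value in claims.get(claim, []):
            acquired.add(role)
    return Session(user_id, acquired)


def revoke_user_role(user_id: str, role: str) -> None:
    # An administrator removes a user role in the directory. Acquired roles
    # live only in existing sessions and are not affected by this change.
    DIRECTORY[user_id]["roles"].discard(role)
```

A role revoked in the directory disappears from the session on the next reload, whereas an acquired role persists until the session ends and is not granted again unless the next authentication yields it again.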

Acquired roles (JSP-Loginapp)

Acquired roles are roles that a user obtains, i.e., acquires, by doing something.

Examples:

  • A role is obtained by using a specific authentication token (e.g., all authenticated users may get the role authenticated).
  • A role is obtained by performing an authentication step-up.
  • A role is obtained after successful account self-registration.

Acquired roles are a concept of the JSP-Loginapp and are only valid in the context of the JSP-Loginapp.