Sources of roles

A user's access roles - in the above example, these are admin and customer - may originate from different sources.

In everything that follows, a distinction is made between user roles and acquired roles.

User roles

User roles are roles that a user permanently has, i.e., they belong to the user and are stored with the user record.

Examples:

  • Roles that are stored in the roles attribute of Airlock IAM's default database schema.
  • Groups associated with a user in an LDAP directory.

In the above example, admin and customer are user roles.

Note: User roles can be reloaded from the data layer (directory) at any time, given the user's ID.

Acquired Roles

During the authentication process, it is possible to acquire roles from various additional sources.

Examples:

  • Configured string constants can be used as roles.
  • Tags collected during successful authentication and verification steps can be transformed into roles.
  • Claims from SSO tickets and OAuth 2.0/OIDC can be transformed into roles.

Note: Acquired roles cannot be reloaded from the data layer (directory); they are bound to a session rather than to the user.
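The following added example (not Airlock IAM code; all names, mapping rules and the directory contents are constructed assumptions) models the distinction described above: user roles are looked up from a directory by user ID and can be re-read later, while acquired roles are derived once during authentication from constants, tags and claims and live only in the session, so a reload refreshes the former but cannot reconstruct the latter.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the data layer (e.g. the roles attribute of the
# default database schema or LDAP group membership), keyed by user ID.
DIRECTORY = {"alice": {"admin", "customer"}}

# Hypothetical mapping rules for acquired roles; not IAM configuration keys.
CONSTANT_ROLES = {"authenticated"}                    # configured string constants
TAG_TO_ROLE = {"mfa-verified": "strong-auth"}          # authentication-step tags
CLAIM_TO_ROLE = {"groups": {"finance": "finance-user"}}  # SSO / OIDC claims


@dataclass
class Session:
    user_id: str
    user_roles: set = field(default_factory=set)      # reloadable from the directory
    acquired_roles: set = field(default_factory=set)  # bound to this session only

    def roles(self):
        return self.user_roles | self.acquired_roles


def load_user_roles(user_id):
    """User roles: read from the data layer by user ID (repeatable at any time)."""
    return set(DIRECTORY.get(user_id, set()))


def acquire_roles(tags, claims):
    """Acquired roles: derived from constants, collected tags and token claims."""
    roles = set(CONSTANT_ROLES)
    roles |= {TAG_TO_ROLE[t] for t in tags if t in TAG_TO_ROLE}
    for claim, mapping in CLAIM_TO_ROLE.items():
        values = claims.get(claim, [])
        values = [values] if isinstance(values, str) else values  # claim may be scalar
        roles |= {mapping[v] for v in values if v in mapping}
    return roles


def authenticate(user_id, tags, claims):
    """Build the session: user roles from the directory plus roles acquired now."""
    return Session(user_id, load_user_roles(user_id), acquire_roles(tags, claims))


def revoke_directory_role(user_id, role):
    """Simulate an administrator removing a role in the data layer."""
    DIRECTORY.get(user_id, set()).discard(role)


def reload_user_roles(session):
    """Re-read only the user roles; acquired roles are not derivable from the directory."""
    session.user_roles = load_user_roles(session.user_id)
    return session
```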