Authentication and Roles

When a user authenticates, they are given a set of default internal roles. These roles determine how much access the user has to Identity Cloud. Identity Cloud includes a number of default internal roles, on the openidm/internal/roles endpoint. You can configure additional internal roles to customize how you restrict access to the server.

The following internal roles are defined by default (in conf/repo.init.json):


Identity Cloud administrator role, excluded from the reauthorization required policy definition by default.


Default role for any user who authenticates with a username and password.


Default role for any user who authenticates with mutual SSL authentication.

This role applies only to mutual authentication. The shared secret (certificate) must be adequately protected. The openidm-cert role is excluded from the reauthorization required policy definition by default.


Assigned to users who access Identity Cloud with the default anonymous account.

The openidm-reg role is excluded from the reauthorization required policy definition by default.


Role for users who can be assigned to workflow tasks.


Role for platform provisioning access. If you are not planning to run AM and Identity Cloud together as a platform, you can safely remove this role.

When a user authenticates, Identity Cloud calculates that user's roles as follows:

  • Each authentication module includes a defaultUserRoles property. Depending on how the user authenticates, Identity Cloud assigns the roles listed in that module's defaultUserRoles property to the user on authentication. The defaultUserRoles property is specified as an array. For most authentication modules, the user obtains the openidm-authorized role on authentication. For example:

        "name" : "MANAGED_USER",
        "properties" : {
            "defaultUserRoles" : [
  • The userRoles property in an authentication module maps to an attribute (or list of attributes) in a user entry that contains that user's authorization roles. This attribute is usually authzRoles, unless you have changed how user roles are stored.

    Any internal roles that are conditionally applied are also calculated and included in the user's authzRoles property at this point.

  • If the authentication module includes a groupRoleMapping, groupMembership, or groupComparison property, Identity Cloud can assign additional roles to the user, depending on the user's group membership on an external system. For more information, see "Use Groups to Control Access to Identity Cloud".


The roles calculated in sequence are cumulative. Roles with temporal restrictions are not included in that list if the current time is outside of the time assigned to the role.

Dynamic Role Calculation

By default, Identity Cloud calculates a user's roles only on authentication. You can configure Identity Cloud to recalculate a user's roles dynamically, with each request, instead of only when the user reauthenticates. To enable this feature, set enableDynamicRoles to true in the JWT_SESSION session module in authentication.json:

To enable dynamic role calculation through the Admin UI, select Configure > Authentication > Session > Enable Dynamic Roles.

Roles, Authentication, and the Security Context

The Security Context (, consists of a principal (defined by the authenticationId property) and an access control element (defined by the authorization property).

If authentication is successful, the authentication framework sets the principal. Identity Cloud stores that principal as the authenticationId.

The authorization property includes an id, an array of roles, and a component, that specifies the resource against which authorization is validated.

Read a different version of :