Roles

The managed role object is a default managed object type that uses the relationships mechanism. You should understand how relationships work before you read about Identity Cloud roles.

In the ForgeRock Identity Cloud®, the default role object is named alpha_role.

Identity Cloud Role Types

Identity Cloud supports two types of roles:

  • Provisioning roles: used to specify how objects are provisioned to an external system.

    Provisioning roles are created as managed roles, at the context path openidm/managed/realm-name_role/role-name, and are granted to managed users as values of the user’s roles property.

  • Authorization roles: used to specify the authorization rights of a managed object internally, within Identity Cloud.

    Authorization roles are created as internal roles, at the context path openidm/internal/role/role-name, and are granted to managed users as values of the user’s authzRoles property.

Provisioning roles and authorization roles use relationships to link the role to the managed object to which it applies. Authorization roles can also be granted statically, during authentication, with the defaultUserRoles property.
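The two context paths above give a defender a simple invariant to check on a user object: every entry in roles should point at managed/realm-name_role/…, and every entry in authzRoles at internal/role/…. The audit below is an added example, not ForgeRock's code; it assumes the IDM relationship format in which each grant is an object whose _ref field holds the target's context path (that format is not shown on this page), and the user object is constructed.

```python
"""Audit the role grants on a managed user (added example, not ForgeRock's
code). Assumes each grant is a relationship object whose "_ref" holds the
target's context path; the user object below is constructed sample data."""
import re

# Context paths stated on the page, parameterised on the realm name.
PROVISIONING_REF = re.compile(r"^managed/(?P<realm>[a-z0-9]+)_role/(?P<role>[^/]+)$")
AUTHZ_REF = re.compile(r"^internal/role/(?P<role>[^/]+)$")

# Which reference shape each grant property is expected to carry.
EXPECTED = {"roles": PROVISIONING_REF, "authzRoles": AUTHZ_REF}


def audit_role_grants(user: dict, realm: str = "alpha") -> dict:
    """Return provisioning and authorization role names plus a list of findings.

    A grant is flagged when its _ref does not match the context path given
    for that property, or when a provisioning role belongs to a different
    realm than the one the user lives in (alpha by default, as on this page)."""
    result = {"provisioning": [], "authorization": [], "findings": []}
    for prop, pattern in EXPECTED.items():
        for grant in user.get(prop, []):
            ref = grant.get("_ref", "")
            m = pattern.match(ref)
            if m is None:
                result["findings"].append(f"{prop}: unexpected reference {ref!r}")
                continue
            if prop == "roles":
                if m.group("realm") != realm:
                    result["findings"].append(
                        f"roles: {ref!r} is in realm {m.group('realm')!r}, user is in {realm!r}")
                    continue
                result["provisioning"].append(m.group("role"))
            else:
                result["authorization"].append(m.group("role"))
    return result


# Constructed sample user: one valid grant of each type, one provisioning role
# from another realm, and an internal role wrongly placed under "roles".
SAMPLE_USER = {
    "userName": "bjensen",
    "roles": [
        {"_ref": "managed/alpha_role/ldap-provisioner"},
        {"_ref": "managed/bravo_role/hr-sync"},
        {"_ref": "internal/role/sample-admin"},
    ],
    "authzRoles": [{"_ref": "internal/role/sample-authz"}],
}

if __name__ == "__main__":
    for finding in audit_role_grants(SAMPLE_USER)["findings"]:
        print(finding)
```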