Identity Cloud

Manage end users and roles

The topics in this section are for tenants created on or after January 12, 2023. Refer to Application management migration FAQ.

The Users & Roles tab shows all roles assigned to an application and all end users who have access to it, either through direct assignment or through a role.

Use the tab to view and manage the end users in your organization who can access applications. After you establish the server connection, you can use Identity Cloud to add, edit, and remove end users directly from the application. To make it easier to set up access for groups of end users, you can create roles with specific access privileges and assign them to the appropriate end users.

You can also map end users to one or more target system object properties. For more information, refer to Map target system object properties to Identity Cloud.

You can assign an end user or role to an OIDC or SAML 2.0 application without setting up mappings or provisioning.

Add an end user to a target application

You can add a user to a target application if, for example, a new employee joins your organization and should have access to the application.

  1. On the Users & Roles tab, click Users.

  2. Click Assign Users.

  3. In the Members drop-down field, select an end user.

  4. Click Next.

  5. Specify the account details as they should exist in the external system for the end user.

  6. Click Assign.

Manage target applications associated with a user

You can add, edit, or revoke any target application associated with a user, including OIDC and SAML 2.0 applications.

  1. In the Identity Cloud admin UI, navigate to Identities > Manage > Alpha realm - Users.

  2. Click a user.

  3. Click Applications.

  4. To view information about an application, click the application.

  5. To add an application, click + Add Application and follow the steps.

  6. To revoke an application, click the ellipsis (...) to the right of the application, and select Revoke.

Add a role to an application

You can add a role to the application if, for example, a new role is added to your organization that needs access to the application.

  1. On the Users & Roles tab, click Roles.

  2. Click Assign Roles.

  3. In the Roles drop-down field, choose a role.

  4. If one or more properties are not set as 'user-specific', specify the account details for those properties as they should exist in the external system. Properties that are set as 'user-specific' are not specified here; they are supplied for each end user individually. For instructions about how to set or unset a property as 'user-specific', see Add or edit a property.

  5. Click Assign.

View all target applications associated with a role

You can view all target applications associated with a role, including OIDC and SAML 2.0 applications.

  1. In the Identity Cloud admin UI, navigate to Identities > Manage > Alpha realm - Roles.

  2. Click a role.

  3. Click Applications.

  4. To view information about an application, click the application.

View an end-user account

The Assignment column shows how an end user is assigned to an application:

  • Direct: The end user is assigned directly to an application.

  • Role-based: The end user is part of a role assigned to the application.

The Assignment column also shows non-account objects, such as groups, that are assigned to an end user. During reconciliation, a non-account object that does not yet exist is created; if it already exists, a relationship with the existing object is established.

You can view information about an end-user account that has access to an application.

  1. On the Users & Roles tab, click Users.

  2. Click an end user.

You cannot directly edit an end user who was added to an application via a role.

Remove an end user from an application

You can remove an end user from an application if, for example, a user leaves your company.

  1. On the Users & Roles tab, click Users.

  2. To the right of the end user, click the ellipsis (...).

  3. Select Revoke.

You cannot directly revoke an end user from an application if the end user was added via a role. In this case, to revoke the end user's access, remove the end user from the role.
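The following is an added example, not Identity Cloud code and not its REST API, that models the rules described under "Add a role to an application", "View an end-user account" and "Remove an end user from an application": access to an application is either Direct or Role-based, a role-based assignment can only be revoked by removing the end user from the role, and role account properties marked 'user-specific' must be supplied per end user. The application, roles, users and account template are constructed sample data; the USER_SPECIFIC sentinel is an assumed way of modelling the 'user-specific' flag; and the example assumes an end user can hold a direct and a role-based assignment to the same application at the same time, which is the case that matters for an offboarding check.

```python
# Constructed example: models how the Users & Roles tab resolves access
# (Direct vs Role-based) and what a revocation has to touch. Illustrative
# Python only; not Identity Cloud code or API.
from dataclasses import dataclass, field

# Assumed modelling of a role account property set as 'user-specific':
# the value comes from the end user, not from the role.
USER_SPECIFIC = "<user-specific>"


@dataclass
class Application:
    name: str
    direct_users: set[str] = field(default_factory=set)   # Direct assignments
    roles: set[str] = field(default_factory=set)          # Roles assigned to the app
    # Per-role account template for the external system. A value of
    # USER_SPECIFIC must be filled from the end user's own attributes.
    role_templates: dict[str, dict[str, str]] = field(default_factory=dict)


def effective_assignments(app, role_members):
    """Return {user: {assignment labels}} as the Assignment column shows them.

    role_members maps role name -> set of user ids; membership lives on the
    role, not on the application, which is why it is passed separately.
    """
    result = {}
    for user in app.direct_users:
        result.setdefault(user, set()).add("Direct")
    for role in sorted(app.roles):
        for user in role_members.get(role, set()):
            result.setdefault(user, set()).add(f"Role-based: {role}")
    return result


def revocation_plan(app, role_members, user):
    """Actions needed so that `user` no longer has access to `app`.

    A direct assignment is revoked on the application. A role-based one
    cannot be revoked there; the user has to be removed from the role.
    When the user holds both, both actions are needed, otherwise the
    role-based access survives the direct revocation.
    """
    actions = []
    if user in app.direct_users:
        actions.append(("revoke_direct", app.name))
    for role in sorted(app.roles):
        if user in role_members.get(role, set()):
            actions.append(("remove_from_role", role))
    return actions


def missing_user_specific(template, user_attrs):
    """Names of user-specific properties the end user does not supply."""
    return sorted(p for p, v in template.items()
                  if v == USER_SPECIFIC and p not in user_attrs)


def resolve_account(template, user_attrs):
    """Build the external account from a role's template.

    Properties not marked user-specific are taken from the role; the
    user-specific ones must be present in user_attrs.
    """
    missing = missing_user_specific(template, user_attrs)
    if missing:
        raise ValueError(f"user-specific properties not supplied: {missing}")
    return {p: (user_attrs[p] if v == USER_SPECIFIC else v)
            for p, v in template.items()}


# Constructed sample data (not from the page).
PAYROLL = Application(
    name="Payroll",
    direct_users={"bob", "dave"},
    roles={"finance", "hr"},
    role_templates={
        "finance": {"department": "Finance", "profile": "viewer",
                    "email": USER_SPECIFIC},
    },
)
ROLE_MEMBERS = {"finance": {"alice", "bob"}, "hr": {"carol"}}

if __name__ == "__main__":
    for user, how in sorted(effective_assignments(PAYROLL, ROLE_MEMBERS).items()):
        print(user, sorted(how))
    # bob is both Direct and Role-based: revoking only the direct assignment
    # would leave him with access through the finance role.
    print(revocation_plan(PAYROLL, ROLE_MEMBERS, "bob"))
    print(resolve_account(PAYROLL.role_templates["finance"],
                          {"email": "alice@example.com"}))
```

When offboarding, check the Assignment column for every application the end user can reach and act on each assignment type separately; a Revoke on the Users list only covers the Direct entry.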

Remove a role from an application

You can remove a role from an application if, for example, the role becomes obsolete.

  1. On the Users & Roles tab, click Roles.

  2. To the right of the role, click the ellipsis (...).

  3. Select Revoke.

Copyright © 2010-2024 ForgeRock, all rights reserved.