Identity Cloud

Assign roles to users dynamically

This page is a work in progress and isn’t available for general use. It hasn’t been validated for accuracy and is subject to change at any time.

You are here


Estimated time to complete: 10 minutes

In the previous use case, you created two users and a role and then assigned the role users to the users. In this use case, you are going to:

  • Assign an inactive status to one of the users

  • Add a condition to the role so that it applies only to active users


After completing this use case, you will know how to:

  • Change the properties of a user

  • Add a condition to a role

Example scenario

Pat knows that roles can be used to give users access to applications and grant privileges. Pat wants to understand how to assign users to a role dynamically based on their user profile. Pat wants to configure a role with a condition and confirm that the role is assigned dynamically only to users that meet the condition.


Before you start, make sure you have:

  • A basic understanding of these ForgeRock concepts:

    • Identity Cloud admin UI

    • Identity Cloud End User UI

  • Completed the use case in Create users and roles


Task 1: Assign an inactive status to a user

In this task, you select one of the users you created in Create users and roles and change their status to inactive.

  1. In the Identity Cloud admin UI, go to people Identities > Manage > people Alpha realm - Users.

  2. Click on the user acruse.

  3. On the user details page, change the Status from the default value active to inactive and save the change.

Task 2: Add a condition to a role

In this task, you create a condition so that the role applies only to active users.

  1. In the Identity Cloud admin UI, go to people Identities > Manage > assignment_ind Alpha Realm - Roles.

  2. Click on the employee role and then click on Settings.

    role settings
  3. In the Condition panel, click on Set up to create the following condition for the role and save the condition:

    Field Value

    A conditional filter for this role


    Assign to alpha_user if Any keyboard_arrow_down conditions are met


    Alpha_user properties keyboard_arrow_down


    contains keyboard_arrow_down




    role condition
  4. (Optional) Click on add Add Rule to add another condition and take a moment to browse the other conditions that can apply to roles.

Check in

At this point, you:

Made a user inactive

Added a condition to a role


In Create users and roles, you created the employee role and manually assigned it to braman and acruse. To validate this use case, make sure the role is no longer assigned to acruse.

  1. In the Identity Cloud admin UI, go to people Identities > Manage > Role Members.

  2. Make sure braman is in the list but acruse is not.

  3. Change the status of braman to inactive and acruse to active, then make sure acruse is in the list but braman is not.

What’s next?

The users in Pat’s organization vary by type; some users are contractors and some are employees. In the next use case, Pat creates organizations to administer different types of user.

Explore further

Reference material

Reference Description


Information about roles

Grant roles dynamically

Information about how to assign roles over REST

Copyright © 2010-2023 ForgeRock, all rights reserved.