Role mapping

Identity Service adopts the role and group assignments of users from the configured identity provider and makes them available as roles in the account information. By calling the "Self" endpoint /identity/account/self, you can check the assigned roles for the currently logged-in user.

Trusted services can query the roles via the Identity Service and grant or deny access to features accordingly.

Trusted services that evaluate role information of users include components of the following con terra Technologies products:

map.apps, for access to the map.apps Manager, apps and tools.
map.apps SDI, for access to saved app states.
service.monitor, for access to administrative functions and job management.
smart.finder, for access to administrative functions and the search index.
smart.finder SDI, for controlling access to metadata and its management.
security.manager OGC, for defining policies to protected services.

For example, to gain access to the map.apps Manager, users must be assigned to the maAdmin role. In security.manager OGC, you can reference roles when granting access rights to layers.

The roles that the Identity Service transmits for users to trusted services are derived from role and group assignments made in the respective identity provider. The following sections describe how the Identity Service translates these assignments into roles.

ArcGIS Enterprise Portal and ArcGIS Online

The role mapping described here applies when you have configured ArcGIS Enterprise Portal or ArcGIS Online as the identity provider in the Identity Service. Identity Service translates both roles and groups assigned to an ArcGIS account into roles for users.

Read the following sections to learn the rules by which this translation takes place and how you can customize it.

Roles

In ArcGIS Enterprise Portal and ArcGIS Online, users are assigned to a single role. This role is translated as follows:

Role Roles in Identity Service Description

Role	Roles in Identity Service	Description
`org_admin`	`maAdmin`, `solrAdmin`, `mon_Administrator`, `tc_Administrator`	Users with administrative rights in ArcGIS Enterprise Portal and ArcGIS Online automatically receive administrative rights in map.apps, smart.finder, service.monitor and smart.finder SDI through the translation to all mentioned role names.
`org_publisher`	`maEditor`	Publishers are always assigned to the `maEditor` role and thus receive editorial rights in map.apps.
`roleX`	`roleX`	All other roles are adopted without changes.

org_admin

maAdmin, solrAdmin, mon_Administrator, tc_Administrator

Users with administrative rights in ArcGIS Enterprise Portal and ArcGIS Online automatically receive administrative rights in map.apps, smart.finder, service.monitor and smart.finder SDI through the translation to all mentioned role names.

org_publisher

maEditor

Publishers are always assigned to the maEditor role and thus receive editorial rights in map.apps.

roleX

All other roles are adopted without changes.

Groups

In ArcGIS Enterprise Portal and ArcGIS Online, users can belong to multiple groups. The Identity Service also translates these groups into roles. Since different users can create groups with the same title, Identity Service translates groups into a unique role name of the form <group title>::<owner>.

Examples of translating groups into roles
Group	Role in Identity Service
`Forest` (Owner: `user1`)	`Forest::user1`
`Water` (Owner: `user2`)	`Water::user2`

Organization

If the ArcGIS Online account belongs to an organization, the domain name of the organization is translated into a role.

Example: myorganization.maps.arcgis.com

Customize mapping

If needed, you can customize the translation of roles and groups in ArcGIS Enterprise Portal and ArcGIS Online to roles in the Identity Service using the configuration parameter security.oauth.provider.arcgis.roles in the Identity Service.

Keycloak

When you have configured Keycloak as the identity provider in the Identity Service, Identity Service adopts the role names assigned to users in Keycloak. However, you must share the roles in Keycloak via a "Mapper" for the Client ID of the Identity Service.

The following section describes an example of how to create a "maAdmin" role in Keycloak so that it is adopted by the Identity Service.

Setting up roles in Keycloak

Adding roles

Create a role in Keycloak as follows:

Select Clients.
Select identity-service from the list of clients.
Navigate to the Roles tab in the identity-service client view.
Add the role maAdmin, for example, by clicking on Create role.

Creating a mapper

The Identity Service uses the User Information endpoint of Keycloak to query user roles. By creating a mapper, you ensure that the previously created roles are also returned when accessing this endpoint.

Proceed as follows to create a mapper:

Navigate to the Client scopes view.
Click on the roles entry of the OpenID Connect protocol.
In the following Roles view, switch to the Mappers tab.
Click > Add mapper > By configuration > User Client Role.
Now use the following settings for the new mapper:
- Name: identity-service client role mapper
- Client ID: Select identity-service from the client list.
- Client Role prefix: Leave this field empty.
- Multivalued: ON
- Token Claim Name: roles
- Claim JSON Type: String
- Add to userinfo: ON
Click on Save.

Assigning roles

To add roles to a user, proceed as follows:

Click on Users in the Keycloak navigation.
Select a user. The user’s detail page is displayed.
Switch to the Role mapping tab.
Click on the Assign role button and then on Client roles.
Select from the displayed roles those roles that should be assigned to the user (e.g. maAdmin).
Click on Assign.

A message about the successful update should be displayed. The assigned role should be visible in the user’s role list.

Customize role mapping

If needed, you can customize the translation of roles in Keycloak to roles in the Identity Service using the configuration parameter security.oauth.provider.keycloak.roles in the Identity Service.