Map User Roles
Mapping user roles is the process of relating user attributes sent by an external Identity Provider (IdP) to the corresponding roles in the Digital.ai Platform console. It lets you reuse the roles or group memberships already defined in your company's IdP to assign the correct role membership in the Digital.ai Platform automatically, so that access is governed in one place.
To achieve this, user role mappers are created within the Identity Provider configuration. Each mapper examines a claim in the user's token (for example, a role or group attribute) and assigns a specific Platform role when the claim matches. For example, suppose your IdP is configured and defines a role called System Administrator. This document shows how to grant the Platform's account-admin role to users who already hold the System Administrator role in your IdP. Once the mapping is configured, users who sign in through the IdP with the System Administrator role are automatically assigned the account-admin role in the Platform.
A common scenario is an organization that wants to manage user roles centrally in its corporate IdP. Mappers ensure that IdP roles translate correctly into Platform permissions, and that the Platform does not become a second, independently maintained source of who is an administrator.
You must already have an IdP configured for your organization. To configure one, follow the steps in Configure IDP.
To Map User Roles
To map user roles, follow these steps:
- On the Mappers page, click the Add dropdown and click Mapper.
- In Name, enter something descriptive, such as `allAdmins mapper`.
- Leave Sync Mode as INHERIT.
  Sync Mode controls whether a change to a user's attributes in your IdP causes an update to the Platform user on later logins:
  - FORCE always updates the Platform user when there is a change in your IdP.
  - IMPORT never updates the Platform user after they are created the first time, regardless of changes in your IdP. Note that with IMPORT, removing a user from an IdP group does not remove the Platform role that group granted; the role stays until it is changed in the Platform.
  - INHERIT uses the value configured on the Advanced config page of this IdP connection.
- In Mapper Type, choose Advanced Claim to Role.
- In New Key, enter `groups`.
  `groups` is not a fixed value; it is the name of the claim that carries group membership in the token, and it depends on what your IdP sends. Use the claim name your IdP actually emits.
- In New Value, enter `allAdmins` (the name of the group as it comes from the IdP; it must match the value the IdP sends).
- In Select Role, choose `account-admin` (the Platform role that members of this group should receive).
- Click Add mapper.
- Repeat these steps, adding one mapper for each IdP group that you want to map to a Platform role.
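The following Python model is an added example and is not the Digital.ai Platform's code. It mirrors the rules described in the steps above: a mapper matches when the claim named by New Key contains the value in New Value (a claim holding a list of groups matches if any element is equal; exact, case-sensitive comparison is assumed), and Sync Mode decides whether a later login changes the roles a user already holds. The token claims, the mapper named `legacy mapper`, and the default used when INHERIT is resolved are constructed for illustration.

```python
"""Model of Advanced Claim to Role mappers plus Sync Mode handling.

Added example; it is NOT the Platform's implementation, only a model of
the behaviour the procedure describes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ClaimToRoleMapper:
    """One mapper as entered in the UI: Name, New Key, New Value, Select Role."""
    name: str
    claim_key: str    # the claim the IdP actually sends, e.g. "groups"
    claim_value: str  # the group/role name to match, e.g. "allAdmins"
    role: str         # the Platform role to grant, e.g. "account-admin"


def roles_from_claims(claims: Dict[str, object],
                      mappers: List[ClaimToRoleMapper]) -> Set[str]:
    """Return the Platform roles the mappers grant for one token's claims.

    A list-valued claim matches when any element equals the mapper's value;
    a scalar claim must equal it exactly. Matching is case-sensitive
    (assumption), so "AllAdmins" does not match "allAdmins". A mapper whose
    claim is absent from the token never fires.
    """
    granted: Set[str] = set()
    for m in mappers:
        value = claims.get(m.claim_key)
        if value is None:
            continue  # IdP did not send that claim at all
        values = value if isinstance(value, list) else [value]
        if m.claim_value in values:
            granted.add(m.role)
    return granted


def apply_sync_mode(existing: Optional[Set[str]], mapped: Set[str],
                    mode: str, inherited: str = "FORCE") -> Set[str]:
    """Decide which mapper-managed roles the Platform user ends up with.

    existing:  roles held from earlier logins (None on first login).
    mapped:    roles the mappers produce from the current token.
    mode:      FORCE, IMPORT or INHERIT as set on the mapper.
    inherited: what INHERIT resolves to, i.e. the mode on the IdP's
               Advanced config page (constructed default for this example).
    """
    if mode == "INHERIT":
        mode = inherited
    if existing is None or mode == "FORCE":
        return set(mapped)  # first login, or IdP changes always win
    if mode == "IMPORT":
        return set(existing)  # never updated after first login
    raise ValueError(f"unknown sync mode {mode!r}")


# Constructed sample token claims, as an IdP might send after login.
SAMPLE_CLAIMS: Dict[str, object] = {
    "sub": "u-1001",
    "email": "alice@example.com",
    "groups": ["allAdmins", "platform-users"],
}

MAPPERS = [
    ClaimToRoleMapper("allAdmins mapper", "groups", "allAdmins", "account-admin"),
    ClaimToRoleMapper("users mapper", "groups", "platform-users", "account-user"),
    # Hypothetical mapper keyed on a claim this IdP does not send: it never fires.
    ClaimToRoleMapper("legacy mapper", "roles", "System Administrator", "account-admin"),
]


def demo() -> Dict[str, Set[str]]:
    """First login, then a later login after the user left allAdmins in the IdP."""
    first_login = roles_from_claims(SAMPLE_CLAIMS, MAPPERS)
    later_claims = {**SAMPLE_CLAIMS, "groups": ["platform-users"]}
    remapped = roles_from_claims(later_claims, MAPPERS)
    return {
        "first_login": first_login,
        "force": apply_sync_mode(first_login, remapped, "FORCE"),
        "import": apply_sync_mode(first_login, remapped, "IMPORT"),
        "inherit_as_import": apply_sync_mode(first_login, remapped, "INHERIT",
                                             inherited="IMPORT"),
    }


if __name__ == "__main__":
    for label, roles in demo().items():
        print(f"{label}: {sorted(roles)}")
```

The `demo()` run shows the practical difference between the modes: under FORCE the user loses `account-admin` as soon as the IdP stops sending the `allAdmins` group, whereas under IMPORT (directly or via INHERIT) the user keeps it, so revocations made in the IdP are not reflected in the Platform.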
In the Select Role dropdown, the following Platform roles are available for assignment in a mapper:
- `account-admin`: Grants full administrative access to the account. Users with this role can manage users and roles, configure account settings, and perform high-level administrative tasks across all applications. Map only IdP groups whose membership is tightly controlled to this role.
- `account-analytics-author`: Provides access to analytics dashboards and the ability to create or modify reports.
- `account-application-admin`: Provides admin-level access to manage applications under the account.
- `account-service`: A special service-level role used for automated systems or backend services. Users with this role can authenticate as service accounts and access APIs or services according to their assigned scopes.
- `account-user`: The default role for regular users. Users with this role can log in to the system, access the features and services permitted by the account's policy, and view their own data or perform user-level tasks.
Summary Page
On the Summary page, review the configuration details of the mapper you have created.