Add Roles and Permissions
Add Role-Based Access Control (RBAC) for organisations and users within an ecosystem. Define Authorisation Domain Roles, granting permissions to chosen participants within by using Role Metadata.
For more explanation on how to successfully model an ecosystem/federation to fully reflect its needs and requirements, see the Modeling Ecosystems article.
- Authorisation Domain available and configured within the platform. Add Authorisation Domain if there is not one available already.
- Access Token with Write Access and with the directory:website scope - if you want to create or manage Authorisation Domain Roles and their Metadata using Connect's APIs.
Authorisation Domain Roles can be created only for an already existing authorisation domain. A role cannot exist by itself -- it needs to be associated with a domain.
Select Reference Data > Domains and Roles.
Using the dropdown button, expand an Authorisation Domain for which you want to add a role.
Select + Add Role.
Fill in all the required fields and save.
Field Name | Description |
Authorisation Domain Name | Common name of the issuing Authorisation Domain |
Authorisation Domain Role Name | Name of the role |
Authorisation Domain Role Type | Type of the Authorisation Domain Role Federation: Defining how an organisation client application's software statement is presented to the broader ecosystem. Federation roles influence the interaction pattern between the client application and the ecosystem. It shapes the client endpoint behavior and its relations with Authorisation Servers. Directory: Directory roles determine the manner in which an organisation's client applications communicate with the Connect's APIs. Modifications to Directory roles are applied across all client applications registered within a framework. |
Is this role exclusive? | Controls whether an organisation can have other roles assigned. If an organisation has an exclusive role assigned, it cannot have any other role assigned. |
Description | Description of the Authorisation Domain Role |
Field Name | Field description |
Authorisation Domain Role Name | Enter the authorisation domain role name |
Type* | Type of the authorisation domain role metadata |
Name* | Name of the authorisation domain role metadata |
Select Reference Data > Authorisation Domains and Roles.
Using the dropdown button, expand an Authorisation Domain for which you want to configure a role by defining its metadata.
Select the role for which you wish to add metadata.
Select Authorisation Domain Roles Metadata in the left navigation tree.
Select New Authorisation Domain Role Metadata.
Fill in the fields:
- Type: the type of the role metadata:
- claim: Specific pieces of information requested by organisation's client applications to be included within the requested access and/or ID tokens to convey information about the client, user, or authentication event. Example: name, family_name
- claim_in_verified_claims: Specific and verified pieces of information requested by organisation's client applications to be included within the requested access and/or ID tokens to convey information about the client, user, or authentication event. Verified claims differ from regular claims by enabling strong assurance of a claim according to the OpenID Connect Specification for Identity Assurance. For example of how verified claims look like, see the OIDC for Identity Assurance specification section #5.
- scope: OAuth access scope are used by client applications to specify the access scopes the client requests from the authorisation server. It is considered a best practice to always limit the scopes requested only to the absolute necessary ones for security purposes. If you are adding metadata to a role of the directory type and wish to enable client applications to access Connect's APIs, Raidiam's OAuth Authorisation Server accepts three values: directory:website, directory:software, and directory:admin. Within Connect, all client applications are by default assigned the directory:software scope to enable them to access the platform's APIs.
- response_type: Determines the response type the client application expects while making requests to the Authorisation Server's /authorization and /token endpoints. One of: code, code token, code id_token, id_token token, code id_token token For more information about response types and their detailed descriptions, see the OAuth 2.0 Multiple Response Type Encoding Practices specification section #5.
- grant_type: Specifies the OAuth grant type (flow) the client application uses while requesting authorisation from the user or token from the authorisation server. If you are adding metadata to a role of the directory type and wish to enable client applications to access Connect's APIs, Raidiam's OAuth Authorisation Server accepts two values: authorization_code, or client_credentials. Within Connect, all client applications are by default assigned the client_credentials flow to enable them to access the platform's APIs.
- is_resource_server: Specifies whether the client application represents a resource server or not. One of: true, false
- authorization_details_type: Enables client applications to specify their fine-grained authorization requirements while using the OAuth 2.0 Rich Authorization Requests (RAR) grant type. Example: payments, accounts
- Name: Defines the name/value of the field. Example for grant_type: authorization_code
Save new role metadata.
For security purposes, Raidiam enables Global Administrators only to soft-delete Authorisation Domain Roles by disabling them.
You can disable an Authorisation Domain Role by selecting the Disable button (access forbidden sign under Actions) or by using the Update Authorisation Domain Role and setting the role's status to inactive.
Raidiam Connect allows organisations to integrate with the following APIs for Authorisation Domain Management:
For Metadata, you can integrate with the following APIs:
Assign roles to organisations.