A role mapping resource has the following properties:

enabled
(Boolean) Mappings that have enabled set to false are ignored when role mapping is performed.

metadata
(object) Additional metadata stored with the mapping. Within the metadata object, keys beginning with _ are reserved for system usage.

roles
(list of strings) The names of the roles that are granted to the users who match the mapping's rules.

rules
(object) The rules that determine which users should be matched by the mapping. A rule is a logical condition that is expressed by using a JSON DSL. The DSL supports the following rule types:

any
If any of its children are true, it evaluates to true.

all
If all of its children are true, it evaluates to true.

field
A single field condition, described below.

except
A single rule as an object. Only valid as a child of an all rule. If its child is false, the except is true.
The field
rule is the primary building block for a role mapping expression.
It takes a single object as its value and that object must contain a single
member with key F and value V. The field rule looks up the value of F
within the user object and then tests whether the user value matches the
provided value V.
The value specified in the field rule can be one of the following types:

| Type | Description |
|---|---|
| Simple String | Exactly matches the provided value. |
| Wildcard String | Matches the provided value using a wildcard. |
| Regular Expression | Matches the provided value using a Lucene regexp. |
| Number | Matches an equivalent numerical value. |
| Null | Matches a null or missing value. |
| Array | Tests each element in the array in accordance with the above definitions. If any of the elements match, the match is successful. |
The user object against which rules are evaluated has the following fields:

username
(string) The name by which the user is identified. For example, "username": "jsmith".

dn
(string) The Distinguished Name (LDAP DN) of the user, or null if it does not exist. For example, "dn": "cn=jsmith,ou=users,dc=example,dc=com".

groups
(list of strings) The groups to which the user belongs. For example, "groups": [ "cn=admin,ou=groups,dc=example,dc=com", "cn=esusers,ou=groups,dc=example,dc=com" ].

metadata
(object) Additional metadata for the user. For example, "metadata": { "cn": "John Smith" }.

realm
(object) The realm that authenticated the user. The only field in this object is the realm name. For example, "realm": { "name": "ldap1" }.
The groups field is multi-valued; a user can belong to many groups. When a field rule is applied against a multi-valued field, it is considered to match if at least one of the member values matches. For example, the following rule matches any user who is a member of the admin group, regardless of any other groups they belong to:

{ "field" : { "groups" : "admin" } }
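The evaluator below is an added example, not code from the original page or from the product it documents: it implements the rule DSL described above (any, all, except, field), the value types from the table, and the any-member semantics for multi-valued fields, against a constructed user object. Regular expressions written as /.../, dotted field paths such as realm.name, and Python's re and fnmatch standing in for Lucene matching are assumptions of this example.

```python
import re
from fnmatch import fnmatchcase

USER = {  # constructed sample user object with the fields described on this page
    "username": "jsmith", "dn": "cn=jsmith,ou=users,dc=example,dc=com",
    "groups": ["cn=admin,ou=groups,dc=example,dc=com", "cn=esusers,ou=groups,dc=example,dc=com"],
    "metadata": {"cn": "John Smith"}, "realm": {"name": "ldap1"},
}

def _lookup(user, path):
    """Fetch F from the user object; dotted paths (e.g. realm.name) are this example's assumption."""
    cur = user
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None                                   # a missing field behaves like null
        cur = cur[part]
    return cur

def _match_one(expected, actual):
    """Compare one rule value V against one scalar user value, per the table of value types."""
    if isinstance(expected, list):                        # Array: any element may match
        return any(_match_one(e, actual) for e in expected)
    if expected is None:                                  # Null: null or missing value
        return actual is None
    if not isinstance(expected, str):                     # Number: equal numeric value
        return not isinstance(actual, str) and actual == expected
    if not isinstance(actual, str):
        return False
    if len(expected) > 1 and expected[0] == expected[-1] == "/":
        # Regular expression written /.../; Python's re (anchored) stands in for Lucene regexp
        return re.fullmatch(expected[1:-1], actual) is not None
    if "*" in expected or "?" in expected:                # Wildcard string (fnmatch approximates Lucene)
        return fnmatchcase(actual, expected)
    return actual == expected                             # Simple string: exact match

def evaluate(rule, user):
    """Evaluate a rules object (any / all / field / except) against a user object."""
    (kind, value), = rule.items()
    if kind == "any":
        return any(evaluate(r, user) for r in value)
    if kind == "all":
        return all(evaluate(r, user) for r in value)
    if kind == "except":                                  # only meaningful as a child of "all"
        return not evaluate(value, user)
    if kind == "field":
        (name, expected), = value.items()
        actual = _lookup(user, name)
        members = actual if isinstance(actual, list) else [actual]
        return any(_match_one(expected, m) for m in members)   # multi-valued: any member matches
    raise ValueError(f"unknown rule type: {kind}")
```

Because a plain string is an exact match, a rule against DN-valued groups like the ones above must name the full DN or use a wildcard such as "cn=admin,*"; combining all with except is how a mapping grants a role to members of one group while excluding members of another.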
For additional realm-specific details, see Mapping Users and Groups to Roles.