---
title: Map roles to external groups
description: A user's access to IDM is based on one or more authorization roles. Authorization roles are cumulative, and are calculated for a user in the following order:
component: pingidm
version: 8.1
page_id: pingidm:objects-guide:groups-and-access-to-idm
canonical_url: https://docs.pingidentity.com/pingidm/8.1/objects-guide/groups-and-access-to-idm.html
keywords: ["Data Object Model", "Roles", "Groups"]
---

# Map roles to external groups

A user's access to IDM is based on one or more *authorization roles*. Authorization roles are cumulative, and are calculated for a user in the following order:

1. Roles set specifically in the user's `userRoles` property

2. Group roles — based on group membership in an external system

   Group roles are controlled with the following properties in the authentication configuration (managed over REST at the `config/authentication` endpoint, or directly in the `conf/authentication.json` file):

   * `groupMembership`: the property on the external system that represents group membership. In a DS directory server, that property is `ldapGroups` by default. In an Active Directory server, the property is `memberOf` by default. For example:

     ```json
     "groupMembership" : "ldapGroups"
     ```

     Note that the value of the `groupMembership` property must be the ICF property name defined in the provisioner file, rather than the property name on the external system.

   * `groupRoleMapping`: a mapping between an IDM role and a group on the external system. Setting this property ensures that if a user authenticates through pass-through authentication, they are given specific IDM roles depending on their membership in groups on the external system. In the following example, users who are members of the group `cn=admins,ou=Groups,dc=example,dc=com` are given the internal `openidm-admin` role when they authenticate:

     ```json
     "groupRoleMapping" : {
         "internal/role/openidm-admin" : ["cn=admins,ou=Groups,dc=example,dc=com"]
     }
     ```

   * `groupComparisonMethod`: the method used to check whether the authenticated user's group membership matches one of the groups mapped to an IDM role (in the `groupRoleMapping` property).

     The `groupComparisonMethod` can be one of the following:

     * `equals`: a case-sensitive equality check

     * `caseInsensitive`: a case-insensitive equality check

     * `ldap`: a case-insensitive and whitespace-insensitive equality check. Because LDAP directories do not take case or whitespace into account when comparing group DNs, the DN a directory returns can differ in case or spacing from the DN in `groupRoleMapping`. With `equals` or `caseInsensitive` such a DN would not match and the user would not receive the mapped role, so set `groupComparisonMethod` to `ldap` if you are using pass-through authentication with an LDAP directory.
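
The following is an added example, not PingIDM's own code or an excerpt from the page, showing how the three properties combine into a user's cumulative roles and why the choice of `groupComparisonMethod` matters. The property names and the role-calculation order are the page's; the `authConfig` object shows only those three keys (the surrounding module structure is omitted), and the `normalizeDn`, `effectiveRoles` and `demo` functions, the exact normalisation applied for the `ldap` method, and the sample directory account are all assumptions made for illustration, not the product's implementation.

```javascript
// Added illustration (not PingIDM's own code) of how groupMembership,
// groupRoleMapping and groupComparisonMethod combine during pass-through
// authentication. The "ldap" normalisation below is an assumption that
// mirrors the page's description (ignore case and whitespace); it is not
// the product's DN-comparison implementation.

// Illustrative fragment of the three properties as they would appear in
// authentication.json; only these keys are shown.
const authConfig = {
  groupMembership: "ldapGroups",
  groupRoleMapping: {
    "internal/role/openidm-admin": ["cn=admins,ou=Groups,dc=example,dc=com"],
    "internal/role/openidm-authorized": ["cn=users,ou=Groups,dc=example,dc=com"],
  },
  groupComparisonMethod: "ldap",
};

// Assumed normalisation for the "ldap" method: lower-case the DN and drop
// whitespace around RDN separators and around the attribute/value '='.
function normalizeDn(dn) {
  return dn
    .split(",")
    .map((rdn) => rdn.trim().replace(/\s*=\s*/, "="))
    .join(",")
    .toLowerCase();
}

// One comparator per allowed groupComparisonMethod value.
const comparators = {
  equals: (a, b) => a === b,
  caseInsensitive: (a, b) => a.toLowerCase() === b.toLowerCase(),
  ldap: (a, b) => normalizeDn(a) === normalizeDn(b),
};

// Cumulative authorization roles in the order the page gives:
// 1. roles set directly in userRoles, then 2. roles granted by group membership.
function effectiveRoles(userRoles, externalAccount, config) {
  const compare = comparators[config.groupComparisonMethod];
  if (!compare) {
    throw new Error("unknown groupComparisonMethod: " + config.groupComparisonMethod);
  }
  // groupMembership names the ICF property on the external account object.
  const groups = externalAccount[config.groupMembership] || [];
  const roles = new Set(userRoles);
  for (const [role, mappedGroups] of Object.entries(config.groupRoleMapping)) {
    const isMember = mappedGroups.some((mg) => groups.some((g) => compare(g, mg)));
    if (isMember) roles.add(role);
  }
  return [...roles];
}

// Constructed sample: the directory returns the admins group DN with
// different case and spacing than the mapping uses.
const sampleAccount = {
  uid: "bjensen",
  ldapGroups: ["CN=Admins, OU=Groups, DC=example, DC=com"],
};

// Run the same account through each comparison method and return the roles
// each one grants, so the effect of the setting is visible side by side.
function demo() {
  const result = {};
  for (const method of ["equals", "caseInsensitive", "ldap"]) {
    result[method] = effectiveRoles([], sampleAccount, {
      ...authConfig,
      groupComparisonMethod: method,
    });
    console.log(method.padEnd(16), JSON.stringify(result[method]));
  }
  return result;
}

demo();
```

Only the `ldap` method grants `internal/role/openidm-admin` to the sample account; `equals` and `caseInsensitive` both reject the DN because of the spaces after the commas, which is the failure the page warns about.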

Note: To control access to *external systems*, use *provisioning roles* and assignments, as described in [Use assignments to provision users](working-with-role-assignments.html).
