--- title: Managed roles description: Managed roles are defined like any other managed object, and are granted to users through the relationships mechanism. A managed role can be granted manually, as a static value of the user's roles attribute, or dynamically, as a result of a condition or script. For example, a user might be granted a role such as sales-role dynamically, if that user is in the sales organization. component: pingidm version: 8.1 page_id: pingidm:objects-guide:managed-roles canonical_url: https://docs.pingidentity.com/pingidm/8.1/objects-guide/managed-roles.html keywords: ["Data Object Model", "Roles", "Relationships"] --- # Managed roles | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | For information about internal authorization roles, and how IDM controls authorization to its own endpoints, refer to [Authorization and roles](../auth-guide/authorization-and-roles.html). | *Managed roles* are defined like any other managed object, and are granted to users through the *relationships* mechanism. A managed role can be granted manually, as a static value of the user's `roles` attribute, or dynamically, as a result of a condition or script. For example, a user might be granted a role such as `sales-role` dynamically, if that user is in the `sales` organization. A user's `roles` attribute takes an array of *references* as a value, where the references point to the managed roles. For example, if user bjensen has been granted two roles (`employee` and `supervisor`), the value of bjensen's `roles` attribute would look something like the following: ```json "roles": [ { "_ref": "managed/role/employee", "_refResourceCollection": "managed/role", "_refResourceId": "employee", "_refProperties": { "_grantType": "", "_id": "bb399428-21a9-4b01-8b74-46a7ac43e0be", "_rev": "00000000e43e9ba7" } }, { "_ref": "managed/role/supervisor", "_refResourceCollection": "managed/role", "_refResourceId": "supervisor", "_refProperties": { "_grantType": "", "_id": "9f7d124b-c7b1-4bcf-9ece-db4900e37c31", "_rev": "00000000e9c19d26" } } ] ``` The `_refResourceCollection` is the container that holds the role. The `_refResourceId` is the ID of the role. The `_ref` property is a resource path that is derived from the `_refResourceCollection` and the URL-encoded `_refResourceId`. `_refProperties` provides more information about the relationship. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Some of the examples in this documentation set use client-assigned IDs (such as `bjensen` and `scarter`) for the user objects because it makes the examples easier to read. If you create objects using the admin UI, they are created with server-assigned IDs (such as `55ef0a75-f261-47e9-a72b-f5c61c32d339`). This particular example uses a client-assigned role ID that is the same as the role name. All other examples in this chapter use server-assigned IDs. Generally, immutable server-assigned UUIDs are used for all managed objects in production environments. |