---
title: Roles
description: The managed role object is a default managed object type that uses the relationships mechanism. You should understand how relationships work before you read about IDM roles.
component: pingidm
version: 8.1
page_id: pingidm:objects-guide:roles
canonical_url: https://docs.pingidentity.com/pingidm/8.1/objects-guide/roles.html
keywords: ["Data Object Model", "Roles", "Relationships"]
section_ids:
  role-types: IDM role types
---

# Roles

The managed *role* object is a default managed object type that uses the [relationships](relationships.html) mechanism. You should understand how relationships work before you read about IDM roles.

## IDM role types

IDM supports two types of roles:

* *Provisioning roles*: used to specify how objects are provisioned to an external system.

  Provisioning roles are created as managed roles, at the context path `openidm/managed/role/role-name`, and are granted to managed users as values of the user's `roles` property.

* *Authorization roles*: used to specify the authorization rights of a managed object internally, within IDM.

  Authorization roles are created as internal roles, at the context path `openidm/internal/role/role-name`, and are granted to managed users as values of the user's `authzRoles` property.

Provisioning roles and authorization roles use [relationships](relationships.html) to link the role to the managed object to which it applies. Authorization roles can also be granted statically, during authentication, with the `defaultUserRoles` property.

For more information, refer to [Authentication and roles](../auth-guide/authentication-and-roles.html).
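The split between the two role types can be checked on exported user data. The following Python is an added example, not part of the IDM documentation or product code: it lists each user's effective provisioning and authorization roles, including static `defaultUserRoles` grants, and flags references stored under the wrong property. It assumes each relationship value is an object with a `_ref` path relative to the `openidm/` context root and that `defaultUserRoles` entries use the same path form; the function names and sample users are constructed.

```python
"""Audit role grants on exported IDM managed user objects (constructed sample data)."""

# Resource paths from the page, relative to the "openidm/" context root.
EXPECTED_PREFIX = {
    "roles": "managed/role/",        # provisioning roles
    "authzRoles": "internal/role/",  # authorization roles
}


def normalize(ref):
    """Strip a leading slash and the 'openidm/' context root from a reference."""
    ref = ref.strip().lstrip("/")
    return ref[len("openidm/"):] if ref.startswith("openidm/") else ref


def audit_user(user, default_user_roles=()):
    """Return (effective, findings) for one managed user.

    effective: role references per property, including static defaultUserRoles.
    findings:  references whose path does not match the property holding them.
    """
    effective = {"roles": [], "authzRoles": []}
    findings = []
    for prop, prefix in EXPECTED_PREFIX.items():
        for rel in user.get(prop) or []:
            # Assumption: each relationship value is an object with a "_ref" key.
            ref = normalize(rel.get("_ref", "")) if isinstance(rel, dict) else ""
            if ref.startswith(prefix) and len(ref) > len(prefix):
                effective[prop].append(ref)
            else:
                findings.append((user.get("userName"), prop, ref or "<missing _ref>"))
    # Static grants apply at authentication and never show up as relationships.
    for ref in map(normalize, default_user_roles):
        if ref not in effective["authzRoles"]:
            effective["authzRoles"].append(ref)
    return effective, findings


# Constructed sample: one clean user, one with an internal role filed under "roles".
SAMPLE_USERS = [
    {"userName": "bjensen",
     "roles": [{"_ref": "managed/role/employee"}],
     "authzRoles": [{"_ref": "internal/role/openidm-admin"}]},
    {"userName": "scarter",
     "roles": [{"_ref": "internal/role/openidm-admin"}],
     "authzRoles": []},
]
DEFAULT_USER_ROLES = ["internal/role/openidm-authorized"]  # assumed static grant

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["userName"], *audit_user(u, DEFAULT_USER_ROLES))
```

Because static grants are applied during authentication, a review that reads only the `authzRoles` relationship undercounts a user's authorization roles; the audit merges both sources for that reason.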
