---
title: Roles and assignments
description: Roles and assignments let you create an entitlements structure that fits the needs of each realm in PingOne Advanced Identity Cloud.
component: pingoneaic
page_id: pingoneaic:identities:roles-assignments
canonical_url: https://docs.pingidentity.com/pingoneaic/identities/roles-assignments.html
keywords: ["Identities", "Roles", "Assignments", "User Profiles", "Provisioning"]
page_aliases: ["pingoneaic::concepts-roles-assignments.adoc"]
section_ids:
  roles: Roles
  internal_roles: Internal roles
  external_roles: External roles
  assignments: Assignments
  assignment_linked_to_role: Assignment linked to role
  assignment_mapped_to_attribute: Assignment mapped to attribute
  how_provisioning_works: How provisioning works
---

# Roles and assignments

[Roles](#roles) and [assignments](#assignments) let you create an entitlements structure that fits the needs of each [realm](../realms/alpha-bravo-realms.html) in PingOne Advanced Identity Cloud.

Identity architects usually build the entitlements structure, and can also use the [admin console](manage-object-types.html) to put more complex entitlements in place.

Once your entitlements structure is in place, you can use the Advanced Identity Cloud admin console to:

* Add new user profiles, device profiles, or roles

* Add assignments to roles

* Make changes to existing user profiles, device profiles, roles, or assignments

* Provision identities with role-based permissions

## Roles

Roles define privileges for user and device identities. Roles let you automatically update privileges in numerous identity profiles. All role members receive the same permissions you've defined for the role. When you change the privileges for that role, you change the permissions for all role members.

When you add a role to an identity profile, the user or device becomes a member of the role. A user or device can belong to many roles.

A role won't work until you link it to at least one [assignment](#assignments). During the authorization process, Advanced Identity Cloud evaluates permissions based on:

* Roles a user or device belongs to

* Assignments attached to their roles

![binaandsam2](_images/binaandsam2.png)

### Internal roles

Internal roles, also called *authorization roles*, control access to your identity platform. You use internal roles to authorize administrators to manage your tenant or identities contained in it.

### External roles

External roles, also called *provisioning roles*, give users and devices the permissions they need to access apps and services. You use external roles to let employees access intranet applications. You can also use external roles to let your customers and their end users access web services and mobile apps in your tenant.

## Assignments

You create an assignment when you want to give a user or device permission to access a *resource* they need to do a job. A resource might be any application or service, data contained in a document or a database, or a device such as a printer or cell phone.

An assignment won't work without a role. A role-assignment relationship is not fully formed until you do two things:

### Assignment linked to role

Link an assignment to a [role](#roles). Advanced Identity Cloud grants the permissions defined in the assignment to all members of the linked role.

### Assignment mapped to attribute

Map your tenant assignment to an attribute stored in an external system. An external system can be, for example, an intranet Reporting App with its own database of user accounts.

![map2app2](_images/map2app2.png)

In this illustration, Bina's Accountant II role links to three assignments. During data store sync, Advanced Identity Cloud provisions her Reporting App user account based on assignment-attribute mappings:

| Mapping From Assignment Attribute | Mapping To Reporting App | Description and Provisioning Outcome                                                                                                                      |
| --------------------------------- | ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Assignments: Reporting App        | UserName                 | The mapping sets the value of Bina's Name ("Bina Raman") in the UserName attribute in the Reporting App. This gives Bina access to the app itself.        |
| Assignments: Operations Reports   | Reports: Operations      | The mapping adds the value "Operations" to the Reports attribute in the Reporting App. This gives Bina access to Operations reports in the Reporting App. |
| Assignments: Sales Reports        | Reports: Sales           | The mapping adds the value "Sales" to the Reports attribute in the Reporting App. This gives Bina access to Sales reports.                                |

You can create any number of assignments in your tenant. You can link an assignment to one or more [external roles](#external_roles). You cannot link assignments to [internal roles](#internal_roles).

## How provisioning works

When you add a user or device to a role, Advanced Identity Cloud updates the user or device profile with the role information. The update gives, or *provisions*, the user or device with the permissions that come with the [role](#roles) and its [assignments](#assignments).

Here's a simple entitlement schema example:

* Roles

  Accountant-I\
  Accountant-II

* Accountant-I Assignments

  Reporting App\
  Operations Reports

* Accountant-II Assignments

  Reporting App\
  Operations Reports\
  Sales Reports

Sam and Bina are co-workers. Their identity profiles are provisioned with permissions based on the entitlements schema example.

* Sam is a member of the Accountant I role.\
  The Accountant I role assignments give Sam permission to use the Reporting app to access only Operations Reports.

* Bina is a member of the Accountant II role.\
  The Accountant II role assignments give Bina permission to use the Reporting app to access both Operations Reports and Sales Reports.

|   |                                                                                                                                                                                                                                                  |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | For a deep dive, learn more in the following documents:* [Managed objects](../idm-objects/managed-objects.html)

* [Roles](../idm-objects/roles.html)

* [Use assignments to provision users](../idm-objects/working-with-role-assignments.html) |