---
title: Map external groups to internal authz roles
description: A user's access to Advanced Identity Cloud is based on one or more authorization roles. Authorization roles are cumulative, and are calculated for a user in the following order:
component: pingoneaic
page_id: pingoneaic:idm-objects:groups-and-access-to-idm
canonical_url: https://docs.pingidentity.com/pingoneaic/idm-objects/groups-and-access-to-idm.html
keywords: ["Data Object Model", "Roles", "Groups", "Authorization"]
---

# Map external groups to internal authz roles

A user's access to Advanced Identity Cloud is based on one or more [*authorization roles*](roles.html). Authorization roles are cumulative, and are calculated for a user in the following order:

1. Roles set specifically in the user's `userRoles` property

2. Group roles — based on group membership in an external system

   Group roles are controlled with the following properties in the authentication configuration (you can manage the authentication configuration over REST at the `config/authentication` endpoint):

   * `groupMembership`: the property on the external system that represents group membership. In a DS directory server, that property is `ldapGroups` by default. In an Active Directory server, the property is `memberOf` by default. For example:

     ```json
     "groupMembership" : "ldapGroups"
     ```

     Note: The value of the `groupMembership` property must be the ICF property name defined in the provisioner file, rather than the property name on the external system. For more information on the attributes in connectors, refer to [Connector objects and properties](https://docs.pingidentity.com/openicf/connector-reference/configure-connector.html#object-extensions-ui).

   * `groupRoleMapping`: a mapping between an IDM role and one or more groups on the external system. When this property is set, a user who authenticates through pass-through authentication is granted each mapped IDM role whose group list contains one of the user's groups on the external system. Because membership in a mapped group is sufficient to obtain the role, anyone who can change the membership of a group mapped to `openidm-admin` can effectively grant themselves that role; restrict write access to those groups accordingly. In the following example, users who are members of the group `cn=admins,ou=Groups,dc=example,dc=com` are given the internal `openidm-admin` role when they authenticate:

     ```json
     "groupRoleMapping" : {
         "internal/role/openidm-admin" : ["cn=admins,ou=Groups,dc=example,dc=com"]
     }
     ```

   * `groupComparisonMethod`: the method used to check whether the authenticated user's group membership matches one of the groups mapped to an IDM role (in the `groupRoleMapping` property).

     The `groupComparisonMethod` can be one of the following:

     * `equals`: a case-sensitive equality check

     * `caseInsensitive`: a case-insensitive equality check

     * `ldap`: a case-insensitive and whitespace-insensitive equality check. LDAP directories treat DNs as case- and whitespace-insensitive, so the group DN a directory returns (for example, `CN=Admins, OU=Groups, DC=example, DC=com`) need not match the string in `groupRoleMapping` character for character. If you use pass-through authentication with an LDAP directory, set `groupComparisonMethod` to `ldap`; with `equals` or `caseInsensitive`, such a DN fails to match and the mapped role is silently not granted.
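
The following is an added, stand-alone model of how the three properties above combine, not code from the Ping Identity documentation or from the IDM code base. It evaluates a constructed authentication config fragment against a constructed user record of the kind returned by pass-through authentication, and shows the difference the comparison method makes. The exact normalization IDM applies for the `ldap` method is an assumption here (lower-casing and removing whitespace around the `=` and `,` separators of each RDN; escaped characters are not handled), as are the group names and the `openidm-authorized` mapping.

```javascript
// Added example (not from the Ping Identity docs or the IDM code base): a
// stand-alone model of how groupMembership, groupRoleMapping and
// groupComparisonMethod combine into a user's cumulative authorization roles.

// Constructed authentication config fragment (hypothetical group names).
const authConfig = {
  groupMembership: "memberOf", // ICF property name as defined in the provisioner
  groupRoleMapping: {
    "internal/role/openidm-admin": ["cn=admins,ou=Groups,dc=example,dc=com"],
    "internal/role/openidm-authorized": [
      "cn=staff,ou=Groups,dc=example,dc=com",
      "cn=contractors,ou=Groups,dc=example,dc=com"
    ]
  },
  groupComparisonMethod: "ldap"
};

// Normalize a DN so that case and whitespace around RDN separators are
// ignored. Assumption: IDM's own "ldap" normalization may differ in detail;
// this is not full RFC 4517 DN matching (escaped commas are not handled).
function normalizeLdapDn(dn) {
  return dn
    .split(",")
    .map((rdn) => rdn.split("=").map((part) => part.trim().toLowerCase()).join("="))
    .join(",");
}

// Return the equality check for the configured groupComparisonMethod.
function comparator(method) {
  switch (method) {
    case "equals":
      return (a, b) => a === b;
    case "caseInsensitive":
      return (a, b) => a.toLowerCase() === b.toLowerCase();
    case "ldap":
      return (a, b) => normalizeLdapDn(a) === normalizeLdapDn(b);
    default:
      // Fail closed: an unrecognised method must never grant a role.
      throw new Error(`unknown groupComparisonMethod: ${method}`);
  }
}

// Cumulative roles: userRoles first, then every mapped role whose group list
// contains one of the groups read from the user's groupMembership property.
function effectiveRoles(config, user) {
  const roles = new Set(user.userRoles || []);
  const same = comparator(config.groupComparisonMethod);
  const groups = user[config.groupMembership] || [];
  for (const [role, mappedGroups] of Object.entries(config.groupRoleMapping)) {
    if (groups.some((g) => mappedGroups.some((m) => same(g, m)))) {
      roles.add(role);
    }
  }
  return [...roles].sort();
}

// Constructed user record: the directory reports the group DN with upper-case
// attribute types and a space after each comma, which is legal for LDAP.
const alice = {
  userRoles: ["internal/role/openidm-authorized"],
  memberOf: ["CN=Admins, OU=Groups, DC=example, DC=com"]
};

// With "ldap" the DN matches and Alice also receives openidm-admin.
console.log(effectiveRoles(authConfig, alice));
// With "equals" (or "caseInsensitive") the same DN does not match, so Alice
// keeps only her userRoles: a silent miss, not a privilege grant.
console.log(effectiveRoles({ ...authConfig, groupComparisonMethod: "equals" }, alice));
```

Note that the mismatch with `equals` fails closed: the user simply does not get the role, which is safe but easy to misdiagnose as a directory problem. The check worth adding in a test environment is a user who is in the admin group but whose DN is reported in a different case or spacing than the string in `groupRoleMapping`.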

Note: To control access to *external systems*, use *provisioning roles* and assignments, as described in [Use assignments to provision users](working-with-role-assignments.html).
