---
title: Managed roles
description: Managed roles are intended to be collections of assignments for easier provisioning.
component: pingoneaic
page_id: pingoneaic:idm-objects:managed-roles
canonical_url: https://docs.pingidentity.com/pingoneaic/idm-objects/managed-roles.html
keywords: ["Data Object Model", "Roles", "Relationships", "Assignments"]
---

# Managed roles

*Managed roles* are intended to be collections of assignments for easier provisioning.

|   |                                                                                                                                                                     |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | For information about roles, and how IDM controls authorization to its own endpoints, refer to [Authorization and roles](../idm-auth/authorization-and-roles.html). |

*Managed roles* are defined like any other managed object, and are granted to users through the *relationships* mechanism. A managed role can be granted manually, as a static value of the user's `roles` attribute, or dynamically, as a result of a condition or script. For example, a user might be granted a role such as `asia-sales-role` dynamically, if a user in the `sales` organization is located in Asia region.

A user's `roles` attribute takes an array of *references* as a value, where the references point to the managed roles. For example, if user bjensen has been granted two roles (`employee` and `supervisor`), the value of bjensen's `roles` attribute would look something like the following:

```json
"roles": [
  {
    "_ref": "managed/realm-name_role/employee",
    "_refResourceCollection": "managed/realm-name_role",
    "_refResourceId": "employee",
    "_refProperties": {
      "_grantType": "",
      "_id": "bb399428-21a9-4b01-8b74-46a7ac43e0be",
      "_rev": "00000000e43e9ba7"
    }
  },
  {
    "_ref": "managed/realm-name_role/supervisor",
    "_refResourceCollection": "managed/realm-name_role",
    "_refResourceId": "supervisor",
    "_refProperties": {
      "_grantType": "",
      "_id": "9f7d124b-c7b1-4bcf-9ece-db4900e37c31",
      "_rev": "00000000e9c19d26"
    }
  }
]
```

The `_refResourceCollection` container holds each role. The `_refResourceId` is the ID of the role. The `_ref` property is a resource path that is derived from the `_refResourceCollection` and the URL-encoded `_refResourceId`. `_refProperties` provides more information about the relationship.