---
title: Roles
description: Roles define privileges for user and device identities. Roles let you automatically assign and update privileges in numerous identity profiles. For further information about roles and assignments, refer to Roles and assignments.
component: pingoneaic
page_id: pingoneaic:idm-objects:roles
canonical_url: https://docs.pingidentity.com/pingoneaic/idm-objects/roles.html
keywords: ["Data Object Model", "Roles", "Relationships"]
section_ids:
  role-types: IDM role types
---

# Roles

Roles define privileges for user and device identities. Roles let you automatically assign and update privileges in numerous identity profiles. For further information about roles and assignments, refer to [Roles and assignments](../identities/roles-assignments.html).

The *role* object is a managed object type that uses the [relationships](relationships.html) mechanism to link the role to the managed object to which it applies.

## IDM role types

IDM supports two types of roles:

* *Provisioning roles*: used to specify how objects are provisioned to an external system.

  Provisioning roles are created as managed roles, at the context path `openidm/managed/realm-name_role/role-name`, and are granted to managed users as values of the user's `roles` property.

* *Authorization roles*: used to specify the authorization rights of a managed object internally, within IDM.

  Authorization roles are created as internal roles, at the context path `openidm/internal/role/role-name`, and are granted to managed users as values of the user's `authzRoles` property.

Authorization roles can also be granted statically during authentication with the `defaultUserRoles` property.
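For an access review, the two role types can be told apart by the context paths given above. The following is an added example, not code from the product or its documentation. It assumes that exported user records hold each role grant as a relationship value with a `_ref` path; the function names, the realm `alpha`, and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Path shapes from the page; the leading "openidm/" is optional here.
# Assumption: each relationship value carries its target in a "_ref" string.
PATTERNS = {
    "provisioning": re.compile(r"^(?:openidm/)?managed/.+_role/(?P<name>[^/]+)$"),
    "authorization": re.compile(r"^(?:openidm/)?internal/role/(?P<name>[^/]+)$"),
}
# Property through which the page says each role type is granted.
EXPECTED_PROPERTY = {"provisioning": "roles", "authorization": "authzRoles"}

def classify(ref):
    """Return (role type, role name), or (None, ref) if no pattern matches."""
    for kind, pattern in PATTERNS.items():
        match = pattern.match(ref.strip("/"))
        if match:
            return kind, match.group("name")
    return None, ref

def review(users):
    """Group user names by role type and role; list grants to check by hand."""
    report = {"provisioning": defaultdict(list),
              "authorization": defaultdict(list), "check": []}
    for user in users:
        for prop in ("roles", "authzRoles"):
            for rel in user.get(prop) or []:
                kind, name = classify(rel.get("_ref", ""))
                # "check" is not an error list: it holds grants that are not
                # one of the two path/property pairings described above.
                if kind is None or EXPECTED_PROPERTY[kind] != prop:
                    report["check"].append((user["userName"], prop, rel.get("_ref")))
                if kind:
                    report[kind][name].append(user["userName"])
    return report

# Constructed sample records for illustration only.
SAMPLE_USERS = [
    {"userName": "bjensen",
     "roles": [{"_ref": "managed/alpha_role/hr-provisioning"}],
     "authzRoles": [{"_ref": "internal/role/openidm-authorized"}]},
    {"userName": "scarter",
     "authzRoles": [{"_ref": "internal/role/openidm-authorized"},
                    {"_ref": "internal/role/openidm-admin"},
                    {"_ref": "managed/alpha_role/hr-provisioning"}]},
]

if __name__ == "__main__":
    for key, value in review(SAMPLE_USERS).items():
        print(key, value if key == "check" else dict(value))
```

The `authorization` group is the one to read first in a least-privilege review, since it lists who holds rights inside IDM itself.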
