--- title: The augmentSecurityContext trigger description: The augmentSecurityContext trigger, defined in the authentication configuration, can reference a script that is executed after successful authentication. These scripts can populate the security context of the authenticated user. If the authenticated user is not found in the resource specified by queryOnResource, the augmentSecurityContext can provide the required authorization map. component: pingoneaic page_id: pingoneaic:idm-scripting:script-variables-augment-security canonical_url: https://docs.pingidentity.com/pingoneaic/idm-scripting/script-variables-augment-security.html --- # The `augmentSecurityContext` trigger The `augmentSecurityContext` trigger, defined in the authentication configuration *(tooltip: You can manage the authentication configuration over REST at the config/authentication endpoint.)*, can reference a script that is executed after successful authentication. These scripts can populate the security context of the authenticated user. If the authenticated user is not found in the resource specified by `queryOnResource`, the `augmentSecurityContext` can provide the required authorization map. These scripts have access to the following bindings: * `security` - includes the `authenticationId` and the `authorization` key, which includes the `moduleId`. The main purpose of an `augmentSecurityContext` script is to modify the `authorization` map that is part of this `security` binding. The authentication module determines the value of the `authenticationId`, and IDM attempts to populate the `authorization` map with the details that it finds, related to that `authenticationId` value. These details include the following: * `security.authorization.component` - the resource that contains the account (by default, this will always be the same as the value of `queryOnResource`). * `security.authorization.id` - the internal `_id` value that is associated with the account. * `security.authorization.roles` - any roles that were determined, either from reading the `userRoles` property of the account or from calculation. * `security.authorization.moduleId` - the authentication module responsible for performing the original authentication. You can use the `augmentSecurityContext` script to change any of these `authorization` values. The script can also add new values to the `authorization` map, which will be available for the lifetime of the session. * `properties` - corresponds to the `properties` map of the related authentication module. * `httpRequest` - a reference to the `Request` object that was responsible for handling the incoming HTTP request. This binding is useful to the augment script because it has access to all of the raw details from the HTTP request, such as the headers. The following code snippet shows how you can access a header using the `httpRequest` binding. This example accesses the `authToken` request header: ```none httpRequest.getHeaders().getFirst('authToken').toString() ``` For more information, refer to [Roles, authentication, and the Security Context](../idm-auth/authentication-and-roles.html#auth-security-context).