Permissions
In Identity Cloud you can configure and manage the permissions that users have for your applications.
The Permission concept provides an overview of how permissions, applications, roles, and users are connected.
On the Permissions tab of an application, you have the following options to configure permissions and their attributes:
- View permissions
- Create permissions
- Edit permissions
- Delete permissions
Permission concept
A Permission determines the name of a more granular right within one of your applications. A permission is associated with only one application. You can create multiple permissions for an application depending on your business needs.
You can create roles to logically group permissions. A Role is a set of permissions. You can assign multiple permissions to a role. You can assign permissions of different applications to the same role.
You can assign a role to multiple users. The permissions of a user are defined by the permissions contained in the roles assigned to the user. You cannot directly assign a permission to a user.
When a user logs in to one of your applications, all the permissions that the user has for this application are fetched. You can process the user's permissions in your application and decide what the user is allowed to do.
If a user logs in to an application of protocol type
- OAuth 2.0/OIDC, then the permissions claim of the issued access token contains the user's permissions.
- SAML, then the permissions attribute of the issued SAML assertion contains the user's permissions.
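As an added example that is not part of this documentation, the following Python code shows how an OAuth 2.0/OIDC application might process the permissions claim described above and enforce a required permission. It assumes the access token's signature, issuer and audience have already been verified by a JWT library (not shown) and that the claim is a list of permission name strings; the permission names, the handler and the sample payload are constructed for illustration.

```python
import re
from functools import wraps

# Constraints on a permission Name as documented: alphanumeric and underscore only,
# at most 30 characters. Anything else in the claim is treated as unexpected and ignored.
PERMISSION_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,30}$")


def is_valid_permission_name(name: str) -> bool:
    return PERMISSION_NAME_RE.fullmatch(name) is not None


def permissions_from_claims(claims: dict) -> frozenset:
    """Extract the 'permissions' claim from an already verified access token payload.
    A missing claim, a non-list value or malformed entries yield an empty set, so the
    application denies by default instead of guessing."""
    raw = claims.get("permissions")
    if not isinstance(raw, list):
        return frozenset()
    return frozenset(p for p in raw if isinstance(p, str) and is_valid_permission_name(p))


def has_permission(claims: dict, required: str) -> bool:
    return required in permissions_from_claims(claims)


class PermissionDenied(Exception):
    pass


def require_permission(required: str):
    """Decorator for application handlers; the wrapped handler receives the verified
    claims dict as its first argument and is only run if the permission is present."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(claims, *args, **kwargs):
            if not has_permission(claims, required):
                raise PermissionDenied(f"missing permission '{required}'")
            return handler(claims, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("invoice_approve")  # hypothetical permission name
def approve_invoice(claims, invoice_id):
    return f"invoice {invoice_id} approved by {claims['sub']}"


# Constructed sample payload, shaped like the claims of an access token after verification.
SAMPLE_CLAIMS = {"sub": "user-123", "permissions": ["invoice_read", "invoice_approve"]}

if __name__ == "__main__":
    print(approve_invoice(SAMPLE_CLAIMS, 42))
```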
View permissions
On the Permissions tab of an application, all associated permissions are listed.
Permissions are ordered by the date of last modification. The number of permissions for an application is limited to 50.

Create permissions
To create a permission for an application:
- Go to Application management > Applications and select the application.
- Switch to the Permissions tab.
- Click Create permission.
- Provide a valid Name and optionally provide a Description to identify the permission.
- Click Create.

Edit permissions
To edit a permission of an application:
- Go to Application management > Applications and select the application.
- Switch to the Permissions tab.
- Select a permission and click Edit.
- In the dialog adapt the Name and/or the Description.
- Click Save.
Delete permissions
To delete a permission of an application:
- Go to Application management > Applications and select the application.
- Switch to the Permissions tab.
- Select a permission and click Delete.
- In the dialog confirm that you want to delete the permission.
- Click Delete permission.
If you delete a permission from an application, then the permission is also removed from all roles it is assigned to.

Permission attributes
Name: The name of the permission. The permission Name is mandatory and has to be unique within the application. It can contain alphanumeric characters and underscore only. The length of the Name is at most 30 characters.
Note: For an application of protocol type OAuth 2.0/OIDC, the permission name is added to the permissions claim of the issued access token. You can see a preview of the claim in OAuth claim preview when creating or editing a permission. For an application of protocol type SAML, the permission name is added to the permissions attribute of the issued SAML assertion. You can see a preview of the attribute in SAML assertion preview when creating or editing a permission. Make sure the permission name you configure in Identity Cloud matches what your application expects.
Description: You can optionally set a description to provide further information about the permission. The length of the Description is at most 120 characters.