Skip to main content

Permissions concept

In Identity Cloud you can manage the Permissions of users by assigning Roles to them.


A permission determines the name of a granular right within one of your applications.

A permission is associated with only one application at a time.

You can create multiple permissions for an application, depending on your business needs. The number of permissions for an application is limited to 50.


A role is a set of permissions.

You can manage the permissions of users by assigning roles to them.

Assigning permissions

You can assign multiple permissions to a role, and the same, one permission to multiple roles.

You can also assign permissions of different applications to the same role.

Define permissions for users

You can only assign roles to users, you cannot assign permissions directly to a user, only through roles.

The rights of users are defined by the permissions configured to the roles that are assigned to users.

When a user logs into one of your applications, all of the permissions that the user has for the specific application are fetched. You can process the user's permissions in your application, and based on them, decide what the user is allowed to do.

Permissions and protocols

When a user logs into your applications

  • with OAuth 2.0/OIDC protocol type, the claim permissions of the issued access token contains the user's permissions.
  • with SAML protocol type, the issued SAML attribute permissions of the SAML assertion contains the user's permissions.