OpenIDM sets up the following roles by default:
- openidm-reg: role for users accessing OpenIDM with the default anonymous account
- openidm-admin: OpenIDM administrator role
- openidm-authorized: default role for any user authenticated with a user name and password
- openidm-cert: default role for any user authenticated with mutual SSL authentication
A user's roles are fetched after authentication. If no roles are defined in the user profile, the defaultUserRoles are applied. You can configure the default roles that are assigned to successfully authenticated users by setting the defaultUserRoles property in openidm/conf/authentication.json, which takes a list. The default value is openidm-authorized:
    {
        "queryId": "credential-query",
        "queryOnResource": "managed/user",
        "defaultUserRoles": [
            "openidm-authorized"
        ]
    }

A managed user who does not have the openidm-authorized role can authenticate but is unable to access certain system resources, according to the access control configured in the access.js file. Requests on a resource for which access is denied return a 403 error. For more information, see Section 13.4, “Authorization”.
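The following added example (not part of the OpenIDM documentation or code base) models how the pieces above fit together: the roles fetched after authentication, the defaultUserRoles fallback when the profile has none, and a deny-by-default check over access.js-style rules that yields 403 on a miss. The rule shape (pattern, roles, methods) is a simplified stand-in modeled on access.js and is an assumption, as are the constructed rules and user profiles.

```javascript
// Constructed stand-in for the defaultUserRoles setting in authentication.json.
const authenticationConfig = { defaultUserRoles: ["openidm-authorized"] };

// Roles applied after authentication: the profile's own roles if it defines
// any, otherwise the defaultUserRoles list from the authentication config.
function effectiveRoles(userProfile, authConfig) {
  const roles = userProfile.roles;
  if (Array.isArray(roles) && roles.length > 0) return roles.slice();
  return authConfig.defaultUserRoles.slice();
}

// Constructed access rules in a simplified access.js-like shape (assumption).
// "*" matches anything; a pattern ending in "/*" matches any sub-path.
const accessRules = [
  { pattern: "*",              roles: ["openidm-admin"],      methods: ["*"] },
  { pattern: "managed/user/*", roles: ["openidm-authorized"], methods: ["read", "update"] },
  { pattern: "system/*",       roles: ["openidm-authorized"], methods: ["read"] },
];

function patternMatches(pattern, path) {
  if (pattern === "*") return true;
  if (pattern.endsWith("/*")) return path.startsWith(pattern.slice(0, -1));
  return pattern === path;
}

// Returns 200 when at least one rule grants the request and 403 otherwise:
// a user with no matching rule (for example only openidm-reg) is denied.
function authorize(rules, roles, method, path) {
  const granted = rules.some((rule) =>
    patternMatches(rule.pattern, path) &&
    rule.roles.some((r) => roles.includes(r)) &&
    (rule.methods.includes("*") || rule.methods.includes(method)));
  return granted ? 200 : 403;
}

// End-to-end decision for an authenticated user's request.
function decide(userProfile, method, path) {
  return authorize(accessRules, effectiveRoles(userProfile, authenticationConfig), method, path);
}
```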

