How Roles Are Assigned to Users

When discussing roles, we distinguish between the raw roles that emanate from the user repository, and the grid roles that are the result of applying the grid role mapping transformation to the raw roles.

Illustration: Role assignment process

During authentication, the grid retrieves raw role information from the user repository. The username is also considered a raw role. The grid role mapping transformation is applied to the raw roles, and the resulting grid or grid application roles are assigned to the grid principal. A grid role may itself be mapped to additional grid roles, any number of times. In other words, once role A has been assigned to a principal, having role A may lead to role B also being assigned, if the role mapping has been set up that way.

At runtime, the grid and its applications can query the grid principal for role membership to make authorization decisions.
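The assignment process described above can be modelled as a closure over the role mapping. The following is an added example, not the grid's own code: the function name, the dictionary form of the mapping, and all role names are assumptions made for illustration. It records the chain of mappings behind each assigned role, so that a role granted indirectly (A leading to B) can be traced back to the raw role that caused it.

```python
from collections import deque

# Constructed sample mapping (hypothetical format): source role -> roles it grants.
# Sources may be raw roles, usernames, or grid roles.
SAMPLE_MAPPING = {
    "cn=ops,ou=groups": ["operator"],       # raw repository role -> grid role
    "alice": ["grid-admin"],                # username treated as a raw role
    "grid-admin": ["operator", "auditor"],  # grid role -> further grid roles
    "operator": ["app-deployer"],
    "app-deployer": ["operator"],           # cycle: must not loop forever
}


def resolve_grid_roles(username, repository_roles, role_mapping):
    """Return {grid_role: chain} where chain is the tuple of roles,
    starting at a raw role, whose mappings led to grid_role."""
    # The username is considered a raw role alongside the repository roles.
    raw_roles = set(repository_roles) | {username}
    derived = {}      # grid role -> derivation chain
    expanded = set()  # roles whose mapping entries were already applied
    queue = deque((raw, (raw,)) for raw in sorted(raw_roles))
    while queue:
        role, chain = queue.popleft()
        if role in expanded:
            continue  # already processed; this also terminates cycles
        expanded.add(role)
        for target in role_mapping.get(role, ()):
            if target not in derived:
                derived[target] = chain + (target,)
                # A newly assigned grid role may grant further roles.
                queue.append((target, derived[target]))
    return derived


def has_role(grid_roles, role):
    """Runtime membership check against the resolved grid roles."""
    return role in grid_roles


if __name__ == "__main__":
    for role, chain in sorted(
        resolve_grid_roles("alice", ["cn=ops,ou=groups"], SAMPLE_MAPPING).items()
    ):
        print(f"{role:13} via {' -> '.join(chain)}")
```

Only roles produced by a mapping entry appear in the result; an unmapped raw role grants nothing. Reviewing the chains before deploying a mapping change shows which entry is responsible for each grant.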

For more information about grid principals, see Grid principals and sessions. For details on setting up role mappings, see Defining role mappings.