How Role Mappings Are Resolved

Once role mappings have been set up, the grid has a set of application defined roles that are linked to each user's roles, whether those are the synthetic session provider defined roles or the other roles the session provider defines. How the grid resolves the mapping of these roles depends on the specific mappings, of course, but also on whether each mapping is configured to include or to exclude access.

Exclusion Versus Inclusion

Role mappings may be including or excluding. Including role mappings are the normal intuitive ones where you say such things as: everyone in the session provider role A should belong to (be included in) the application defined role B. Excluding role mappings are the opposite. In this case, you explicitly say that if a user is a member of role C, that user is excluded from role D.

Including role mappings are always resolved first. When all including role mappings have been examined and a set of roles has been formed, a final pass over the excluding role mappings is performed. For every excluding mapping that matches, the mapped roles are removed from the set. Normally you work with including role mappings, but at times it is helpful to express exceptions in the form of excluding role mappings. For example, if you want everyone working at the Germany office to be able to use and administer an application, except those who work for the sales organization, you can do that by defining two mappings:

  1. First, an including mapping saying that all members of the session provider group "Germany-Office" should be included in the application defined role applicationName/app-admin.

  2. Second, an excluding mapping saying that all members of the session provider group "Sales-Department" should be excluded from the application defined role applicationName/app-admin.

The Role Mapping Process

The process of finding the set of application roles is as follows:

  1. The session provider reports a set of session provider defined roles for an authenticated user.

  2. The Lawson Grid adds the synthetic roles described above to that list.

  3. Given this list of roles, the defined (including) role mappings are examined to find other (application defined) roles that are mapped from any of the existing roles in the list. Roles that have a matching mapping are added to the list and a new pass over the list will try to find even more matching mappings (based on the added roles). This process repeats until no new roles are found and added.

  4. At this point, the excluding role mappings are examined and roles are removed from the list if there is a matching mapping.
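The four steps above, as an added worked example that is not part of the Lawson Grid documentation or product code. It models the process in plain Python: the session provider roles and the synthetic roles are given as lists of names, and each mapping is a simple (source role, target role) pair; the chained mapping to applicationName/report-viewer and the synthetic role name grid-authenticated are constructed for illustration and do not come from the page.

```python
"""Added example (not Lawson Grid code): a minimal model of how role
mappings are resolved, following the documented four-step process.

Assumptions: session provider roles and synthetic roles are lists of
names, and every mapping is a (source role, target role) pair. All
role and group names other than those quoted from the page are
constructed for illustration."""

from typing import Iterable


def resolve_roles(
    session_roles: Iterable[str],
    synthetic_roles: Iterable[str],
    including: list[tuple[str, str]],
    excluding: list[tuple[str, str]],
) -> set[str]:
    """Return the final role set for one authenticated user.

    Steps 1-2: start from the session provider roles plus the synthetic
               roles the grid adds.
    Step 3:    repeatedly apply including mappings until a pass adds no
               new role (a fixed point over the mapping graph).
    Step 4:    apply excluding mappings against the closed set, removing
               the target role whenever the user holds the source role.
    """
    roles = set(session_roles) | set(synthetic_roles)

    # Step 3: closure over including mappings. Roles added in one pass
    # may themselves be sources for mappings in the next pass.
    changed = True
    while changed:
        changed = False
        for source, target in including:
            if source in roles and target not in roles:
                roles.add(target)
                changed = True

    # Step 4: excluding mappings. Note that only the mapped target is
    # removed; roles derived from it in step 3 stay in the set.
    for source, target in excluding:
        if source in roles:
            roles.discard(target)

    return roles


# Constructed sample configuration based on the Germany-office example.
INCLUDING = [
    ("Germany-Office", "applicationName/app-admin"),
    # Constructed chained mapping: app-admins also get a reporting role.
    ("applicationName/app-admin", "applicationName/report-viewer"),
]
EXCLUDING = [
    ("Sales-Department", "applicationName/app-admin"),
]
SYNTHETIC = ["grid-authenticated"]  # constructed synthetic role name


def germany_engineer() -> set[str]:
    """Germany office member who is not in sales."""
    return resolve_roles(["Germany-Office"], SYNTHETIC, INCLUDING, EXCLUDING)


def germany_sales() -> set[str]:
    """Germany office member who is also in the sales department."""
    return resolve_roles(
        ["Germany-Office", "Sales-Department"], SYNTHETIC, INCLUDING, EXCLUDING
    )


if __name__ == "__main__":
    print("engineer:", sorted(germany_engineer()))
    print("sales:   ", sorted(germany_sales()))
```

Running it shows the point a reviewer of a mapping configuration should check: the sales user loses applicationName/app-admin as intended, but keeps applicationName/report-viewer, because step 3 derived that role through app-admin before step 4 removed app-admin. Under the process as described, an excluding mapping strips only the role it names, so any role that should also be withheld from the excluded group needs its own excluding mapping.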