Role Mapping assigns roles to users based on their SAML attributes. When a user logs in to Joomla and meets the specified conditions, the corresponding role is applied.
This feature lets you grant user capabilities based on IdP attribute values.
Joomla has 8 pre-defined roles:
- Public
- Registered
- Author
- Editor
- Publisher
- Manager
- Administrator
- Guest
Any custom roles you have added are also displayed in the role mapping section.
To use this feature, you have to map the Group attribute coming from your IdP in the Group field.
Now you can use these Role values to configure role mapping.
Let’s say we have an organization “SCHOOL” with the following groups on the IdP side:
- Principle
- HODs
- Teachers
- Students
- Mentors
- Workers
- Backloggers
- Peon
We have assigned those groups to a particular role.
We can even assign multiple groups to a single role by separating them with semicolons (;). For example, we have assigned the Students and Workers groups to the Public role.
Role Mapping has the following features:
- Option to select the default role to assign to users.
  - This sets a default role for users who are not mapped here. You can choose any of the listed roles as the default.
- Do not update the existing user’s roles. (Newly mapped roles will not be added)
  - Enable this if the admin does not want an existing user’s assigned role to be changed.
  - For example, a Teacher is upgraded to HOD. The Teacher had the Editor role, and the admin does not want that role changed from Editor to Author (HODs are mapped to Author). This feature can be used in that case.
- Do not update the existing user’s roles and add newly mapped roles.
  - Enable this if the admin does not want an existing user’s assigned role to be changed, but newly mapped roles should still be added.
- Do not auto-create users if roles are not mapped.
  - Enable this if the admin wants users to be created on the Joomla site only when they are mapped. Users who are not mapped will not be allowed to access the site.
  - With this feature enabled, people not associated with any of the above groups will not be able to access the site.
- Do not allow users to login with particular roles.
  - If the admin wants users with particular role(s) to be unable to log in to the site, enable this feature and provide the group/role value.
  - For example, students with backlogs have been assigned the group ‘Backloggers’, and the admin does not want those users to access the site.
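
The options above interact, so it helps to trace a login through them. The following is an added example that models the decision logic with the SCHOOL groups; it is not the plugin's own code, and the names `Options`, `mapped_roles` and `resolve_login` are hypothetical. Assumptions: the login restriction is checked before any mapping, group names match exactly, and the default role is set to Registered.

```python
from dataclasses import dataclass

# Role -> semicolon-separated IdP groups, as typed into the mapping fields.
# Values follow the SCHOOL example on this page.
ROLE_MAPPING = {
    "Public": "Students;Workers",
    "Editor": "Teachers",
    "Author": "HODs",
}

@dataclass
class Options:
    default_role: str = "Registered"   # constructed choice of default role
    keep_existing: bool = False        # do not update existing user's roles
    keep_and_add: bool = False         # keep existing roles, add newly mapped ones
    require_mapping: bool = False      # do not auto-create users if roles are not mapped
    denied_groups: str = ""            # do not allow login with these group values

def split_groups(value):
    """Split a semicolon-separated field, dropping blanks and stray spaces."""
    return {g.strip() for g in value.split(";") if g.strip()}

def mapped_roles(idp_groups, mapping=ROLE_MAPPING):
    """Return every role whose group list contains one of the user's groups."""
    groups = set(idp_groups)
    return {role for role, gfield in mapping.items() if split_groups(gfield) & groups}

def resolve_login(idp_groups, opts, existing_roles=None):
    """Return (allowed, roles); existing_roles is None for a first-time user."""
    # Assumption: a denied group blocks the login even if another group maps.
    if split_groups(opts.denied_groups) & set(idp_groups):
        return False, set()
    new = mapped_roles(idp_groups)
    if not new and opts.require_mapping:
        return False, set()
    if existing_roles is None:
        return True, new or {opts.default_role}
    if opts.keep_existing:
        return True, set(existing_roles)
    if opts.keep_and_add:
        return True, set(existing_roles) | new
    # Assumption: with neither option set, mapped roles replace the old ones.
    return True, new or {opts.default_role}
```

When reviewing a configuration like this, the cases worth checking are the unmapped user (what the default role grants) and a user who belongs to both a mapped group and a restricted one.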