Skip to main content

Mapping an IAM Role to System Permissions

Overview

The Desk UI makes it easy to map your IAM system's roles to Procivis One permissions.

Prerequisites

  • Access to the "Roles" and "Access control" applications
  • The exact name of the IAM role you want to map

Steps

  1. Navigate to Roles

  • Click "Roles" in the left sidebar
  • Click "+ New Role"

  1. Setup new role

  • Provide a name for the role
  • Select the permissions you want this role to have
  • Click "Next step" → "Save"

  1. Navigate to Access control

  • Click "Access control" in the left sidebar
  • Click "+ New access"

  1. Map the IAM Role

  • Provide the IAM Role Name exactly as it is in your IAM system
  • Click "Next step"
  • Choose the organization you want to map the role to
  • Choose the role you created in Step 2
  • Repeat for any other organization you want to map the role to
  • Click "Next step" → "Save"

Finished

Now users with the IAM role you chose in Step 4 are mapped to the desired system permissions.

Related guide: Permissions - Deep Dive

Mapping a delegated permission

For technical users that require delegation, follow the steps above with one additional configuration when selecting permissions in Step 2.

For each permission the service should only exercise on behalf of a user:

  • Select the permission(s)
  • Click Advanced options
  • Toggle Restrict role to delegation
  • Configure permissions:
    • If the service should be able to exercise the permission on behalf of any authenticated user, leave the permissions list empty
    • If the service should only be able to exercise the permission on behalf of users with specific permissions, select those end user permissions
  • Continue the remaining steps above
note

All permissions within a role share the same delegation configuration. If a service requires both delegated and non-delegated permissions, or different delegation conditions for different operations, create a separate role for each configuration and assign all roles to the service's IAM role in Access control.

For an explanation of when and why to use delegation, see Technical Users and Delegation.