
Configure Leap Role Mapping

Three roles must be configured for proper access to Leap: AdministrativeUsers, EditApplicationsUsers and UseApplicationsUsers. These are the key names used under roleMapping in the examples below; a misspelled key maps nobody to the role.

  • AdministrativeUsers can access the admin UI, and can create and use applications.
  • EditApplicationsUsers can create and use applications.
  • UseApplicationsUsers can use applications.

The Edit and Use roles support an extra property, AllAuthenticated, that adds every authenticated user to the role. Valid values are true and false. Setting it to true on EditApplicationsUsers lets every authenticated user create applications, so only do so where that is intended. The property is not available for AdministrativeUsers: administrators must always be mapped explicitly.

These properties are defined in the Leap configuration .yaml file. Below is a basic example that maps the user leapadmin to the Administrative and Edit roles, keeps the Edit role limited to the mapped users, and opens the Use role to every authenticated user.

configuration:
  leap:
    roleMapping:
      AdministrativeUsers:
        # Administrators are always listed explicitly.
        MappedUsers:
          - leapadmin
      EditApplicationsUsers:
        # Only the mapped users may create applications.
        AllAuthenticated: false
        MappedUsers:
          - leapadmin
      UseApplicationsUsers:
        # Every authenticated user may use applications.
        AllAuthenticated: true

Reference a User/Group from LDAP

To reference a specific user or group from a connected LDAP registry, use the syntax "realmName/userOrGroupId" in the MappedUsersAccessIDs or MappedGroupsAccessIDs list of the role. The realmName is the realm name configured on the ldapRegistry object (refer to Connect Leap to LDAP) and must match it exactly; the userOrGroupId is the entry's identifier in that registry, a distinguished name in the examples below.

Mapping a user from LDAP

configuration:
  leap:
    roleMapping:
      AdministrativeUsers:
        # realmName/userId: the DN of the user in the acmeRealm registry
        MappedUsersAccessIDs:
          - acmeRealm/cn=Admin,o=Acme

Mapping a group from LDAP

configuration:
  leap:
    roleMapping:
      AdministrativeUsers:
        # realmName/groupId: every member of the group holds the role
        MappedGroupsAccessIDs:
          - acmeRealm/cn=Sales,o=Acme
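A role mapping that is mistyped or malformed fails silently: the role simply has no members, or a broad AllAuthenticated grant goes unnoticed until someone who should not be able to create applications does so. The linter below, an added example that is not part of HCL Leap or its documentation, checks a parsed configuration for the mistakes the role-mapping and LDAP-reference sections above make possible: unknown role keys (for example EditApplicationUsers instead of EditApplicationsUsers), AllAuthenticated on the Administrative role or with a non-boolean value, access IDs that are not in realmName/userOrGroupId form or that name a realm not configured under ldapRegistry, and a role that nobody holds. The role and property names are taken from the examples on this page; the set of known realm names is passed in by the caller (an assumption, since the structure of the ldapRegistry object is not shown here). The two sample configurations are constructed for the example.

```python
import re

# Role and property names exactly as used in the roleMapping examples above.
ROLES = ("AdministrativeUsers", "EditApplicationsUsers", "UseApplicationsUsers")
ALL_AUTH_ROLES = ("EditApplicationsUsers", "UseApplicationsUsers")
LIST_PROPS = ("MappedUsers", "MappedUsersAccessIDs", "MappedGroupsAccessIDs")
ACCESS_ID_PROPS = ("MappedUsersAccessIDs", "MappedGroupsAccessIDs")
# LDAP references must have the form realmName/userOrGroupId; the first "/" is the separator.
ACCESS_ID = re.compile(r"^([^/\s]+)/(\S.*)$")


def lint_role_mapping(config, known_realms):
    """Return (severity, message) findings for config['configuration']['leap']['roleMapping'].

    known_realms: realm names configured on the ldapRegistry object (assumed to be supplied by the caller).
    """
    findings = []
    role_mapping = config.get("configuration", {}).get("leap", {}).get("roleMapping") or {}

    # A misspelled role key is accepted as YAML but maps nobody.
    for role in role_mapping:
        if role not in ROLES:
            findings.append(("error", f"{role}: not a Leap role (typo?); this mapping grants nothing"))
    for role in ROLES:
        if role not in role_mapping:
            findings.append(("warning", f"{role}: not configured"))

    for role, props in role_mapping.items():
        if role not in ROLES:
            continue
        members = 0  # explicit users/groups plus an effective AllAuthenticated grant
        for prop, value in (props or {}).items():
            if prop == "AllAuthenticated":
                if role not in ALL_AUTH_ROLES:
                    findings.append(("error", f"{role}.AllAuthenticated: only the Edit and Use roles support this property"))
                elif not isinstance(value, bool):
                    findings.append(("error", f"{role}.AllAuthenticated: must be true or false, got {value!r}"))
                else:
                    if value:
                        members += 1
                    if value and role == "EditApplicationsUsers":
                        findings.append(("warning", f"{role}.AllAuthenticated: true lets every authenticated user create applications"))
            elif prop in LIST_PROPS:
                if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
                    findings.append(("error", f"{role}.{prop}: must be a list of strings"))
                    continue
                members += len(value)
                if prop in ACCESS_ID_PROPS:
                    for entry in value:
                        m = ACCESS_ID.match(entry)
                        if not m:
                            findings.append(("error", f"{role}.{prop}: {entry!r} is not in realmName/userOrGroupId form"))
                        elif m.group(1) not in known_realms:
                            findings.append(("error", f"{role}.{prop}: realm {m.group(1)!r} is not a configured ldapRegistry realm"))
            else:
                findings.append(("error", f"{role}.{prop}: unknown property"))
        if members == 0:
            level = "error" if role == "AdministrativeUsers" else "warning"
            findings.append((level, f"{role}: no users, groups or AllAuthenticated grant; nobody holds this role"))
    return findings


# Constructed sample: the basic example from this page plus an LDAP admin entry.
GOOD_CONFIG = {"configuration": {"leap": {"roleMapping": {
    "AdministrativeUsers": {"MappedUsers": ["leapadmin"],
                            "MappedUsersAccessIDs": ["acmeRealm/cn=Admin,o=Acme"]},
    "EditApplicationsUsers": {"AllAuthenticated": False, "MappedUsers": ["leapadmin"]},
    "UseApplicationsUsers": {"AllAuthenticated": True},
}}}}

# Constructed sample containing the mistakes the linter is meant to catch.
BAD_CONFIG = {"configuration": {"leap": {"roleMapping": {
    "AdministrativeUsers": {"AllAuthenticated": True,                 # unsupported on this role
                            "MappedUsersAccessIDs": ["cn=Admin,o=Acme"]},  # realm prefix missing
    "EditApplicationUsers": {"AllAuthenticated": True},               # misspelled role key
    "UseApplicationsUsers": {"MappedGroupsAccessIDs": ["otherRealm/cn=Sales,o=Acme"]},  # unknown realm
}}}}

if __name__ == "__main__":
    # Lint a real file: python lint_roles.py values.yaml acmeRealm (requires PyYAML).
    import sys
    import yaml
    with open(sys.argv[1]) as f:
        cfg = yaml.safe_load(f)
    for level, msg in lint_role_mapping(cfg, set(sys.argv[2:])):
        print(f"{level}: {msg}")
```

Run it against the values file before deploying and treat any error as a blocker; the EditApplicationsUsers AllAuthenticated warning is informational, because opening application creation to all authenticated users may be exactly what you want in a development environment.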