
Configure Leap Role Mapping

There are 3 roles that must be configured for proper access to Leap: AdministrativeUsers, EditApplicationsUsers, and UseApplicationsUsers (the key names used under roleMapping in the examples below).

  • AdministrativeUsers can access the admin configuration page and the admin dashboard, edit existing applications, and create and use applications.
  • SuperAdminUsers can access the admin dashboard and edit all Leap applications. They do not have access to application data. To access the data, a user must be added to a role within the application and the application must be redeployed.
  • EditApplicationsUsers can create and use applications.
  • UseApplicationsUsers can use applications.

The Edit and Use roles support an extra property, AllAuthenticated, that adds all authenticated users to the role. Valid values are true and false.

These properties are defined in the .yaml file. Below is a basic example of mapping users to the roles.

configuration:
  leap:
    . . .
    roleMapping:
       AdministrativeUsers:
         MappedUsers:
          - leapadmin
       SuperAdminUsers:
         MappedUsers:
          - appsuper
       EditApplicationsUsers:
         AllAuthenticated: false
         MappedUsers:
          - leapadmin
       UseApplicationsUsers:
         AllAuthenticated: true

Reference a User/Group from LDAP

Referencing a specific user or group from a connected LDAP directory requires the syntax "realmName/userOrGroupId". The realmName used here is the realm name defined on the ldapRegistry object; refer to Connect Leap to LDAP.

Mapping a user from LDAP

configuration:
  leap:
    . . .
    roleMapping:
       AdministrativeUsers:
         MappedUsersAccessIDs:
          - acmeRealm/cn=Admin,o=Acme

Mapping a group from LDAP

configuration:
  leap:
    . . .
    roleMapping:
       AdministrativeUsers:
         MappedGroupsAccessIDs:
          - acmeRealm/cn=Sales,o=Acme
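Because an unknown or misspelled role key under roleMapping is simply ignored rather than rejected, and because AllAuthenticated: true on a role that can create applications widens access to every authenticated account, it is worth checking the block before it is deployed. The following linter is an added example, not part of the Leap documentation or the product itself; it encodes only what this page states (the four role keys, the member-list keys shown in the examples, which roles accept AllAuthenticated, and the realmName/userOrGroupId form of LDAP access IDs). It assumes the roleMapping block has already been loaded from YAML into a Python dict (as yaml.safe_load would produce); the two sample configurations are constructed here for illustration.

```python
"""Lint a Leap roleMapping block for common access-control mistakes.

Added example (not from the Leap documentation). Input is the roleMapping
mapping as a YAML loader would return it; the YAML loading step is assumed
and not shown so the check runs without extra libraries.
"""
import re

# Role keys as they appear under roleMapping in the documented example.
KNOWN_ROLES = {
    "AdministrativeUsers",
    "SuperAdminUsers",
    "EditApplicationsUsers",
    "UseApplicationsUsers",
}
# Only the Edit and Use roles accept the AllAuthenticated property.
ALL_AUTHENTICATED_ROLES = {"EditApplicationsUsers", "UseApplicationsUsers"}
# Member-list keys seen on the page; the *AccessIDs keys hold LDAP references.
MEMBER_KEYS = {"MappedUsers", "MappedUsersAccessIDs", "MappedGroupsAccessIDs"}
LDAP_ACCESS_ID_KEYS = {"MappedUsersAccessIDs", "MappedGroupsAccessIDs"}

# "realmName/userOrGroupId": a realm name, one slash, then a non-empty id.
LDAP_ACCESS_ID = re.compile(r"^[^/\s]+/\S.*$")


def lint_role_mapping(role_mapping):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    if not isinstance(role_mapping, dict):
        return [("error", "roleMapping must be a mapping of role name to settings")]

    for role, settings in role_mapping.items():
        if role not in KNOWN_ROLES:
            # An unknown key is not rejected, just ignored, so a typo here
            # silently grants nobody the intended role.
            findings.append(("error", f"{role}: unknown role key (typo?); it will be ignored"))
            continue
        settings = settings or {}
        if not isinstance(settings, dict):
            findings.append(("error", f"{role}: settings must be a mapping"))
            continue

        for key, value in settings.items():
            if key == "AllAuthenticated":
                if role not in ALL_AUTHENTICATED_ROLES:
                    findings.append(("error", f"{role}: AllAuthenticated is only supported on the Edit and Use roles"))
                elif not isinstance(value, bool):
                    findings.append(("error", f"{role}: AllAuthenticated must be true or false, got {value!r}"))
                elif value and role == "EditApplicationsUsers":
                    findings.append(("warning", f"{role}: AllAuthenticated: true lets every authenticated user create applications"))
            elif key in MEMBER_KEYS:
                if not isinstance(value, list):
                    findings.append(("error", f"{role}.{key}: expected a list of entries"))
                    continue
                if key in LDAP_ACCESS_ID_KEYS:
                    for entry in value:
                        if not isinstance(entry, str) or not LDAP_ACCESS_ID.match(entry):
                            findings.append(("error", f"{role}.{key}: {entry!r} is not in realmName/userOrGroupId form"))
            else:
                findings.append(("warning", f"{role}: unrecognised property {key}"))

        # A role with no members and no (supported) AllAuthenticated: true is usually a mistake.
        has_members = any(settings.get(k) for k in MEMBER_KEYS) or (
            role in ALL_AUTHENTICATED_ROLES and settings.get("AllAuthenticated") is True
        )
        if not has_members:
            findings.append(("warning", f"{role}: no users, groups or AllAuthenticated set; nobody holds this role"))
    return findings


# Constructed sample: the documented example, as a YAML loader would return it.
DOCUMENTED_EXAMPLE = {
    "AdministrativeUsers": {"MappedUsers": ["leapadmin"]},
    "SuperAdminUsers": {"MappedUsers": ["appsuper"]},
    "EditApplicationsUsers": {"AllAuthenticated": False, "MappedUsers": ["leapadmin"]},
    "UseApplicationsUsers": {"AllAuthenticated": True},
}

# Constructed sample containing the mistakes the checks are meant to catch.
MISCONFIGURED = {
    "AdministrativeUsers": {"AllAuthenticated": True},              # property not supported here
    "EditApplicationUsers": {"MappedUsers": ["leapadmin"]},         # missing "s": key is ignored
    "UseApplicationsUsers": {"MappedGroupsAccessIDs": ["cn=Sales,o=Acme"]},  # no realm prefix
}

if __name__ == "__main__":
    for name, cfg in (("documented example", DOCUMENTED_EXAMPLE), ("misconfigured", MISCONFIGURED)):
        print(f"== {name} ==")
        for severity, message in lint_role_mapping(cfg) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Run it against the roleMapping block extracted from the values file; the documented example produces no findings, while the misconfigured sample reports the unsupported property on AdministrativeUsers, the misspelled EditApplicationUsers key, and the LDAP group reference that lacks its realmName prefix.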
