Configure Leap Role Mapping
There are 3 roles that must be configured for proper access to Leap: "Administrative Users", "EditApplicationUsers", and "UseApplicationUsers".
- AdministrativeUsers can access the admin configuration page, admin dashboard, edit existing applications, create and use applications.
- SuperAdminUsers can access the admin dashboard, and edit all Leap applications. They do not have access to application data. To access the data, a user must be added to a role within the application and the application must be redeployed.
- EditApplicationUsers can create and use application.
- UseApplicationUsers can use applications.
The Edit and Use roles support an extra property that adds all authenticated users to the role. Valid values are true and false.
These properties are defined in the .yaml file. Below is a basic example of mapping users to the roles.
configuration:
leap:
. . .
roleMapping:
AdministrativeUsers:
MappedUsers:
- leapadmin
SuperAdminUsers:
MappedUsers:
- appsuper
EditApplicationsUsers:
AllAuthenticated: false
MappedUsers:
- leapadmin
UseApplicationsUsers:
AllAuthenticated: true
Reference a User/Group from LDAP
To reference a specific user or group from a connected LDAP requires specific syntax, "realmName/userOrGroupId". The realmName referenced here is the property from the ldapRegistry object, refer to Connect Leap to LDAP.
Mapping a user from LDAP
configuration:
leap:
. . .
roleMapping:
AdministrativeUsers:
MappedUsersAccessIDs:
- acmeRealm/cn=Admin,o=Acme
Mapping a group from LDAP
configuration:
leap:
. . .
roleMapping:
AdministrativeUsers:
MappedGroupsAccessIDs:
- acmeRealm/cn=Sales,o=Acme
Parent topic: Preparation