Overview
Role created by an application can be shared with another application, allowing them to use those role for assigning to users or other entities. This is especially useful for assigning roles to a user.
Where can this be used?
If your organization has multiple applications—like a project management tool, billing system, and reporting dashboard—that all need common roles such as “Project Manager”, “Accountant”, or “Viewer”, you can define these roles once in a central IAM application and share them with other applications. This ensures:
- Consistent permissions and responsibilities across all applications
- Reduced duplication and easier management
Example:
A user assigned the “Project Manager” role in both the project management tool and the reporting dashboard will have the same permissions and responsibilities in both, even though the role is managed centrally.
This approach is valuable for:
- Organizations with multiple products or microservices needing unified access control
- Ensuring compliance and auditability by standardizing role definitions
- Reducing administrative overhead and risk of misconfiguration
How is this achieved?
As like permission sharing, role sharing also follows a similar mechanism of using a group as a container. Once the group is created, you can share role with the group, and add multiple applications to which you want to share your role. Once shared, the application can use them for role assignment.
- Create a role using the application spec
- Create a group spec using the same application
- You need certain permission to create a group. If your application doesn’t have the required permission, raise a support ticket
- Now use the group uuid as a container to share the role with the given application(s) using the role sharing endpoint spec
- Once the role is shared, the receiving application can use the shared role to assign to users
- To get list of application(s) to which a particular role is shared, use this endpoint spec