Authorize By Role

Overview

Use the Authorize By Role policy to authorize a request based on a role associated with the client. Each APIM authentication policy defines how the user is authenticated and which role the client is assigned. You configure the Authorize By Role policy to indicate which of those roles are authorized. If the client's role is not listed in this policy, the request is not processed; unauthorized requests are rejected with a 403 Forbidden error.

Policy Execution Order

The Authorize By Role policy executes after the request has been authenticated.

Authorization Flow

The authentication policy identifies the user to the rest of the pipeline by user ID and role. Authentication always completes first, and an HTTP 401 response code is returned if the authentication policy criteria are not satisfied. After the authentication policies run, the authorization policy runs: the Authorize by Role policy uses the user ID and role supplied by the authentication policies to grant or deny permission to run the API. By default, the role supplied by authentication is checked against the role set in the policy.

You can also add conditions to refine access. The first condition, true by default, is that the user belongs to a role that grants access; if not, a 403 is returned.

Both the User Id and Role field values are required (except for anonymous, the default role in the Anonymous Authenticator policy). You use a role to grant access by role: the Role value is used for authorization, and the User Id (for anonymously authenticated users, the client IP address) is used to count requests for rate limiting. Additionally, you can use the remoteUser function to pass the user into the pipeline automatically as a pipeline parameter.
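The flow described above, as an added example that is not part of the product or this page: authentication runs first and either yields a user ID and role or fails with 401; Authorize By Role then allows the request only if that role is in the configured Roles list and the optional Condition holds, otherwise 403. The authenticators, the sample credentials and the use of plain Python callables in place of APIM Expression Language expressions are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Request:
    method: str
    client_ip: str
    headers: dict = field(default_factory=dict)

@dataclass
class Principal:
    user_id: str   # for anonymous clients this is the IP address, used for rate limiting
    role: str

def anonymous_authenticator(req: Request) -> Optional[Principal]:
    # Anonymous Authenticator: every client is accepted with the default role
    return Principal(user_id=req.client_ip, role="anonymous")

def header_authenticator(req: Request) -> Optional[Principal]:
    # Constructed stand-in for a credential-checking authenticator; a real one
    # validates a token. Returning None means authentication failed (401).
    users = {"Bearer tok-alice": ("alice", "partner")}   # constructed sample data
    token = req.headers.get("Authorization")
    return Principal(*users[token]) if token in users else None

@dataclass
class AuthorizeByRole:
    roles: list                                           # the Roles setting
    applies: Callable[[Request], bool] = lambda req: True   # "When this policy should be applied"
    condition: Callable[[Request], bool] = lambda req: True # the Condition setting

def run_pipeline(req: Request, authenticator, policy: AuthorizeByRole):
    """Return (status, principal): 401 on failed authentication, 403 on failed
    authorization, 200 when the request may continue to the API."""
    principal = authenticator(req)
    if principal is None:
        return 401, None                 # authentication always completes first
    if not policy.applies(req):
        return 200, principal            # policy not applied to this request
    if principal.role not in policy.roles or not policy.condition(req):
        return 403, principal            # role not authorized, or Condition false
    return 200, principal
```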

You can use the IsUserinRole function to define the ServiceTier conditions in the Client Throttling policy. The authentication policies define the role, and the Authorize by Role policy checks it against the ServiceTiers. The following table lists the policies that set the role.

Policy                   | Field that references Authorize by Role policy
Anonymous Authenticator  | Role
Generic OAuth2           | Role
Callout Authenticator    | Roles Expression
JWT Token                | Roles Expression
All other policies       | By reference using an APIM Expression Language function

Settings

Label
  Description: Required. The name for the API policy.
  Default Value: Authorize By Role
  Example: Task authorize by role

When this policy should be applied
  Description: An expression-enabled field that determines the condition to be fulfilled for the API policy to execute. For example, if the value in this field is request.method == "POST", the API policy is executed only if the request method is POST.
  Default Value: True
  Example: request.method == "POST"

Roles
  Description: The list of role names that should be authorized to access tasks. If the client is in any of these roles, the request is allowed to continue.
  Default Value: N/A
  Example: N/A

Role
  Description: The name of the role that should be allowed access.
  Default Value: N/A
  Example: anonymous

Condition
  Description: An expression that checks additional conditions that must be true before the request is authorized.
  Default Value: N/A
  Example: request.method matches "HEAD"|"GET"

Status
  Description: Indicates whether the API policy is enabled or disabled.
  Default Value: Enabled
  Example: Disabled
