Authorize by Role rule

To authorize a request based on a role associated with the client

Authorizes a request based on the role associated with the client. Authentication rules validate the caller's identity and this rule authorizes access based on their role. If the caller's role isn't defined in this rule, the Snaplex rejects the request with a 403 Forbidden error.

Rule execution order

This rule executes after authentication.

Authorization flow

An Authentication rule includes a User id and Role. Authentication runs first, and returns an HTTP 401 response code if all authentication rule criteria aren't satisfied. After the Authentication rules run, the authorization rule runs. The Authorize by Role rule uses the info from the Authentication policies to grant or deny permission to run the API.

You can add additional conditions to refine access. The first condition, true by default, requires a role that belongs to the user to grant access. If not, the request returns a 403 error.

All authentication rules, except for Anonymous Authenticator, require both the User Id and the Role. The role is for authorization, and the user ID (or the IP address for anonymously authenticated users) counts against rate limiting.

You can use the remoteUser function to pass into the pipeline automatically with a pipeline parameter. You can use the IsUserinRole function to define the ServiceTier Conditions in the Client Throttling policy. The authentication policies define the role, and the Authorization by Role policy performs a check against the ServiceTiers. The following table lists the rules that invoke the Role.


Rule	Field that references Authorize by Role policy
Anonymous Authenticator	Role
Generic OAuth2	Role
Callout Authenticator	Roles Expression
JWT Token	Roles Expression
All other policies	By reference using an APIM Expression Language function


Field	Description
When this rule should be applied	An expression that defines one or more conditions that must be true for the rule to execute. Default value: True Example: The expression `request.method == "DELETE"` causes the rule to execute only on `DELETE` requests.
Roles	One or more roles and the condition in which they apply. Both the role and the condition can be an expression.
Role	The role name.
Condition	An expression that checks additional conditions that must be true before the request will be authorized. Example: `request.method matches “HEAD”\|”GET”`
Description	Default value: `Authorizing requests only for specified roles`