Authorize By Role Policy

To authorize a request based on a role associated with the client

Important: This page describes Classic APIM. For APIM 3.0, refer to API Management 3.0.
Authorizes a request based on the role associated with the client. Authentication policies validate the caller's identity and this policy authorizes access based on their role. If the caller's role isn't defined in this policy, the Snaplex rejects the request with a 403 Forbidden error.

Policy execution order

This policy executes after authentication.

Authorization flow

An Authentication policy includes a User id and Role. Authentication runs first, and returns an HTTP 401 response code if all authentication policy criteria aren't satisfied. After the Authentication policies run, the authorization policy runs. The Authorize by Role policy uses the info from the Authentication policies to grant or deny permission to run the API.

You can add additional conditions to refine access. The first condition, true by default, requires a role that belongs to the user to grant access. If not, the request returns a 403 error.

All authentication policies, except for Anonymous Authenticator, require both the User Id and the Role. The role is for authorization, and the user ID (or the IP address for anonymously authenticated users) counts against rate limiting.

You can use the remoteUser function to pass into the pipeline automatically with a pipeline parameter. You can use the IsUserinRole function to define the ServiceTier Conditions in the Client Throttling policy. The authentication policies define the role, and the Authorization by Role policy performs a check against the ServiceTiers. The following table lists the policies that invoke the Role.

Rule

Field that references Authorize by Role policy

Anonymous Authenticator Role
Generic OAuth2 Role
Callout Authenticator Roles Expression
JWT Token Roles Expression
All other policies By reference using an APIM Expression Language function
Field/Field set Description
When this policy should be applied An expression that defines one or more conditions that must be true for the policy to execute.

Default value: True

Example: The expression request.method == "DELETE" causes the policy to execute only on DELETE requests.

Roles One or more roles and the condition in which they apply. Both the role and the condition can be an expression.
Role The role name.
Condition An expression that checks additional conditions that must be true before the request will be authorized. Example: request.method matches “HEAD”|”GET”
Description

Default value: Authorizing requests only for specified roles