
# 4.23 Role-Specific Attribute Based Access Control at client level

1. Use Case

Attributes can be defined at the role level. The target applications use these role attributes to render a few of their functions.

2. Prerequisites

* The roles must be defined at the client level so that a role can be requested at registration time.
* The role must have at least one sub-role (i.e., it must be a composite role).
* If role attributes are created, a mapper must be created for each attribute so that those attributes are added to the token.
* The target application must render its functions based on the role and the role attributes.
* SMTP email must be configured.

3. Configuration
   1. Create a client in the realm. In this example, the client iventura-chart is created.
   2. The client iventura-chart has a few roles, as shown below.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcxJrZ4CQHMJ0KTggwN5e01XmxtWsyW_E-WFYbW2X7iExtdnD4ojnugX4M1JLr-j-HbzkL2945jiP3EkfleisiuTI_sK7cFnjlGM61PxvP9YK9wEcJR4GQ1ziUoTDHyEA-CqHr_gt6Phg8ZVPaYlLP8RGAa?key=HGhezhG4OsyA12OoId9NqQ" alt=""><figcaption><p>Fig 4.22.a: Client roles</p></figcaption></figure>

3. Along with those roles, an admin role must be created. For that role, create an attribute adminEmail. When a registration happens at this client level, the configured admin email is notified.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcMGK9_Scmed3ho3N1HvXlC2jUtqirynfTinqxnS71jjjEkFkslA01_yUE_8HhjTudGFCKNd_cAi5H44aOJYTTt2YDqtlaJTjqhsDBStZ9VbEmupRXZ1OnvwFSRFUuKfe95zmr0ERdxslcyaa9j6YUvgXc?key=HGhezhG4OsyA12OoId9NqQ" alt=""><figcaption><p>Fig 4.22.b: Admin Role attribute</p></figcaption></figure>

4. Then select a role and create attributes for it, as shown below. Here, attributes are added for the DATA\_ADMIN role.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdaKWZ0YngCgilDbz-swHm1hxf7lBKH4mdJ2nCmrI7NgCI5SJM9Ds-ZeNPN0mW39C54QIUcobT4QC9liGykRRKe9Zh3qlwVsDyjwHn6aJoSNNHoIsQHGoY6u_3EByStjoISeKmvFfQd-Eyr37GIlp2vMYgq?key=HGhezhG4OsyA12OoId9NqQ" alt=""><figcaption><p>Fig 4.22.c: Data admin role attributes</p></figcaption></figure>

5. Create a mapper to add the attributes to the token. To do so, open the client (iventura-chart) and go to Client scopes -> iventura-chart-dedicated.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXelp0JnqbNcURqyYL3wF0D6hLHEHgz1wrhdC2a9rgdKi36kX0hDx-2AcfhvIkbjXUjqnORwEqmO6b_VQVBRqPmqdtvZRHNtBd9lFxTz-PuCP_uxJ7bW2-NIjSBCLZQ-CMgMSDeo87t87j5md2Y3u4SBRGA?key=HGhezhG4OsyA12OoId9NqQ" alt=""><figcaption><p>Fig 4.22.d: Navigating to Client scopes under client</p></figcaption></figure>

6. Then click Configure a new mapper, as shown below.

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXekat3DboGd1ye3V7TdYWzmL_6KiiuhZKxVqfwj2hhTdxSI_Bp3RKA0CczDcbZAhyTQdMqFIuBT_uGjSspcfD7IsJeSdF_wBuHPGPCiuwQIRWd84EYmE9AuqttyohAeK9qUP0__edBlH5qg1oz2ikgwbBxJ?key=HGhezhG4OsyA12OoId9NqQ" alt=""><figcaption><p>Fig 4.22.e: Configure a new mapper</p></figcaption></figure>
7. A modal appears. Select the client role attribute option from the list.

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeIy-l7falU31Lgu5c30CVD-6KEy5FN49YOAI5MAUVjfzD8NVEcN2miHdn-eRXH-Poe-f-5gkiykQcFEEEvDmrCe-OzV9_0wvn7WUkVxDp_VDOd0sZomQh5CwB_5jA77HaNsFSC-Bd23WDJ44e7BjevOEg?key=HGhezhG4OsyA12OoId9NqQ" alt=""><figcaption><p>Fig 4.22.f: Select mapper to configure</p></figcaption></figure>
8. Fill in the fields as shown below. The Token Claim Name must be configured exactly in this format:\
   ${client\_id}.${role\_name}.attributes.${attribute\_name}

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXe1QoEL25O3-ONDXhrzR70TIyvb1IOTS6tjE72hLyiFsDIji0kH_HEX0LwmLUUyIkEHAFd9Eg7sVSLlL1-VNEul8szMDbHiHzFiWmf7INtQZAbcGuHfKuYGH0r0oXwrXbfI8amnHQC59yuLYuf7bgh0N-Va?key=HGhezhG4OsyA12OoId9NqQ" alt=""><figcaption><p>Fig 4.22.g: Mapper configuration</p></figcaption></figure>

9. Create one mapper per attribute, so that there are as many mappers as attributes, as shown below.

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfPVH6jy2fmga4xF21TNzxh0OSaK72X9YorYbn9AYCRXa9xjjMuM7NdKOOU8YFeahiLI-ZNe5gbWedPNQ78ahHzHKS06w4gi8014Qu6xl9L2eXDOIe1HfyQrzA5ymM1uuy9n43GQ684ql8TuEJlxnLNx7U?key=HGhezhG4OsyA12OoId9NqQ" alt=""><figcaption><p>Fig 4.22.h: List of custom attributes</p></figcaption></figure>
10. Finally, go to the Authentication section, open the Required actions tab, and switch on the client role request, as shown below.

    <figure><img src="/files/mNc0YcfoMhAs2l1dVfgS" alt=""><figcaption><p>Fig 4.22.i: Navigate to Authentication section in side bar, and required actions</p></figcaption></figure>
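
How a target application might consume the claims produced by the mappers configured above, as an added example that is not ZTrust code: it looks up `${client_id}.${role_name}.attributes.${attribute_name}` in already-verified token claims and renders a function only when the attribute is present and matches. The attribute names (`canExport`, `canDelete`), the feature names and the two token layouts (one flat dotted key, or nested JSON objects) are assumptions.

```python
# Added example, not ZTrust code. Attribute names, feature names and the
# two token layouts are assumptions; client and role names are from this page.
CLIENT_ID = "iventura-chart"

# Hypothetical UI functions gated by hypothetical DATA_ADMIN role attributes.
FEATURE_RULES = {
    "export_button": ("DATA_ADMIN", "canExport", "true"),
    "delete_button": ("DATA_ADMIN", "canDelete", "true"),
}

def claim_name(client_id, role_name, attribute_name):
    """Token Claim Name in the format required by the mapper step."""
    return f"{client_id}.{role_name}.attributes.{attribute_name}"

def role_attribute(claims, client_id, role_name, attribute_name):
    """Return the mapped attribute value, or None when the token lacks it."""
    flat_key = claim_name(client_id, role_name, attribute_name)
    if flat_key in claims:  # layout A: the dotted name is a single key
        return claims[flat_key]
    node = claims  # layout B: each dot opens one nested JSON object
    for part in (client_id, role_name, "attributes", attribute_name):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def visible_features(claims):
    """Default deny: render a function only if its attribute is present and matches.

    `claims` must come from a token whose signature, issuer and audience
    have already been verified by the application's OIDC library.
    """
    shown = set()
    for feature, (role, attr, expected) in FEATURE_RULES.items():
        value = role_attribute(claims, CLIENT_ID, role, attr)
        values = value if isinstance(value, list) else [value]  # multi-valued attrs
        if expected in values:
            shown.add(feature)
    return shown

# Constructed sample claims (not captured from a real token).
NESTED = {"iventura-chart": {"DATA_ADMIN": {"attributes": {"canExport": "true", "canDelete": "false"}}}}
FLAT = {"iventura-chart.DATA_ADMIN.attributes.canExport": "true"}
MISNAMED = {"iventura-chart.data_admin.attributes.canExport": "true"}  # wrong case in mapper

if __name__ == "__main__":
    for label, sample in (("nested", NESTED), ("flat", FLAT), ("misnamed", MISNAMED)):
        print(label, sorted(visible_features(sample)))
```

The `MISNAMED` sample shows why the Token Claim Name has to match the format exactly: a mapper whose role segment differs only in case yields no match, and the function stays hidden.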

