I would like the employee role to be assigned to anyone with our domain in their email address.
Has anyone successfully automated the application of a role based on email or any other criteria?
@mhock - Yes, you can do some customisation here:
Below is the reference code:
<#-- Only look up the email and roles for signed-in users -->
<#if !user.anonymous>
<#assign userEmail = rest("/users/id/${user.id}/").user />
<#list userEmail as getEmail>
<#-- Split the address at "@" and keep the first label of the domain -->
<#assign spiltEmail = getEmail.email?split("@") />
<#assign getSplittedEmail = spiltEmail[1]?split(".") />
<#assign SplittedEmail = getSplittedEmail[0] />
</#list>
<#-- Collect the names of the roles the user already has -->
<#assign getUserRole = restadmin("/users/id/${user.id}/roles").roles.role />
<#assign rolesA = [] />
<#list getUserRole as role >
<#assign rolesA = rolesA + [role.name?js_string] />
</#list>
</#if>
With the above code, you will get the user's email and role. After that, use the following query and check whether the user's email contains a particular domain or not.
<#assign addRole = restadmin("/roles/name/[roleName]/users/add?role.user=id/${user.id}") />
Please let me know if you have any questions.
Thanks!
As an additional layer of security, you would want to assign the role only if the corporate email in the community profile has also been verified. So only if the following value is true:
<#assign email_verification = rest("/users/self/settings/name/user.email_verified").value />
Otherwise, an unverified bogus email ending with the corporate domain could grant ill-intentioned visitors access to the staff role.
The above are good solutions.
We do something similar, but because we use SSO we obtain a user profile value representing our Enterprise ID (EID) for each user and then have a bit of an expanded customization to apply/remove various roles via an EID-role mapping list we access within the Admin Console. Fundamentally it is similar to the above code, with some additional customizations to allow us to define additional EID-role mappings and remove roles based on EID as well.
Since we know the EID of our internal users, we can apply this role to our employees based on that EID.
We also use this same EID-role mapping to grant access to various customers to beta content and discussions, and other private sections by their account EID.
Maybe more complicated an approach than what you need, but it might be useful to think about if you have broader use cases for roles than employees vs everyone else.
We've generally done it via an SSO implementation, which is a bit more of an undertaking, but you can do a lot with it.
JumpCloud Sr Manager, Technical Community
@Payal @sdodds @lolagoetz @ClaudiusH
Thank you ALL so much for chiming in. We have SSO and are a private Community so I will be using this post to see what our development team can produce.
Thanks again and HAPPY Friday!
Melissa
JumpCloud Sr Manager, Technical Community
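The checks discussed in this thread combined into one FreeMarker snippet, as an added example that was not posted by any participant and is not Khoros's own code. It uses only the REST paths quoted above and compares the full domain after the "@" exactly, rather than only its first label. `corporateDomain` and `staffRoleName` are hypothetical values to replace, and the snippet assumes the `user.email_verified` setting is returned as the string "true".

```freemarker
<#-- Assumed values: replace with your own domain and role name -->
<#assign corporateDomain = "example.com" />
<#assign staffRoleName = "Employee" />

<#if !user.anonymous>
  <#-- Only trust the address once the member has verified it -->
  <#assign emailVerified = rest("/users/self/settings/name/user.email_verified").value />
  <#if emailVerified == "true">
    <#assign email = rest("/users/id/${user.id}/").user.email?trim?lower_case />
    <#assign parts = email?split("@") />
    <#-- Require exactly one "@" and an exact match on the whole domain -->
    <#if parts?size == 2 && parts[1] == corporateDomain>
      <#-- Collect the names of the roles the user already has -->
      <#assign currentRoles = [] />
      <#list restadmin("/users/id/${user.id}/roles").roles.role as role>
        <#assign currentRoles = currentRoles + [role.name?string] />
      </#list>
      <#-- Add the role only if it is missing, so the call is not repeated on every page load -->
      <#if !currentRoles?seq_contains(staffRoleName)>
        <#assign addRole = restadmin("/roles/name/${staffRoleName}/users/add?role.user=id/${user.id}") />
      </#if>
    </#if>
  </#if>
</#if>
```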