User Role Attribution

User Role Attribution allows AppSentinels to map user roles from API requests and associate them with user sessions. This helps in understanding role-based access patterns, detecting Broken Role-Based Access Control (RBAC) issues, and auto-learning application roles.

Why It Matters

How It Works

AppSentinels parses the role information from headers, cookies, or tokens (e.g., a JWT) and links it to the session and user context.

Custom User Role Attribution

You can configure your own logic for extracting the user role by clicking + New Custom Attribution.

Field                                 Description
Field Location                        Specifies where to extract the role from. Options include: Req.Header, Req.Cookie, Resp.Body, etc.
Field sublocation                     The key within the selected location. Example: authorization, x-role, or user-info.
Type (optional)                       Use bearer.jwt if the role is inside a JWT token. AppSentinels will parse the token and extract the desired field.
Field to extract session identifier   (Required only for JWT type) Specify the JWT claim path that contains the user role (e.g., role, user.role, data.role).
Regex (optional)                      Toggle ON to match APIs using regex patterns.
APIs                                  Select the APIs this rule applies to. With Regex enabled, the value will be treated as a URI pattern.

Example Configuration

Field                         Example Value
Field Location                Req.Header
Field sublocation             authorization
Type                          bearer.jwt
Field to Extract Identifier   data.role
Regex                         Off
APIs                          All

This setup tells AppSentinels to extract the user's role from a JWT present in the Authorization header and associate it with the session and user for access control evaluation.
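The following is an added illustration, not AppSentinels code, of what the example rule above (Req.Header / authorization / bearer.jwt / data.role) has to do on each request: find the header, strip the Bearer scheme, decode the JWT payload, walk the dotted claim path, and return None whenever any of those steps fails so the session is not mis-attributed. The RULE dictionary, the function names and the sample token are assumptions for this example; signature verification is assumed to happen upstream, so only claim extraction is shown.

```python
import base64
import json
from typing import Any, Optional

# Hypothetical rule mirroring the page's example configuration: location Req.Header,
# sublocation "authorization", type bearer.jwt, claim path "data.role".
RULE = {"location": "Req.Header", "sublocation": "authorization",
        "type": "bearer.jwt", "claim_path": "data.role"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _lookup_path(obj: Any, path: str) -> Optional[Any]:
    # Walk a dotted claim path such as "data.role" through nested JSON objects.
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def extract_role(headers: dict, rule: dict = RULE) -> Optional[str]:
    """Return the role the rule points at, or None if it cannot be attributed.
    Only claim extraction is done here; token signature checks are assumed upstream."""
    if rule["location"] != "Req.Header":
        return None
    # Header names are case-insensitive, so normalise before looking up the sublocation.
    value = {k.lower(): v for k, v in headers.items()}.get(rule["sublocation"].lower())
    if not value:
        return None
    if rule.get("type") == "bearer.jwt":
        scheme, _, token = value.partition(" ")
        if scheme.lower() != "bearer" or token.count(".") != 2:
            return None  # not a Bearer JWT: nothing to attribute
        try:
            claims = json.loads(_b64url_decode(token.split(".")[1]))
        except ValueError:  # covers malformed base64, bad UTF-8 and invalid JSON
            return None
        role = _lookup_path(claims, rule["claim_path"])
    else:
        role = value  # plain header value, e.g. an x-role header
    return role if isinstance(role, str) and role else None

def make_sample_jwt(claims: dict) -> str:
    # Constructed sample token for offline demonstration only; the third segment is a
    # placeholder signature, since this example never verifies signatures.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-sig"
```

Running `extract_role({"Authorization": "Bearer " + make_sample_jwt({"sub": "u1", "data": {"role": "admin"}})})` returns "admin"; a missing header, a non-Bearer scheme, a malformed token or an absent data.role claim all return None.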