User Role Attribution
User Role Attribution allows AppSentinels to map user roles from API requests and associate them with user sessions. This helps in understanding role-based access patterns, detecting Broken Role-Based Access Control (RBAC) issues, and auto-learning application roles.
Why It Matters
- Identifies whether users are admin, user, superadmin, etc.
- Helps detect misused privileges (e.g., a regular user accessing admin endpoints).
- Enables learning of role-to-function mappings to build RBAC policy models.
- Supports alerting on role escalation or horizontal privilege misuse.
How It Works
AppSentinels parses the role information from headers, cookies, or tokens (e.g., JWT) and links that to the session and user context.
Custom User Role Attribution
You can configure your own logic to extract user role by clicking + New Custom Attribution.
| Field | Description |
|---|---|
| Field Location | Specifies where to extract the role from. Options include: Req.Header, Req.Cookie, Resp.Body, etc. |
| Field sublocation |
The key within the selected location. Example: authorization, x-role, or
user-info.
|
| Type (optional) |
Use bearer.jwt if the role is inside a JWT token.
AppSentinels will parse the token and extract the desired field.
|
| Field to extract session identifier |
(Required only for JWT type) Specify the JWT claim path that contains the user role (e.g., role, user.role,
data.role).
|
| Regex (optional) | Toggle ON to match APIs using regex patterns. |
| APIs | Select the APIs this rule applies to. With Regex enabled, the value will be treated as a URI pattern. |
Example Configuration
| Field | Example Value |
|---|---|
| Field Location | Req.Header |
| Field sublocation | authorization |
| Type | bearer.jwt |
| Field to Extract Identifier | data.role |
| Regex | Off |
| APIs | All |
This setup tells AppSentinels to extract the user's role from a JWT present in the Authorization header and associate it with the session and user for access control evaluation.