Hi Dawid, I didn't know it's not possible to re-open ticket, I will leave this one 'in-progress' :). Please take a look to script I've written to you in previous ticket. Actually mapping is inside "if" statement: hasRole('Manager') or hasRole('Viewer'). It is mapping you need, isn't it? It is mapping for "view" scope. So for "edit" scope you would probably (not sure about your requirements) need another script which would allow to edit only Manager role: hasRole('Manager') We don't have built-in hasRole() function, so you would probably need to implement it on your own (or ask official Gluu support). Thanks, Yuriy

Sure understood - anyway such functionality must be added as extension as I said primarily. The same regarding storing such info in ldap. That's why we would like to use already existing groups in gluu to simulate roles - that was my point - and then I can create functionality like hasRole but users will be assigned to groups (roles) which can be stored already in ldap - the name of the group will be in fact like a scope within particular protected resource. Otherwise I would have to create new Role entity with ldap persistence and then add functionality to assign scopes to roles and finally assign roles to user profiles as a custom attribute. Is my reasoning rational? Which way would you choose? I wonder is such functionality is possibly interesting to you as a part of gluu? Thanks, Dawid

I wonder if such functionality would be interesting for you as a part of gluu server anyway?

It seems we are talking about the same thing but in different words. Sounds rational to me.