
Create app role groups

This page is the detail for Setup overview — Step 4: Create app role groups.

Bundle member roles into role groups and — when using a parent–child hierarchy — control which bundles parent organizations expose to their managed children.

Understand role groups

Use the same holiday booking platform and travel agencies story as in Define app roles — Understand roles. You already defined the application-level member roles for the Holiday booking platform. In this guide set, the main example follows one parent organization, Retail travel agency, and one managed child organization, New York branch.

At this step, you organize those application roles into role groups. Each role group is a named bundle of member roles that you will later assign to a specific organization.

In the running example, the parent organization needs a broader bundle for head-office staff, while the managed child organization needs a narrower bundle for branch staff.

| Example organization | Member roles in org | Example role group |
| --- | --- | --- |
| Retail travel agency (parent org / head office) | Booking agent, After-sales specialist, Invoice reviewer | Retail storefront |
| New York branch (managed child organization) | Booking agent | Retail sales only |

This is the same app-level role catalog, but divided into bundles that match real business scope. The parent organization can receive Retail storefront, while New York branch can be limited to Retail sales only.

Configure role groups

In Admin Portal > B2B Identity > Roles > Role groups tab, select the application from the selector at the top of the page.

For each role group, you set a name, value, and optional description, and you attach one or more of the member roles you defined for the application. A member role must sit in at least one role group before it can be assigned to members at all.

After role groups are created, they are ready to be assigned to organizations. You’ll complete this in a later step (see Configure org roles & auth).

Understand parent–child role group relationships

Staying with the same travel booking example, the Retail travel agency is the parent organization and New York branch is a managed child organization. Head-office members in the parent organization need the broader Retail storefront bundle. Branch members in New York branch should be limited to Retail sales only.

This distinction matters because the next configuration step is not only to create role groups, but also to decide which parent role groups may expose which child-facing role groups. Later, when you configure organizations, the parent will receive its own role groups and the child will be limited to the role groups the parent exposed for managed organizations.

A managed child may have more than one parent; each parent contributes its own list of exposed role groups.

| Travel story | Mosaic | What you configure |
| --- | --- | --- |
| The Retail travel agency operates the head office and provisions New York branch as a managed branch. | Organization (parent) | Assign roles: give the parent the bundle its own staff need, here Retail storefront. On that parent role group, set Select managed orgs role groups to include Retail sales only so admins can attach that narrower bundle to New York branch. |
| A New York branch employee works with branch-level permissions only. | Managed organization (child) | Assign roles on the child: choose the bundle exposed by the parent, here Retail sales only. For each member, assign only app-level roles that belong to that group, here Booking agent. |

Configure parent–child role group relationships

The steps below follow the Retail travel agency example: create Retail sales only for managed branches first, then Retail storefront for the parent, then configure the mapping and later assign the groups to organizations (see Setup overview — Step 4).

In Admin Portal > B2B Identity > Roles > Role groups tab:

  1. Create the role groups for managed children.
    These groups must exist in the catalog before they can be selected in Select managed orgs role groups. For example, create Retail sales only with Booking agent plus any other member roles the branch needs.
  2. Create the role groups for parent organizations.
    Each role group must contain at least one member role, including groups mainly used to drive child exposure. For example, create Retail storefront with Booking agent, After-sales specialist, and Invoice reviewer.
  3. For each parent role group, expose the role groups that managed children can use.
    In Select managed orgs role groups, select the child-facing role groups from step 1, such as Retail sales only, that managed children like New York branch can receive.

Once role groups and their mappings are in place, they are ready to be assigned to organizations. You’ll complete this in a later step (see Configure org roles & auth).
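The two rules this section and the table above describe (a managed child may hold only the role groups its parents expose, and a member may hold only app-level roles bundled in the groups assigned to their organization) are easy to drift away from once an admin edits assignments by hand. The following added example, which is not part of the page and not the Admin Portal's code or API, models those rules over the travel-agency catalog and checks a configuration against them, including the union of exposures across several parents. The dataclasses, field names (`managed_org_role_groups`, `role_groups`, `members`) and role values are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Constructed example data modelled on the page's travel-agency story. The
# dataclasses and checks below are this example's own model of the documented
# constraints, not the Admin Portal's API or data model.

APP_MEMBER_ROLES = {"booking_agent", "after_sales_specialist", "invoice_reviewer"}


@dataclass
class RoleGroup:
    value: str
    member_roles: set[str]
    # Role groups a parent holding this group exposes to its managed children
    # (the "Select managed orgs role groups" setting described on the page).
    managed_org_role_groups: set[str] = field(default_factory=set)


@dataclass
class Organization:
    name: str
    parents: list[str] = field(default_factory=list)   # a managed child may have several
    role_groups: set[str] = field(default_factory=set)  # role group values assigned to this org
    members: dict[str, set[str]] = field(default_factory=dict)  # member -> app-level roles


CATALOG = {
    "retail_sales_only": RoleGroup("retail_sales_only", {"booking_agent"}),
    "retail_storefront": RoleGroup(
        "retail_storefront",
        {"booking_agent", "after_sales_specialist", "invoice_reviewer"},
        managed_org_role_groups={"retail_sales_only"},
    ),
}


def validate_catalog(catalog):
    """Catalog-level rules: every group bundles at least one known app role, and
    every exposed child-facing group exists in the catalog."""
    problems = []
    known = set(catalog)
    for rg in catalog.values():
        if not rg.member_roles:
            problems.append(f"{rg.value}: role group has no member roles")
        for role in rg.member_roles - APP_MEMBER_ROLES:
            problems.append(f"{rg.value}: unknown member role {role}")
        for child_rg in rg.managed_org_role_groups - known:
            problems.append(f"{rg.value}: exposes unknown role group {child_rg}")
    return problems


def exposed_role_groups(org, orgs, catalog):
    """Role groups a managed child may receive: the union of what each parent
    exposes through the role groups that parent itself holds."""
    exposed = set()
    for parent_name in org.parents:
        for rg_value in orgs[parent_name].role_groups:
            exposed |= catalog[rg_value].managed_org_role_groups
    return exposed


def check_org(org, orgs, catalog):
    """Org-level rules: a managed child holds only exposed role groups, and a
    member holds only app roles bundled in the org's assigned role groups."""
    problems = []
    if org.parents:
        for rg_value in org.role_groups - exposed_role_groups(org, orgs, catalog):
            problems.append(f"{org.name}: role group {rg_value} not exposed by any parent")
    allowed_roles = set()
    for rg_value in org.role_groups & set(catalog):
        allowed_roles |= catalog[rg_value].member_roles
    for member, roles in org.members.items():
        for role in roles - allowed_roles:
            problems.append(f"{org.name}: member {member} holds {role} outside assigned role groups")
    return problems


def build_example():
    """Constructed valid setup: head office holds Retail storefront, the branch
    holds the exposed Retail sales only bundle."""
    parent = Organization("Retail travel agency", role_groups={"retail_storefront"},
                          members={"head_office_admin": {"booking_agent", "invoice_reviewer"}})
    child = Organization("New York branch", parents=["Retail travel agency"],
                         role_groups={"retail_sales_only"},
                         members={"branch_agent": {"booking_agent"}})
    return {parent.name: parent, child.name: child}


def check_all(orgs, catalog=CATALOG):
    problems = validate_catalog(catalog)
    for org in orgs.values():
        problems += check_org(org, orgs, catalog)
    return problems


if __name__ == "__main__":
    orgs = build_example()
    print("valid setup:", check_all(orgs))
    # Drift: the branch is handed the head-office bundle the parent never exposed.
    orgs["New York branch"].role_groups.add("retail_storefront")
    for p in check_all(orgs):
        print("violation:", p)
```

Running the block reports an empty list for the valid setup and one violation once the branch is given Retail storefront. The member check is deliberately derived from the org's assigned groups rather than from a separate allow-list, so widening a branch's bundle is the only way to widen what its members can hold, which mirrors the page's "assign only app-level roles that belong to that group" rule.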