{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"redocly_category":"Guides","product":"Identity Management","type":"markdown"},"seo":{"title":"Create app role groups","description":"Everything about Mosaic Journeys, SDKs, and APIs","siteUrl":"https://developer.transmitsecurity.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"create-app-role-groups","__idx":0},"children":["Create app role groups"]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This page is the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["detail"]}," for ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/b2b/b2b_setup-overview#step-4-create-app-role-groups"},"children":["Setup overview — Step 4: Create app role groups"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Bundle member roles into ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["role groups"]}," and — when using a parent–child hierarchy — control which bundles parent organizations expose to their managed children."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"understand-role-groups","__idx":1},"children":["Understand role groups"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use the same ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/b2b/b2b_main-concepts"},"children":["holiday booking platform and travel agencies"]}]}," story as in ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/b2b/b2b_define_app_roles#understand-roles"},"children":["Define app roles — Understand roles"]},". You already defined the application-level ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["member roles"]}," for the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Holiday booking platform"]},". In this guide set, the main example follows one parent organization, ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail travel agency"]},", and one managed child organization, ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["New York branch"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["At this step, you organize those application roles into ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["role groups"]},". Each role group is a named bundle of member roles that you will later assign to a specific organization."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In the running example, the parent organization needs a broader bundle for head-office staff, while the managed child organization needs a narrower bundle for branch staff."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"b2b-wip-table-wrap"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"b2b-wip-bordered-table"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{},"children":["Example organization"]},{"$$mdtype":"Tag","name":"th","attributes":{},"children":["Member roles in org"]},{"$$mdtype":"Tag","name":"th","attributes":{},"children":["Example role group"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail travel agency"]}," (parent org / head office)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Booking agent"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["After-sales specialist"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Invoice reviewer"]}]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail storefront"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["New York branch"]}," (managed child organization)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Booking agent"]}]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail sales only"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This is the same app-level role catalog, but divided into bundles that match real business scope. The parent organization can receive ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail storefront"]},", while New York branch can be limited to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail sales only"]},"."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"configure-role-groups","__idx":2},"children":["Configure role groups"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Admin Portal"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["B2B Identity"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Roles"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Role groups"]}," tab, select the application from the selector at the top of the page."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For each ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["role group"]},", you set a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["name"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["value"]},", and optional ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["description"]},", and you attach ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["one or more"]}," of the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/b2b/b2b_define_app_roles"},"children":["member roles"]}," you defined for the application. A member role must sit in ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["at least one"]}," role group before it can be assigned to members at all."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After role groups are created, they are ready to be assigned to organizations. You’ll complete this in a later step (see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/b2b/b2b_configure_org_roles_auth"},"children":["Configure org roles & auth"]},")."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"understand-parentchild-role-group-relationships","__idx":3},"children":["Understand parent–child role group relationships"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Staying with the same travel booking example, the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail travel agency"]}," is the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["parent organization"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["New York branch"]}," is a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["managed child organization"]},". Head-office members in the parent organization need the broader ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail storefront"]}," bundle. Branch members in New York branch should be limited to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail sales only"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This distinction matters because the next configuration step is not only to create role groups, but also to decide which ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["parent"]}," role groups may expose which ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["child-facing"]}," role groups. Later, when you configure organizations, the parent will receive its own role groups and the child will be limited to the role groups the parent exposed for managed organizations."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A managed child may have ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["more than one"]}," parent; each parent contributes its own list of exposed role groups."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"b2b-wip-table-wrap"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"b2b-wip-bordered-table"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{},"children":["Travel story"]},{"$$mdtype":"Tag","name":"th","attributes":{},"children":["Mosaic"]},{"$$mdtype":"Tag","name":"th","attributes":{},"children":["What you configure"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail travel agency"]}," operates the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["head office"]}," and provisions ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["New York branch"]}," as a managed branch."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Organization"]}," (parent)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Assign roles"]},": give the parent the bundle its own staff need, here ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail storefront"]},". On that parent role group, set ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Select managed orgs role groups"]}," to include ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail sales only"]}," so admins can attach that narrower bundle to New York branch."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["New York branch"]}," employee works with branch-level permissions only."]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Managed organization"]}," (child)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Assign roles"]}," on the child: choose the bundle exposed by the parent, here ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail sales only"]},". For each ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["member"]},", assign only app-level roles that belong to that group, here ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Booking agent"]},"."]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"configure-parentchild-role-group-relationships","__idx":4},"children":["Configure parent–child role group relationships"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The steps below follow the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail travel agency"]}," example: create ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail sales only"]}," for managed branches first, then ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail storefront"]}," for the parent, then configure the mapping and later assign the groups to organizations (see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/b2b/b2b_setup-overview#step-4-create-app-role-groups"},"children":["Setup overview — Step 4"]},")."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Admin Portal"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["B2B Identity"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Roles"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Role groups"]}," tab:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create the role groups for managed children"]},". ",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]}," You need these groups in the catalog before they can be selected in ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Select managed orgs role groups"]},". For example, create ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail sales only"]}," with ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Booking agent"]}," and add the required ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["member roles"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create the role groups for parent organizations"]},". ",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]}," Each role group must contain ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["at least one"]}," member role, including groups mainly used to drive child exposure. For example, create ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail storefront"]}," with ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Booking agent"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["After-sales specialist"]},", and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Invoice reviewer"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["For each parent role group, expose the role groups that managed children can use"]},". ",{"$$mdtype":"Tag","name":"br","attributes":{},"children":[]}," In ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Select managed orgs role groups"]},", select the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["child-facing"]}," role groups from step 1, such as ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Retail sales only"]},", that managed children like ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["New York branch"]}," can receive."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Once role groups and their mappings are in place, they are ready to be assigned to organizations. You’ll complete this in a later step (see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/b2b/b2b_configure_org_roles_auth"},"children":["Configure org roles & auth"]},")."]},{"$$mdtype":"Tag","name":"style","attributes":{},"children":["\n    /* Blockquote intro block */\n    [data-component-name=\"Markdown/Markdown\"] blockquote {\n        border-left: 4px solid #BBC5FF !important;\n        border-radius: 2px;\n        background-color: #F1F2FF !important;\n        padding: 20px 10px 15px 10px;\n        margin: 10px 1px;\n    }\n\n    /* Create role groups — bordered example table (same pattern as Define app roles).\n       Theme globals set th/td border-left/right: 0 !important. */\n    .b2b-wip-table-wrap {\n        margin: 10px 0;\n        border-radius: 5px;\n        overflow: hidden;\n        border: 1px solid #ededf2;\n    }\n\n    table.b2b-wip-bordered-table {\n        border-collapse: collapse;\n        width: 100%;\n        margin: 0;\n    }\n\n    table.b2b-wip-bordered-table th,\n    table.b2b-wip-bordered-table td {\n        border: 1px solid #ededf2 !important;\n        padding: 10px;\n        text-align: left;\n        vertical-align: top;\n    }\n\n    table.b2b-wip-bordered-table thead th {\n        background-color: #f5f5f5 !important;\n        color: #000000 !important;\n        font-weight: 600 !important;\n    }\n\n    table.b2b-wip-bordered-table ul {\n        margin: 0;\n        padding-left: 1.25em;\n    }\n"]}]},"headings":[{"value":"Create app role groups","id":"create-app-role-groups","depth":1},{"value":"Understand role groups","id":"understand-role-groups","depth":2},{"value":"Configure role groups","id":"configure-role-groups","depth":2},{"value":"Understand parent–child role group relationships","id":"understand-parentchild-role-group-relationships","depth":2},{"value":"Configure parent–child role group relationships","id":"configure-parentchild-role-group-relationships","depth":2}],"frontmatter":{"markdown":{"toc":{"depth":2}},"navigation":{"previousButton":{"text":"Previous:","hide":false,"label":"Define app roles","link":"/guides/user/b2b/b2b_define_app_roles"},"nextButton":{"text":"Next:","hide":false,"label":"Create organizations","link":"/guides/user/b2b/b2b_create_organization"}},"seo":{"title":"Create app role groups"}},"lastModified":"2026-05-07T12:32:01.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/user/b2b/b2b_create_role_groups","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}