Cloud Services


Hybrid authorization
Published On May 16, 2024 - 1:22 PM

Hybrid authorization

Understand the three types of supported authorization: internal, external, and hybrid authorization.

Types of authorization

authorization, all of the contexts, roles, teams, user data, and user-team relationship information are stored in a Kyndryl Modern Operations Applications database. With
authorization, all data is stored externally with the customer. For
authorization, some data is stored in Kyndryl Modern Operations Applications and some is stored on the customer side.
User-to-team mapping is maintained outside of Kyndryl Modern Operations Applications typically in a customer LDAP or an external IAM solution, and team-to-role mapping is maintained within Kyndryl Modern Operations Applications. (Roles and teams, are stored on a Kyndryl Modern Operations Applications database, and user-team relationships come from the customer database.)

Process flow for user authorization

Following is the process for user authorization.
  1. Access Kyndryl Modern Operations Applications.
  2. Check where IdP user belongs to.
  3. Once user password is verified, the SAML token is given.
  4. Generates SAML and sends groups that the user belongs to.
  5. Maps the groups to teams and uses the team-role mapping in Kyndryl Modern Operations Applications to determine access rights for the users.
  6. User can now access Kyndryl Modern Operations Applications.

User authentication with IdP

IdP generates a SAML token including the user-to-groups information. Kyndryl Modern Operations Applications uses the user-to-groups information to determine the authorization for the user (based on the team-role-context mapping in Kyndryl Modern Operations Applications).


Hybrid Authorization is supported in Kyndryl Modern Operations Applications. Access rights in Kyndryl Modern Operations Applications are based on the user-to-team relationship maintained outside of the application on the client side and the team-role relationship maintained within Kyndryl Modern Operations Applications.
Kyndryl Modern Operations Applications does not have any user information or user-team mapping data.
Authorization for System Users is still performed through the Kyndryl Modern Operations Applications user interface.
Existing functionality related to internal and external authorization remains the same.
When authorization is set to Hybrid, if the configuration setting is set to enable API access for specific users, the user having access to APIs is indicated through a flag when the user logs in. Based on this flag, the user may be provided access to APIs, depending on the SAML claims. SAML claims are registered in Core Plus during application onboarding (similar to role registration).
Core Plus automatically publishes the list of application claims (when the application registers its claims) as Core Lite Claims so that they are made available for configuration by a Core Plus System Administrator.
IdP claims are mapped to Core Lite Claims by a Core Plus system administrator using Core Plus API using Core Lite API internally.
Core Plus System Administrators can perform the following:
  • Verify and switch from
    Authorization to Hybrid Authorization.
  • Verify and switch from
    Authorization to Internal Authorization.
  • With TSA can specify the IdP team name for a Core Plus team when using Hybrid Authorization. Each IdP team is mapped to one and only one Core Plus team. Each Core Plus team is mapped to one and only one IdP team.
Do you have two minutes for a quick survey?
Take Survey