
Role Mappings

Role Mappings let you automatically assign Guardian Pro permission levels based on the AWS IAM roles your team members use. Instead of manually assigning a Guardian Pro role to every user, you can define mapping rules that determine the appropriate access level based on existing IAM role patterns.

Why Use Role Mappings

In most organisations, AWS IAM roles already reflect team responsibilities:

  • Platform engineers assume administrative roles with broad access.
  • Security auditors assume read-only roles scoped to security services.
  • Developers assume roles with access to specific application resources.

Role Mappings carry this existing structure into Guardian Pro, so you do not need to maintain a separate access control scheme. When a new user is provisioned through onboarding or invitation, their Guardian Pro role can be determined automatically from their AWS IAM role.

tip

Role Mappings are optional. You can always assign Guardian Pro roles manually through the Users page. Role Mappings simply automate this process for organisations with established IAM role conventions.

Accessing Role Mappings

Navigate to Settings > Role Mappings from the left sidebar. You need the org:read permission to view mappings and org:write to create or modify them.

How Role Mappings Work

A role mapping is a rule that says: "When a user's AWS IAM role matches this pattern, assign them this Guardian Pro role."

Each mapping consists of:

Field                Description
IAM Role Pattern     The AWS IAM role name or ARN pattern to match against
Guardian Pro Role    The role to assign: Admin, Standard, or Read-Only
Priority             The order in which mappings are evaluated (lower number = higher priority)
Description          An optional note explaining the purpose of this mapping

Pattern Matching

Role Mappings support two matching modes:

  • Exact match -- The IAM role name must match exactly (e.g., GuardianProAdmin).
  • Wildcard match -- Use * as a wildcard to match partial role names (e.g., SecurityAuditor* matches SecurityAuditorProd, SecurityAuditorDev, etc.).

Evaluation Order

When a user's IAM role matches multiple mapping rules, the rule with the highest priority (lowest priority number) is used. If no rules match, the user receives the default role configured for your organisation (typically Read-Only).

note

Priority numbers must be unique. No two mapping rules can have the same priority value.

Creating a Role Mapping

To create a new role mapping:

  1. Navigate to Settings > Role Mappings.
  2. Click Add Mapping.
  3. Enter the IAM role pattern (exact name or wildcard pattern).
  4. Select the Guardian Pro role to assign.
  5. Set the priority (lower numbers are evaluated first).
  6. Optionally, add a description.
  7. Click Save.

Example Mappings

Here are common mapping configurations:

IAM Role Pattern      Guardian Pro Role   Priority   Description
OrganizationAdmin*    Admin               1          Full admin access for org administrators
PlatformEngineer*     Admin               2          Full access for platform team
SecurityAuditor*      Read-Only           3          View-only access for auditors
Developer*            Standard            4          Standard access for development teams
*ReadOnly*            Read-Only           5          View-only for any read-only IAM role

caution

Be careful with broad wildcard patterns that grant elevated access, such as *Admin*: the pattern matches any role name containing that substring, including roles you did not have in mind (a read-only role named, for example, AdminPortalReadOnly would match). Make sure your priority ordering evaluates more specific rules before broader ones, and give any catch-all wildcard rule the lowest priority (highest number).
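The matching and precedence rules described above (exact versus wildcard match, lowest priority number wins, default role when nothing matches), together with the caution about broad wildcards, written out as a small evaluator. This is an added illustration for this page, not Guardian Pro's own code. It assumes that * matches any run of characters (including none) and is the only metacharacter, that matching is case-sensitive, and that an ARN is reduced to its role name (path stripped) before matching; none of these details are stated on the page. The mapping table is the example table above; the sample role names are constructed for the walk-through.

```python
"""Reference model of how a role-mapping table is evaluated.

Added illustration, not Guardian Pro's own code. Assumptions not stated on the
page: `*` matches any run of characters (including none) and is the only
metacharacter; matching is case-sensitive; an ARN is reduced to its role name
(path stripped) before matching.
"""
from dataclasses import dataclass
import re

VALID_ROLES = {"Admin", "Standard", "Read-Only"}


@dataclass(frozen=True)
class Mapping:
    pattern: str        # IAM role name, or wildcard pattern such as SecurityAuditor*
    role: str           # Guardian Pro role to assign
    priority: int       # lower number = evaluated first
    description: str = ""


def role_name_from_arn(value):
    """Accept a bare role name or an ARN (arn:aws:iam::123456789012:role/path/Name)."""
    if value.startswith("arn:"):
        resource = value.split(":", 5)[5]      # "role/path/Name"
        return resource.rsplit("/", 1)[-1]     # "Name"
    return value


def pattern_matches(pattern, role_name):
    """Exact match when the pattern has no '*'; otherwise each '*' matches any text.

    Built on re.escape so that characters like '.' or '+' in a pattern stay literal.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, role_name) is not None


def validate(mappings):
    """Enforce the page's rules: unique priorities, known Guardian Pro roles."""
    priorities = [m.priority for m in mappings]
    if len(set(priorities)) != len(priorities):
        raise ValueError("priority numbers must be unique")
    for m in mappings:
        if m.role not in VALID_ROLES:
            raise ValueError(f"unknown Guardian Pro role {m.role!r} in {m.pattern!r}")


def evaluate(mappings, iam_role, default_role="Read-Only"):
    """Return (assigned role, matching mapping or None); lowest priority number wins."""
    validate(mappings)
    name = role_name_from_arn(iam_role)
    for m in sorted(mappings, key=lambda m: m.priority):
        if pattern_matches(m.pattern, name):
            return m.role, m
    return default_role, None


# The example table from this page.
EXAMPLE_MAPPINGS = [
    Mapping("OrganizationAdmin*", "Admin", 1, "Full admin access for org administrators"),
    Mapping("PlatformEngineer*", "Admin", 2, "Full access for platform team"),
    Mapping("SecurityAuditor*", "Read-Only", 3, "View-only access for auditors"),
    Mapping("Developer*", "Standard", 4, "Standard access for development teams"),
    Mapping("*ReadOnly*", "Read-Only", 5, "View-only for any read-only IAM role"),
]

# Constructed role names for the walk-through; they are not from any real account.
SAMPLE_ROLES = [
    "arn:aws:iam::123456789012:role/OrganizationAdminProd",
    "PlatformEngineerEU",
    "SecurityAuditorDev",
    "DeveloperReadOnlyTools",   # matches Developer* (4) AND *ReadOnly* (5)
    "BillingReadOnly",
    "DataScientist",            # matches nothing -> default role
]


def misordered_example():
    """The caution above, in code: a constructed role name containing both 'Admin'
    and 'ReadOnly' gets Admin when the broad *Admin* rule is ranked first, and
    Read-Only when that rule is ranked last."""
    role = "AdminPortalReadOnly"
    broad_first = [Mapping("*Admin*", "Admin", 1), Mapping("*ReadOnly*", "Read-Only", 2)]
    broad_last = [Mapping("*ReadOnly*", "Read-Only", 1), Mapping("*Admin*", "Admin", 2)]
    return evaluate(broad_first, role)[0], evaluate(broad_last, role)[0]


if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        assigned, rule = evaluate(EXAMPLE_MAPPINGS, role)
        matched = f"rule {rule.priority} ({rule.pattern})" if rule else "default role"
        print(f"{role_name_from_arn(role):28} -> {assigned:10} via {matched}")
    print("AdminPortalReadOnly with *Admin* first vs last:", misordered_example())
```

Running it prints one line per sample role. Note DeveloperReadOnlyTools: it matches both Developer* and *ReadOnly*, and because Developer* has the lower priority number it receives Standard, not Read-Only. That is the same ordering question the Test Mapping tool answers for a real role name, and it is worth checking for any role name that could plausibly match more than one rule.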

Editing a Role Mapping

To modify an existing mapping:

  1. Find the mapping in the list.
  2. Click the Edit icon.
  3. Update the fields as needed.
  4. Click Save.

Changes to role mappings apply to future user provisioning and role evaluations. Existing users retain their current roles unless you manually reassign them or trigger a role re-evaluation.

Deleting a Role Mapping

To remove a mapping:

  1. Find the mapping in the list.
  2. Click the Delete icon.
  3. Confirm the deletion.

Deleting a mapping does not change the roles of users who were previously assigned through that mapping; their current role remains in effect. If you are deleting a mapping in order to withdraw access, reassign the affected users manually (or trigger a role re-evaluation) as well.

Default Role

When no role mapping matches a user's IAM role, the user is assigned the default role. You can configure the default role at the top of the Role Mappings page.

The default role applies to:

  • Users whose IAM roles do not match any mapping pattern.
  • Users added through direct invitation (if no mapping override is specified).

info

We recommend setting the default role to Read-Only to follow the principle of least privilege. Users can then be upgraded to higher roles manually or through more specific mapping rules.

Role Mapping and Onboarding

During the onboarding process, Guardian Pro discovers users in your AWS Organization and presents them for provisioning. When role mappings are configured, the suggested Guardian Pro role for each discovered user is automatically populated based on the mapping rules.

You can review and override these suggestions before completing user provisioning.

Testing a Mapping

To verify how your mapping rules will evaluate a specific IAM role:

  1. On the Role Mappings page, use the Test Mapping tool.
  2. Enter an IAM role name or ARN.
  3. Guardian Pro shows which mapping rule would match and what Guardian Pro role would be assigned.

This is useful for validating your configuration before onboarding new users.

Audit Trail

All role mapping changes -- creation, modification, and deletion -- are recorded in the audit trail. This includes who made the change and when, supporting your compliance and change management requirements.

Next Steps