Retrieving Roles for Subjects Authenticating to Single Sign-on Enabled Login Modules

The CertificateAuthenticationLoginModule does not extract role information. If MBOs and MBO operations have roles assigned, stack login modules to get roles for the user.

  1. HttpAuthenticationLoginModule – username and password credentials are supplied by the user. If these credentials go to an LDAP/AD EIS, add an LDAPAuthorizer with appropriate properties to look up the LDAP subject and retrieve LDAP groups as roles. You can also use the csi-userrole authorizer, but role-mapping maintenance is onerous with a large user base.
  2. CertificateAuthenticationLoginModule – use the csi-userrole provider to map logical roles to physical roles named user:subject where subject matches the common name (CN=xxx) from the X.509 certificate.

    See Configuring an LDAP Authentication Module in Sybase Control Center online help.
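The following Python model is an added illustration, not Sybase product code, of the behaviour the two stacked modules produce: a certificate-only login authenticates by CN but yields no roles, a username/password login backed by an LDAP-style authorizer contributes directory groups as roles, and a csi-userrole style map resolves a logical role to the physical role `user:<CN>` taken from the certificate subject. The directory, password store, role map, and function names are all constructed for the example; the DN parser honours RFC 4514 backslash escapes so a CN containing a comma is not split.

```python
"""Illustrative model of role retrieval through stacked login modules.

Added example, not Sybase code. LDAP_GROUPS, PASSWORDS and ROLE_MAP are
constructed stand-ins for the EIS directory and the csi-userrole mapping.
"""

# Constructed stand-ins for the LDAP/AD EIS: groups per user, and passwords.
LDAP_GROUPS = {"alice": {"Sales", "MobileUsers"}, "bob": {"Finance"}}
PASSWORDS = {"alice": "s3cret", "bob": "hunter2"}

# Constructed csi-userrole style map: logical role -> physical roles.
# A physical role is either a directory group or a "user:<subject>" entry.
ROLE_MAP = {
    "SalesMBO": {"Sales", "user:carol"},
    "FinanceMBO": {"Finance"},
}


def parse_dn(dn):
    """Parse an RFC 4514 DN string into (attribute, value) pairs, honouring
    backslash escapes so a value such as "Smith\\, John" is not split."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and attr is None:          # first '=' ends the attribute name
            attr = "".join(buf).strip().upper()
            buf = []
        elif c == ",":                         # unescaped ',' ends the RDN
            if attr is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError("RDN without '=' in %r" % dn)
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def common_name(dn):
    """Return the leftmost CN value of a subject DN, or None if there is none."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def certificate_login(subject_dn):
    """Certificate module: authenticates by CN but, like the real module,
    extracts no role information."""
    cn = common_name(subject_dn)
    if cn is None:
        return None
    return {"principal": cn, "roles": set()}


def http_login(username, password):
    """Username/password module with an LDAP-style authorizer: on success the
    user's directory groups become the subject's roles."""
    if PASSWORDS.get(username) != password:
        return None
    return {"principal": username, "roles": set(LDAP_GROUPS.get(username, ()))}


def stacked_login(*results):
    """Merge the outputs of stacked modules: any successful module authenticates
    the subject, and the roles are the union of what each module retrieved."""
    successes = [r for r in results if r is not None]
    if not successes:
        return None
    roles = set().union(*(r["roles"] for r in successes))
    return {"principal": successes[0]["principal"], "roles": roles}


def physical_roles(subject):
    """Physical roles a subject holds: the roles the modules retrieved plus the
    csi-userrole convention user:<subject>."""
    return subject["roles"] | {"user:" + subject["principal"]}


def logical_roles(subject, role_map=ROLE_MAP):
    """Logical roles whose physical mapping intersects the subject's roles."""
    held = physical_roles(subject)
    return {logical for logical, phys in role_map.items() if phys & held}


def authorized(subject, required_logical_role, role_map=ROLE_MAP):
    """True when the (possibly stacked) subject holds the MBO's logical role."""
    return subject is not None and required_logical_role in logical_roles(subject, role_map)
```

Running `authorized(certificate_login("CN=alice,OU=Mobile,O=Example"), "SalesMBO")` returns False because the certificate module alone supplies no roles and no `user:alice` mapping exists, whereas stacking it with `http_login("alice", "s3cret")` picks up the `Sales` group from the directory and grants the role; `carol` is authorized from the certificate alone only because the map explicitly lists `user:carol`, which is the per-user maintenance the page warns about for large user bases.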