IMIO · remdub · Dec 10, 2025 · Dec 5, 2025 · Dec 10, 2025 · Dec 10, 2025
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,12 +1,11 @@
 ## 1.4.2 (unreleased)
 
-
-- Nothing changed yet.
+- Set administrator role for users in group iA.Smartweb-admin with an imio address.
+  [bsuttor]
 
 
 ## 1.4.1 (2025-11-25)
 
-
 - WEB-4331 : Set Allowed Groups with environment variable
   [remdub]
 
@@ -28,7 +27,6 @@
 
 ## 1.3.1 (2025-09-30)
 
-
 - Do not gave administrator role for users in group iA.Smartweb.
   [bsuttor]
 

diff --git a/src/pas/plugins/kimug/plugin/__init__.py b/src/pas/plugins/kimug/plugin/__init__.py
@@ -7,6 +7,7 @@
 from zope.interface import implementer
 
 import jwt
+import os
 
 
 # from jwt.algorithms import RSAAlgorithm
@@ -71,11 +72,16 @@ class KimugPlugin(OIDCPlugin):
     @security.private
     def getRolesForPrincipal(self, user, request=None):
         """Fulfill RolesPlugin requirements"""
-        # app_id = os.environ.get("application_id", "smartweb")
+        app_id = os.environ.get("application_id", "iA.Smartweb")
+        admin_group = f"{app_id}-admin"
         roles = ["Member"]
-        # if app_id in user.getGroups():
-        #     roles.append("Manager")
-        #     return tuple(roles)
+        if (
+            app_id
+            and admin_group in user.getGroups()
+            and user.getProperty("email").endswith("@imio.be")
+        ):
+            roles.append("Manager")
+            return tuple(roles)
         return tuple(roles)
 
     @security.private