# Get Shield to recognize the user using PKI auth

I am currently using Shield to auth users with PKI. Currently, when a user with the CN `John Doe jdoe` navigates to /_search, the exception is:

```
type: security_exception
reason: action [indices:data/read/search] is unauthorized for user [John Doe jdoe]
```

In the access log, it shows that

```
access_denied, principal = [John Doe jdoe], action = [indices:data/read/search], indices=[]
```

How do I create a role for this user and assign it to this user so Shield can recognize it and show the appropriate data? I tried to add it in users_roles.yml like below:

You need to edit the `role_mapping.yml` file to add a mapping to a role based on the DN of your certificate. Please see https://www.elastic.co/guide/en/shield/current/pki-realm.html#assigning-roles-pki
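
The mapping described in the answer could look like the following. This is an added example, not part of the original thread or the Shield documentation: the role name `search_user` is hypothetical, and every DN component other than the CN is a constructed placeholder.

```yaml
# role_mapping.yml (used by the Shield PKI realm)
#
# Key:    the name of a role that is already defined in roles.yml.
#         "search_user" is a hypothetical name for this example; the role
#         itself must grant read access to the indices being searched.
# Values: the full subject DNs of the client certificates that should
#         receive that role.
search_user:
  # Constructed DN: only the CN comes from the question, the OU/O/C parts
  # are placeholders. Copy the subject exactly as it appears in the client
  # certificate, for example as printed by:
  #   openssl x509 -in client.crt -noout -subject -nameopt RFC2253
  - "CN=John Doe jdoe,OU=Example Unit,O=Example Org,C=US"

# The access log shows only the principal ("John Doe jdoe"), which is the
# CN part of the certificate subject. The answer says to map on the DN, so
# the entry above carries the whole subject rather than that principal.
```

After the mapping is in place, the `access_denied` entry for `indices:data/read/search` should no longer appear for this principal, provided the mapped role covers the requested indices.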