diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/types.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/types.ts
index cda3ab213fb87..e763264a041de 100644
--- a/x-pack/plugins/enterprise_search/public/applications/app_search/types.ts
+++ b/x-pack/plugins/enterprise_search/public/applications/app_search/types.ts
@@ -6,5 +6,5 @@
  */
 
 export * from '../../../common/types/app_search';
-export { Role, RoleTypes, AbilityTypes } from './utils/role';
+export { Role, RoleTypes, AbilityTypes, ASRoleMapping } from './utils/role';
 export { Engine } from './components/engine/types';
diff --git a/x-pack/plugins/enterprise_search/public/applications/app_search/utils/role/index.ts b/x-pack/plugins/enterprise_search/public/applications/app_search/utils/role/index.ts
index 3c75d34e6cdc9..6e0a2f8e2adf2 100644
--- a/x-pack/plugins/enterprise_search/public/applications/app_search/utils/role/index.ts
+++ b/x-pack/plugins/enterprise_search/public/applications/app_search/utils/role/index.ts
@@ -5,6 +5,8 @@
  * 2.0.
  */
 
+import { RoleMapping } from '../../../shared/types';
+import { Engine } from '../../components/engine/types';
 import { Account } from '../../types';
 
 export type RoleTypes = 'owner' | 'admin' | 'dev' | 'editor' | 'analyst';
@@ -103,3 +105,11 @@ export const getRoleAbilities = (role: Account['role']): Role => {
 
   return Object.assign(myRole, topLevelProps, abilities);
 };
+
+export interface ASRoleMapping extends RoleMapping {
+  accessAllEngines: boolean;
+  engines: Engine[];
+  toolTip?: {
+    content: string;
+  };
+}
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/__mocks__/roles.ts b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/__mocks__/roles.ts
new file mode 100644
index 0000000000000..6e9c867b15679
--- /dev/null
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/__mocks__/roles.ts
@@ -0,0 +1,68 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const asRoleMapping = {
+  id: null,
+  attributeName: 'role',
+  attributeValue: ['superuser'],
+  authProvider: ['*'],
+  roleType: 'owner',
+  rules: {
+    role: 'superuser',
+  },
+  accessAllEngines: true,
+  engines: [],
+  toolTip: {
+    content: 'Elasticsearch superusers will always be able to log in as the owner',
+  },
+};
+
+export const wsRoleMapping = {
+  id: '602d4ba85foobarbaz123',
+  attributeName: 'username',
+  attributeValue: 'user',
+  authProvider: ['*', 'other_auth'],
+  roleType: 'admin',
+  rules: {
+    username: 'user',
+  },
+  allGroups: true,
+  groups: [
+    {
+      id: '602c3b475foobarbaz123',
+      name: 'Default',
+      createdAt: '2021-02-16T21:38:15Z',
+      updatedAt: '2021-02-16T21:40:32Z',
+      contentSources: [
+        {
+          id: '602c3bcf5foobarbaz123',
+          name: 'National Parks',
+          serviceType: 'custom',
+        },
+      ],
+      users: [
+        {
+          id: '602c3b485foobarbaz123',
+          name: 'you_know_for_search',
+          email: 'foo@example.com',
+          initials: 'E',
+          pictureUrl: null,
+          color: '#ffcc13',
+        },
+        {
+          id: '602c3bf85foobarbaz123',
+          name: 'elastic',
+          email: null,
+          initials: 'E',
+          pictureUrl: null,
+          color: '#7968ff',
+        },
+      ],
+      usersCount: 2,
+    },
+  ],
+};
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/add_role_mapping_button.test.tsx b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/add_role_mapping_button.test.tsx
new file mode 100644
index 0000000000000..a02f6c43225c0
--- /dev/null
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/add_role_mapping_button.test.tsx
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+
+import { shallow } from 'enzyme';
+
+import { EuiButtonTo } from '../react_router_helpers';
+
+import { AddRoleMappingButton } from './add_role_mapping_button';
+
+describe('AddRoleMappingButton', () => {
+  it('renders', () => {
+    const wrapper = shallow(<AddRoleMappingButton path="/foo" />);
+
+    expect(wrapper.find(EuiButtonTo)).toHaveLength(1);
+  });
+});
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/add_role_mapping_button.tsx b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/add_role_mapping_button.tsx
new file mode 100644
index 0000000000000..0ae9f16ea2f9b
--- /dev/null
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/add_role_mapping_button.tsx
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+
+import { EuiButtonTo } from '../react_router_helpers';
+
+import { ADD_ROLE_MAPPING_BUTTON } from './constants';
+
+interface Props {
+  path: string;
+}
+
+export const AddRoleMappingButton: React.FC<Props> = ({ path }) => (
+  <EuiButtonTo to={path} fill color="secondary">
+    {ADD_ROLE_MAPPING_BUTTON}
+  </EuiButtonTo>
+);
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/attribute_selector.test.tsx b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/attribute_selector.test.tsx
new file mode 100644
index 0000000000000..bc31732527b0e
--- /dev/null
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/attribute_selector.test.tsx
@@ -0,0 +1,167 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+
+import { shallow, ShallowWrapper } from 'enzyme';
+
+import { EuiComboBox, EuiFieldText } from '@elastic/eui';
+
+import { AttributeSelector, AttributeName } from './attribute_selector';
+import { ANY_AUTH_PROVIDER, ANY_AUTH_PROVIDER_OPTION_LABEL } from './constants';
+
+const handleAttributeSelectorChange = jest.fn();
+const handleAttributeValueChange = jest.fn();
+const handleAuthProviderChange = jest.fn();
+
+const baseProps = {
+  attributeName: 'username' as AttributeName,
+  attributeValue: 'Something',
+  attributes: ['a', 'b', 'c'],
+  availableAuthProviders: ['ees_saml', 'kbn_saml'],
+  selectedAuthProviders: ['ees_saml'],
+  elasticsearchRoles: ['whatever'],
+  multipleAuthProvidersConfig: true,
+  disabled: false,
+  handleAttributeSelectorChange,
+  handleAttributeValueChange,
+  handleAuthProviderChange,
+};
+
+describe('AttributeSelector', () => {
+  it('renders', () => {
+    const wrapper = shallow(<AttributeSelector {...baseProps} />);
+
+    expect(wrapper.find('[data-test-subj="AttributeSelector"]').exists()).toBe(true);
+  });
+
+  it('renders disabled panel with className', () => {
+    const wrapper = shallow(<AttributeSelector {...baseProps} disabled />);
+
+    expect(wrapper.find('[data-test-subj="AttributeSelector"]').prop('className')).toEqual(
+      'euiPanel--disabled'
+    );
+  });
+
+  describe('Auth Providers', () => {
+    const findAuthProvidersSelect = (wrapper: ShallowWrapper) =>
+      wrapper.find('[data-test-subj="AuthProviderSelect"]');
+
+    it('will not render if "availableAuthProviders" prop has not been provided', () => {
+      const wrapper = shallow(
+        <AttributeSelector {...baseProps} availableAuthProviders={undefined} />
+      );
+
+      expect(findAuthProvidersSelect(wrapper)).toHaveLength(0);
+    });
+
+    it('handles fallback props', () => {
+      const wrapper = shallow(
+        <AttributeSelector
+          {...baseProps}
+          attributeValue={undefined}
+          selectedAuthProviders={undefined}
+        />
+      );
+
+      const select: ShallowWrapper = findAuthProvidersSelect(wrapper);
+
+      expect(select.prop('selectedOptions')).toEqual([
+        {
+          label: ANY_AUTH_PROVIDER_OPTION_LABEL,
+          value: ANY_AUTH_PROVIDER,
+        },
+      ]);
+    });
+
+    it('renders a list of auth providers from the "availableAuthProviders" prop including an "Any" option', () => {
+      const wrapper = shallow(
+        <AttributeSelector {...baseProps} availableAuthProviders={['ees_saml', 'kbn_saml']} />
+      );
+      const select = findAuthProvidersSelect(wrapper) as any;
+
+      expect(select.props().options).toEqual([
+        {
+          label: expect.any(String),
+          options: [{ label: ANY_AUTH_PROVIDER_OPTION_LABEL, value: '*' }],
+        },
+        {
+          label: expect.any(String),
+          options: [
+            { label: 'ees_saml', value: 'ees_saml' },
+            { label: 'kbn_saml', value: 'kbn_saml' },
+          ],
+        },
+      ]);
+    });
+
+    it('the "selectedAuthProviders" prop should be used as the selected value', () => {
+      const wrapper = shallow(
+        <AttributeSelector
+          {...baseProps}
+          availableAuthProviders={['ees_saml', 'kbn_saml']}
+          selectedAuthProviders={['kbn_saml']}
+        />
+      );
+      const select = findAuthProvidersSelect(wrapper) as any;
+
+      expect(select.props().selectedOptions).toEqual([{ label: 'kbn_saml', value: 'kbn_saml' }]);
+    });
+
+    it('should call the "handleAuthProviderChange" prop when a value is selected', () => {
+      const wrapper = shallow(<AttributeSelector {...baseProps} />);
+      const select = findAuthProvidersSelect(wrapper);
+      select.simulate('change', [{ label: 'kbn_saml', value: 'kbn_saml' }]);
+
+      expect(handleAuthProviderChange).toHaveBeenCalledWith(['kbn_saml']);
+    });
+
+    it('should call the "handleAttributeSelectorChange" prop when a value is selected', () => {
+      const wrapper = shallow(<AttributeSelector {...baseProps} />);
+      const select = wrapper.find('[data-test-subj="ExternalAttributeSelect"]');
+      const event = { target: { value: 'kbn_saml' } };
+      select.simulate('change', event);
+
+      expect(handleAttributeSelectorChange).toHaveBeenCalledWith(
+        'kbn_saml',
+        baseProps.elasticsearchRoles[0]
+      );
+    });
+
+    it('handles fallback when no "handleAuthProviderChange" provided', () => {
+      const wrapper = shallow(
+        <AttributeSelector {...baseProps} handleAuthProviderChange={undefined} />
+      );
+
+      expect(wrapper.find(EuiComboBox).prop('onChange')!([])).toEqual(undefined);
+    });
+
+    it('should call the "handleAttributeSelectorChange" prop when field text value is changed', () => {
+      const wrapper = shallow(<AttributeSelector {...baseProps} />);
+      const input = wrapper.find(EuiFieldText);
+      const event = { target: { value: 'kbn_saml' } };
+      input.simulate('change', event);
+
+      expect(handleAttributeSelectorChange).toHaveBeenCalledWith(
+        'kbn_saml',
+        baseProps.elasticsearchRoles[0]
+      );
+    });
+
+    it('should call the "handleAttributeSelectorChange" prop when attribute value is selected', () => {
+      const wrapper = shallow(<AttributeSelector {...baseProps} attributeName="role" />);
+      const select = wrapper.find('[data-test-subj="ElasticsearchRoleSelect"]');
+      const event = { target: { value: 'kbn_saml' } };
+      select.simulate('change', event);
+
+      expect(handleAttributeSelectorChange).toHaveBeenCalledWith(
+        'kbn_saml',
+        baseProps.elasticsearchRoles[0]
+      );
+    });
+  });
+});
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/attribute_selector.tsx b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/attribute_selector.tsx
new file mode 100644
index 0000000000000..60d660a2f6862
--- /dev/null
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/attribute_selector.tsx
@@ -0,0 +1,189 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+
+import {
+  EuiComboBox,
+  EuiComboBoxOptionOption,
+  EuiFieldText,
+  EuiFlexGroup,
+  EuiFlexItem,
+  EuiFormRow,
+  EuiPanel,
+  EuiSelect,
+  EuiSpacer,
+  EuiTitle,
+} from '@elastic/eui';
+
+import {
+  ANY_AUTH_PROVIDER,
+  ANY_AUTH_PROVIDER_OPTION_LABEL,
+  AUTH_ANY_PROVIDER_LABEL,
+  AUTH_INDIVIDUAL_PROVIDER_LABEL,
+  ATTRIBUTE_SELECTOR_TITLE,
+  AUTH_PROVIDER_LABEL,
+  EXTERNAL_ATTRIBUTE_LABEL,
+  ATTRIBUTE_VALUE_LABEL,
+} from './constants';
+
+export type AttributeName = keyof AttributeExamples | 'role';
+
+interface Props {
+  attributeName: AttributeName;
+  attributeValue?: string;
+  attributes: string[];
+  selectedAuthProviders?: string[];
+  availableAuthProviders?: string[];
+  elasticsearchRoles: string[];
+  disabled: boolean;
+  multipleAuthProvidersConfig: boolean;
+  handleAttributeSelectorChange(value: string, elasticsearchRole: string): void;
+  handleAttributeValueChange(value: string): void;
+  handleAuthProviderChange?(value: string[]): void;
+}
+
+interface AttributeExamples {
+  username: string;
+  email: string;
+  metadata: string;
+}
+
+interface ParentOption extends EuiComboBoxOptionOption<string> {
+  label: string;
+  options: ChildOption[];
+}
+
+interface ChildOption extends EuiComboBoxOptionOption<string> {
+  value: string;
+  label: string;
+}
+
+const attributeValueExamples: AttributeExamples = {
+  username: 'elastic,*_system',
+  email: 'user@example.com,*@example.org',
+  metadata: '{"_reserved": true}',
+};
+
+const getAuthProviderOptions = (availableAuthProviders: string[]) => {
+  return [
+    {
+      label: AUTH_ANY_PROVIDER_LABEL,
+      options: [{ value: ANY_AUTH_PROVIDER, label: ANY_AUTH_PROVIDER_OPTION_LABEL }],
+    },
+    {
+      label: AUTH_INDIVIDUAL_PROVIDER_LABEL,
+      options: availableAuthProviders.map((authProvider) => ({
+        value: authProvider,
+        label: authProvider,
+      })),
+    },
+  ];
+};
+
+const getSelectedOptions = (selectedAuthProviders: string[], availableAuthProviders: string[]) => {
+  const groupedOptions: ParentOption[] = getAuthProviderOptions(availableAuthProviders);
+  const childOptions: ChildOption[] = [];
+  const options = groupedOptions.reduce((acc, n) => [...acc, ...n.options], childOptions);
+  return options.filter((o) => o.value && selectedAuthProviders.includes(o.value));
+};
+
+export const AttributeSelector: React.FC<Props> = ({
+  attributeName,
+  attributeValue = '',
+  attributes,
+  availableAuthProviders,
+  selectedAuthProviders = [ANY_AUTH_PROVIDER],
+  elasticsearchRoles,
+  disabled,
+  multipleAuthProvidersConfig,
+  handleAttributeSelectorChange,
+  handleAttributeValueChange,
+  handleAuthProviderChange = () => null,
+}) => {
+  return (
+    <EuiPanel
+      data-test-subj="AttributeSelector"
+      paddingSize="l"
+      className={disabled ? 'euiPanel--disabled' : ''}
+    >
+      <EuiTitle size="s">
+        <h3>{ATTRIBUTE_SELECTOR_TITLE}</h3>
+      </EuiTitle>
+      <EuiSpacer />
+      {availableAuthProviders && multipleAuthProvidersConfig && (
+        <EuiFlexGroup alignItems="stretch">
+          <EuiFlexItem>
+            <EuiFormRow label={AUTH_PROVIDER_LABEL} fullWidth>
+              <EuiComboBox
+                data-test-subj="AuthProviderSelect"
+                selectedOptions={getSelectedOptions(selectedAuthProviders, availableAuthProviders)}
+                options={getAuthProviderOptions(availableAuthProviders)}
+                onChange={(options) => {
+                  handleAuthProviderChange(options.map((o) => (o as ChildOption).value));
+                }}
+                fullWidth
+                isDisabled={disabled}
+              />
+            </EuiFormRow>
+          </EuiFlexItem>
+          <EuiFlexItem />
+        </EuiFlexGroup>
+      )}
+      <EuiFlexGroup alignItems="stretch">
+        <EuiFlexItem>
+          <EuiFormRow label={EXTERNAL_ATTRIBUTE_LABEL} fullWidth>
+            <EuiSelect
+              name="external-attribute"
+              data-test-subj="ExternalAttributeSelect"
+              value={attributeName}
+              required
+              options={attributes.map((attribute) => ({ value: attribute, text: attribute }))}
+              onChange={(e) => {
+                handleAttributeSelectorChange(e.target.value, elasticsearchRoles[0]);
+              }}
+              fullWidth
+              disabled={disabled}
+            />
+          </EuiFormRow>
+        </EuiFlexItem>
+        <EuiFlexItem>
+          <EuiFormRow label={ATTRIBUTE_VALUE_LABEL} fullWidth>
+            {attributeName === 'role' ? (
+              <EuiSelect
+                value={attributeValue}
+                name="elasticsearch-role"
+                data-test-subj="ElasticsearchRoleSelect"
+                required
+                options={elasticsearchRoles.map((elasticsearchRole) => ({
+                  value: elasticsearchRole,
+                  text: elasticsearchRole,
+                }))}
+                onChange={(e) => {
+                  handleAttributeValueChange(e.target.value);
+                }}
+                fullWidth
+                disabled={disabled}
+              />
+            ) : (
+              <EuiFieldText
+                value={attributeValue}
+                name="attribute-value"
+                placeholder={attributeValueExamples[attributeName]}
+                onChange={(e) => {
+                  handleAttributeValueChange(e.target.value);
+                }}
+                fullWidth
+                disabled={disabled}
+              />
+            )}
+          </EuiFormRow>
+        </EuiFlexItem>
+      </EuiFlexGroup>
+    </EuiPanel>
+  );
+};
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/constants.ts b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/constants.ts
new file mode 100644
index 0000000000000..1fbbc172dcf69
--- /dev/null
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/constants.ts
@@ -0,0 +1,109 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const ANY_AUTH_PROVIDER = '*';
+
+export const ANY_AUTH_PROVIDER_OPTION_LABEL = i18n.translate(
+  'xpack.enterpriseSearch.roleMapping.anyDropDownOptionLabel',
+  {
+    defaultMessage: 'Any',
+  }
+);
+
+export const ADD_ROLE_MAPPING_BUTTON = i18n.translate(
+  'xpack.enterpriseSearch.roleMapping.addRoleMappingButtonLabel',
+  {
+    defaultMessage: 'Add mapping',
+  }
+);
+
+export const AUTH_ANY_PROVIDER_LABEL = i18n.translate(
+  'xpack.enterpriseSearch.roleMapping.anyAuthProviderLabel',
+  {
+    defaultMessage: 'Any current or future Auth Provider',
+  }
+);
+
+export const AUTH_INDIVIDUAL_PROVIDER_LABEL = i18n.translate(
+  'xpack.enterpriseSearch.roleMapping.individualAuthProviderLabel',
+  {
+    defaultMessage: 'Select individual auth providers',
+  }
+);
+
+export const ATTRIBUTE_SELECTOR_TITLE = i18n.translate(
+  'xpack.enterpriseSearch.roleMapping.attributeSelectorTitle',
+  {
+    defaultMessage: 'Attribute mapping',
+  }
+);
+
+export const ROLE_LABEL = i18n.translate('xpack.enterpriseSearch.roleMapping.roleLabel', {
+  defaultMessage: 'Role',
+});
+
+export const ALL_LABEL = i18n.translate('xpack.enterpriseSearch.roleMapping.allLabel', {
+  defaultMessage: 'All',
+});
+
+export const AUTH_PROVIDER_LABEL = i18n.translate(
+  'xpack.enterpriseSearch.roleMapping.authProviderLabel',
+  {
+    defaultMessage: 'Auth provider',
+  }
+);
+
+export const EXTERNAL_ATTRIBUTE_LABEL = i18n.translate(
+  'xpack.enterpriseSearch.roleMapping.externalAttributeLabel',
+  {
+    defaultMessage: 'External attribute',
+  }
+);
+
+export const ATTRIBUTE_VALUE_LABEL = i18n.translate(
+  'xpack.enterpriseSearch.roleMapping.attributeValueLabel',
+  {
+    defaultMessage: 'Attribute value',
+  }
+);
+
+export const DELETE_ROLE_MAPPING_TITLE = i18n.translate(
+  'xpack.enterpriseSearch.roleMapping.deleteRoleMappingTitle',
+  {
+    defaultMessage: 'Remove this role mapping',
+  }
+);
+
+export const DELETE_ROLE_MAPPING_DESCRIPTION = i18n.translate(
+  'xpack.enterpriseSearch.roleMapping.deleteRoleMappingDescription',
+  {
+    defaultMessage: 'Please note that deleting a mapping is permanent and cannot be undone',
+  }
+);
+
+export const DELETE_ROLE_MAPPING_BUTTON = i18n.translate(
+  'xpack.enterpriseSearch.roleMapping.deleteRoleMappingButton',
+  {
+    defaultMessage: 'Delete mapping',
+  }
+);
+
+export const FILTER_ROLE_MAPPINGS_PLACEHOLDER = i18n.translate(
+  'xpack.enterpriseSearch.roleMapping.filterRoleMappingsPlaceholder',
+  {
+    defaultMessage: 'Filter roles...',
+  }
+);
+
+export const MANAGE_ROLE_MAPPING_BUTTON = i18n.translate(
+  'xpack.enterpriseSearch.roleMapping.manageRoleMappingButtonLabel',
+  {
+    defaultMessage: 'Manage',
+  }
+);
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/delete_mapping_callout.test.tsx b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/delete_mapping_callout.test.tsx
new file mode 100644
index 0000000000000..c7556ee20e26a
--- /dev/null
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/delete_mapping_callout.test.tsx
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+
+import { shallow } from 'enzyme';
+
+import { EuiButton, EuiCallOut } from '@elastic/eui';
+
+import { DeleteMappingCallout } from './delete_mapping_callout';
+
+describe('DeleteMappingCallout', () => {
+  const handleDeleteMapping = jest.fn();
+  it('renders', () => {
+    const wrapper = shallow(<DeleteMappingCallout handleDeleteMapping={handleDeleteMapping} />);
+
+    expect(wrapper.find(EuiCallOut)).toHaveLength(1);
+    expect(wrapper.find(EuiButton).prop('onClick')).toEqual(handleDeleteMapping);
+  });
+
+  it('handles button click', () => {
+    const wrapper = shallow(<DeleteMappingCallout handleDeleteMapping={handleDeleteMapping} />);
+    wrapper.find(EuiButton).simulate('click');
+
+    expect(handleDeleteMapping).toHaveBeenCalled();
+  });
+});
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/delete_mapping_callout.tsx b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/delete_mapping_callout.tsx
new file mode 100644
index 0000000000000..cb3c27038c566
--- /dev/null
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/delete_mapping_callout.tsx
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+
+import { EuiButton, EuiCallOut } from '@elastic/eui';
+
+import {
+  DELETE_ROLE_MAPPING_TITLE,
+  DELETE_ROLE_MAPPING_DESCRIPTION,
+  DELETE_ROLE_MAPPING_BUTTON,
+} from './constants';
+
+interface Props {
+  handleDeleteMapping(): void;
+}
+
+export const DeleteMappingCallout: React.FC<Props> = ({ handleDeleteMapping }) => (
+  <EuiCallOut color="danger" iconType="alert" title={DELETE_ROLE_MAPPING_TITLE}>
+    <p>{DELETE_ROLE_MAPPING_DESCRIPTION}</p>
+    <EuiButton color="danger" fill onClick={handleDeleteMapping}>
+      {DELETE_ROLE_MAPPING_BUTTON}
+    </EuiButton>
+  </EuiCallOut>
+);
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/index.ts b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/index.ts
new file mode 100644
index 0000000000000..e6320dbb7feef
--- /dev/null
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/index.ts
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { AddRoleMappingButton } from './add_role_mapping_button';
+export { AttributeSelector } from './attribute_selector';
+export { DeleteMappingCallout } from './delete_mapping_callout';
+export { RoleMappingsTable } from './role_mappings_table';
+export { RoleSelector } from './role_selector';
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/role_mappings_table.test.tsx b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/role_mappings_table.test.tsx
new file mode 100644
index 0000000000000..22498bbc50c21
--- /dev/null
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/role_mappings_table.test.tsx
@@ -0,0 +1,90 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+
+import { shallow } from 'enzyme';
+
+import { EuiFieldSearch, EuiTableRow } from '@elastic/eui';
+
+import { wsRoleMapping, asRoleMapping } from './__mocks__/roles';
+
+import { ALL_LABEL, ANY_AUTH_PROVIDER_OPTION_LABEL } from './constants';
+
+import { RoleMappingsTable } from './role_mappings_table';
+
+describe('RoleMappingsTable', () => {
+  const getRoleMappingPath = jest.fn();
+  const roleMappings = [
+    {
+      ...wsRoleMapping,
+      accessItems: [
+        {
+          name: 'foo',
+        },
+      ],
+    },
+  ];
+
+  const props = {
+    accessItemKey: 'groups' as 'groups' | 'engines',
+    accessHeader: 'access',
+    roleMappings,
+    addMappingButton: <button />,
+    shouldShowAuthProvider: true,
+    getRoleMappingPath,
+  };
+
+  it('renders', () => {
+    const wrapper = shallow(<RoleMappingsTable {...props} />);
+
+    expect(wrapper.find(EuiFieldSearch)).toHaveLength(1);
+    expect(wrapper.find(EuiTableRow)).toHaveLength(1);
+  });
+
+  it('renders auth provider display names', () => {
+    const wrapper = shallow(<RoleMappingsTable {...props} />);
+
+    expect(wrapper.find('[data-test-subj="AuthProviderDisplay"]').prop('children')).toEqual(
+      `${ANY_AUTH_PROVIDER_OPTION_LABEL}, other_auth`
+    );
+  });
+
+  it('handles input change', () => {
+    const wrapper = shallow(<RoleMappingsTable {...props} />);
+    const input = wrapper.find(EuiFieldSearch);
+    const value = 'Query';
+    input.simulate('change', { target: { value } });
+
+    expect(wrapper.find(EuiTableRow)).toHaveLength(0);
+  });
+
+  it('shows default message when "accessAllEngines" is true', () => {
+    const wrapper = shallow(
+      <RoleMappingsTable {...props} roleMappings={[asRoleMapping as any]} accessItemKey="engines" />
+    );
+
+    expect(wrapper.find('[data-test-subj="AccessItemsList"]').prop('children')).toEqual(ALL_LABEL);
+  });
+
+  it('handles display when no items present', () => {
+    const noItemsRoleMapping = { ...asRoleMapping };
+    noItemsRoleMapping.accessAllEngines = false;
+
+    const wrapper = shallow(
+      <RoleMappingsTable
+        {...props}
+        roleMappings={[noItemsRoleMapping as any]}
+        accessItemKey="engines"
+      />
+    );
+
+    expect(wrapper.find('[data-test-subj="AccessItemsList"]').children().children().text()).toEqual(
+      '—'
+    );
+  });
+});
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/role_mappings_table.tsx b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/role_mappings_table.tsx
new file mode 100644
index 0000000000000..b6110d692bc99
--- /dev/null
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/role_mappings_table.tsx
@@ -0,0 +1,176 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { Fragment, useState } from 'react';
+
+import {
+  EuiFieldSearch,
+  EuiFlexGroup,
+  EuiFlexItem,
+  EuiIconTip,
+  EuiSpacer,
+  EuiTable,
+  EuiTableBody,
+  EuiTableHeader,
+  EuiTableHeaderCell,
+  EuiTableRow,
+  EuiTableRowCell,
+  EuiTextColor,
+} from '@elastic/eui';
+import { i18n } from '@kbn/i18n';
+
+import { ASRoleMapping } from '../../app_search/types';
+import { WSRoleMapping } from '../../workplace_search/types';
+import { EuiLinkTo } from '../react_router_helpers';
+import { RoleRules } from '../types';
+
+import {
+  ANY_AUTH_PROVIDER,
+  ANY_AUTH_PROVIDER_OPTION_LABEL,
+  ROLE_LABEL,
+  ALL_LABEL,
+  AUTH_PROVIDER_LABEL,
+  EXTERNAL_ATTRIBUTE_LABEL,
+  ATTRIBUTE_VALUE_LABEL,
+  FILTER_ROLE_MAPPINGS_PLACEHOLDER,
+  MANAGE_ROLE_MAPPING_BUTTON,
+} from './constants';
+
+interface AccessItem {
+  name: string;
+}
+
+interface SharedRoleMapping extends ASRoleMapping, WSRoleMapping {
+  accessItems: AccessItem[];
+}
+
+interface Props {
+  accessItemKey: 'groups' | 'engines';
+  accessHeader: string;
+  roleMappings: Array<ASRoleMapping | WSRoleMapping>;
+  addMappingButton: React.ReactNode;
+  accessAllEngines?: boolean;
+  shouldShowAuthProvider?: boolean;
+  getRoleMappingPath(roleId: string): string;
+}
+
+const MAX_CELL_WIDTH = 24;
+
+const noItemsPlaceholder = <EuiTextColor color="subdued">&mdash;</EuiTextColor>;
+
+const getAuthProviderDisplayValue = (authProvider: string) =>
+  authProvider === ANY_AUTH_PROVIDER ? ANY_AUTH_PROVIDER_OPTION_LABEL : authProvider;
+
+export const RoleMappingsTable: React.FC<Props> = ({
+  accessItemKey,
+  accessHeader,
+  roleMappings,
+  addMappingButton,
+  getRoleMappingPath,
+  shouldShowAuthProvider,
+}) => {
+  const [filterValue, updateValue] = useState('');
+
+  // This is needed because App Search has `engines` and Workplace Search has `groups`.
+  const standardizeRoleMapping = (roleMappings as SharedRoleMapping[]).map((rm) => {
+    const _rm = { ...rm } as SharedRoleMapping;
+    _rm.accessItems = rm[accessItemKey];
+    return _rm;
+  });
+
+  const filterResults = (result: SharedRoleMapping) => {
+    const values = Object.values(result);
+    const regexp = new RegExp(filterValue, 'i');
+    return values.filter((x) => regexp.test(x)).length > 0;
+  };
+
+  const filteredResults = standardizeRoleMapping.filter(filterResults);
+  const getFirstAttributeName = (rules: RoleRules): string => Object.entries(rules)[0][0];
+  const getFirstAttributeValue = (rules: RoleRules): string => Object.entries(rules)[0][1];
+
+  return (
+    <>
+      <EuiFlexGroup justifyContent="spaceBetween">
+        <EuiFlexItem>
+          <EuiFieldSearch
+            value={filterValue}
+            placeholder={FILTER_ROLE_MAPPINGS_PLACEHOLDER}
+            onChange={(e) => updateValue(e.target.value)}
+          />
+        </EuiFlexItem>
+        <EuiFlexItem grow={false}>{addMappingButton}</EuiFlexItem>
+      </EuiFlexGroup>
+      <EuiSpacer />
+      {filteredResults.length > 0 ? (
+        <EuiTable>
+          <EuiTableHeader>
+            <EuiTableHeaderCell>{EXTERNAL_ATTRIBUTE_LABEL}</EuiTableHeaderCell>
+            <EuiTableHeaderCell>{ATTRIBUTE_VALUE_LABEL}</EuiTableHeaderCell>
+            <EuiTableHeaderCell>{ROLE_LABEL}</EuiTableHeaderCell>
+            <EuiTableHeaderCell>{accessHeader}</EuiTableHeaderCell>
+            {shouldShowAuthProvider && (
+              <EuiTableHeaderCell>{AUTH_PROVIDER_LABEL}</EuiTableHeaderCell>
+            )}
+            <EuiTableHeaderCell />
+          </EuiTableHeader>
+          <EuiTableBody>
+            {filteredResults.map(
+              ({ id, authProvider, rules, roleType, accessAllEngines, accessItems, toolTip }) => (
+                <EuiTableRow key={id}>
+                  <EuiTableRowCell>{getFirstAttributeName(rules)}</EuiTableRowCell>
+                  <EuiTableRowCell style={{ maxWidth: MAX_CELL_WIDTH }}>
+                    {getFirstAttributeValue(rules)}
+                  </EuiTableRowCell>
+                  <EuiTableRowCell>{roleType}</EuiTableRowCell>
+                  <EuiTableRowCell
+                    data-test-subj="AccessItemsList"
+                    style={{ maxWidth: MAX_CELL_WIDTH }}
+                  >
+                    {accessAllEngines ? (
+                      ALL_LABEL
+                    ) : (
+                      <>
+                        {accessItems.length === 0
+                          ? noItemsPlaceholder
+                          : accessItems.map(({ name }) => (
+                              <Fragment key={name}>
+                                {name}
+                                <br />
+                              </Fragment>
+                            ))}
+                      </>
+                    )}
+                  </EuiTableRowCell>
+                  {shouldShowAuthProvider && (
+                    <EuiTableRowCell data-test-subj="AuthProviderDisplay">
+                      {authProvider.map(getAuthProviderDisplayValue).join(', ')}
+                    </EuiTableRowCell>
+                  )}
+                  <EuiTableRowCell>
+                    {id && (
+                      <EuiLinkTo to={getRoleMappingPath(id)}>
+                        {MANAGE_ROLE_MAPPING_BUTTON}
+                      </EuiLinkTo>
+                    )}
+                    {toolTip && <EuiIconTip position="left" content={toolTip.content} />}
+                  </EuiTableRowCell>
+                </EuiTableRow>
+              )
+            )}
+          </EuiTableBody>
+        </EuiTable>
+      ) : (
+        <p>
+          {i18n.translate('xpack.enterpriseSearch.roleMapping.moResults.message', {
+            defaultMessage: "No results found for '{filterValue}'",
+            values: { filterValue },
+          })}
+        </p>
+      )}
+    </>
+  );
+};
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/role_selector.test.tsx b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/role_selector.test.tsx
new file mode 100644
index 0000000000000..cceac99430bb6
--- /dev/null
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/role_selector.test.tsx
@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+
+import { shallow } from 'enzyme';
+
+import { EuiRadio, EuiCallOut } from '@elastic/eui';
+
+import { RoleSelector } from './role_selector';
+
+describe('RoleSelector', () => {
+  const onChange = jest.fn();
+
+  const props = {
+    disabled: false,
+    disabledText: 'Disabled',
+    roleType: 'user',
+    roleTypeOption: 'option',
+    description: 'This a thing',
+    onChange,
+  };
+
+  it('renders', () => {
+    const wrapper = shallow(<RoleSelector {...props} />);
+
+    expect(wrapper.find(EuiRadio)).toHaveLength(1);
+  });
+
+  it('calls method on change', () => {
+    const wrapper = shallow(<RoleSelector {...props} />);
+    const radio = wrapper.find(EuiRadio);
+    radio.simulate('change', { target: { value: 'bar' } });
+
+    expect(onChange).toHaveBeenCalled();
+  });
+
+  it('renders callout when disabled', () => {
+    const wrapper = shallow(<RoleSelector {...props} disabled />);
+    const radio = wrapper.find(EuiRadio);
+
+    expect(radio.dive().find(EuiCallOut)).toHaveLength(1);
+    expect(wrapper.find(EuiRadio).prop('checked')).toEqual(false);
+  });
+
+  it('sets checked attribute on radio when option matched type', () => {
+    const wrapper = shallow(<RoleSelector {...props} roleTypeOption="user" />);
+    const radio = wrapper.find(EuiRadio);
+
+    expect(radio.prop('checked')).toEqual(true);
+  });
+});
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/role_selector.tsx b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/role_selector.tsx
new file mode 100644
index 0000000000000..a0e75a1b6aca2
--- /dev/null
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/role_mapping/role_selector.tsx
@@ -0,0 +1,67 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+
+import { startCase } from 'lodash';
+
+import {
+  EuiCallOut,
+  EuiFormRow,
+  EuiRadio,
+  EuiSpacer,
+  EuiText,
+  EuiTextColor,
+  EuiTitle,
+} from '@elastic/eui';
+
+interface Props {
+  disabled?: boolean;
+  disabledText?: string;
+  roleType?: string;
+  roleTypeOption: string;
+  description: string;
+  onChange(roleTypeOption: string): void;
+}
+
+export const RoleSelector: React.FC<Props> = ({
+  disabled,
+  disabledText,
+  roleType,
+  roleTypeOption,
+  description,
+  onChange,
+}) => (
+  <EuiFormRow>
+    <EuiRadio
+      disabled={disabled}
+      id={roleTypeOption}
+      checked={roleTypeOption === roleType}
+      onChange={() => {
+        onChange(roleTypeOption);
+      }}
+      label={
+        <>
+          <EuiTitle size="xs">
+            <h4 className="usersLayout__users--roletype">{startCase(roleTypeOption)}</h4>
+          </EuiTitle>
+          {disabled && disabledText && (
+            <EuiCallOut
+              size="s"
+              title={<EuiTextColor color="subdued">{disabledText}</EuiTextColor>}
+              iconType="alert"
+            />
+          )}
+          <EuiSpacer size="xs" />
+          <EuiText size="s">
+            <p>{description}</p>
+          </EuiText>
+        </>
+      }
+    />
+  </EuiFormRow>
+);
diff --git a/x-pack/plugins/enterprise_search/public/applications/shared/types.ts b/x-pack/plugins/enterprise_search/public/applications/shared/types.ts
index d024c72bcf230..16a9e3b54aea5 100644
--- a/x-pack/plugins/enterprise_search/public/applications/shared/types.ts
+++ b/x-pack/plugins/enterprise_search/public/applications/shared/types.ts
@@ -43,3 +43,19 @@ export interface IndexJob extends IIndexingStatus {
 }
 
 export type TOperation = typeof ADD | typeof UPDATE;
+
+export interface RoleRules {
+  username?: string;
+  role?: string;
+  email?: string;
+  metadata?: string;
+}
+
+export interface RoleMapping {
+  id: string;
+  attributeName: string;
+  attributeValue: string;
+  authProvider: string[];
+  roleType: string;
+  rules: RoleRules;
+}
diff --git a/x-pack/plugins/enterprise_search/public/applications/workplace_search/types.ts b/x-pack/plugins/enterprise_search/public/applications/workplace_search/types.ts
index 404011b10f456..44e0fd5b6f287 100644
--- a/x-pack/plugins/enterprise_search/public/applications/workplace_search/types.ts
+++ b/x-pack/plugins/enterprise_search/public/applications/workplace_search/types.ts
@@ -5,6 +5,8 @@
  * 2.0.
  */
 
+import { RoleMapping } from '../shared/types';
+
 export * from '../../../common/types/workplace_search';
 
 export type SpacerSizeTypes = 'xs' | 's' | 'm' | 'l' | 'xl' | 'xxl';
@@ -203,3 +205,13 @@ export interface SearchResultConfig {
   color: string;
   detailFields: DetailField[];
 }
+
+export interface RoleGroup {
+  id: string;
+  name: string;
+}
+
+export interface WSRoleMapping extends RoleMapping {
+  allGroups: boolean;
+  groups: RoleGroup[];
+}