Default Role and Team Assignments

Administrators use the Role Assignments section to define the platform roles and teams assigned to a user the first time they log in to the platform through a configured IdP. New members of an organization who sign in to the platform through this IdP receive these predefined role and team assignments. Refer to the Roles and features section in Managing Organizations for details on the roles and capabilities available in the platform.

The Role Assignments section defines:

IdP Managed Role and Team Assignments

The Advanced Role Management section allows an org administrator to manage platform role and team assignments from attributes provided by the IdP. An administrator can define any number of mappings for org roles and team assignments (if applicable). If a user has attributes that map to multiple default roles (platform or team roles), the user is assigned the role that has the highest access level. The user is also assigned all service or non-platform roles that are found.

Roles defined by these mappers are assigned to any matching user authenticating using the IdP. When a user's role assignment changes on their IdP, the user's roles within the platform are automatically updated the next time the user logs in to the platform.
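The precedence rule described above, sketched as an added example that is not the platform's own code. The role names, their access ranking, and the attribute names are hypothetical placeholders, and the sample attributes are constructed. It resolves one login and lists the lower-privilege matches that the highest-access role overrides, which helps when reviewing mappings for unintended privilege grants.

```python
# Hypothetical default roles and access ranking (higher number = more access).
# The platform's real roles are in its "Roles and features" documentation.
DEFAULT_ROLE_RANK = {"consumer": 1, "developer": 2, "administrator": 3}

# Constructed mapper rows: (IdP attribute name, expected value, role granted).
# Roles absent from DEFAULT_ROLE_RANK are treated as service/non-platform roles.
ROLE_MAPPINGS = [
    ("groups", "everyone", "consumer"),
    ("groups", "eng", "developer"),
    ("groups", "platform-admins", "administrator"),
    ("entitlements", "catalog", "catalog_manager"),
    ("entitlements", "analytics", "analytics_viewer"),
]


def resolve_roles(attributes, mappings=ROLE_MAPPINGS, rank=DEFAULT_ROLE_RANK):
    """Return (default_role, service_roles, matched_default_roles) for one login."""
    matched_default, service = set(), set()
    for attr, expected, role in mappings:
        values = attributes.get(attr, [])
        if isinstance(values, str):  # single-valued attribute
            values = [values]
        if expected in values:
            (matched_default if role in rank else service).add(role)
    # Only the highest-ranked default role is kept; every service role is kept.
    # None means no mapper matched; what happens then is not modeled here.
    default = max(matched_default, key=rank.__getitem__, default=None)
    return default, sorted(service), sorted(matched_default, key=rank.__getitem__)


def audit(attributes):
    """Summarize a login and list the default-role matches that were overridden."""
    default, service, matched = resolve_roles(attributes)
    return {
        "default_role": default,
        "service_roles": service,
        "overridden": [r for r in matched if r != default],
    }


if __name__ == "__main__":
    # Constructed attributes as the IdP might assert them at two successive logins.
    first = {"groups": ["everyone", "eng", "platform-admins"],
             "entitlements": ["catalog", "analytics"]}
    later = {"groups": ["everyone"]}  # group memberships removed on the IdP
    print(audit(first))
    print(audit(later))  # roles are recomputed at this next login
```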

The Advanced Role Management section is optional and hidden by default. The advanced mapping configuration could save time for larger organizations that have users on their IdP with defined roles and teams, but may not be applicable or advantageous to orgs that do not.

Mapping Roles and Teams

Use the Role Mapping section to map role assignments and the Team Mapping section to map team assignments to the IdP-provided attributes.

To add a mapped role or team

  1. Click the Actions (...) menu on the Identity Provider's detail page to display the Role Mapping and Team Mapping sections (these sections are hidden by default).
  2. Click + Role Mapping or + Team Mapping. A blank row appears.
  3. Complete the following fields:

Testing Mapped Attributes

After you have completed mapping roles and teams, you can test the configuration.

To test the mapping

  1. Click the Actions (...) menu from the Identity Provider page, and then select Test Mapped Attributes. A modal dialog displays.
  2. Select a User and Attribute, and then click Check User Attribute.
  3. Verify that the attribute mapper has stored the expected value on a user from the last time they logged into the platform.