Groups

When Single Sign-On (SSO) is configured for accessing CARTO, user groups from your Identity Provider (IdP) can be automatically synchronized with CARTO each time a user logs in. These user groups can be used to share assets (e.g., sharing a map with a specific group) and to automatically assign user roles.

How are groups synchronized with the IdP?

CARTO retrieves a user's group membership information each time they log in. As a result, changes to group composition in the Identity Provider (IdP) may not be reflected in CARTO until the affected users log in again.

In practice, this ensures that groups in CARTO stay aligned with SSO groups through all possible changes, including scenarios where a user is removed from a group. This ensures that CARTO aligns with the governance policies defined in your IdP.

Syncing selected groups

For organizations that don't require all their groups in CARTO, it is possible to sync only a subset of them. This involves setting up sync rules in the Identity Provider, and the configuration process may vary depending on the provider. For more information, contact our support team at [email protected].

Managing groups

Admins can rename, delete and see the composition of groups from the Settings. To do so, simply head to the Groups tab of the Users & Groups settings and then click on the three dots next to the group you want to manage.