When a Single Sign-On (SSO) is configured to access CARTO, we can also synchronize the groups coming from your Identity Provider (IdP) after each user’s login.

Groups are only available for Enterprise Large plans and above. Groups also require an SSO integration. Please get in touch at if you’re interested in this feature.

How are groups synchronized with the SSO?

We synchronize the membership for each user when they log in through the SSO, and we make any necessary changes.


  • User A:

    • Belongs to the “Sales” and “North America” groups at the IdP level

    • Logs in to CARTO

    • CARTO creates the groups “Sales” and “North America” and adds user A to both groups

  • User B:

    • Belongs to the “Sales” and “Asia” groups at the IdP level

    • Logs in to CARTO

    • CARTO creates the group “Asia” and adds user B to the “Asia” and “Sales” groups

In practice, this means that groups in CARTO will be kept in sync with the SSO groups throughout all possible changes, including a user being removed from a group.

Groups can be used to fine-tune access and more granular sharing in different parts of the CARTO platform, such as connections and maps. Read more about sharing maps with certain groups.

Using groups for role management

You can use groups to automatically control each user's role by mapping each group to a role in CARTO. Learn more about mapping groups to roles.

Last updated