Groups

When is configured for accessing CARTO, user groups from your Identity Provider (IdP) can be automatically synchronized with CARTO each time a user logs in. These user groups can be used to share assets (e.g., sharing a map with a specific group) and to .

Groups are only available for Enterprise Large plans and above. Groups also require an SSO integration. Please get in touch at if you’re interested in this feature.

How are groups synchronized with the IdP?

CARTO retrieves a user's group membership information each time they log in. As a result, changes to group composition in the Identity Provider (IdP) may not be reflected in CARTO until the affected users log in again.

In practice, this ensures that groups in CARTO stay aligned with SSO groups through all possible changes, including scenarios where a user is removed from a group. This ensures that CARTO aligns with the governance policies defined in your IdP.

Example

User A:
- Belongs to the “Sales” and “North America” groups in the IdP
- Logs in to CARTO
- CARTO creates the groups “Sales” and “North America” and adds user A to both groups
User B:
- Belongs to the “Sales” and “Asia” groups at the IdP level
- Logs in to CARTO
- CARTO creates the group “Asia” and adds user B to the “Asia” and “Sales” groups

CARTO can sync up to 200 groups per user when using Microsoft Entra as the IdP.

Syncing selected groups

Managing groups

Admins can rename, delete and see the composition of groups from the Settings. To do so, simply head to the Groups tab of the Users & Groups settings and then click on the three dots next to the group you want to manage.

PreviousSSO NextMapping groups to user roles

Last updated 2 months ago

Was this helpful?