Groups

When Single Sign-On (SSO) is configured for accessing CARTO, user groups from your Identity Provider (IdP) can be automatically synchronized with CARTO each time a user logs in. These user groups can be used to share assets (e.g., sharing a map with a specific group) and to automatically assign user roles.

Groups are only available for Enterprise Large plans and above. Groups also require an SSO integration. Please get in touch at support@carto.com if you’re interested in this feature.

How are groups synchronized with the IdP?

CARTO retrieves a user's group membership information each time they log in. As a result, changes to group composition in the Identity Provider (IdP) may not be reflected in CARTO until the affected users log in again.

In practice, this ensures that groups in CARTO stay aligned with SSO groups through all possible changes, including scenarios where a user is removed from a group. This ensures that CARTO aligns with the governance policies defined in your IdP.

Example

User A:
- Belongs to the “Sales” and “North America” groups in the IdP
- Logs in to CARTO
- CARTO creates the groups “Sales” and “North America” and adds user A to both groups
User B:
- Belongs to the “Sales” and “Asia” groups at the IdP level
- Logs in to CARTO
- CARTO creates the group “Asia” and adds user B to the “Asia” and “Sales” groups

Syncing selected groups

For organizations that don't require all their groups in CARTO, it is possible to sync only a subset of them. This involves setting up sync rules in the Identity Provider, and the configuration process may vary depending on the provider. For more information, contact our support team at support@carto.com.

Managing groups

Admins can rename, delete and see the composition of groups from the Settings. To do so, simply head to the Groups tab of the Users & Groups settings and then click on the three dots next to the group you want to manage.

PreviousSSO NextMapping groups to user roles

Last updated 7 days ago