# Groups

Organizations using [Single Sign-On (SSO)](https://docs.carto.com/carto-user-manual/settings/sso) can leverage user groups from their Identity Provider (IdP) to facilitate sharing assets (e.g., sharing a map with an entire group) and to [automatically assign user roles](https://docs.carto.com/carto-user-manual/settings/users-and-groups/mapping-groups-to-user-roles).

{% hint style="info" %}
Groups are only available for Enterprise Large plans and above. Groups also require an SSO integration. Please get in touch at <support@carto.com> if you’re interested in this feature.
{% endhint %}

<figure><img src="https://3029946802-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FybPdpmLltPkzGFvz7m8A%2Fuploads%2Fgit-blob-5ee843d29d08a2e0f7028031c1b394ae78bec416%2Fsettings_groups_listed.png?alt=media&#x26;token=1cc7830b-b161-42aa-83cf-60b6ea53b718" alt=""><figcaption></figcaption></figure>

## **How are groups synchronized with the IdP?**

CARTO retrieves a user's group membership information each time they log in. As a result, changes to group composition in the Identity Provider (IdP) may not be reflected in CARTO until the affected users log in again.

In practice, this ensures that groups in CARTO stay aligned with SSO groups through all possible changes, including scenarios where a user is removed from a group. This ensures that CARTO aligns with the governance policies defined in your IdP.

{% hint style="info" %}
**Example**

* User A:
  * Belongs to the “Sales” and “North America” groups in the IdP
  * Logs in to CARTO
  * CARTO creates the groups “Sales” and “North America” and adds user A to both groups
* User B:
  * Belongs to the “Sales” and “Asia” groups at the IdP level
  * Logs in to CARTO
  * CARTO creates the group “Asia” and adds user B to the “Asia” and “Sales” groups
    {% endhint %}

{% hint style="info" %}
CARTO can sync up to 200 groups per user when using Microsoft Entra as the IdP.
{% endhint %}

### Syncing selected groups

For organizations that don't require all their groups in CARTO, it is possible to sync only a subset of them. This involves setting up sync rules in the Identity Provider, and the configuration process may vary depending on the provider. For more information, contact our support team at <support@carto.com>.

## Managing groups

Admins can **rename**, **delete** and **see the composition of groups** from the Settings. To do so, simply head to the *Groups* tab of the *Users & Groups* settings and then click on the three dots next to the group you want to manage.

<figure><img src="https://3029946802-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FybPdpmLltPkzGFvz7m8A%2Fuploads%2Fgit-blob-a9ebd13fa27658e87b837bd53205985d328774df%2FScreenshot%202024-12-12%20at%2018.50.00.png?alt=media" alt=""><figcaption></figcaption></figure>