Mapping groups to user roles
Organizations with Single Sign-On enabled that are synchronizing groups can automate user role management by mapping groups to roles in CARTO. That way, all members of a group, including new users, will automatically inherit the group's role. This approach significantly benefits organizations with a large number of users.
Requirements
Your organization is using Single Sign-On (SSO)
You are synchronizing groups in CARTO from your IdP
At least one group needs to exist before enabling group role mapping
Enabling group role mapping
To set up role management by groups:
Go to the Authentication & SSO settings and toggle on Enable role management by groups.
Select your first Admin group. This group will contain your Admin users, so select a group that you're a member of to keep your Admin status. Organizations with group-role mapping need at least one Admin group at all times.
Assign roles to the remaining groups in the Groups tab of the Users & Groups settings. Groups without a role will remain in an undefined state and their members will maintain whatever role they had.
Set a default role for new users who aren't in any groups. This will be set to Viewer by default.
Important: Once enabled, user roles are assigned automatically based on group membership. You can't manually assign roles to individual users anymore.
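A dry run of the steps above, as an added example that is not CARTO code: it applies the rules this page states (members inherit their group's role, groups without a role leave roles unchanged, new users in no groups get the default role) to a planned mapping and lists lockout risks before the toggle is switched. The user names, SSO group IDs and data layout are constructed, and cases the page does not define, such as a user in groups with different roles, are flagged for review rather than resolved.

```python
# Added example, not CARTO code. Users, group IDs and layout are constructed.
def plan_roles(users, mapping, default_role="Viewer"):
    """Return {user: (outcome, role)} using the rules stated on this page."""
    plan = {}
    for name, info in users.items():
        roles = {mapping[g] for g in info["groups"] if g in mapping}
        if len(roles) == 1:
            plan[name] = ("mapped", roles.pop())       # inherits the group's role
        elif len(roles) > 1:
            plan[name] = ("review", None)              # precedence not stated on the page
        elif info["groups"] and info["role"]:
            plan[name] = ("unchanged", info["role"])   # only in groups without a role
        elif not info["groups"] and info["role"] is None:
            plan[name] = ("default", default_role)     # new user in no groups
        else:
            plan[name] = ("review", None)              # case the page does not define
    return plan


def lockout_findings(users, mapping, acting_admin, default_role="Viewer"):
    """List problems to resolve before enabling role management by groups."""
    plan = plan_roles(users, mapping, default_role)
    findings = []
    if "Admin" not in mapping.values():
        findings.append("no group is mapped to Admin")
    if plan[acting_admin] != ("mapped", "Admin"):
        findings.append(f"{acting_admin} is not in an Admin group")
    for name, info in users.items():
        if name != acting_admin and info["role"] == "Admin" and plan[name][1] != "Admin":
            findings.append(f"current Admin {name} is not mapped to Admin")
    return findings


# Constructed sample: current CARTO role (None = not yet a user) and IdP groups.
USERS = {
    "alice": {"role": "Admin", "groups": {"idp-gis-admins"}},
    "bob": {"role": "Admin", "groups": {"idp-analysts"}},
    "carol": {"role": "Viewer", "groups": {"idp-contractors"}},
    "dave": {"role": None, "groups": set()},
    "erin": {"role": "Viewer", "groups": {"idp-gis-admins", "idp-analysts"}},
}
MAPPING = {"idp-gis-admins": "Admin", "idp-analysts": "Viewer"}  # planned mapping

if __name__ == "__main__":
    for user, (outcome, role) in plan_roles(USERS, MAPPING).items():
        print(f"{user}: {outcome} -> {role}")
    for finding in lockout_findings(USERS, MAPPING, "alice"):
        print("FINDING:", finding)
```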

Mapping your existing groups to roles
Once you have enabled role management by groups, you will see a new column in the Groups table (in the Users & Groups settings), Group role. You will be able to define roles for each group here. Users in each group will acquire the group's role the next time they log in.

Pre-creating groups for role mapping
Groups sync automatically when users log in. To assign roles to groups that don't exist in CARTO yet, you can create them manually. For each new group, you will need to specify:
Group alias: The display name users see in CARTO (can be changed later)
SSO group ID: Must match the group ID from your Identity Provider
Newly created groups will show 0 members until their members log in, but you can assign roles immediately. Set up as many groups as needed to handle your user onboarding.
