Mapping groups to user roles
Organizations with Single Sign-On enabled that are synchronizing groups can automate user role management by mapping groups to roles in CARTO. That way, all members of a group, including new users, will automatically inherit the group's role. This approach significantly benefits organizations with a large number of users.
Your organization is using
You are synchronizing in CARTO from your IdP
At least one group needs to exist before enabling group role mapping
To start assigning roles to groups, navigate to Settings > Users & Groups and then click on the SSO tab. If your organization meets the requirements, you will see a toggle to Enable role management by groups.
Once you start mapping groups to roles, user roles will be assigned automatically and you won't be able to manually assign a role for any individual user.
After enabling this option, you'll need to select one group: this group will be your first group of Admins. The other existing groups in the organization will remain without a role until an Admin selects a role for them.
Admins can go to the Groups tab and start assigning roles to the other groups in their organization. Admins can also determine the default role for new users without groups, which is set to Viewer by default.
If a user belongs to several groups, they will inherit the highest role of any of the groups they belong to.
After you have enabled role management by groups, there will be a new column in the Groups section, called Group role.
If you change the role of a group, users from that group will acquire the new role the next time they log in.
If you want to map groups that have not yet been synchronized to CARTO, simply go to the Groups tab and click on "Create group". For each new group, you will need to indicate:
Group alias: the user-facing name for this group in CARTO (can be changed later)
SSO group ID: this needs to match the group ID coming from your SSO IdP.
Once the group is created, it will show as having 0 members, but you can already assign it a role. Do this with as many groups as necessary, and your organization will be ready to onboard hundreds of users without needing manual role management.
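Before enabling the toggle, it can help to preview which role each user would end up with under the rules above (highest role wins, Viewer as the default). The following is an added example, not CARTO code: the group IDs, users, the "Editor" role and its ranking between Viewer and Admin are assumptions, as are exact (case-sensitive) matching of SSO group IDs and the default role applying when none of a user's groups has a role.

```python
# Added example: offline preview of group-to-role mapping. Not CARTO's implementation.
# Assumption: role ordering; "Editor" is not named on this page.
ROLE_RANK = {"Viewer": 0, "Editor": 1, "Admin": 2}
DEFAULT_ROLE = "Viewer"  # default role for users without groups

# Constructed sample data: SSO group ID -> role (None = no role selected yet).
GROUP_ROLES = {
    "idp-gis-admins": "Admin",
    "idp-analysts": "Editor",
    "idp-contractors": None,
}

# Constructed sample data: user -> SSO group IDs as sent by the IdP.
USER_GROUPS = {
    "ana@example.com": ["idp-analysts", "idp-gis-admins"],
    "bo@example.com": ["idp-contractors"],
    "cy@example.com": ["IDP-Analysts"],  # differs from the mapped ID by case
    "di@example.com": [],
}

def effective_role(group_ids, group_roles=GROUP_ROLES, default=DEFAULT_ROLE):
    """Return (role, granting_group, unmapped_ids) for one user."""
    unmapped = sorted(g for g in group_ids if g not in group_roles)
    ranked = [(ROLE_RANK[group_roles[g]], g) for g in group_ids if group_roles.get(g)]
    if not ranked:
        # Assumption: no group with a role means the default role applies.
        return default, None, unmapped
    _, group = max(ranked)  # highest role of any group the user belongs to
    return group_roles[group], group, unmapped

def audit(user_groups, group_roles=GROUP_ROLES):
    """Map each user to (role, granting_group, notes) for review."""
    report = {}
    for user, groups in user_groups.items():
        role, source, unmapped = effective_role(groups, group_roles)
        notes = [f"SSO group ID not mapped: {g}" for g in unmapped]
        if source is None:
            notes.append("no group grants a role; default role applies")
        elif role == "Admin":
            notes.append(f"Admin granted by {source}")
        report[user] = (role, source, notes)
    return report

if __name__ == "__main__":
    for user, (role, source, notes) in audit(USER_GROUPS).items():
        print(f"{user:18} {role:7} {'; '.join(notes)}")
```

Reviewing the Admin rows and the "not mapped" notes before enabling the toggle shows who gains elevated access through a secondary group and which SSO group IDs do not match what the IdP sends.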