Mapping groups to user roles

Organizations with Single Sign-On enabled that are synchronizing groups can automate user role management by mapping groups to roles in CARTO. That way, all members of a group, including new users, will automatically inherit the group's role. This approach significantly benefits organizations with a large number of users.

Requirements

  • Your organization is using Single Sign-On (SSO)

  • You are synchronizing groups in CARTO from your IdP

    • At least one group needs to exist before enabling group role mapping

Enabling group role mapping

To set up role management by groups:

  1. Go to the Authentication & SSO settings and toggle on Enable role management by groups.

  2. Select your first Admin group – this group will contain your Admin users (select a group that you're a member of so that you keep your Admin status!). Organizations with group-role mapping need at least one Admin group at any point.

  3. Assign roles to the remaining groups in the Groups tab of the Users & Groups settings. Groups without a role will remain in an undefined state and their members will maintain whatever role they had.

  4. Set a default role for new users who aren't in any groups. This will be set to Viewer by default.

Mapping your existing groups to roles

Once you have enabled role management by groups, you will see a new column in the Groups table (in the Users & Groups settings), Group role. You will be able to define roles for each group here. Users in each group will acquire the group's role the next time they log in.

What if a user belongs to two or more groups? Users will acquire the highest role according to the groups they belong to. For example, if user A belongs to both an "Editors" and a "Viewers" group, they'll be assigned the Editor role.
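The resolution rules above (highest role wins, undefined groups leave roles untouched, default role for new users, at least one Admin group) can be dry-run against an export of IdP memberships before the toggle is enabled, to see who would gain or lose privileges at next login. This is an added example, not CARTO's code: the Admin > Editor ordering, the handling of existing users with no groups, and all group IDs and user names are assumptions made for illustration.

```python
# Dry run of the group-to-role rules on this page (added example).
# Admin > Editor is an assumption; the page only states Editor > Viewer.
ROLE_RANK = {"Viewer": 0, "Editor": 1, "Admin": 2}

def effective_role(groups, group_roles, current_role=None, default_role="Viewer"):
    """Role after next login. current_role is None for a first-time user."""
    mapped = [group_roles[g] for g in groups if g in group_roles]
    if mapped:
        # Member of several mapped groups: the highest role wins.
        return max(mapped, key=ROLE_RANK.__getitem__)
    if current_role is not None:
        # Only undefined groups: the existing role is kept (assumed to hold
        # for an existing user who is in no groups at all as well).
        return current_role
    # New user without a mapped group: the default role applies (assumed to
    # cover "only undefined groups" as well as "no groups").
    return default_role

def audit(users, group_roles, default_role="Viewer"):
    """Return (user, old, new, note) for every user whose role would change."""
    if "Admin" not in group_roles.values():
        raise ValueError("at least one group must be mapped to Admin")
    rows = []
    for name, (groups, current) in sorted(users.items()):
        new = effective_role(groups, group_roles, current, default_role)
        if new == current:
            continue
        if current is None:
            note = "new user"
        elif ROLE_RANK[new] > ROLE_RANK[current]:
            note = "ESCALATION"
        else:
            note = "reduction"
        rows.append((name, current, new, note))
    return rows

# Constructed sample data: group IDs and user names are hypothetical.
PLAN = {"gis-admins": "Admin", "gis-editors": "Editor", "all-staff": "Viewer"}
USERS = {
    "ana": (["gis-editors", "all-staff"], "Viewer"),  # two mapped groups
    "bo": (["all-staff"], "Admin"),                   # would lose Admin
    "chris": (["contractors"], "Editor"),             # undefined group only
    "dee": ([], None),                                # new user, no groups
}

if __name__ == "__main__":
    for row in audit(USERS, PLAN):
        print(row)
```

Rows marked ESCALATION or reduction are the ones to review before enabling the mapping; "bo" shows how an Admin who is not in the selected Admin group would be downgraded.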

Pre-creating groups for role mapping

Groups sync automatically when users log in. To assign roles to groups that don't exist in CARTO yet, you can create them manually. For each new group, you will need to specify:

  • Group alias: The display name users see in CARTO (can be changed later)

  • SSO group ID: Must match the group ID from your Identity Provider

Newly created groups will show 0 members until their members log in, but you can assign roles immediately. Set up as many groups as needed to handle your user onboarding.
