Mapping groups to user roles

Organizations with Single Sign-On enabled that are synchronizing groups can automate user role management by mapping groups to roles in CARTO. That way, all members of a group, including new users, will automatically inherit the group's role. This approach significantly benefits organizations with a large number of users.

Requirements

  • Your organization is using Single Sign-On (SSO)

  • You are synchronizing groups in CARTO from your IdP

    • At least one group needs to exist before enabling group role mapping

Enabling group role mapping

To start assigning roles to groups, navigate to Settings > Users & Groups and click on the SSO tab. If your organization meets the requirements, you will see a toggle to Enable role management by groups.

Once you start mapping groups to roles, user roles will be assigned automatically and you won't be able to manually assign a role for any individual user.

After enabling this option, you'll need to select one group: this group will be your first group of Admins. The other existing groups in the organization will remain without a role until an Admin selects a role for them.

Admins can go to the Groups tab and start assigning roles to the other groups in their organization. Admins can also determine the default role for new users without groups, which is set to Viewer by default.

Our recommendation is that you select a group that you're also a member of so that you keep your Admin status. Right after this step, you will be able to select more Admin groups, but you'll always need to keep one active Admin group.

Mapping your existing groups to roles

After you have enabled role management by groups, a new column called Group role will appear in the Groups section.

If you change the role of a group, users from that group will acquire the new role the next time they log in.

What if a user belongs to two or more groups? Users will acquire the highest role according to the groups they belong to. For example, if user A belongs to both an "Editors" and a "Viewers" group, they'll be assigned the Editor role.

Pre-creating groups for role mapping

If you want to map groups that have not yet been synchronized to CARTO, go to the Groups tab and click on "Create group". For each new group, you will need to indicate:

  • Group alias: the user-facing name for this group in CARTO (can be changed later)

  • SSO group ID: this needs to match the group ID coming from your SSO IdP.

Once the group is created, it will show as having 0 members, but you can already assign it a role. Repeat this for as many groups as you need, and your organization will be ready to onboard hundreds of users without manual role management.
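
A dry run of the rules above (highest role wins, Viewer as the default, SSO group IDs must match the IdP) that you can adapt before enabling the toggle. This is an added example, not CARTO code. It assumes the role order Viewer < Editor < Admin, that a user with no mapped group gets the default role, and it uses constructed users and group IDs.

```python
# Added example: dry-run of group-to-role mapping before enabling it.
# Assumptions: role order Viewer < Editor < Admin; groups with no role
# contribute nothing; all sample data below is constructed.
ROLE_RANK = {"Viewer": 1, "Editor": 2, "Admin": 3}
DEFAULT_ROLE = "Viewer"  # page: default role for users without groups


def effective_role(user_groups, group_roles, default=DEFAULT_ROLE):
    """Highest role among the user's mapped groups, else the default."""
    roles = [group_roles[g] for g in user_groups if group_roles.get(g)]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else default


def audit(idp_members, group_roles, current_roles):
    """Return (new roles, findings to clear before enabling the toggle)."""
    findings = []
    new_roles = {u: effective_role(gs, group_roles) for u, gs in idp_members.items()}
    if "Admin" not in new_roles.values():
        findings.append(("NO_ADMIN", "no user would hold Admin after mapping"))
    seen = {g for gs in idp_members.values() for g in gs}
    for g in sorted(seen - set(group_roles)):
        findings.append(("UNMAPPED_GROUP", g))  # sent by the IdP, no role planned
    for g in sorted(set(group_roles) - seen):
        findings.append(("NO_MEMBERS", g))  # pre-created, or a mistyped SSO group ID
    for user, new in sorted(new_roles.items()):
        old = current_roles.get(user)
        if old and ROLE_RANK[new] > ROLE_RANK[old]:
            findings.append(("ESCALATION", f"{user}: {old} -> {new}"))
        elif old and ROLE_RANK[new] < ROLE_RANK[old]:
            findings.append(("DEMOTION", f"{user}: {old} -> {new}"))
    return new_roles, findings


# Constructed sample data (hypothetical users and SSO group IDs).
IDP_MEMBERS = {
    "ana": ["grp-editors", "grp-viewers"],
    "bo": ["grp-gis-admins"],
    "cy": [],
    "di": ["grp-contractors", "grp-editors"],
}
GROUP_ROLES = {"grp-editors": "Editor", "grp-viewers": "Viewer",
               "grp-gis-admin": "Admin"}  # ID differs from the IdP's by one letter
CURRENT_ROLES = {"ana": "Editor", "bo": "Admin", "cy": "Editor", "di": "Viewer"}

if __name__ == "__main__":
    roles, findings = audit(IDP_MEMBERS, GROUP_ROLES, CURRENT_ROLES)
    for kind, detail in findings:
        print(f"{kind:15} {detail}")
```

In the sample data the mistyped Admin group ID leaves the organization with no Admin and demotes "bo", which is the lockout the recommendation to pick a group you belong to is meant to prevent.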
