Map Groups to User Roles on Platform
CloudQuery Platform supports user roles that specify what activities users can perform in the application. There are additional data access roles that specify what data the users can see. You can map each group provided by the SSO identity provider to a set of roles on CloudQuery Platform, so the Platform roles are updated automatically for each user.
For example, a user who is a member of the test-team group in your Google Workspace can be automatically assigned the admin:read role when they log in.
To set up the mapping between groups and user roles, navigate to Organization Settings > Single sign-on and scroll down to the Role Mapping section.
Default Mapping
The first section provides an option to set the default user roles for all users who are not a member of any group on your SSO identity provider. We recommend you leave this empty or assign a very restrictive role.
Custom Group Mapping
This section enables mapping of groups from your SSO identity provider to roles in CloudQuery Platform.
In the left column, put the group name from the SSO Identity Provider. In the right column, select roles to assign to the members of the group. You can select multiple roles as long as they are of the same type (built-in feature roles, or data access roles).
Roles are additive, not restrictive. This means that if a user has the Admin:Read and General:Read roles assigned via group memberships, they will have the permissions of Admin:Read. See also Limiting Access to Data, as Workspace Roles override Data Access Roles.