Map Groups to User Roles on Platform
CloudQuery Platform supports user roles that specify what activities users can perform in the application. There are additional data access roles that specify what data the users can see. You can map each group from your SSO identity provider to a set of roles on CloudQuery Platform so the Platform roles are updated automatically for each user.
For example, a user who is a member of the test-team group in your Google Workspace automatically receives the admin:read role when they log in.
To set up the mapping between groups and user roles, navigate to Organization settings > Single sign-on and scroll down to the Role Mapping section.
Default Mapping
The first section provides an option to set the default user roles for all users who are not members of any group on your SSO identity provider. We recommend you leave this empty or assign a restrictive role.

Custom Group Mapping
This section enables mapping of groups from your SSO identity provider to roles in CloudQuery Platform.

In the left column, put the group name from the SSO Identity Provider. In the right column, select roles to assign to the members of the group. You can select multiple roles as long as they are of the same type (built-in feature roles, or data access roles).
Roles are additive, not restrictive. This means that if a user has the Admin:Read and General:Read roles assigned via group memberships, they will have the permissions of Admin:Read. See also Limiting Access to Data, because Workspace Roles override Data Access Roles.
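The rules above (default mapping, additive group roles, one role type per row) can be modelled offline to review a mapping before entering it in the UI. This is an added example, not CloudQuery code and not a Platform API. Assumptions: the role-type table, the `data:example-team` role, the group names other than test-team, treating General:Read as the restrictive role, and unmapped groups contributing no roles.

```python
# Added example: models the mapping rules described on this page.
# Not CloudQuery code. ROLE_TYPES and "data:example-team" are constructed.
ROLE_TYPES = {
    "Admin:Read": "feature",
    "General:Read": "feature",
    "data:example-team": "data_access",  # hypothetical data access role
}

def effective_roles(user_groups, default_roles, group_mapping):
    """Roles a user receives at login under the rules on this page."""
    if not user_groups:
        # Default mapping covers users who belong to no IdP group.
        return set(default_roles)
    roles = set()
    for group in user_groups:
        # Additive: every mapped group contributes; nothing is subtracted.
        # Assumption: a group with no mapping row contributes no roles.
        roles |= set(group_mapping.get(group, ()))
    return roles

def lint_mapping(default_roles, group_mapping, restrictive):
    """Findings to resolve before entering the mapping in the UI."""
    findings = []
    broad = sorted(set(default_roles) - set(restrictive))
    if broad:
        findings.append(f"default grants non-restrictive roles: {broad}")
    for group, roles in sorted(group_mapping.items()):
        unknown = sorted(r for r in roles if r not in ROLE_TYPES)
        if unknown:
            findings.append(f"{group}: unknown roles {unknown}")
        types = sorted({ROLE_TYPES[r] for r in roles if r in ROLE_TYPES})
        if len(types) > 1:
            findings.append(f"{group}: mixes role types {types}")
    return findings

def groups_granting(role, group_mapping):
    """Access review helper: which IdP groups lead to a given role."""
    return sorted(g for g, roles in group_mapping.items() if role in roles)

# Constructed sample mapping (group names other than test-team are made up).
MAPPING = {
    "test-team": {"Admin:Read"},
    "analysts": {"General:Read"},
    "contractors": {"General:Read", "data:example-team"},
}

if __name__ == "__main__":
    print(effective_roles(["test-team", "analysts"], set(), MAPPING))
    print(lint_mapping({"Admin:Read"}, MAPPING, restrictive={"General:Read"}))
    print(groups_granting("General:Read", MAPPING))
```
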
Next Steps
- Workspace Roles Overview - Understand available roles
- Limiting Access to Data - Restrict data access by role
- Certificate Rollover - Manage SSO certificate updates