Automatic role assignment with role mapping rules (Innovation Release)

Role mapping rules allow you to automatically assign roles to users based on their identity provider (IdP) attributes. When a user logs in, Hybrid Manager (HM) evaluates the configured rules and assigns the appropriate roles without manual intervention.

This feature is useful for organizations that want to:

  • Automatically grant roles based on IdP group membership
  • Reduce manual role assignment overhead
  • Ensure consistent role assignments across users from the same IdP groups

How role mapping works

When a user authenticates through an external IdP, HM receives information about their IdP identity and group memberships. Role mapping rules define which roles should be assigned based on these attributes.

Each rule consists of:

  • Conditions: Criteria that must be satisfied for the rule to match (for example, IdP identifier and group membership)
  • Roles: The roles to assign when all conditions match

Rule evaluation

  • All conditions within a single rule must match (AND logic)
  • Multiple rules are evaluated independently (OR logic)
  • A user receives the union of roles from all matching rules

Role assignment sources

Users can have roles from two sources:

  • Manual: Roles assigned directly by an administrator through the HM console. These roles can be modified or removed by an administrator.
  • Mapping: Roles assigned automatically through role mapping rules. These roles cannot be modified in the UI. To change a user's mapped roles, update the role mapping rules or the user's group membership in the IdP.

Prerequisites

Before configuring role mapping rules:

  1. Configure an external IdP (SAML, OIDC, or LDAP) with group attribute mapping enabled
  2. Ensure users have group memberships configured in your IdP
  3. Hold the Organization Owner role or equivalent administrative permissions

Important

If the HM IdP integration is configured to retrieve group membership information, each user must be a member of at least one group in the IdP. Users with no group memberships can't sign in to HM.

Configuring role mapping rules

You can configure role mapping rules at two levels:

  • Organization level: Assigns organization-scoped roles (Organization Administrator, Organization Owner, etc.)
  • Project level: Assigns project-scoped roles (Project Owner, Project Editor, Project Viewer, etc.)

Creating organization-level rules

Important

Only an Organization Owner can create or edit organization-level role mapping rules.

  1. In the HM console, navigate to User Management.

  2. Select the Role Mapping tab.

  3. Select Add Role Mapping Rule.

  4. Configure the rule conditions:

     • Identity Provider: Select the IdP this rule applies to
     • Group: Enter the IdP group name that users must belong to

  5. Select the organization roles to assign when the conditions match.

  6. Select Save.

Creating project-level rules

Important

Only an Organization Owner or a Project Owner can create or edit project-level role mapping rules.

You can add project-level role mapping rules to an existing project or during project creation.

Adding rules to an existing project

  1. In the HM console, navigate to the project.

  2. Go to Users.

  3. Select the Role Mapping tab.

  4. Select Add Role Mapping Rule.

  5. Configure the rule conditions (Identity Provider and Group).

  6. Select the project roles to assign when the conditions match.

  7. Select Save.

Adding rules during project creation

  1. When creating a new project, enable Automated Role Assignments.

  2. Configure the role mapping rules as part of the project setup.

Note

Roles assigned through role mapping rules cannot be modified in the UI. To change a user's mapped roles, update the role mapping rules or the user's group membership in the IdP.

Example configurations

Assign organization owner role to IT administrators

Create an organization-level rule:

  • Identity Provider: Your corporate SAML IdP
  • Group: IT-Admins
  • Roles: Organization Owner

All users in the IT-Admins group are automatically assigned the Organization Owner role when they log in.

Assign project roles based on team membership

Create project-level rules for a data analytics project:

Rule 1 - Data engineers get editor access:

  • Identity Provider: Corporate LDAP
  • Group: data-engineering
  • Roles: Project Editor

Rule 2 - Data analysts get viewer access:

  • Identity Provider: Corporate LDAP
  • Group: data-analysts
  • Roles: Project Viewer

Users who are members of both data-engineering and data-analysts groups receive both Project Editor and Project Viewer roles.

Role reconciliation

When you modify role mapping rules, HM automatically reconciles role assignments for affected users:

  • Adding a rule: Users matching the new rule receive the configured roles on their next login
  • Removing a rule: Mapping-assigned roles from the removed rule are revoked; manually assigned roles remain unchanged
  • Modifying a rule: The previous assignments are removed and new assignments are applied based on the updated rule

Users who have previously logged in have their roles reconciled immediately when rules change. Users who have never logged in receive the appropriate role assignments on their first login.
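As an added illustration (not HM's own code or API), the following Python models the semantics described in the Rule evaluation, Role assignment sources and Role reconciliation sections: AND within a rule, OR across rules, union of roles, and recomputation of mapping-sourced roles that leaves manually assigned roles untouched. The rules are constructed from the page's example configurations; IdP identifiers such as corp-saml and corp-ldap are assumed placeholders.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One role mapping rule: every condition must hold (AND) for it to match."""
    idp: str
    group: str
    roles: frozenset


@dataclass
class User:
    idp: str
    groups: frozenset
    manual: set = field(default_factory=set)   # roles an administrator assigned directly
    mapping: set = field(default_factory=set)  # roles derived from rules, never edited by hand


def evaluate(rules, user):
    """Mapped roles are the union of roles from every rule whose conditions all match (OR across rules)."""
    mapped = set()
    for rule in rules:
        if rule.idp == user.idp and rule.group in user.groups:
            mapped |= rule.roles
    return mapped


def reconcile(rules, user):
    """Recompute the mapping source from the current rule set; the manual source is not touched.

    Adding, removing or modifying a rule is therefore the same operation: rerun it over the new rules.
    A role that was both mapped and manually assigned survives the removal of its rule.
    """
    user.mapping = evaluate(rules, user)
    return user


def effective_roles(user):
    return user.manual | user.mapping


# Constructed sample data modelled on the page's example configurations (IdP ids are placeholders)
ORG_RULES = [Rule("corp-saml", "IT-Admins", frozenset({"Organization Owner"}))]
PROJECT_RULES = [
    Rule("corp-ldap", "data-engineering", frozenset({"Project Editor"})),
    Rule("corp-ldap", "data-analysts", frozenset({"Project Viewer"})),
]

if __name__ == "__main__":
    both = reconcile(PROJECT_RULES, User("corp-ldap", frozenset({"data-engineering", "data-analysts"})))
    print(sorted(both.mapping))  # member of both groups gets both project roles
```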

Invalidating user sessions

When you update group memberships in your IdP (for example, adding a user to a new group), currently logged-in users do not automatically receive the updated group information until they log in again.

To ensure that users receive the correct roles based on their current group memberships, you can invalidate their sessions to force re-authentication.

  1. In the HM console, go to Settings > Identity Providers.
  2. Select the IdP whose users need to be re-authenticated.
  3. Select Invalidate Sessions.
  4. Confirm the action.

All active sessions for users from that IdP are terminated. Users must log in again, at which point their authentication token includes the current group memberships from the IdP.

Note

Session invalidation affects all users from the selected IdP, not just users whose groups changed. Use this feature after making significant group membership changes in your IdP.

Removing role mapping rules

When you remove a role mapping rule:

  1. Roles that were assigned only through mapping are automatically revoked from affected users.
  2. Roles that were also manually assigned remain in place.
  3. The change takes effect immediately for users who have previously logged in.

Note

Removing a role mapping rule does not affect users' ability to log in. It only removes the automatically assigned roles from that rule.