Configuring Group Management

If you have SSO enabled, you can configure user groups and assign roles to the group. After you create user groups, you map claim values provided by your identity provider (IdP) with your user groups in PubSub+ Cloud. Users are then automatically added to groups when they log in based on the claim values received from the identity provider. If a user's claim values don't match any mapped claim values, the user can be denied access or added to a default group that you specify.

PubSub+ Cloud also lets you enable just-in-time provisioning, which lets you onboard new PubSub+ Cloud users without inviting them manually and is required to configure SSO for event broker services.

You can set up user groups by performing these tasks:

Prerequisites

Before you enable role management for your PubSub+ Cloud account, you need to perform these tasks:

Creating User Groups

You can create as many user groups as you need to represent teams or job functions within your organization.

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging In to the PubSub+ Cloud Console.

  2. On the navigation bar, click User & Account and then select Account Details.
  3. On the Account Details page, select the User Management tab.
  4. Click User Groups. This option is available only if SSO is enabled for the account.
  5. Click Create Group.

    Screenshot showing the settings described in the surrounding text.

  6. Enter a User Group Name.
  7. Select one or more Roles to assign to all members of the user group.
  8. (Optional) Enter a Description for the user group.
  9. Click Create.

Managing User Groups

After you create user groups, you can map claims from your IdP to the groups.

You can also edit and delete claim mappings, enable just-in-time provisioning and set a default user group.

To map claims to and update group management settings, perform these steps:

  1. On the navigation bar, click User Account  and then select Account Details.
  2. On the Account Details page, select the User Management tab.
  3. Click User Groups. This option is available only if SSO is enabled for the account.
  4. Click Group Management.
  5. In the Group, Role Identifier or Claim field, add the claim name or key that provides the claim values that you want to map to roles. You can use any claim that can be returned by your IdP. The "groups" claim is commonly used for this purpose.

    Screenshot showing the settings described in the surrounding text.

  6. Perform the following steps for each new claim that you want to map to a user group:
    1. Click Add Mapping.
    2. In the Claim Mapping table, add a Claim Value that you expect to receive from the identity provider. Your claim value can be a user email or a group where multiple users can be assigned the same value.
    3. Select one or more User Groups to map to the claim value to.

      Screenshot showing the settings described in the surrounding text.

    4. Click Add.
  7. (Optional) Select Enable Just-In-Time provisioning to allow users who are able to authenticate with the identity provider to log in to PubSub+ Cloud and be added to a group without being manually invited first.
  8. (Optional) Select Customize Default User Group and select a user group from the Default User Group drop-down list. When selected, if no defined claim mappings match the user claim value, the user is added to the specified group. When not selected, if no claim value for the user is mapped to a user group, the user is denied access to PubSub+ Cloud.
  9. Click Test Access > Run Test. to test the updates to ensure that your administrator account is allowed access with the new settings.

    A message confirms whether you will still have administrator privileges on the account after the settings are applied. If you will lose administrator access, update the settings before continuing.

  10. Click Save.

Disabling Group Management

To disable group management, perform these steps:

  1. On the navigation bar, click User & Account and then select Account Details.
  2. On the Account Details page, select the User Management tab.
  3. Click User Groups.
  4. Click Group Management.
  5. On the Group Management page, click Disable.
  6. In the dialog box that appears, click Disable.

When group management is disabled, users are not dynamically added to user groups. All existing users keep their currently assigned roles.