Setting up SSO often comes with a need to set up Group and Role for a new user. Sisense provides two alternative solutions for Group and Role Management:
- Use Defaults: Every new user is assigned default roles. This is only relevant for new users and it doesn’t override existing roles or groups starting from L2021.3.
- Define by Group: Define users based on group roles. Select this option if you have defined what group a new user should be assigned to through a Group claim.
The main different is that Define by Group option will validate user groups and assign role dynamically on every log in. This means that if user role or group was changed manually the next time user is authenticated the changes will be reverted, groups and role will be set to the same as in Identity Provider.
Therefore you should either chose the strategy of assigning groups and roles manually (Use Defaults) or rely on Identity Provider groups completely (Define by Group) and set up the roles for groups leaving the rest to Sisense.
Let's review this within the following example:
We have a system where SSO is already set up and now we want to define the role and groups to our new users.
We have a system where SSO is already set up and now we want to define the role and groups to our new users.
First scenario is we want all new users to be Viewers and have New users group:
Once the first user is created via SSO his role will be set to Viewer and user will be automatically included in New Users group. But what if we want to make this user a Designer or Admin and maybe remove the user from New users group? We can do that manually from the Users page as per usual. The next time user is authenticated via SSO his role and groups will remain untouched.
But what if we want to bring groups user belongs to alongside? In that case we will need to switch to Define by Group:
The first time user is created via SSO he will be added to the groups found in Groups claim and his role will be chosen by the highest Default Role:
So we have a new user created and the highest Role for his groups is Designer, but what if we want to make this particular user an Admin? Even though we can still go to the User page and change the user Role and Groups this is not the way to achieve this. The next time user is authenticated via SSO his Groups will be validated against Groups in Identity Provider (via the Groups claim) and all our changes will be overwritten.
So what is the recommended approach in this case? We can simply create a new group in our Identity Provider and Sisense and assign the Admin Default Role for this group. The next time user is authenticated via SSO the groups will be synced and highest role will be assigned - Admin role.
Note, we can always disable the logic that validates user Role/Group on SSO authentication:
In this case new user cannot not be created via SSO authentication which means we either need to create such user manually/using REST API or have our system available for existing users only.
