Manage roles and organizations

The DoiT platform allows you to manage your user roles and the organizations they belong to. Instead of manually assigning user roles and organizations to each of your users within the DoiT platform itself, you can control the roles using groups or attributes set up in your company's user management system, for example, Azure AD, Okta, and so on. This makes managing who has access to DoiT easier and consistent with how you manage other applications.

You can do this using custom attributes or group mappings. If you want to have more than one role and organization in the DoiT Platform, use group mappings to map groups to your roles.

Note

Users are created and updated through the IdP. When you offboard users, they lose access to the DoiT Platform once they are deactivated in the IdP. The DoiT Platform itself doesn't deactivate users.

Default role

If you do not configure roles and organizations using custom attributes or group mappings, the DoiT Platform will assign the default role of your organization to new users.

Setting a default role in the DoiT console doesn't impact existing users, though they might be affected if you explicitly set the default role using a custom attribute or group mapping. We suggest that you consult the IdP-specific documentation for more information.

Configure using group mappings

With groups, you can configure multiple roles and organizations for your users in the DoiT console. You can map each group to a role and an organization.

Note

Groups must be configured in your IdP to be sent as multiple, distinct values.

To do this, assign your SSO Group IDs to specific DoiT roles and organizations in the DoiT console.

Note that:

  • Any group mappings configured in the DoiT console do not apply to Admin users.

  • Custom attributes take precedence over group mappings.

  • For invited non-admin users, if no custom attributes or group mappings are configured, the role and organization values from the invitation are applied.

  • Each group can be mapped to one role and organization, but the same role and organization can be mapped to multiple groups.

  • When a user's group memberships match multiple groups, the mapping rule that appears first in the list is applied. Subsequent mapping rules are ignored. You can move the groups up or down the list if necessary.

SSO group mapping

Configure using custom attributes

You can configure one role and one organization per user using custom attributes in your IdP.

Roles

You can configure a DoiT Platform user role via your IdP by setting the custom attribute doit_platform_role_id per user. The value of the attribute must be the role ID of the desired DoiT Platform user role. See Role ID for how to find the role ID in the DoiT console.

Organizations

You can configure a DoiT Platform user organization via your IdP by setting the custom attribute doit_platform_org_id per user. The value of the attribute must be the organization ID of the desired DoiT Platform user organization.

If your IdP doesn't provide a value for doit_platform_org_id, no organization will be assigned to the user.
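
The precedence rules from the group mapping and custom attribute sections can be modeled to audit what a non-admin user will receive before changing the rule order. This is an added example, not DoiT code: the function names, group IDs, role IDs and organization IDs are constructed placeholders, Admin users are out of scope, and it assumes that a doit_platform_role_id value is what selects the custom attribute path and that the default role comes with no organization.

```python
# Added example: models the precedence rules described on this page.
# All IDs, group names and function names are constructed placeholders.

def resolve_access(user, group_rules, default_role):
    """Return the role/org a non-admin user would receive, and the reason."""
    attrs = user.get("attributes", {})
    # 1. Custom attributes take precedence over group mappings.
    #    Assumption: a doit_platform_role_id value selects this path.
    if attrs.get("doit_platform_role_id"):
        return {"role": attrs["doit_platform_role_id"],
                # No doit_platform_org_id from the IdP: no organization.
                "org": attrs.get("doit_platform_org_id"),
                "source": "custom_attribute"}
    # 2. The first matching rule in list order wins; later ones are ignored.
    groups = set(user.get("groups", []))
    for position, rule in enumerate(group_rules):
        if rule["group_id"] in groups:
            return {"role": rule["role"], "org": rule["org"],
                    "source": f"group_rule[{position}]"}
    # 3. Invited users with no attribute or mapping get the invitation values.
    invite = user.get("invitation")
    if invite:
        return {"role": invite["role"], "org": invite["org"],
                "source": "invitation"}
    # 4. Otherwise the default role (assumption: with no organization).
    return {"role": default_role, "org": None, "source": "default_role"}

def ignored_rules(user, group_rules):
    """Rules that match the user's groups but lose to an earlier rule."""
    groups = set(user.get("groups", []))
    matches = [r for r in group_rules if r["group_id"] in groups]
    return matches[1:]

# Constructed sample data.
RULES = [
    {"group_id": "grp-finance", "role": "role-viewer", "org": "org-finance"},
    {"group_id": "grp-platform", "role": "role-power", "org": "org-eng"},
]
USERS = {
    "both_groups": {"groups": ["grp-platform", "grp-finance"]},
    "attr_only_role": {"groups": ["grp-platform"],
                       "attributes": {"doit_platform_role_id": "role-custom"}},
    "invited": {"groups": [], "invitation": {"role": "role-inv", "org": "org-inv"}},
    "unmapped": {"groups": ["grp-other"]},
}

if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, resolve_access(user, RULES, "role-default"),
              "ignored:", [r["group_id"] for r in ignored_rules(user, RULES)])
```

A non-empty result from ignored_rules flags users whose effective role depends on rule order, which is worth reviewing whenever a more privileged mapping sits above a less privileged one.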