Manage roles and organizations
The DoiT platform allows you to manage your user roles and the organizations they belong to. Instead of manually assigning user roles and organizations to each of your users within the DoiT platform itself, you can control the roles using groups or attributes set up in your company's user management system, for example, Azure AD, Okta, and so on. This makes managing who has access to DoiT easier and consistent with how you manage other applications.
You can do this using custom attributes or group mappings. If you want to have more than one role and organization in the DoiT Platform, use group mappings to map groups to your roles.
Users are created and updated through the IdP. When you offboard users, they lose access to the DoiT Platform once they are deactivated in the IdP. The DoiT Platform itself doesn't deactivate users.
Default role
If you do not configure roles and organizations using custom attributes or group mappings, the DoiT Platform will assign the default role of your organization to new users.
Setting a default role in the DoiT console doesn't impact existing users, though they might be affected if you explicitly set the default role using a custom attribute or group mapping. We suggest that you consult the IdP-specific documentation for more information.
Configure using group mappings
Using groups, you can configure multiple roles and organizations for your users using the DoiT console. You can map each group to a role and an organization.
Groups must be configured in your IdP to be sent as multiple, distinct values.
To do this, assign your SSO Group IDs to specific DoiT roles and organizations in the DoiT console.
Note that:
- Any group mappings configured in the DoiT console do not apply to Admin users.
- Custom attributes take precedence over group mappings.
- For invited non-admin users, if no custom attributes or group mappings are configured, the role and organization values from the invitation are applied.
- Each group can be mapped to one role and organization, but the same role and organization can be mapped to multiple groups.
- When a user's group memberships match multiple groups, the mapping rule that appears first in the list is applied. Subsequent mapping rules are ignored. You can move the groups up or down the list if necessary.
Configure using custom attributes
You can configure one role and one organization per user using custom attributes in your IdP.
Roles
You can configure a DoiT Platform user role via your IdP by setting the custom attribute doit_platform_role_id per user. The value of the attribute must be the role ID of the desired DoiT Platform user role. (See Role ID for how to find the role ID in the DoiT console.)
Organizations
You can configure a DoiT Platform user organization via your IdP by setting the custom attribute doit_platform_org_id per user. The value of the attribute must be the organization ID of the desired DoiT Platform user organization.
If your IdP doesn't provide a value for doit_platform_org_id, no organization will be assigned to the user.
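The precedence rules for custom attributes and group mappings can be checked offline before you reorder or add a mapping. The following is an added example, not DoiT code: a local Python model of the rules on this page that flags users whose result depends on rule order. The function names, all sample IDs, and the handling of cases the page leaves unstated (marked as assumptions in the comments) are hypothetical.

```python
# Added illustration: local model of the precedence rules on this page.
# Not DoiT code; calls no DoiT or IdP API. All sample IDs are constructed.
ROLE_ATTR = "doit_platform_role_id"   # attribute names taken from the page
ORG_ATTR = "doit_platform_org_id"

def resolve(user, mappings, default_role_id):
    """mappings: ordered (group_id, role_id, org_id) rules, top rule first."""
    attrs = user.get("attributes", {})
    if attrs.get(ROLE_ATTR):
        # Custom attributes take precedence; no org attribute means no org.
        # Assumption: checked first for every user, keyed on the role attribute.
        return attrs[ROLE_ATTR], attrs.get(ORG_ATTR), "custom_attribute", []
    if user.get("is_admin"):
        # Group mappings do not apply to Admin users.
        return None, None, "admin_unmapped", []
    groups = set(user.get("groups", ()))
    hits = [m for m in mappings if m[0] in groups]
    if hits:
        # The first matching rule in list order wins; later matches are ignored.
        _, role_id, org_id = hits[0]
        return role_id, org_id, "group_mapping", [m[0] for m in hits[1:]]
    invitation = user.get("invitation")
    if invitation:
        # Assumption: "nothing configured" is modelled as "nothing matched".
        return invitation["role_id"], invitation["org_id"], "invitation", []
    # Assumption: users with no other source get the default role, no org.
    return default_role_id, None, "default_role", []

def order_dependent(users, mappings, default_role_id):
    """Names of users whose outcome depends on rule order (worth reviewing)."""
    return [u["name"] for u in users if resolve(u, mappings, default_role_id)[3]]

# Constructed sample data.
MAPPINGS = [
    ("grp-finops", "role-viewer", "org-emea"),
    ("grp-platform", "role-power-user", "org-root"),
]
USERS = [
    {"name": "ana", "groups": ["grp-platform", "grp-finops"]},
    {"name": "bo", "groups": ["grp-platform"], "attributes": {ROLE_ATTR: "role-support"}},
    {"name": "cy", "groups": ["grp-finops"], "is_admin": True},
    {"name": "di", "groups": [],
     "invitation": {"role_id": "role-viewer", "org_id": "org-emea"}},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["name"], resolve(u, MAPPINGS, "role-default"))
    print("review:", order_dependent(USERS, MAPPINGS, "role-default"))
```

In the sample, ana belongs to both mapped groups and receives the lower-privilege mapping only because that rule is listed first; moving the rule would change her role, which is why she is flagged for review.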