User Group Associations

Automatically add or remove users from Kion user groups based on attributes from your identity provider. This is useful for determining user permissions dynamically.

Ensure you don't have multiple associations for the same group, because they will overwrite each other. Removing an association does not affect previous group membership.

Prerequisites

LDAP Sync

You can use an LDAP server you already have configured to bring user group associations into Kion. This is done by adding your LDAP server credentials to your IDMS configuration. For more information, see Add a SAML 2 IDMS.

Manual Configuration

  1. Login to Kion as an administrator.
  2. Navigate to Users > Identity Management Systems.
  3. Click the SAML or OpenID IDMS you would like to configure.
  4. Select the User Group Associations tab.
  5. Click Add > Add New. You can also select the Bulk Add option if you want to add several associations at once using the same field descriptions.
  6. Enter the name of the attribute you're passing that will be used to evaluate group membership. For example, ADmembership.
  7. Enter a regular expression that evaluates the attribute. For example, ^cloudtamer-admins would match a group named cloudtamer-admins.
    This field supports regular-expression metacharacters (such as ^ for the beginning of a phrase or $ for the end of a phrase). You can find more information in Google's RE2 Syntax article.
  8. Select the Kion user group the matched groups will be added to.
  9. (Optional) Evaluate users on every login and remove them from user groups they no longer match.
  10. Click Add.
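The evaluation that steps 6 to 9 configure, as an added example that is not Kion's own code: Go's regexp package implements the same RE2 syntax the association field accepts, so it can be used offline to check how a pattern will treat the attribute values your identity provider sends. The Association struct, the SampleAssociations values and the Evaluate/Reconcile functions are assumptions made for illustration.

```go
package main

import "regexp"

// Association mirrors one User Group Association row (a hypothetical struct, not
// Kion's data model): IdP attribute to read, RE2 pattern, Kion group to grant.
type Association struct{ Attribute, Pattern, KionGroup string }

// Evaluate returns the Kion groups a user qualifies for, given the multi-valued
// attributes carried in the assertion. Go's regexp package implements RE2
// syntax, the same syntax the association's regular-expression field accepts.
func Evaluate(assocs []Association, attrs map[string][]string) map[string]bool {
	wanted := map[string]bool{}
	for _, a := range assocs {
		re := regexp.MustCompile(a.Pattern) // panics on an invalid pattern
		for _, v := range attrs[a.Attribute] {
			// Partial match: "^x" also matches "x-anything"; anchor with $ for exact names.
			if re.MatchString(v) {
				wanted[a.KionGroup] = true
			}
		}
	}
	return wanted
}

// Reconcile models the optional "evaluate on every login" behaviour: newly
// matched groups are added and groups the user no longer matches are removed.
func Reconcile(current, wanted map[string]bool) (add, remove map[string]bool) {
	add, remove = map[string]bool{}, map[string]bool{}
	for g := range wanted {
		if !current[g] {
			add[g] = true
		}
	}
	for g := range current {
		if !wanted[g] {
			remove[g] = true
		}
	}
	return add, remove
}

// SampleAssociations is a constructed configuration: the prefix-only pattern
// grants "Kion Admins" to anyone in cloudtamer-admins-readonly as well, while
// the $-anchored pattern grants "Kion Admins (strict)" only for the exact name.
var SampleAssociations = []Association{
	{"ADmembership", `^cloudtamer-admins`, "Kion Admins"},
	{"ADmembership", `^cloudtamer-admins$`, "Kion Admins (strict)"},
	{"ADmembership", `^finance-`, "Finance"},
}
```

Run Evaluate with the attribute values captured from a real login to see exactly which groups a pattern would grant before saving it.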

Troubleshooting

Test logging in with a user account that matches one of the user group associations you specified.

If the permissions you expected are not applied, review the POST operation against /api/v1/saml/callback. Ensure that the assertion for your groups attribute exists and that the expected group name comes across in the assertion.

For information on how to review the operation, see Tracing SAML Logins.