Cloudera Management Console

Synchronizing group membership

can synchronize the user's group membership provided by your enterprise IdP with the user's group membership in .

When a user initially logs in to through the identity management system in your organization, creates a user account for the user. However, without being assigned roles, the user cannot perform tasks in . recommends that you create groups with assigned roles and add users to the groups so that the users can take on the roles assigned to the groups.

When you create an identity provider, you can select the Sync Groups on Login option to enable to synchronize the user group membership. By default, the Sync Groups on Login option is disabled. Clear the option selection if you do not want to synchronize the user group membership.

Group names must be alphanumeric, may include dots (.), hyphens (-), and underscores (_), and must be fewer than 64 characters long. Additionally, names can only start with an alphabetic character or an underscore.

When the Sync Groups on Login option is enabled, synchronizes a user's group in the following manner:

  • The group membership that your enterprise IdP specifies for a user overrides the group membership set up in . Each time a user logs in, updates the user's group membership based on the groups that your enterprise IdP specifies for the user.
  • If the group exists in , adds the user to the group. The user takes on all the roles associated with the group.
  • If the group does not exist in , creates the group and adds the user to the group. However, no roles are assigned to the new group, so a member of the new group does not take on roles from the group.
  • If the user is a member of a group in that is not included in the list provided by your enterprise IdP, removes the user from the group.
  • If the list of groups from your enterprise IdP is empty, removes the user from all groups in . After login, the user will not be a member of any group and will not have roles from any group.

To ensure that users can perform tasks in , recommends that you set up the groups in with appropriate roles before you assign them to users.

When the Sync Groups on Login option is disabled, does not synchronize the user's group membership in with the user's group membership provided by the IdP. After login, a user's group membership in is determined by the groups assigned to the user in . The groups assigned to the user in your enterprise IdP are ignored.

Additionally, once you have synced your IdP and you create a new group in , you have an option called Sync Membership that determines whether group membership is synced to IdP when a user logs in. By default, Sync Membership is enabled when Sync Groups on Login is enabled.

The following table describes how the global Sync Groups on Login and the per-group Sync Membership options can be used:

                              IdP Sync Groups on Login: on          IdP Sync Groups on Login: off
Group Sync Membership: on     Group membership for the specific     Group membership for the specific
                              group is reflected in IdP.            group is not reflected in IdP.
Group Sync Membership: off    Group membership for the specific     Group membership for the specific
                              group is not reflected in IdP.        group is not reflected in IdP.

In other words, if Sync Groups on Login is off at the IdP level, then no groups are synced regardless of the Sync Membership setting. But if Sync Groups on Login is turned on at the IdP level, then you can override it for specific groups by leaving Sync Membership off for those groups.
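The login-time rules from the bullet list above and the table are easy to misread, especially the "empty IdP list removes all groups" and "new group gets no roles" cases. The following is an added model of those rules, not Cloudera's code: it assumes a simple in-memory group store, treats the group-name rule as a regular expression, and assumes (the page does not say) that an invalid group name from the IdP is rejected.

```python
import re
from dataclasses import dataclass, field

# Assumed encoding of the stated name rule: starts with a letter or underscore,
# then letters, digits, dots, hyphens or underscores, fewer than 64 characters.
GROUP_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]{0,62}$")


def valid_group_name(name: str) -> bool:
    return GROUP_NAME_RE.fullmatch(name) is not None


@dataclass
class Group:
    roles: set = field(default_factory=set)
    sync_membership: bool = True          # per-group "Sync Membership" option
    members: set = field(default_factory=set)


def sync_on_login(groups: dict, user: str, idp_groups: list,
                  sync_groups_on_login: bool) -> set:
    """Apply the documented login rules and return the user's effective roles."""
    if sync_groups_on_login:
        for name in idp_groups:
            if not valid_group_name(name):
                raise ValueError(f"invalid group name from IdP: {name!r}")  # assumed
            if name not in groups:
                # Unknown group: created on the fly, but with no roles attached,
                # so membership here grants nothing until an admin assigns roles.
                groups[name] = Group()
            if groups[name].sync_membership:
                groups[name].members.add(user)
        for name, group in groups.items():
            # Groups with Sync Membership off keep their local membership as-is;
            # every other group not named by the IdP loses the user (an empty
            # IdP list therefore strips the user from all synced groups).
            if group.sync_membership and name not in idp_groups:
                group.members.discard(user)
    # With the global option off, IdP groups are ignored; local membership stands.
    return {r for g in groups.values() if user in g.members for r in g.roles}


def demo_store() -> dict:
    """Constructed sample state: alice is locally in two groups."""
    return {
        "admins": Group(roles={"PowerUser"}, members={"alice"}),
        "legacy": Group(roles={"Reader"}, sync_membership=False, members={"alice"}),
    }
```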