Synchronizing group membership

CDP can synchronize the user's group membership provided by your enterprise IdP with the user's group membership in CDP.

When a user initially logs in to CDP through the identity management system in your organization, CDP creates a CDP user account for the user. However, without being assigned CDP roles, the user cannot perform tasks in CDP. Cloudera recommends that you create CDP groups with assigned roles and add users to the groups so that the users can take on the roles assigned to the groups.

When you create an identity provider, you can select the Sync Groups on Login option to enable CDP to synchronize the user group membership. By default, the Sync Groups on Login option is enabled. Clear the option selection if you do not want CDP to synchronize the user group membership.

Sync Groups on Login enabled

When the Sync Groups on Login option is enabled, CDP synchronizes a user's group membership in the following manner:

  • The group membership that your enterprise IdP specifies for a user overrides the group membership set up in CDP. Each time a user logs in, CDP updates the user's group membership based on the groups that your enterprise IdP specifies for the user.
  • If the group exists in CDP, CDP adds the user to the group. The user takes on all the roles associated with the group.
  • If the group does not exist in CDP, CDP creates the group and adds the user to the group. However, no roles are assigned to the new group, so a member of the new group does not take on roles from the group.
  • If the user is a member of a group in CDP that is not included in the list provided by your enterprise IdP, CDP removes the user from the group.
  • If the list of groups from your enterprise IdP is empty, CDP removes the user from all groups in CDP. After login, the user will not be a member of any CDP group and will not have roles from any group.

To ensure that users can perform tasks in CDP, Cloudera recommends that you set up the groups in CDP with appropriate roles before you assign them to users.

Sync Groups on Login disabled

When the Sync Groups on Login option is disabled, CDP does not synchronize the user's group membership in CDP with the user's group membership provided by the IdP. After login, a user's group membership in CDP is determined by the CDP groups assigned to the user in CDP. The groups assigned to the user in your enterprise IdP are ignored.
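The two behaviours above (Sync Groups on Login enabled, and disabled) can be expressed as a small reconciliation routine. The following is an added example written for this page, not Cloudera's code or any CDP API; the `CdpDirectory` class, its `login` and `roles_for` methods, and all group and role names are constructed stand-ins for CDP's real user, group and role state. It shows the cases a practitioner most often trips over: a group the IdP names that CDP has never seen (created, but with no roles), an empty IdP group list (all CDP group membership removed), and the disabled mode (IdP groups ignored entirely).

```python
"""Model of CDP's "Sync Groups on Login" reconciliation.

Added example for illustration; it is not Cloudera's implementation.
All names (CdpDirectory, login, roles_for, groups, roles, users) are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class CdpDirectory:
    """In-memory stand-in for CDP's user/group state (constructed).

    groups:     group name -> set of CDP role names assigned to that group
    membership: user name  -> set of group names the user currently belongs to
    """
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    membership: Dict[str, Set[str]] = field(default_factory=dict)

    def roles_for(self, user: str) -> Set[str]:
        """Effective roles: union of the roles of every group the user is in."""
        roles: Set[str] = set()
        for group in self.membership.get(user, set()):
            roles |= self.groups.get(group, set())
        return roles

    def login(self, user: str, idp_groups: Optional[List[str]],
              sync_groups_on_login: bool = True) -> Set[str]:
        """Apply the page's rules for one login and return the user's CDP groups afterwards.

        idp_groups is the group list the enterprise IdP supplies for this login
        (None or [] means the IdP supplied no groups).
        """
        # A first login creates the CDP user account; it starts with no groups.
        self.membership.setdefault(user, set())

        if not sync_groups_on_login:
            # Disabled: membership is whatever was assigned in CDP; IdP groups are ignored.
            return set(self.membership[user])

        # Enabled: the IdP list overrides CDP membership. An empty list clears it.
        wanted = set(idp_groups or [])
        for group in wanted:
            # A group CDP does not know is created, but with no roles attached,
            # so membership in it grants nothing until roles are assigned.
            self.groups.setdefault(group, set())
        # Groups the IdP did not list are dropped; listed groups are added.
        self.membership[user] = wanted
        return set(wanted)


def run_scenarios() -> Dict[str, Set[str]]:
    """Walk through the cases described in the text on constructed sample data."""
    cdp = CdpDirectory(groups={
        "data-engineers": {"EnvironmentUser", "DWUser"},  # constructed role names
        "admins": {"PowerUser"},
    })
    # A CDP-side assignment the IdP knows nothing about.
    cdp.membership["alice"] = {"admins"}
    out: Dict[str, Set[str]] = {}

    # Enabled: known group joined, unknown group created role-less, "admins" removed.
    out["sync_groups"] = cdp.login("alice", ["data-engineers", "new-from-idp"])
    out["sync_roles"] = cdp.roles_for("alice")
    out["new_group_roles"] = cdp.groups["new-from-idp"]

    # Enabled with an empty IdP list: every CDP group membership is removed.
    out["empty_groups"] = cdp.login("alice", [])
    out["empty_roles"] = cdp.roles_for("alice")

    # Disabled: an admin re-adds the user in CDP; the IdP list is ignored on login.
    cdp.membership["alice"] = {"admins"}
    out["disabled_groups"] = cdp.login("alice", ["data-engineers"], sync_groups_on_login=False)
    out["disabled_roles"] = cdp.roles_for("alice")
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {sorted(value)}")
```

The practical takeaway the model makes visible: with synchronization enabled, anything assigned to the user directly in CDP is overwritten on the next login, so role grants must live on groups that already exist in CDP and that the IdP actually emits for the user; a group CDP creates on the fly is a dead end until someone assigns roles to it.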