Synchronizing group membership
CDP can synchronize the user's group membership provided by your enterprise IdP with the user's group membership in CDP.
When a user initially logs in to CDP through the identity management system in your organization, CDP creates a CDP user account for the user. However, without being assigned CDP roles, the user cannot perform tasks in CDP. Cloudera recommends that you create CDP groups with assigned roles and add users to the groups so that the users can take on the roles assigned to the groups.
When you create an identity provider, you can select the Sync Groups on Login option to enable CDP to synchronize the user group membership. By default, the Sync Groups on Login option is disabled. Clear the option selection if you do not want CDP to synchronize the user group membership.
Group names must be alphanumeric, may include dots (.), hyphens (-), and underscores (_), and must be fewer than 64 characters long. Additionally, names can only start with an alphabetic character or an underscore.
Sync Groups on Login enabled
When the Sync Groups on Login option is enabled, CDP synchronizes a user's group in the following manner:
- The group membership that your enterprise IdP specifies for a user overrides the group membership set up in CDP. Each time a user logs in, CDP updates the user's group membership based on the groups that your enterprise IdP specifies for the user.
- If the group exists in CDP, CDP adds the user to the group. The user takes on all the roles associated with the group.
- If the group does not exist in CDP, CDP creates the group and adds the user to the group. However, no roles are assigned to the new group, so a member of the new group does not take on roles from the group.
- If the user is a member of a group in CDP that is not included in the list provided by your enterprise IdP, CDP removes the user from the group.
- If the list of groups from your enterprise IdP is empty, CDP removes the user from all groups in CDP. After login, the user will not be a member of any CDP group and will not have roles from any group.
To ensure that users can perform tasks in CDP, Cloudera recommends that you set up the groups in CDP with appropriate roles before you assign them to users.
Sync Groups on Login disabled
When the Sync Groups on Login option is disabled, CDP does not synchronize the user's group membership in CDP with the user's group membership provided by the IdP. After login, a user's group membership in CDP is determined by the CDP groups assigned to the user in CDP. The groups assigned to the user in your enterprise IdP are ignored.
Sync Membership option for a newly created group
Additionally, once you have synced your IdP and you create a new group in CDP, you have an option called Sync Membership that determines whether group membership is synced to IdP when a user logs in. By default, Sync Membership is enabled when Sync Groups on Login is enabled.
The following table describes how the global Sync Groups on Login and the per-group Sync Membership options can be used:
IdP Sync Groups on Login on |
IdP Sync Groups on Login off |
|
Group Sync Membership on |
Group membership for the specific group is reflected in IdP. | Group membership for the specific group is not reflected in IdP. |
Group Sync Membership off |
Group membership for the specific group is not reflected in IdP. | Group membership for the specific group is not reflected in IdP. |
In other words, if Sync Groups on Login is off at the IdP level, then no groups are getting synced regardless of what the setting for Sync Membership is. But if Sync Groups on Login is turned on at the IDP level, then you have the option to override it for certain groups that you explicitly leave off.