Group Mappings

Group mappings allow you to connect groups from your identity provider (IdP) to the roles and teams associated with your Sysdig account. You can create a mapping at any time, but it can only be used if a compatible Single Sign-On (SSO) authentication is enabled in Sysdig. Group mapping is currently supported only with SAML 2.0 SSO.

Group mapping is beneficial to:

  • Manage permissions for and access to Sysdig resources from your organization’s IdP itself.

    For example, to allow your Analytics team to access a set of Dashboards, you can create a group named Analytics and grant group members access only to the dashboards they need access to.

  • Update or completely remove user access to Sysdig resources as soon as it’s updated in the IdP.

As an admin, you can:

  • Enter one or more IdP groups and assign a custom role and map teams.

  • Map a group to one or more teams, or all the teams.

  • Select a user role for each group individually.

When group mapping is enabled:

  • Group mapping ignores users that are manually set as administrators, so they can perform administrator functions without the mapped permissions overwriting their existing permissions.

  • If a user does not belong to any of the mapped groups, or the mapping is misconfigured, the user will be assigned to the default team with the default role.

  • If user creation is disabled while group mapping is enabled, non-existing users will not be created. However, the team and role information associated with the existing users will be processed on each login.

Enable Group Mapping

To enable group mapping in Sysdig Secure or Sysdig Monitor:

  1. Navigate to Settings > Authentication.

  2. Select SAML from Connection Settings.

  3. Enable Group Mapping.

  4. Specify the Group Attribute Name.

    This is the configurable metadata of an IdP group that is used in the SAML assertion statement. Sysdig uses this SAML attribute to identify the group and determine associated permissions. This value is processed on every login attempt to read the groups that the user belongs to.

  5. Click Save Settings.

Add a Mapping

You can map a group to one role and one or more teams.

  1. Navigate to Settings > Group Mappings.

  2. Enter the Group ID. This is the unique name assigned to the group on the IdP side.

  3. Select a role from the Role drop-down. You can select only one role for a group mapping. Ensure that the roles aren’t conflicting with each other because the mapping will not work if there are conflicting roles for a user.

  4. Select one or more teams from the Teams drop-down.

  5. Optionally, add additional mappings by clicking Add Group and repeating the same steps.

  6. Click Save.
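
To check a configuration before relying on it, the following added example (not Sysdig code) reads the groups from a decoded SAML assertion using the Group Attribute Name and previews which of the outcomes described above a login would produce. The assertion, group IDs, role and team names are constructed placeholders, and treating "conflicting" as one team receiving two different roles is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a decoded SAML 2.0 assertion fragment (not real IdP output).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Analytics</saml:AttributeValue>
      <saml:AttributeValue>Contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mapping table: Group ID -> (role, teams). Names are placeholders.
MAPPINGS = {
    "Analytics": ("role-viewer", {"team-dashboards"}),
    "SecOps": ("role-editor", {"team-dashboards", "team-secure"}),
}

def groups_from_assertion(xml_text, group_attribute_name):
    """Return the values of the attribute named by Group Attribute Name."""
    root = ET.fromstring(xml_text)  # offline inspection; no signature validation here
    path = ".//saml:AttributeStatement/saml:Attribute"
    return [(v.text or "").strip()
            for attr in root.iterfind(path, NS)
            if attr.get("Name") == group_attribute_name
            for v in attr.iterfind("saml:AttributeValue", NS)]

def preview_mapping(groups, mappings, manual_admin=False):
    """Predict the outcome the page describes for one login."""
    if manual_admin:
        # Manually set administrators are ignored by group mapping.
        return {"status": "admin-ignored", "teams": {}}
    roles_by_team = {}
    for group in groups:
        if group in mappings:
            role, teams = mappings[group]
            for team in teams:
                roles_by_team.setdefault(team, set()).add(role)
    if not roles_by_team:
        # No mapped group matched: default team with the default role.
        return {"status": "default-team-and-role", "teams": {}}
    # Assumption: "conflicting" means one team receiving two different roles.
    conflict = any(len(r) > 1 for r in roles_by_team.values())
    return {"status": "conflict" if conflict else "mapped", "teams": roles_by_team}
```

A Group Attribute Name that does not match the attribute the IdP actually sends yields an empty group list, so every non-admin user lands on the default team and role.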