Group Mappings

Group mappings allow you to connect groups from your identity provider (IdP) to the roles and teams associated with your Sysdig account. You can create a mapping at any time, but it can only be used if a compatible Single Sign-On (SSO) authentication method is enabled in Sysdig. Group mapping is currently supported when using SAML 2.0 or OpenID SSO.

Group mapping is beneficial to:

  • Manage permissions for and access to Sysdig resources from your organization’s IdP itself. For example, to allow your Analytics team to access a set of Dashboards, you can create a group named Analytics and grant group members access only to the dashboards they need.
  • Update or completely remove user access to Sysdig resources as soon as it’s updated in the IdP.

As an admin, you can:

  • Enter one or more IdP groups and assign a custom role and map teams.
  • Map a group to one or more teams, or all the teams.
  • Select a user role for each group individually.

When group mapping is enabled:

  • Group mapping ignores users who are manually set as administrators, so they can perform administrator functions without the mapping overwriting their existing permissions.
  • If a user does not belong to any of the mapped groups, or the mapping is misconfigured, the user will be assigned to the default team with the default role.
  • If user creation is disabled while group mapping is enabled, non-existing users will not be created. However, the team and role information associated with the existing users will be processed on each login.

Enable Group Mapping

To enable group mapping in Sysdig Secure or Sysdig Monitor:

  1. Navigate to Settings > Authentication.
  2. For SAML 2.0, select SAML from Connection Settings. For OpenID, select OpenID from Connection Settings.
  3. Enable Group Mapping.

  4. Specify the Group Attribute Name. It is the configurable metadata name of an IdP group attribute. This must match the group attribute name configured on the IdP side. This value is processed on every login attempt to read the groups that the user belongs to.
  5. Click Save Settings.

A list of the configured mappings is available on the Settings > Group Mappings page.
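
For the SAML 2.0 case, the following added example (not Sysdig code) checks offline that the configured Group Attribute Name appears in an assertion and which of its values match configured Group IDs. The assertion is a constructed sample; the attribute name `groups`, the group IDs, the function names, and the exact string comparison are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from a real IdP); "groups" is an assumed attribute name.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Analytics</saml:AttributeValue>
      <saml:AttributeValue>Platform-Ops</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def read_groups(assertion_xml, group_attribute_name):
    """Return the values of the named attribute, or None if it is absent."""
    # Diagnostic parsing only: no signature validation is performed here.
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == group_attribute_name:  # exact match (assumption)
            return [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return None


def check_mapping(assertion_xml, group_attribute_name, mapped_group_ids):
    """Predict which configured Group IDs a login would match."""
    groups = read_groups(assertion_xml, group_attribute_name)
    if groups is None:
        # Attribute name mismatch: no groups can be read from the assertion.
        return {"status": "attribute-missing", "matched": [], "unmapped": []}
    matched = [g for g in groups if g in mapped_group_ids]
    unmapped = [g for g in groups if g not in mapped_group_ids]
    # Per the page, a user in no mapped group gets the default team and role.
    status = "mapped" if matched else "default-team-and-role"
    return {"status": status, "matched": matched, "unmapped": unmapped}


if __name__ == "__main__":
    print(check_mapping(SAMPLE_ASSERTION, "groups", {"Analytics"}))
    print(check_mapping(SAMPLE_ASSERTION, "Groups", {"Analytics"}))
```

Run it against an assertion captured from a test login before relying on a new mapping; an `attribute-missing` result means the name entered in Sysdig does not match what the IdP sends.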

Add a Mapping

You can map a group to one role and one or more teams.

  1. Navigate to Settings > Group Mappings.

  2. Enter the Group ID. This is the unique name assigned to the group on the IdP side.
  3. If users belonging to this group should assume the Sysdig Admin role, select the checkbox in the Admin column.

Please make sure to configure Admin group mapping before March 31 2023 @ 06:00 UTC

  4. Select a role from the Role drop-down. You can select only one role for a group mapping. Ensure that the roles aren’t conflicting with each other because the mapping will not work if there are conflicting roles for a user.
    • If a user logged in before, the group mapping will not be processed and the groups & roles will remain as before.
    • If a user is logging in for the first time, the system will default to placing the user in a default team with a default role.
  5. Select one or more teams from the Teams drop-down.
  6. Optionally, add another mapping by clicking Add Group and repeating the same steps.
  7. Click Save.