Overview

You can map users from your idP to specific roles in Quantive. Users can be part of multiple groups and roles.

Group to Role Mapping through SSO or SCIM

You can use SSO (Single Sign On) for authentication, or for limited provisioning and SCIM (System for Cross-domain Identity Management) to set provisioning for your account. Admins can set the Group to Role Mapping through either SSO or SCIM.

SSO is available with the Quantive Scale plan and up.

SCIM is available only with the Quantive Enterprise plan.

Set default roles

To set default roles, navigate to Settings, then Group to Role Mapping, then select SSO or SCIM.

You can assign one or more roles to your users.

For example, user A belongs to both groups ‘Product’ and ‘Management’ in the idP. Group ‘Product’ is mapped to the role ‘user’ and group ‘Management’ to the role ‘admin,’ so user A will get both roles ‘user’ and ‘admin’.

If users do not belong to any group, they will be assigned the default role, which could be predefined. Most organizations choose ‘user’ as the default role.

The ‘view-only’ role cannot be combined with other roles. For example, if a user is assigned ‘view-only’ and ‘admin’ roles, the ‘admin’ role will be assigned no matter which role was added first.

SSO

Through SSO, provisioning occurs only when users log in, and roles can both be set as default or managed manually per each user. Every time a user logs in from an SSO connection, the values of their groups’ attributes will be checked. The corresponding role will be added if they match any new mapping rules. Group to Role Mapping through SSO does not remove roles.

Azure AD and Google Workspace/G Suite can be connected by an admin in Settings. For other SSO connections that support SAML 2.0, including Okta, OneLogin, and Ping, some additional setup from Quantive Support will be required. Feel free to contact us at [email protected].

SCIM

The SCIM integration will automatically manage user provisioning and map groups to roles, limiting security issues.

Benefits of SCIM provisioning:

  • Teams and their members can be automatically provisioned.

  • The sync between the IdP and Quantive happens less than 40 minutes after a change is present (for most external IdPs, it will change immediately).

  • Users deleted in the identity provider will also be deleted in Quantive. This applies to hard deletes only. Soft deletes (i.e., deactivating or disabling accounts) will not affect users.

  • As opposed to SSO, Group to Role Mapping via SCIM allows changing, adding, and removing roles.

You can find detailed instructions for configuring SCIM with Quantive here.

Switching Group to Role Mapping from SSO to SCIM

Note that if you switch from SSO to SCIM, the manually assigned roles will be erased, and the process will be irreversible.

Did this answer your question?