Role Mapping
Role mapping is an advanced SSO feature that dynamically assigns TrueWatch role permissions based on user attributes returned by the Identity Provider (IdP). Once enabled, employees will automatically receive matching roles upon their first SSO login, without the need for manual assignment.
Effects of Enabling
- Enabled: Each time a user logs in, their role is dynamically matched based on the attribute fields returned by the IdP. Users who do not match any rule will be stripped of all roles and unable to log in.
- Disabled: Users retain the default role assigned during their first login. Subsequent changes to IdP attributes do not affect TrueWatch permissions.
Add Mapping
- Go to Manage > Member Management > SSO Management > Role Mapping.
- Click Add Mapping to start creating a new mapping relationship.
- Select a SAML or OIDC Identity Provider already configured within the current workspace.
- Define the Attribute Field: the name of the user attribute returned by the IdP. It must exactly match the actual configuration in the IdP (case-sensitive).
- Define the Attribute Value: the expected value for this attribute. Multiple values are supported, separated by commas.
- Select a Role: the TrueWatch role (Administrator/Standard Member/Read-Only Member/Custom Role) to be granted upon successful matching.
- Save.
Configuration Example
Example: Assigning roles by department:
Assume the user attributes returned by the IdP are:
Configuration in TrueWatch:
| Attribute Field | Attribute Value | Role |
|---|---|---|
| department | Technology Department | Administrator |
| groups | admin,devops | Administrator |
| department | Sales Department | Standard Member |
Note
- The attribute field name must exactly match the field name actually returned by the IdP (case-sensitive).
- Multiple attribute values must be separated by half-width (ASCII) commas. A user matches the rule if any one of the listed values matches.
- If a user matches multiple rules, the role with the highest permission level takes effect.
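The matching behaviour described above (exact, case-sensitive field names; comma-separated values where any one suffices; highest-privilege role on multiple matches; no role at all when nothing matches) can be made concrete with a small reference implementation. This is an added example, not TrueWatch's own code: the function names, the privilege ranking in ROLE_RANK, the assumption that a multi-valued IdP attribute such as groups may arrive as a list, and the sample user payloads are all constructed here. The three rules are the ones from the configuration example on this page.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence, Union

AttrValue = Union[str, Sequence[str]]

# Privilege ranking used to break ties when several rules match. Assumption:
# the page names these role types but gives no explicit ordering; any role
# name not listed (a custom role) is ranked lowest.
ROLE_RANK = {
    "Administrator": 3,
    "Standard Member": 2,
    "Read-Only Member": 1,
}


@dataclass(frozen=True)
class MappingRule:
    attribute_field: str  # IdP attribute name; compared exactly, case-sensitively
    attribute_value: str  # comma-separated expected values; any one suffices
    role: str             # TrueWatch role granted on match

    def expected_values(self) -> set:
        # Split on ASCII commas only; surrounding whitespace and empty items are dropped.
        return {v.strip() for v in self.attribute_value.split(",") if v.strip()}


def rule_matches(rule: MappingRule, attributes: Mapping[str, AttrValue]) -> bool:
    """True if the IdP attribute named exactly rule.attribute_field carries at
    least one of the rule's expected values. A multi-valued attribute such as
    `groups` may be a list (assumption about the IdP payload shape)."""
    if rule.attribute_field not in attributes:  # case-sensitive key lookup
        return False
    actual = attributes[rule.attribute_field]
    actual_values = {actual} if isinstance(actual, str) else set(actual)
    return bool(actual_values & rule.expected_values())


def evaluate_role(rules: Sequence[MappingRule],
                  attributes: Mapping[str, AttrValue]) -> Optional[str]:
    """Return the role to grant, or None when no rule matches (the user is
    stripped of all roles and cannot log in). When several rules match, the
    highest-ranked role wins."""
    matched = [r.role for r in rules if rule_matches(r, attributes)]
    if not matched:
        return None
    return max(matched, key=lambda role: ROLE_RANK.get(role, 0))


# The three rules from the configuration example on this page.
RULES = [
    MappingRule("department", "Technology Department", "Administrator"),
    MappingRule("groups", "admin,devops", "Administrator"),
    MappingRule("department", "Sales Department", "Standard Member"),
]

# Constructed sample IdP attribute payloads (not taken from the page).
SAMPLE_USERS = {
    "alice": {"department": "Technology Department", "groups": ["staff"]},
    "bob": {"department": "Sales Department", "groups": ["staff"]},
    "carol": {"department": "Sales Department", "groups": ["devops"]},  # two rules match
    "dave": {"department": "Finance Department", "groups": ["staff"]},  # nothing matches
    "erin": {"Department": "Sales Department"},  # field name case differs: no match
}


def evaluate_all(users=SAMPLE_USERS, rules=RULES):
    """Evaluate every sample user; None means the user would be locked out."""
    return {name: evaluate_role(rules, attrs) for name, attrs in users.items()}


if __name__ == "__main__":
    for name, role in evaluate_all().items():
        print(f"{name}: {role if role else 'no role (login denied)'}")
```

Running the block shows the two outcomes an administrator should plan for before enabling the feature: carol receives Administrator because the groups rule outranks her department rule, while dave and erin receive no role and would be unable to log in, erin solely because the attribute name returned by the IdP differs in case from the configured field.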
Manage Mapping Rules
You can manage mapping rules through the following operations.
Search and Filter
- Search: Supports searching by role, attribute field, or attribute value keywords.
- Filter: Filter by Identity Provider to quickly locate rules for a specific IdP.
Edit Rule
Click the edit button on the right side of a rule to modify its attribute field, attribute value, or role.
After modifying a rule, logged-in users will be re-evaluated upon their next login. If a user no longer matches any rule after the modification, they will be stripped of all roles and unable to log in.
Delete Rule
Rules can be deleted individually or in batches.
After deleting a rule, users who originally matched that rule will fail to match any role upon their next login, resulting in the loss of all roles and inability to log in. It is recommended to first confirm the scope of affected users or configure replacement rules before deletion.