Manage Capella Role Mapping
- Capella Operational
- how-to
After adding federated and SSO authentication to your organization, you can map IdP groups to permission sets.
Teams map user groups from your identity provider (IdP) to permissions sets in Capella. A team’s members are the users of the SSO (IdP) groups you’ve mapped to it. You assign teams a set of project and organization roles and any projects you need their members to access.
This page walks you through the process of creating and configuring a team.
Role Mapping
Role mapping defines an SSO user’s level of access to Capella. You can add one or more SSO (IdP) groups to one or more teams to provision users with access to an organization’s projects and clusters.
-
Capella applies role mapping on user sign in.
-
Capella compares the SSO groups to the role mappings defined for your organization.
-
If you’ve defined role mappings for an SSO group so that they’re part of one or more teams, those team permissions apply to all users in that SSO group.
-
If you haven’t defined role mappings for an SSO group, Capella assigns those users to the default team.
-
If you remove an SSO user from all SSO groups that are mapped to a team, Capella assigns that user to the default team.
For example, imagine a user belonging to an SSO group named dev
. In Capella, you’ve role mapped thedev
SSO group to theDevelopers
team. If you remove that user from thedev
SSO group, Capella removes theirDevelopers
team roles when they next sign in. Instead, they’re given the team roles as configured by the default team set by the Realm.
-
Default Team
When you create an organization, Capella automatically creates "My First Team".
This is the default team unless you choose another team for that purpose.
The default team is what each SSO user is assigned to unless otherwise specified.
"My First Team" members have the Organization Member
role.
They don’t have any project or SSO group mapping unless otherwise specified.
You can’t delete any team set as the default team.
Access Teams in the Capella UI
Permissions Required
All members of an organization can view team information.
|
To manage teams for SSO, you first need to open the Teams page.
-
In the Capella UI, on the navigation bar, click the Teams tab.
-
The Teams page lists any existing teams in your organization.
If you added a realm and linked it with your IdP, "My First Team" is one of the options. Clicking a team listed on the Teams page opens its details and provides the controls needed to manage it.
Create a Team
Prerequisites
|
-
On the Teams page, click Create Team.
-
On the Create Team page, complete the following fields:
-
Team Name: Enter your desired team name.
-
SSO Groups: Enter the user groups from your IdP that you would like to map to this team. You must separate multiple SSO groups by a comma.
-
Okta: Enter the group name as it’s shown in Okta into the SSO Groups text area.
-
Azure AD: Enter the group’s object ID into the SSO Groups text area instead of the group’s name.
Using the Azure portal, you can find a group’s object ID by clicking . Or, you can use Microsoft Graph Powershell to search for a group’s display name:Get-MgGroup -ConsistencyLevel eventual -Search '"DisplayName:GROUP_NAME"'
. The output includes the group ID (Id
). -
Ping: Enter the group name as it’s shown in Ping into the SSO Groups text area.
-
CyberArk: Enter the group name as it’s shown in CyberArk into the SSO Groups text area.
-
Google Workspace: Enter the group name as it’s shown in Google Workspace into the SSO Groups text area.
-
OneLogin: Enter the group name as it’s shown in OneLogin into the SSO Groups text area.
-
-
Organization Roles: Select one or more organization roles that you would like all team members to have.
-
-
Add projects to the team you’re creating:
-
Click Add Project to Team.
-
Project: Choose a project in the organization you want all team members to access.
-
Project Roles: For this project, choose the project roles you want all members of this team to have.
-
Click Add Project.
-
-
Click Create Team.
Edit a Team
Permissions Required
You must have the Organization Owner role to edit a team.
|
You can change the following team settings:
Option | Actions | Considerations |
---|---|---|
Team Name |
You can rename a team at any time. |
|
SSO Groups |
You can add or remove SSO (IdP) groups to or from a team as needed. Removing an SSO group from a team doesn’t delete its users. If the SSO group you removed isn’t mapped to another team, Capella assigns it to the default team and its associated permissions. Any changes you make to user permissions are applied as users sign in, not immediately. |
|
Organization Roles |
You can add one or more organization roles to a team. Assigned organization roles apply to all team members. Any changes you make to user permissions are applied as users sign in, not immediately. |
|
Projects |
You can give a team access to multiple projects in an organization and assign project roles on a project-by-project basis. Assigned project roles apply to all team members. Any changes you make to user permissions are applied as users sign in, not immediately. |
Rename a Team
-
On the Teams page, click the name of the team you’re renaming.
The team page in question opens to the General page.
-
Inside the Name of Team field, replace the text with the name you want.
-
Click Apply.
Add an SSO Group
A realm must exist before mapping SSO groups to a team. If you haven’t yet created a realm, see Add Federated and SSO Authentication. |
-
On the Teams page, click the name of the team you’re editing.
The team page in question opens to the General page.
-
Enter the SSO groups from your IdP that you would like to map to this team into the SSO Groups field. You must separate multiple SSO groups by a comma.
-
Okta: Enter the group name as it’s shown in Okta into the SSO Groups text area.
-
Azure AD: Enter the group’s object ID into the SSO Groups text area instead of the group’s name.
-
Ping: Enter the group name as it’s shown in Ping into the SSO Groups text area.
-
CyberArk: Enter the group name as it’s shown in CyberArk into the SSO Groups text area.
-
Google Workspace: Enter the group name as it’s shown in Google Workspace into the SSO Groups text area.
-
OneLogin: Enter the group name as it’s shown in OneLogin into the SSO Groups text area.
-
-
Click Apply.
Remove an SSO Group
This action revokes the current team privileges from all SSO users within the removed SSO group. If you remove an SSO group that isn’t mapped to another team, Capella assigns it to the default team. |
-
On the Teams page, click the name of the team you’re editing.
The team page in question opens to the General page.
-
Within the SSO Groups field, click the Close icon in the SSO group you’re removing from the team.
-
Click Apply.
Edit Organization Roles
-
On the Teams page, click the name of the team you’re editing.
The team page in question opens to the General page.
-
In the navigation pane, click Organization Roles.
The Organization Roles page lists all the organization roles assigned to the current team.
-
Click each Capella organization role you want to assign to the team. Clicking a selected organization role removes it.
-
Click Apply.
Add Access to a Project
-
On the Teams page, click the name of the team you’re editing.
The team page in question opens to the General page.
-
On the navigation pane, click Projects.
The Projects page lists all of the projects assigned to the current team.
-
Click Add Project to Team.
This action displays the Add Project dialog.
-
Use the Project drop-down menu to select the project from the organization you’re adding.
-
Use the Roles drop-down menu to choose which project roles to apply to the whole team for the chosen project.
-
Click Add Project.
Edit Project Roles
-
On the Teams page, click the name of the team you’re editing.
The team page in question opens to the General tab.
-
On the navigation pane, click Projects.
The Projects page lists all of the projects assigned to the current team.
-
On the same row as the project you want to change the team’s access to, click Edit icon .
The action displays the Project Role dialog.
-
Click each Capella project role you’re assigning to the team for the selected project. Clicking an already chosen project role removes it.
-
Click Apply.
Remove Access to a Project
-
On the Teams page, click the name of the team you’re editing.
The team page in question opens to the General page.
-
On the navigation pane, click Projects.
The Projects page lists all of the projects assigned to the current team.
-
On the same row as the project you want to remove the team’s access to, click the Trash icon .
The action displays the Remove Project From team dialog.
-
Type
delete
into the provided text area. -
Click Remove.
Delete a Team
Permissions Required
You must have the Organization Owner role to create a team.
|
Deleting a team removes that team’s permissions from users in its mapped SSO groups. If an SSO user of a deleted team isn’t mapped to another team, Capella assigns them the default team, and they get its associated role mappings. |
-
On the Teams page, click the name of the team you’re deleting.
The team page in question opens to the General page.
-
Click Delete Team.
This action displays the Delete Team dialog.
-
Type
delete
into the provided text area. -
Click Delete.