Managing groups
Groups are a way to manage and assign workspace access and workspace roles for subsets of organization members.
Group roles
Group members can be assigned these roles.
-
Member: (Default role) Enables access to any workspace the group is added to. No group administration permissions.
-
Group manager: Enables adding and removing group members and assigning other group managers. Group manager privileges are distinct from workspace manager privileges, meaning group managers aren’t automatically conferred workspace privileges in workspaces the group is added to.
See the following table for a comparison of group-related administrative permissions between group managers and admins.
Adding groups
Admins can create groups and assign a group manager.
-
In the header, click the initials icon and select Settings.
-
Click Members.
-
On the Groups tab, click Add group.
-
Define a group name, then click Create. This name is visible to the organization.
-
Search for and select members to add to the group, then click Next.
You can’t add groups to a group. Groups can’t be nested. -
Select members to assign the group manager role, then click Add.
What's next
Admins and workspace managers can start adding groups to shared workspaces to grant all group members access to that workspace. After adding a group to a workspace, you can assign the group a workspace role.
Deleting groups
Admins can delete groups. Group managers don’t have this permission. Deleting a group rescinds any workspace access granted through membership of that group.
-
In the header, click the initials icon and select Settings.
-
Click Members.
-
On the Groups tab, select the group to open the group details view.
-
Click the overflow icon
, then select Delete group. -
Click Confirm.
Managing group members
After a group is created, admins and group managers can manage the group members list.
-
In the header, click the initials icon and select Settings.
-
Click Members.
-
On the Groups tab, select the group.
-
Click Add members.
-
Select a role, then search for and select the members to add to the group.
-
Click Add.
Changing group roles
Admins and group managers can change group members’ roles.
-
In the header, click the initials icon and select Settings.
-
Click Members.
-
On the Groups tab, select the group to open the group members list.
-
In the member’s row, click the edit icon
. -
Select the new role and click Save.
Removing group members
Admins and group managers can remove group members. Removing someone from a group also rescinds any workspace access granted through membership of that group.
-
In the header, click the initials icon and select Settings.
-
Click Members.
-
On the Groups tab, select the group to open the group members list.
-
In the member’s row, click the delete icon
. -
Click Confirm.
Group mapping
EnterpriseUse group mapping to map groups created in your identity provider (IdP) to groups created in AI Hub. AI Hub group membership is then managed in your identity provider. Group mapping is available for single-tenant AI Hub environments using security assertion markup language (SAML)-based or OpenID Connect (OIDC)-based single sign-on (SSO) authentication.
Adding group mappings
Group mappings can be added when creating a group or can be added to existing groups.
Before you begin
-
If using SAML-based SSO, ensure your SSO configuration includes the
groups
attribute. -
If using OIDC-based SSO, ensure your SSO configuration includes the
groups
claim.
Add a mapping to a new group
-
In the header, click the initials icon and select Settings.
-
Click Members.
-
On the Groups tab, click Add group.
-
Define a group name. This name is visible to the organization.
-
Turn on the Enable SAML mapping or Enable OIDC mapping toggle.
-
In SAML group name or OIDC group name, enter the name of the group as defined in your IdP.
-
Click Create.
After adding a group mapping to a new AI Hub group, the group members list doesn’t immediately populate. Upon each member’s next AI Hub login, their presence in the group in your IdP is verified. If a valid mapping is found, they’re added to the corresponding AI Hub group.
Add a mapping to an existing group
-
In the header, click the initials icon and select Settings.
-
Click Members.
-
On the Groups tab, locate the group in the groups list, then click the overflow icon
and select Create new mapping. -
Enter the name of the group as defined in your IdP.
-
Click Save.
After adding a group mapping to an existing group, the group members list in AI Hub initially remains unchanged. Upon each member’s next AI Hub login, their presence in the upstream group is verified. If the group member isn’t part of the upstream group, they’re removed from the corresponding AI Hub group.
What's next
While group membership is managed at the IdP level, group roles aren’t. Group roles can be assigned manually.
Editing mappings
If a group name has changed in your IdP or you want to change which upstream group is mapped to an AI Hub group, you can edit group mappings.
-
In the header, click the initials icon and select Settings.
-
Click Members.
-
On the Groups tab, locate the group in the groups list, then click the overflow icon
and select Edit mapping. -
Enter the name of the group as defined in your IdP.
-
Click Save.
After changing the group mapping, the group members list in AI Hub doesn’t immediately update. Upon each member’s next AI Hub login, their presence in the group in your IdP is verified. If the group member isn’t part of the newly mapped group, they’re removed from the corresponding AI Hub group.
Removing mappings
Admins can remove group mappings. After removing a group mapping, the latest version of the group members list is maintained. Admins and group managers can then add and remove group members as needed.
-
In the header, click the initials icon and select Settings.
-
Click Members.
-
On the Groups tab, locate the group in the groups list, then click the overflow icon
and select Delete mapping. -
Click Confirm.