Managing groups
Groups are a way to manage and assign workspace access and workspace-level roles for subsets of organization members.
Group roles
Group members can have one of the following roles:
- Member: This role is the default for all group members. This role confers no special privileges beyond being able to access any workspace to which the group is added.
- Manager: Group managers have group-specific administrative privileges, including adding and removing group members and assigning other group managers. These administrative privileges are restricted to the group context and aren’t inherited into any workspaces to which the group is added. For example, if a group is added to a workspace, the group managers don’t automatically become workspace managers.
- Admin: Any organization admin added to a group has the Admin role. The admin role can be assigned only at the organization level, but is inherited into all groups to which an admin is added. Admins aren’t automatically added to all groups but have the ability to manage all groups.
Adding an admin to a group doesn’t have an impact on their workspace access or administrative permissions. Organization admins have access to all workspaces in the organization and inherit the Admin role in all contexts.
See the following table for a comparison of group-related administrative permissions between group managers and admins:
Managing groups
Admins can create groups and assign a group manager.
- In the header, click the initials icon and select Settings.
- Click Members.
- On the Groups tab, click Add group.
- Define a group name, then click Create.
  All organization members can see details about all groups, including group name and members. You can rename groups if needed.
- Search for and select members to add to the group, then click Next.
  You can’t add groups to a group. Groups can’t be nested.
- Select members to assign the group manager role, then click Add.
Deleting groups
Admins can delete groups. Group managers don’t have this permission. Deleting a group rescinds any workspace access granted through membership of that group.
- In the header, click the initials icon and select Settings.
- Click Members.
- On the Groups tab, select the group to open the group details view.
- Click the overflow icon, then select Delete group.
- Click Confirm.
Managing group members
After a group is created, admins and group managers can manage the group members list.
- In the header, click the initials icon and select Settings.
- Click Members.
- On the Groups tab, select the group.
- Click Add members.
- Select a role, then search for and select the members to add to the group.
  Any organization admins added to the group remain an admin, regardless of the group role selected.
- Click Add.
Changing group roles
Admins and group managers can change group members’ roles.
- In the header, click the initials icon and select Settings.
- Click Members.
- On the Groups tab, select the group to open the group members list.
- In the member’s row, click the edit icon.
- Select the new role and click Save.
Removing group members
Admins and group managers can remove group members. Removing someone from a group also rescinds any workspace access granted through membership of that group.
- In the header, click the initials icon and select Settings.
- Click Members.
- On the Groups tab, select the group to open the group members list.
- In the member’s row, click the delete icon.
- Click Confirm.
Adding groups to workspaces
See Managing members for instructions on assigning groups to a workspace. The process is the same as adding individual members to a workspace. After adding a group to a workspace, you can assign workspace-level roles to the group. Roles assigned to a group apply to all group members.
Members can be added to a workspace multiple times, either individually or through different groups. In this case, someone can appear multiple times in the workspace members list, with different roles assigned. If someone has multiple workspace-level roles assigned, the role with the highest privileges applies.
To remove a workspace member from a workspace, remove all instances of their membership in the workspace members list. Removing a member from a group also removes any workspace access granted through membership of that group.
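The following added example (not product code) models the rules above for an access review: it lists every grant that gives a user workspace access, resolves the effective role as the highest-privilege one, and shows why removing a single group membership may lower rather than revoke access. The role names, their ranking, and all sample data are hypothetical and constructed for illustration.

```python
# Added example: models the membership rules described above.
# Role names and their ranking are hypothetical, not taken from the product.
ROLE_RANK = {"viewer": 1, "editor": 2, "manager": 3}

# Constructed sample data: group name -> set of members.
GROUPS = {
    "data-team": {"alice", "bob"},
    "reviewers": {"bob", "carol"},
}

# Workspace members list: each entry is a direct member or a group, with a role.
WORKSPACE_MEMBERS = [
    ("user", "bob", "viewer"),
    ("group", "data-team", "editor"),
    ("group", "reviewers", "manager"),
]


def grants_for(user, entries, groups):
    """Return every (source, role) grant that gives `user` workspace access."""
    grants = []
    for kind, name, role in entries:
        if kind == "user" and name == user:
            grants.append(("direct", role))
        elif kind == "group" and user in groups.get(name, set()):
            grants.append((f"group:{name}", role))
    return grants


def effective_role(user, entries, groups):
    """Highest-privilege role across all grants, or None if no access remains."""
    roles = [role for _, role in grants_for(user, entries, groups)]
    return max(roles, key=ROLE_RANK.__getitem__, default=None)


def without_group_member(groups, group, user):
    """Return a copy of `groups` with `user` removed from one group."""
    updated = {name: set(members) for name, members in groups.items()}
    updated[group].discard(user)
    return updated


if __name__ == "__main__":
    print(grants_for("bob", WORKSPACE_MEMBERS, GROUPS))
    print(effective_role("bob", WORKSPACE_MEMBERS, GROUPS))
    after = without_group_member(GROUPS, "reviewers", "bob")
    print(effective_role("bob", WORKSPACE_MEMBERS, after))
```

A user whose `grants_for` result still lists any source after a removal retains workspace access, which is why every instance must be removed to fully revoke it.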
SAML group mapping
Single-tenant AI Hub environments using security assertion markup language (SAML)-based authentication can configure SAML group mapping. When enabled, group membership is controlled at the identity provider (IdP).
Adding mappings
Before you begin
Ensure your SSO configuration includes the groups attribute. See Configuring SAML-based SSO for details.
Admins can add SAML group mappings when creating a group or by adding the mapping to an existing group.
To add a mapping to a new group:
- In the header, click the initials icon and select Settings.
- Click Members.
- On the Groups tab, click Add group.
- Define a group name.
  All organization members can see details about all groups, including group name and members. You can rename groups if needed.
- Turn on the Enable SAML mapping toggle.
- In SAML group name, enter the name of the SAML group as defined in your IdP.
- Click Create.
To add a mapping to an existing group:
- In the header, click the initials icon and select Settings.
- Click Members.
- On the Groups tab, locate the group in the groups list, then click the overflow icon and select Create new mapping.
- Enter the name of the SAML group as defined in your IdP.
- Click Save.
What's next
While group membership is managed at the IdP level, group roles aren’t. Group roles can be assigned manually.
Editing mappings
Admins can edit the SAML group mapping for a group.
- In the header, click the initials icon and select Settings.
- Click Members.
- On the Groups tab, locate the group in the groups list, then click the overflow icon and select Edit mapping.
- Enter the name of the SAML group as defined in your IdP.
- Click Save.
Removing mappings
Admins can remove group mappings. After removing a group mapping, the latest version of the group members list is maintained. Admins and group managers can then add and remove group members as needed.
- In the header, click the initials icon and select Settings.
- Click Members.
- On the Groups tab, locate the group in the groups list, then click the overflow icon and select Delete mapping.
- Click Confirm.