Managing groups

Commercial & Enterprise

Groups are a way to manage and assign workspace access and workspace roles for subsets of organization members.

Group roles

Group members can be assigned these roles.

  • Member — (Default role) Enables access to any workspace the group is added to. No group administration permissions.

  • Group manager — Enables adding and removing group members and assigning other group managers. Group manager privileges are distinct from workspace manager privileges, meaning group managers aren’t automatically conferred workspace privileges in workspaces the group is added to.

Organization admins can access and manage all groups, but aren’t automatically added to all groups. If an admin is added to a group, their group role is Admin.

See the following table for a comparison of group-related administrative permissions between group managers and admins.

Permission                  Admin         Group manager
Create and delete groups.   ✓             -
Manage group members.       All groups    Managed groups only
Assign group roles.         All groups    Managed groups only

Adding groups

Admins can create groups and assign a group manager.

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, click Add group.

  4. Define a group name, then click Create. This name is visible to the organization.

  5. Search for and select members to add to the group, then click Next.

    You can’t add groups to a group. Groups can’t be nested.

  6. Select members to assign the group manager role, then click Add.

You can also create a group by selecting a list of members on the Members tab, then clicking Add to group > New group.

What's next

Admins and workspace managers can start adding groups to shared workspaces to grant all group members access to that workspace. After adding a group to a workspace, you can assign the group a workspace role.

Deleting groups

Admins can delete groups. Group managers don’t have this permission. Deleting a group rescinds any workspace access granted through membership of that group.

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, select the group to open the group details view.

  4. Click the overflow icon (three stacked vertical dots), then select Delete group.

  5. Click Confirm.

Managing group members

After a group is created, admins and group managers can manage the group members list.

There is no limit to the number of groups a member can be added to. However, being part of several groups can make it difficult to manage individual members’ workspace access and permissions. If a member is added to a workspace multiple times, such as being added individually and as part of a group, they can have several workspace roles in one workspace. When multiple roles are assigned, the role with the highest privileges applies.

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, select the group.

  4. Click Add members.

  5. Select a role, then search for and select the members to add to the group.

  6. Click Add.

You can also add members to a group by selecting a list of members on the Members tab, then clicking Add to group > Existing group.

Changing group roles

Admins and group managers can change group members’ roles.

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, select the group to open the group members list.

  4. In the member’s row, click the edit icon (pencil).

  5. Select the new role and click Save.

You can update roles for multiple members by selecting multiple rows then clicking Actions > Update roles.

Removing group members

Admins and group managers can remove group members. Removing someone from a group also rescinds any workspace access granted through membership of that group.

Members can see that they’re part of a group, but can’t remove themselves from the group.

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, select the group to open the group members list.

  4. In the member’s row, click the delete icon (trash can).

  5. Click Confirm.

You can remove multiple members by selecting multiple rows then clicking Actions > Remove members from group.

Group mapping


Use group mapping to map groups created in your identity provider (IdP) to groups created in AI Hub. AI Hub group membership is then managed in your identity provider. Group mapping is available for single-tenant AI Hub environments using security assertion markup language (SAML)-based or OpenID Connect (OIDC)-based single sign-on (SSO) authentication.

Upstream changes in your IdP aren’t immediately applied and instead take effect with the member’s next AI Hub login. For example, after removing a member from a group in your IdP, the change of status syncs with that member’s next login. The member is then removed from the mapped AI Hub group.

Adding group mappings

Group mappings can be added when creating a group or can be added to existing groups.

Before you begin

Add a mapping to a new group

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, click Add group.

  4. Define a group name. This name is visible to the organization.

  5. Turn on the Enable SAML mapping or Enable OIDC mapping toggle.

  6. In SAML group name or OIDC group name, enter the name of the group as defined in your IdP.

  7. Click Create.

After adding a group mapping to a new AI Hub group, the group members list doesn’t immediately populate. Upon each member’s next AI Hub login, their presence in the group in your IdP is verified. If a valid mapping is found, they’re added to the corresponding AI Hub group.

Add a mapping to an existing group

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, locate the group in the groups list, then click the overflow icon (three stacked vertical dots) and select Create new mapping.

  4. Enter the name of the group as defined in your IdP.

  5. Click Save.

After adding a group mapping to an existing group, the group members list in AI Hub initially remains unchanged. Upon each member’s next AI Hub login, their presence in the upstream group is verified. If the group member isn’t part of the upstream group, they’re removed from the corresponding AI Hub group.

What's next

While group membership is managed at the IdP level, group roles aren’t. Group roles can be assigned manually.

Editing mappings

If a group name has changed in your IdP or you want to change which upstream group is mapped to an AI Hub group, you can edit group mappings.

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, locate the group in the groups list, then click the overflow icon (three stacked vertical dots) and select Edit mapping.

  4. Enter the name of the group as defined in your IdP.

  5. Click Save.

After changing the group mapping, the group members list in AI Hub doesn’t immediately update. Upon each member’s next AI Hub login, their presence in the group in your IdP is verified. If the group member isn’t part of the newly mapped group, they’re removed from the corresponding AI Hub group.
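
The login-time behavior described for new, existing, and edited mappings can be modeled as follows. This is an added illustration, not AI Hub code or an AI Hub API: the Group class, both function names, and the sample users and group names are constructed, and giving newly synced members the default Member role is an assumption. stale_members compares a membership list against an IdP export to show who still holds group-granted access until their next login.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Group:
    name: str
    idp_group: Optional[str] = None   # mapped IdP group name; None = no mapping
    members: Dict[str, str] = field(default_factory=dict)  # user -> group role

def sync_on_login(user: str, idp_groups: Set[str],
                  groups: List[Group]) -> List[Tuple[str, str]]:
    """Apply the login-time membership check for one user; return the changes."""
    changes = []
    for g in groups:
        if g.idp_group is None:
            continue  # unmapped groups are managed manually and left alone
        in_idp = g.idp_group in idp_groups
        if in_idp and user not in g.members:
            g.members[user] = "Member"  # assumption: new members get the default role
            changes.append(("added", g.name))
        elif not in_idp and user in g.members:
            del g.members[user]
            changes.append(("removed", g.name))
        # Existing members keep their role: roles are not managed by the IdP.
    return changes

def stale_members(groups: List[Group],
                  idp_view: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """(user, group) pairs still in a mapped group but absent from the IdP
    group; they keep group-granted access until their next login."""
    return sorted((u, g.name) for g in groups if g.idp_group is not None
                  for u in g.members if u not in idp_view.get(g.idp_group, set()))

def sample_groups() -> List[Group]:
    # Constructed sample data, not real accounts or group names.
    return [Group("finance", "idp-finance", {"ana": "Group manager", "bo": "Member"}),
            Group("contractors", None, {"cy": "Member"})]

SAMPLE_IDP = {"idp-finance": {"ana", "dee"}}  # constructed IdP export

if __name__ == "__main__":
    groups = sample_groups()
    print(stale_members(groups, SAMPLE_IDP))              # awaiting removal
    print(sync_on_login("bo", set(), groups))             # removed at login
    print(sync_on_login("dee", {"idp-finance"}, groups))  # added at login
```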

Removing mappings

Admins can remove group mappings. After removing a group mapping, the latest version of the group members list is maintained. Admins and group managers can then add and remove group members as needed.

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, locate the group in the groups list, then click the overflow icon (three stacked vertical dots) and select Delete mapping.

  4. Click Confirm.