Managing groups

Commercial & Enterprise

Groups are a way to manage and assign workspace access and workspace-level roles for subsets of organization members.

Group roles

Group members can have one of the following roles:

  • Member: This role is the default for all group members. This role confers no special privileges beyond being able to access any workspace to which the group is added.

  • Manager: Group managers have group-specific administrative privileges, including adding and removing group members and assigning other group managers. These administrative privileges are restricted to the group context and aren’t inherited into any workspaces to which the group is added. For example, if a group is added to a workspace, the group managers don’t automatically become workspace managers.

  • Admin: Any organization admin added to a group has the Admin role. The admin role can be assigned only at the organization level, but is inherited into all groups to which an admin is added. Admins aren’t automatically added to all groups but have the ability to manage all groups.

    Adding an admin to a group doesn’t have an impact on their workspace access or administrative permissions. Organization admins have access to all workspaces in the organization and inherit the Admin role in all contexts.

See the following table for a comparison of group-related administrative permissions between group managers and admins:

Administrative taskGroup managerAdmin
Create, manage, delete groups, including assigning first group manager
Manage group membersIn their managed group onlyAll groups
Assign group roles, including group managerIn their managed group onlyAll groups

Managing groups

Admins can create groups and assign a group manager.

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, click Add group.

  4. Define a group name, then click Create.

    All organization members can see details about all groups, including group name and members. You can rename groups if needed.
  5. Search for and select members to add to the group, then click Next.

    You can’t add groups to a group. Groups can’t be nested.
  6. Select members to assign the group manager role, then click Add.

You can also create a group by selecting a list of members on the Members tab, then clicking Add to group > New group.

Deleting groups

Admins can delete groups. Group managers don’t have this permission. Deleting a group rescinds any workspace access granted through membership of that group.

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, select the group to open the group details view.

  4. Click the overflow icon, then select Delete group.

  5. Click Confirm.

If you’d rather rename the group than delete it, click the overflow icon and select Rename group.

Managing group members

After a group is created, admins and group managers can manage the group members list.

There is no limit to the number of groups a member can be added to, but being part of several groups can make it difficult to manage individual members’ workspace access and roles.
  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, select the group.

  4. Click Add members.

  5. Select a role, then search for and select the members to add to the group.

    Any organization admins added to the group remain an admin, regardless of the group role selected.
  6. Click Add.

You can also add members to a group by selecting a list of members on the Members tab, then clicking Add to group > Existing group.

Changing group roles

Admins and group managers can change group members’ roles.

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, select the group to open the group members list.

  4. In the member’s row, click the Edit (pencil) icon.

  5. Select the new role and click Save.

You can update roles for multiple members by selecting multiple rows then clicking Actions > Update roles.

Removing group members

Admins and group managers can remove group members. Removing someone from a group also rescinds any workspace access granted through membership of that group.

Members can see that they’re part of a group, but can’t remove themselves from the group.
  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, select the group to open the group members list.

  4. In the member’s row, click the Delete (trash can) icon.

  5. Click Confirm.

You can remove multiple members by selecting multiple rows then clicking Actions > Remove members from group.

Adding groups to workspaces

See Managing members for instructions on assigning groups to a workspace. The process is the same as adding individual members to a workspace. After adding a group to a workspace, you can assign workspace-level roles to the group. Roles assigned to a group apply to all group members.

Members can be added to a workspace multiple times, either individually or through different groups. In this case, someone can appear multiple times in the workspace members list, with different roles assigned. If someone has multiple workspace-level roles assigned, the role with the highest privileges applies.

To remove a workspace member from a workspace, remove all instances of their membership in the workspace members list. Removing a member from a group also removes any workspace access granted through membership of that group.

Workspace member searches include any group affiliations in the results.

SAML group mapping

Single-tenant AI Hub environments using security assertion markup language (SAML)-based authentication can configure SAML group mapping. When enabled, group membership is controlled at the identity provider (IdP).

Upstream changes in your IdP aren’t immediately applied and instead take effect with the member’s next AI Hub login. For example, if a member is removed from a SAML group in your IdP, upon next login that change of status syncs and the member is removed from the mapped AI Hub group.

Add mappings

Before you begin

Ensure your SSO configuration includes the groups attribute. See Configuring SAML-based SSO for details.

Admins can add SAML group mappings when creating a group or by adding the mapping to an existing group.

To add a mapping to a new group:

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, click Add group.

  4. Define a group name.

    All organization members can see details about all groups, including group name and members. You can rename groups if needed.
  5. Turn on the Enable SAML mapping toggle.

  6. In SAML group name, enter the name of the SAML group as defined in your IdP.

  7. Click Create.

After adding a SAML group mapping to a new group, the group members list doesn’t immediately populate. Upon each member’s next AI Hub login, their presence in the SAML group in your IdP is verified. If they’re present in a SAML group mapped to an AI Hub group, they’re added to the group’s members list.

To add a mapping to an existing group:

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, locate the group in the groups list, then click the overflow icon and select Create new mapping.

  4. Enter the name of the SAML group as defined in your IdP.

  5. Click Save.

After adding a SAML group mapping to an existing group, the group members list in AI Hub initially remains unchanged. Upon each member’s next AI Hub login, their presence in the SAML group in your IdP is verified. If the group member isn’t part of the SAML group, they’re removed from the AI Hub group.
What's next

While group membership is managed at the IdP level, group roles aren’t. Group roles can be assigned manually.

Edit mappings

Admins can edit the SAML group mapping for a group.

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, locate the group in the groups list, then click the overflow icon and select Edit mapping.

  4. Enter the name of the SAML group as defined in your IdP.

  5. Click Save.

After changing the SAML group mapping, the group members list in AI Hub doesn’t immediately update. Upon each member’s next AI Hub login, their presence in the SAML group in your IdP is verified. If the group member isn’t part of the newly mapped SAML group, they’re removed from the AI Hub group.

Remove mappings

Admins can remove group mappings. After removing a group mapping, the latest version of the group members list is maintained. Admins and group managers can then add and remove group members as needed.

  1. In the header, click the initials icon and select Settings.

  2. Click Members.

  3. On the Groups tab, locate the group in the groups list, then click the overflow icon and select Delete mapping.

  4. Click Confirm.

Was this page helpful?