Group Sync
Group sync automatically maps groups from your identity provider (IdP) to workspace roles in SetGet. When a user authenticates via SSO, SetGet reads their group memberships from the SAML assertion and assigns the corresponding workspace role. This eliminates manual role assignment and ensures that access permissions stay in sync with your organization's directory.
Prerequisites
Before configuring group sync, you need:
- SSO configured and working (see SSO)
- Your IdP configured to include group membership in the SAML assertion
- A workspace Owner or Admin role in SetGet
How group sync works
- A user signs in via SAML SSO.
- The IdP includes the user's group memberships in the SAML assertion.
- SetGet reads the group attribute from the assertion.
- SetGet matches the group names against configured role mappings.
- The user's workspace role is set (or updated) based on the matched mapping.
```text
IdP Groups            Role Mappings                SetGet Role
──────────            ─────────────                ───────────
"Engineering" ─────>  Engineering → Member  ─────> Member
"IT-Admins"   ─────>  IT-Admins   → Admin   ─────> Admin
"Executives"  ─────>  Executives  → Owner   ─────> Owner
```
Configure group attribute in your IdP
Your IdP must send group information in the SAML assertion. The configuration varies by provider:
| Identity Provider | How to configure |
|---|---|
| Okta | In the SAML app, add a Group Attribute Statement with name groups and filter for desired groups |
| Azure AD | In the Enterprise Application, configure "Groups Claim" under Token Configuration |
| Google Workspace | Use a custom attribute or organizational unit mapping |
| OneLogin | Add a "Groups" parameter to the SAML app configuration |
The SAML assertion should include an attribute like:
```xml
<saml:Attribute Name="groups">
  <saml:AttributeValue>Engineering</saml:AttributeValue>
  <saml:AttributeValue>Product-Team</saml:AttributeValue>
</saml:Attribute>
```
Configure group sync in SetGet
- Navigate to Workspace Settings > Security > SSO.
- Click the Group Sync tab.
- Set the Group attribute name: the SAML attribute that contains group memberships (default: groups).
- Add role mappings:
| Field | Description |
|---|---|
| IdP Group Name | The exact group name as it appears in the SAML assertion |
| SetGet Role | The workspace role to assign: Owner, Admin, Member, or Guest |
- Click Add Mapping for each group-to-role pair.
- Click Save.
Example mappings
| IdP Group | SetGet Role | Notes |
|---|---|---|
| setget-owners | Owner | Full workspace control |
| setget-admins | Admin | Workspace management without billing |
| engineering | Member | Standard project access |
| contractors | Guest | Limited, invitation-only access |
WARNING
Be careful when mapping groups to the Owner role. Any user in the mapped IdP group will have full control over the workspace, including billing and member management.
Role assignment rules
When a user belongs to multiple IdP groups that map to different roles, SetGet applies the highest privilege role:
| User's IdP groups | Mapped roles | Assigned role |
|---|---|---|
| engineering | Member | Member |
| engineering, setget-admins | Member, Admin | Admin |
| engineering, setget-admins, setget-owners | Member, Admin, Owner | Owner |
Users with no matching groups
| Scenario | Behavior |
|---|---|
| User's groups match no mappings, user is new | User is created with the default role (Member) |
| User's groups match no mappings, user exists | User's role is not changed (existing role preserved) |
| User is removed from all mapped groups | Role is downgraded on next SSO sign-in (if downgrade is enabled) |
Role downgrade
By default, group sync only upgrades roles (assigns a higher role if the user's groups change). You can enable role downgrade to also lower roles when group memberships change:
- In the Group Sync settings, toggle Enable role downgrade.
- When enabled, if a user is removed from the "Admin" IdP group, their SetGet role is downgraded to match their remaining group memberships.
WARNING
Enabling role downgrade means that IdP group changes immediately affect workspace access. Ensure your IdP group memberships are accurate before enabling this feature.
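The role assignment rules, the no-matching-groups behavior and the role downgrade toggle described above, modelled as an added example (not SetGet's own code). The privilege order Guest < Member < Admin < Owner and the fallback to the default role when a user leaves every mapped group with downgrade enabled are assumptions, since the page only says the role is "downgraded".

```python
# Added example, not SetGet's own code: models the role assignment rules
# on this page for one SSO sign-in or periodic sync of a single user.
RANK = {"Guest": 0, "Member": 1, "Admin": 2, "Owner": 3}   # assumed privilege order
DEFAULT_ROLE = "Member"   # default role for new users with no matching group

def highest(roles):
    """Highest-privilege role among those given."""
    return max(roles, key=RANK.__getitem__)

def resolve_role(idp_groups, mappings, existing_role=None, downgrade_enabled=False):
    """Return the workspace role after sync.

    idp_groups:     group names exactly as found in the SAML assertion
    mappings:       {idp_group_name: setget_role}, exact-name match
    existing_role:  the user's current role, or None for a brand-new user
    """
    matched = {mappings[g] for g in idp_groups if g in mappings}
    if matched:
        target = highest(matched)             # highest privilege wins
    elif existing_role is None:
        return DEFAULT_ROLE                   # new user, nothing matched
    elif not downgrade_enabled:
        return existing_role                  # existing user keeps current role
    else:
        # ASSUMPTION: removed from every mapped group with downgrade enabled
        # falls back to the default role (the page says only "downgraded").
        target = DEFAULT_ROLE
    if existing_role is None or downgrade_enabled:
        return target
    # Upgrade-only mode (the default): never lower an existing role.
    return highest([existing_role, target])

def owner_mappings(mappings):
    """Groups that grant Owner; review these before saving the mappings."""
    return sorted(g for g, r in mappings.items() if r == "Owner")

if __name__ == "__main__":
    m = {"engineering": "Member", "setget-admins": "Admin",
         "setget-owners": "Owner", "contractors": "Guest"}
    print(resolve_role(["engineering", "setget-admins"], m))      # Admin
    print(resolve_role(["engineering"], m, "Admin"))              # Admin (upgrade-only)
    print(resolve_role(["engineering"], m, "Admin", True))        # Member (downgrade on)
    print(owner_mappings(m))                                      # ['setget-owners']
```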
Sync frequency
Group sync happens at specific trigger points:
| Trigger | When it runs |
|---|---|
| SSO sign-in | Every time a user authenticates via SSO |
| Periodic sync | Configurable interval (e.g., every 1 hour, 6 hours, or 24 hours) |
| Manual sync | Admin-triggered from the Group Sync settings page |
Configure periodic sync
- In the Group Sync settings, set the Sync interval.
- Available intervals:
| Interval | Use case |
|---|---|
| 1 hour | Organizations with frequent group changes |
| 6 hours | Standard for most organizations |
| 24 hours | Low-change environments |
| Disabled | Sync only on sign-in |
TIP
For most organizations, syncing on every SSO sign-in is sufficient. Enable periodic sync only if you need role changes to take effect between sign-in events.
Manual sync
- Navigate to Workspace Settings > Security > Group Sync.
- Click Sync Now.
- SetGet fetches the latest group memberships for all SSO users and updates roles accordingly.
The sync results are displayed, showing how many users were updated.
View sync status
The Group Sync settings page shows:
| Field | Description |
|---|---|
| Last sync time | When the most recent sync occurred |
| Users synced | Number of users processed in the last sync |
| Roles updated | Number of role changes applied |
| Errors | Any sync errors (e.g., missing group attribute) |
Troubleshooting
| Issue | Likely cause | Resolution |
|---|---|---|
| Groups not detected in SAML assertion | IdP not configured to send groups | Add group attribute to IdP SAML app configuration |
| Wrong attribute name | Attribute name mismatch | Verify the SAML attribute name matches the configured "Group attribute name" |
| User gets wrong role | Multiple group mappings conflict | Check priority rules (highest privilege wins); review group memberships |
| Role not updated on sign-in | Group sync disabled or mapping missing | Enable group sync and add the appropriate mapping |
| Role not downgraded | Downgrade not enabled | Toggle "Enable role downgrade" in settings |
| Sync shows errors | IdP connection issue or malformed assertion | Check IdP configuration and review SAML response in browser dev tools |
Debug SAML assertions
To see what group data your IdP sends:
- Open browser developer tools (F12).
- Sign in via SSO.
- In the Network tab, find the SAML callback request.
- Decode the SAML response (Base64) and inspect the group attribute values.
This helps identify mismatches between what the IdP sends and what SetGet expects.
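The decoding step above, as an added example that is not part of the original page: it Base64-decodes a SAMLResponse as captured from the browser's Network tab, lists the values of the configured group attribute, and compares them with the role mappings. The sample response is constructed here; the case-sensitive exact match is an assumption based on the "exact group name" wording.

```python
# Added example, not SetGet's own code: decode a Base64 SAMLResponse and list
# the values of the group attribute, then compare them with the mappings.
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

def group_values(saml_response_b64, attribute_name="groups"):
    """Values of the named saml:Attribute in an HTTP-POST binding SAMLResponse.

    The POST binding carries plain Base64 XML. This only reads the XML and does
    not verify the signature, so it is for inspection, not for trusting data.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    values = []
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        if attr.get("Name") == attribute_name:
            values += [(v.text or "").strip()
                       for v in attr.findall("saml:AttributeValue", NS)]
    return values

def compare_to_mappings(values, mappings):
    """Split assertion groups into those with a mapping and those without.

    Matching is exact and (assumption) case-sensitive, so "Engineering"
    does not match a mapping configured for "engineering".
    """
    matched = [g for g in values if g in mappings]
    return matched, [g for g in values if g not in mappings]

# Constructed sample response, Base64-encoded the way the SAMLResponse form
# field appears in the callback request (signature omitted for brevity).
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>Engineering</saml:AttributeValue>
        <saml:AttributeValue>Product-Team</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""").decode()

if __name__ == "__main__":
    groups = group_values(SAMPLE_RESPONSE)
    print(groups)                                          # ['Engineering', 'Product-Team']
    print(compare_to_mappings(groups, {"engineering": "Member"}))  # nothing matches: case differs
```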
Related pages
- Security Overview — authentication and authorization overview
- SSO — SAML SSO configuration
- Roles and Permissions — workspace role definitions
- Workspace Members — manage member access