django-saml2-auth
Mapping groups to staff/superusers
More of a general question than an issue.
We have the implementation working, but this gives everyone superuser status by default:
    'NEW_USER_PROFILE': {
        'ACTIVE_STATUS': True,
        'STAFF_STATUS': True,
        'SUPERUSER_STATUS': True,
    }
If we wanted a second group of folks who would be staff, but not superusers, what's the best way to achieve this? I was thinking just creating two groups, but am not sure if cherry-picking permissions to assign to that group gives the same abilities as setting a user to staff/superuser.
Hey @heydonovan,
You can always match group attribute statements with GROUPS_MAP and/or use NEW_USER_PROFILE.USER_GROUPS, but I haven't used them. I created a custom user to teams/project matching system, which works by passing custom user attributes from IdP to the TRIGGER.BEFORE_LOGIN hook function. There you have all the user attribute statements and the matching system matches based on the attribute name and value and will assign the user to the correct organization and project.
I'll close this due to inactivity. Feel free to re-open it if you still have this issue/question.
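An added example, not code from this thread or from the django-saml2-auth project: a TRIGGER.BEFORE_LOGIN hook that derives is_staff and is_superuser from IdP groups on every login, so the default is no privilege and removing a group at the IdP demotes the account. The group names, the "Groups" attribute name and the "username" and "user_identity" keys of the hook's dict are assumptions to check against your IdP and library version.

```python
from types import SimpleNamespace

# Assumed IdP group names; replace with the values your IdP actually asserts.
STAFF_GROUPS = {"django-staff"}
SUPERUSER_GROUPS = {"django-admins"}
GROUPS_ATTRIBUTE = "Groups"  # assumed SAML attribute carrying group membership


def flags_for_groups(groups):
    """Return (is_staff, is_superuser); anything not explicitly mapped gets neither."""
    asserted = {g.strip() for g in groups or [] if isinstance(g, str)}
    is_superuser = bool(asserted & SUPERUSER_GROUPS)
    # A superuser still needs is_staff to log in to the Django admin site.
    is_staff = is_superuser or bool(asserted & STAFF_GROUPS)
    return is_staff, is_superuser


def apply_flags(user, groups):
    """Recompute both flags from scratch so a removed group revokes access.

    Returns True when the stored flags changed and the user needs saving.
    """
    new = flags_for_groups(groups)
    changed = (user.is_staff, user.is_superuser) != new
    user.is_staff, user.is_superuser = new
    return changed


def before_login(user_dict):
    """Hook body for TRIGGER.BEFORE_LOGIN (dict layout is an assumption)."""
    # Imported lazily: this part only works inside a configured Django project.
    from django.contrib.auth import get_user_model

    groups = user_dict.get("user_identity", {}).get(GROUPS_ATTRIBUTE, [])
    User = get_user_model()
    user = User.objects.get(**{User.USERNAME_FIELD: user_dict["username"]})
    if apply_flags(user, groups):
        user.save(update_fields=["is_staff", "is_superuser"])


if __name__ == "__main__":
    # Constructed sample: a former admin whose IdP groups now only grant staff.
    account = SimpleNamespace(is_staff=True, is_superuser=True)
    print(apply_flags(account, ["django-staff"]), account)
```

This pairs with STAFF_STATUS and SUPERUSER_STATUS set to False in NEW_USER_PROFILE, so new accounts start unprivileged. A staff user who is not a superuser can log in to the admin but sees only what their Django group or user permissions allow, whereas a superuser passes every permission check.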