Best Practices for Group Mappings on Confluent Cloud

  • Create a default permission set with a minimal set of requirements, either with the advanced filter set to true or by using a broad user group value from your SSO identity provider, so that new users can get started in Confluent Cloud immediately.
  • Avoid assigning administrator RBAC role bindings to group permissions. In accordance with the principle of least privilege, assign users access only to the specific resources required to perform their job function.
  • Your identity provider might have limits on the number of characters or groups that are sent in a SAML sign-in request. If you intend to create many group mappings in Confluent Cloud, check any limitations from your identity provider on the number of groups that will be sent to Confluent Cloud.
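
One way to run the check in the last item is sketched below. It is an added example, not Confluent or identity-provider code: it counts the group values in a SAML assertion and lists mapped groups that never arrived. The attribute name `groups`, the group names, and the limit values are assumptions; take the real limits from your identity provider's documentation.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not captured from a real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>all-employees</saml:AttributeValue>
      <saml:AttributeValue>kafka-developers</saml:AttributeValue>
      <saml:AttributeValue>data-platform-readonly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def groups_in_assertion(xml_text, attribute_name="groups"):
    """Return the group values carried in the named SAML attribute.

    Intended for an assertion you captured from your own test sign-in;
    the attribute name is an assumption and varies by identity provider.
    """
    root = ET.fromstring(xml_text)
    path = f".//saml:Attribute[@Name='{attribute_name}']/saml:AttributeValue"
    return [(v.text or "").strip() for v in root.findall(path, SAML_NS)]


def audit_groups(sent, mapped, max_groups, max_chars):
    """Compare the groups the IdP sent against its limits and your mappings.

    max_groups and max_chars are placeholders for the IdP's documented limits.
    mapped is the list of IdP group names your group mappings filter on.
    """
    total_chars = sum(len(g) for g in sent)
    return {
        "group_count": len(sent),
        "total_chars": total_chars,
        "over_group_limit": len(sent) > max_groups,
        "over_char_limit": total_chars > max_chars,
        # A mapped group missing from the assertion grants nothing at sign-in,
        # which is the symptom of an IdP truncating or filtering the list.
        "mapped_but_not_sent": sorted(set(mapped) - set(sent)),
    }


if __name__ == "__main__":
    sent = groups_in_assertion(SAMPLE_ASSERTION)
    print(audit_groups(sent, ["all-employees", "kafka-admins"], 2, 100))
```

A non-empty `mapped_but_not_sent` for a user who is a member of that group in the identity provider indicates the group list was truncated or filtered before it reached Confluent Cloud.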