Group Mapping on Confluent Cloud

Required RBAC role: OrganizationAdmin.

A group mapping is a set of rules that maps user groups in your SSO identity provider to Confluent Cloud RBAC roles. When an SSO user signs in to Confluent Cloud, Confluent Cloud automatically assigns the Confluent Cloud RBAC roles you have mapped to the groups in that user's sign-in request.

Create a group mapping for each set of Confluent Cloud RBAC roles that you want to assign to a user based on the user’s group memberships in your SSO identity provider. Your organization might have groups with different sets of permissions based on teams, Confluent Cloud environments, or read/write/admin access. You can create a group mapping for each set of permissions.

For example, you might create a group mapping that assigns the Confluent Cloud RBAC roles DeveloperWrite and ResourceOwner to a user who is a member of the data-science group in your SSO identity provider.

Important

An SSO user can match multiple group mappings and receives the permissions of every matching mapping. Group mapping permissions are additive: a user who is a member of two mapped groups holds the roles from both mappings. Review the union of roles a user can accumulate, not just each mapping in isolation.

Limitations

  • Group mapping permissions are granted to an SSO user account only after the user signs in to Confluent Cloud using SSO. API keys owned by the user carry only the roles bound directly to that user; they do not inherit any group mapping permissions.
  • The current ksqlDB authorization auditable events do not include the assigned_principal and acting_principal fields (for SSO users with group permissions).

Types of group mappings

There are two types of group mappings available in Confluent Cloud: basic and advanced. A basic group mapping matches a single group by its literal name and maps it to Confluent Cloud ACLs or RBAC roles. An advanced group mapping uses a Common Expression Language (CEL) expression to match groups by condition, which gives you more flexibility at the cost of more complexity.

Basic group mapping

A basic group mapping is a literal group mapping: a simple way to map users or groups from your SSO identity provider to Confluent Cloud ACLs or RBAC roles. The mapping is a string value representing a single group name and is matched exactly. The comparison is case-sensitive and space-sensitive, so "Data-Science" and "data-science " (with a trailing space) do not match a mapping for "data-science".

Advanced group mapping

An advanced group mapping uses a filter to map users and groups from your SSO identity provider to Confluent Cloud ACLs or RBAC roles. The filter is a string value containing a Common Expression Language (CEL) expression that is evaluated against the full list of groups in the user's sign-in request. CEL lets you write expressions that select groups based on their names, attributes, or relationships to other groups.

In an advanced group mapping, an administrator writes a condition over the keyword groups (the list of groups in the SSO user's sign-in request). The group mapping is applied to the user only if the condition evaluates to true.

Tip

To create default permissions that apply to every SSO user, set the Advanced Filter value to true. Because the condition is always true, the sign-in request does not need to contain any groups for this group mapping to be applied. Keep the roles bound to such a mapping minimal, since every SSO user in the organization receives them.

For detailed information about CEL expressions, supported CEL operators, and examples, see Use CEL expressions for advanced group mappings.
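The following simulator is an added example and is not code from the Confluent Cloud product or its documentation. It models how the rules above combine at sign-in: basic mappings match a group name exactly (case- and space-sensitive), advanced mappings are evaluated over the groups list, a filter of true matches every SSO user, the roles of all matching mappings are unioned, and an API key owned by the user gets none of the mapped roles. The CEL subset it understands (true, "name" in groups, and groups.exists(g, g.startsWith("prefix"))) is an assumption made for this example; the operators Confluent Cloud actually supports are defined in the CEL documentation linked above. The mapping names, group names, and role sets are constructed sample data.

```python
"""Simulate how Confluent Cloud group mappings resolve to RBAC roles at SSO sign-in.

Added example; not Confluent's code. The CEL subset below is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GroupMapping:
    name: str
    roles: frozenset  # RBAC roles bound to this mapping
    literal: Optional[str] = None  # basic mapping: exact group name
    filter: Optional[str] = None  # advanced mapping: CEL-style expression over `groups`


# Minimal CEL subset recognised by this simulator (assumption, not the full CEL
# support Confluent Cloud offers):
#   true
#   "name" in groups
#   groups.exists(g, g.startsWith("prefix"))
_IN_RE = re.compile(r'^"([^"]*)" in groups$')
_EXISTS_RE = re.compile(r'^groups\.exists\((\w+),\s*\1\.startsWith\("([^"]*)"\)\)$')


def evaluate_filter(expr: str, groups: list[str]) -> bool:
    """Evaluate an advanced-mapping filter against the sign-in group list."""
    expr = expr.strip()
    if expr == "true":
        return True  # default mapping: applies even when `groups` is empty
    m = _IN_RE.match(expr)
    if m:
        return m.group(1) in groups  # exact membership, no case folding
    m = _EXISTS_RE.match(expr)
    if m:
        prefix = m.group(2)
        return any(g.startswith(prefix) for g in groups)
    # Fail closed: an expression we cannot parse must never grant roles.
    raise ValueError(f"unsupported filter expression in this simulator: {expr!r}")


def mapping_matches(mapping: GroupMapping, groups: list[str]) -> bool:
    """Basic mappings compare the literal exactly; advanced mappings run the filter."""
    if mapping.literal is not None:
        # Case-sensitive and space-sensitive: "Data-Science" != "data-science".
        return mapping.literal in groups
    if mapping.filter is not None:
        return evaluate_filter(mapping.filter, groups)
    raise ValueError(f"mapping {mapping.name!r} has neither a literal nor a filter")


def resolve_sso_roles(mappings: list[GroupMapping], groups: list[str]) -> set[str]:
    """Union of roles across every matching mapping (permissions are additive)."""
    roles: set[str] = set()
    for m in mappings:
        if mapping_matches(m, groups):
            roles |= m.roles
    return roles


def effective_roles(direct_roles: set[str], mappings: list[GroupMapping],
                    groups: list[str], via_sso: bool) -> set[str]:
    """Roles a principal holds for a request.

    Interactive SSO sign-in: directly bound roles plus mapped roles.
    Request authenticated with the user's API key: directly bound roles only;
    group mapping permissions never flow to the API key.
    """
    if not via_sso:
        return set(direct_roles)
    return set(direct_roles) | resolve_sso_roles(mappings, groups)


# Constructed sample mappings (role names are example values).
MAPPINGS = [
    GroupMapping("ds-writers", frozenset({"DeveloperWrite", "ResourceOwner"}),
                 literal="data-science"),
    GroupMapping("platform", frozenset({"EnvironmentAdmin"}),
                 literal="platform-admins"),
    GroupMapping("all-teams", frozenset({"DeveloperManage"}),
                 filter='groups.exists(g, g.startsWith("team-"))'),
    GroupMapping("everyone", frozenset({"DeveloperRead"}), filter="true"),
]

if __name__ == "__main__":
    for groups in (["data-science"], ["Data-Science"], [], ["data-science", "team-payments"]):
        print(groups, "->", sorted(resolve_sso_roles(MAPPINGS, groups)))
```

Run it as a script to print the roles each sample group list would receive. When planning mappings, feed in the exact group strings your identity provider emits in the sign-in request; the simulator deliberately performs no trimming or case folding so that a mismatch in the mapping literal shows up as a missing role rather than being silently corrected.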