Group Mapping on Confluent Cloud
A group mapping is a collection or set of rules that lets you map user groups in your SSO identity provider to Confluent Cloud RBAC roles. When an SSO user signs in to Confluent Cloud, Confluent Cloud automatically assigns the Confluent Cloud RBAC roles you have mapped to the user’s groups.
Create a group mapping for each set of Confluent Cloud RBAC roles that you want to assign to a user based on the user’s group memberships in your SSO identity provider. Your organization might have groups with different sets of permissions based on teams, Confluent Cloud environments, or read/write/admin access. You can create a group mapping for each set of permissions.
For example, you might create a group mapping that assigns the Confluent Cloud RBAC roles `DeveloperWrite` and `ResourceOwner` to a user who is a member of the `data-science` group in your SSO identity provider.
Important
SSO users can map to multiple groups and get the permissions of all the matching groups. SSO group mapping permissions are additive with each other, meaning a user who is a member of two groups has permissions for both mappings.
Limitations
- Group mapping permissions are only granted to SSO user accounts after the users sign in to Confluent Cloud using SSO. User API keys only have permissions manually assigned to the user and do not have any group mapping permissions.
- The current ksqlDB authorization auditable events do not include the `assigned_principal` and `acting_principal` fields (for SSO users with group permissions).
Types of group mappings
There are two types of group mappings available in Confluent Cloud: basic and advanced. Basic group mappings are simple and provide easy mappings between user groups and Confluent Cloud ACLs or RBAC roles. Advanced group mappings are more complex and use Common Expression Language (CEL) expressions for increased flexibility.
Basic group mapping
A basic (literal) group mapping is a simple way to map users or groups from your SSO identity provider to Confluent Cloud ACLs or RBAC roles. A literal group mapping is a string value representing a single group value and is case-sensitive and space-sensitive.
Advanced group mapping
An advanced group mapping uses filters to map users and groups from your SSO identity provider to Confluent Cloud ACLs or RBAC roles. An advanced group mapping is a string value representing a group filter that uses a Common Expression Language (CEL) expression on multiple groups. CEL can be used to write complex expressions that filter groups based on their names, attributes, or relationships to other groups.
Using an advanced group mapping, an administrator can give a condition with the keyword `groups` to determine whether the group mapping can be applied to the SSO user.
Tip
Create default permissions that are applied to all SSO users by setting the Advanced Filter value to `true`. No user groups need to be in the SSO sign-in request for this group mapping to be applied.
Supported CEL operators for group mapping
You can use the following supported Common Expression Language (CEL) operators (in order of precedence) to create a more complex filter group mapping:

| Use case | Operator precedence | CEL expression |
|---|---|---|
| Logical IN | 1 | `"everyone" in groups` |
| Logical AND | 2 | `"kafka" in groups && "all" in groups` |
| Logical OR | 3 | `"google" in groups || "confluent" in groups` |
Note the following:
- A group filter has a limit of 300 characters.
- CEL expressions can only use the keyword `groups` and not `claims.groups`. No other claims are supported.
- CEL filters evaluate in order, from left to right, and the combination of `||` (or) and `&&` (and) might not be commutative, because `a || b && c` is not the same as `a && b || c`.
- Prefixes and suffixes are not supported for group names.
Examples
Example 1
Assume that a user, Priya, is only in the “everyone” group in their identity provider (for example, Azure Marketplace OIDC, Azure SAML, or Okta):

```
"kafka" in groups && "all" in groups || "everyone" in groups
```

This CEL filter evaluates to `true` for Priya because, even though she is not in “kafka” or “all”, the right side of the `||` operation is true.

```
"kafka" in groups || "all" in groups && "everyone" in groups
```

This CEL filter evaluates to `false` for Priya because `"kafka" in groups || "all" in groups` is false and the `&&` operation requires that both the left side and the right side be true.
Example 2
An administrator can use a filter with CEL expressions to create a group mapping for users who are members of either the `data-science` group or the `engineering` group:

```
"data-science" in groups || "engineering" in groups
```

Using a filter group mapping like this avoids having redundant group mappings for users when the groups share identical RBAC permission sets.
Example 3
For testing purposes, an application developer sets the value to `true`, which results in the group mapping applying to all SSO users without needing to map to any specific groups from the SAML request:

```
true
```
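The following is an added example, not Confluent's own code: a small evaluator for exactly the group-filter subset of CEL described on this page (`"name" in groups`, `&&`, `||`, and the literal `true`, with `&&` binding tighter than `||` as the precedence table states), plus a resolver that applies the additive rule from the Important note by taking the union of roles from every mapping whose filter matches. It enforces the 300-character limit, the exact (case- and space-sensitive) group match, and the rule that only the `groups` keyword is allowed (so `claims.groups` is rejected). Parentheses and other CEL features are deliberately not handled because the page does not list them. The sample mappings and the role names `DeveloperRead` and `MetricsViewer` are constructed for the demonstration; the filters themselves are Examples 1 to 3 from the text. Useful for checking how an existing set of mappings will land on a given user's groups before changing them in the identity provider.

```python
import re
from dataclasses import dataclass

MAX_FILTER_LEN = 300  # limit stated on the documentation page

# Tokens: a double-quoted string literal, a logical operator, or a bare word
# (groups, in, true, or an unsupported name such as claims.groups).
_TOKEN_RE = re.compile(r'\s*(?:("[^"]*")|(&&|\|\|)|([A-Za-z_][A-Za-z0-9_.]*))')


def _tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:
            if text[pos:].strip() == "":
                break  # only trailing whitespace left
            raise ValueError(f"unsupported token at position {pos}: {text[pos:pos + 10]!r}")
        string, op, word = m.groups()
        if string is not None:
            tokens.append(("str", string[1:-1]))  # group names: no escape processing
        elif op is not None:
            tokens.append(("op", op))
        else:
            tokens.append(("word", word))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent evaluator: or_expr > and_expr > membership (table precedence 3 > 2 > 1)."""

    def __init__(self, tokens, groups):
        self.tokens, self.i, self.groups = tokens, 0, groups

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self, kind, value=None):
        tok = self.peek()
        if tok is None or tok[0] != kind or (value is not None and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok}")
        self.i += 1
        return tok[1]

    def or_expr(self):  # and_expr ('||' and_expr)*, lowest precedence
        result = self.and_expr()
        while self.peek() == ("op", "||"):
            self.i += 1
            rhs = self.and_expr()  # always consumed, so tokens stay in sync
            result = result or rhs
        return result

    def and_expr(self):  # membership ('&&' membership)*, binds tighter than ||
        result = self.membership()
        while self.peek() == ("op", "&&"):
            self.i += 1
            rhs = self.membership()
            result = result and rhs
        return result

    def membership(self):  # 'true' | STRING 'in' 'groups'
        if self.peek() == ("word", "true"):
            self.i += 1
            return True
        name = self.take("str")
        self.take("word", "in")
        keyword = self.take("word")
        if keyword != "groups":
            raise ValueError(f"only the keyword 'groups' is supported, not {keyword!r}")
        return name in self.groups  # exact match: case- and space-sensitive


def evaluate_filter(filter_text, user_groups):
    """Return True if the group filter matches the user's SSO groups."""
    if len(filter_text) > MAX_FILTER_LEN:
        raise ValueError(f"group filter exceeds {MAX_FILTER_LEN} characters")
    parser = _Parser(_tokenize(filter_text), frozenset(user_groups))
    result = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected trailing token {parser.peek()}")
    return result


@dataclass(frozen=True)
class GroupMapping:
    name: str
    filter: str          # basic (literal) mappings can be written as '"name" in groups'
    roles: frozenset     # RBAC roles granted when the filter matches


def effective_roles(mappings, user_groups):
    """Union of roles from every matching mapping: group mapping permissions are additive."""
    roles = set()
    for mapping in mappings:
        if evaluate_filter(mapping.filter, user_groups):
            roles |= mapping.roles
    return roles


# Constructed sample mappings modelled on the page's examples (role names are assumptions).
SAMPLE_MAPPINGS = (
    GroupMapping("data-science-owners", '"data-science" in groups',
                 frozenset({"DeveloperWrite", "ResourceOwner"})),
    GroupMapping("data-or-eng-readers", '"data-science" in groups || "engineering" in groups',
                 frozenset({"DeveloperRead"})),
    GroupMapping("everyone-default", "true", frozenset({"MetricsViewer"})),
)

if __name__ == "__main__":
    for groups in ({"everyone"}, {"engineering"}, {"data-science"}):
        print(sorted(groups), "->", sorted(effective_roles(SAMPLE_MAPPINGS, groups)))
```

Running the block prints the effective role set for three constructed users; the `data-science` user collects roles from all three mappings, which is the additive behaviour to keep in mind when auditing who ends up with `ResourceOwner`.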