Group Mapping on Confluent Cloud

A group mapping is a set of rules that lets you map user groups in your SSO identity provider to Confluent Cloud RBAC roles. When an SSO user signs in to Confluent Cloud, Confluent Cloud automatically assigns the Confluent Cloud RBAC roles you have mapped to the user’s groups.

Create a group mapping for each set of Confluent Cloud RBAC roles that you want to assign to a user based on the user’s group memberships in your SSO identity provider. Your organization might have groups with different sets of permissions based on teams, Confluent Cloud environments, or read/write/admin access. You can create a group mapping for each set of permissions.

For example, you might create a group mapping that assigns the Confluent Cloud RBAC roles DeveloperWrite and ResourceOwner to a user who is a member of the data-science group in your SSO identity provider.

Important

SSO users can map to multiple groups and get the permissions of all the matching groups. SSO group mapping permissions are additive with each other, meaning a user who is a member of two groups has permissions for both mappings.

Limitations

  • Group mapping permissions are only granted to SSO user accounts after the users sign in to Confluent Cloud using SSO. User API keys only have permissions manually assigned to the user and do not have any group mapping permissions.
  • The current ksqlDB authorization auditable events do not include the assigned_principal and acting_principal fields (for SSO users with group permissions).

Types of group mappings

There are two types of group mappings available in Confluent Cloud: basic and advanced. Basic group mappings are simple and provide easy mappings between user groups and Confluent Cloud ACLs or RBAC roles. Advanced group mappings are more complex and use Common Expression Language (CEL) expressions for increased flexibility.

Basic group mapping

A literal group mapping is a simple way to map users or groups from your SSO identity provider to Confluent Cloud ACLs or RBAC roles. A literal group mapping is a string value representing a single group value and is case-sensitive and space-sensitive.

Advanced group mapping

An advanced group mapping uses filters to map users and groups from your SSO identity provider to Confluent Cloud ACLs or RBAC roles. An advanced group mapping is a string value representing a group filter that uses a Common Expression Language (CEL) expression on multiple groups. CEL can be used to write complex expressions that filter groups based on their names, attributes, or relationships to other groups.

Using an advanced group mapping, an administrator specifies a condition that uses the keyword groups to determine whether the group mapping applies to the SSO user.

Tip

Create default permissions that are applied to all SSO users by setting the Advanced Filter value to true. No user groups need to be in the SSO sign-in request for this group mapping to be applied.

Supported CEL operators for group mapping

You can use the following supported Common Expression Language (CEL) operators (in order of precedence) to create a more complex filter group mapping:

Use case       Operator precedence    CEL expression
Logical IN     1                      "everyone" in groups
Logical AND    2                      "kafka" in groups && "all" in groups
Logical OR     3                      "google" in groups || "confluent" in groups

Note the following:

  • A group filter has a limit of 300 characters.
  • CEL expressions can only use the keyword groups and not claims.groups. No other claims are supported.
  • CEL filters evaluate in order, from left to right, and expressions that combine OR (||) and AND (&&) might not be commutative: a || b && c is not the same as a && b || c.
  • Prefixes and suffixes are not supported for group names.

Examples

Example 1

Assume that a user, Priya, is only in the “everyone” group in their identity provider (for example, Azure Marketplace OIDC, Azure SAML, or Okta):

"kafka" in groups && "all" in groups || "everyone" in groups

This CEL filter evaluates to true for Priya because even though she is not in “kafka” or “all”, the right side of the || operation is true.

"kafka" in groups || "all" in groups && "everyone" in groups

This CEL filter evaluates to false for Priya because "kafka" in groups || "all" in groups is false and the && operation requires that both the left side and right side must be true.

Example 2

An administrator can use a filter with CEL expressions to create a group mapping for users who are members of either the data-science group or the engineering group:

"data-science" in groups || "engineering" in groups

Using a filter group mapping like this avoids having redundant group mappings for users when the groups share identical RBAC permission sets.

Example 3

For testing purposes, an application developer sets the value to true, which results in the group mapping applying to all SSO users without needing to map to any specific groups from the SAML request.

true
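
The following is an added example, not code from Confluent: a small Python evaluator for the filter subset documented on this page, applying the precedence from the operator table (&& before ||), plus a function that unions the roles of every matching mapping. The sample mappings, and the DeveloperRead and MetricsViewer assignments in them, are constructed for illustration.

```python
import re

MAX_LEN = 300  # filter length limit stated on the page
TOKEN = re.compile(r'\s*(?:("[^"]*")|(&&|\|\||in\b|groups\b|true\b))')

def tokenize(expr):
    if len(expr) > MAX_LEN:
        raise ValueError("filter exceeds 300 characters")
    expr, tokens, pos = expr.strip(), [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:  # e.g. claims.groups or prefix/suffix functions
            raise ValueError(f"unsupported syntax at {expr[pos:]!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens

def split_on(tokens, op):
    parts = [[]]
    for tok in tokens:
        if tok == op:
            parts.append([])
        else:
            parts[-1].append(tok)
    return parts

def atom(tokens, groups):
    if tokens == ["true"]:
        return True
    if len(tokens) == 3 and tokens[0].startswith('"') and tokens[1:] == ["in", "groups"]:
        return tokens[0][1:-1] in groups  # exact: case- and space-sensitive
    raise ValueError(f'expected true or "<name>" in groups, got {tokens}')

def matches(expr, groups):
    """Evaluate a filter for one user's groups; && binds tighter than ||."""
    # Lists (not generators) so every atom is validated even after a match.
    return any([all([atom(a, groups) for a in split_on(term, "&&")])
                for term in split_on(tokenize(expr), "||")])

MAPPINGS = {  # constructed sample: filter -> roles granted
    '"data-science" in groups || "engineering" in groups': {"DeveloperWrite", "ResourceOwner"},
    '"kafka" in groups && "all" in groups || "everyone" in groups': {"DeveloperRead"},
    "true": {"MetricsViewer"},  # default applied to every SSO user
}

def effective_roles(groups, mappings=MAPPINGS):
    """Union of roles from every matching mapping (permissions are additive)."""
    return set().union(*(r for f, r in mappings.items() if matches(f, groups)))
```

Running effective_roles over each group combination your identity provider can send is a quick way to review what a true filter or a mixed &&/|| filter grants before you create the mapping.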