Assigning roles to SAML users and groups

Once SAML/SSO has been configured, users will be provisioned at login. By default, users will be assigned the Remote Edit User role. If the SAML IDP is sending group information to Lens, then the Lens Portal can automatically assign a role to a user based on their SAML groups.

How roles are evaluated

A users role is evaluated based on the following criteria:

1. If a users role has a role other than Deny access, they use the users assigned role

2. If a users role is Deny access but they are part of a group that does allow access, then they will be assigned the group’s role

3. If a user's role is Deny access and they are not part of a group, then they will be denied access

Assigning a role based on SAML groups

1. Login to the Lens Portal. The user must have the 'Access to Settings' permission for the location where the scheduler will be enabled.

2. In the left sidebar, open the Configuration menu, then select the Settings option

3. Under the Roles group, select the Identity Mapping option

4. Click the Add button

5. A Add role mapping modal will appear. In the Group Name field enter the name of the SAML group. This is case-sensitive.

6. In the Role field, select the role you would like users that have the specified group name to have.

7. Click the Add button

Assigning a role to a SAML user

1. Login to the Lens Portal. The user must have the 'Access to Settings' permission for the location where the scheduler will be enabled.

2. In the left sidebar, open the Configuration menu, then select the Settings option

3. Under the Roles group, select the Identity Mapping option

4. Check the checkbox next to the user you want to assign a role to

5. Click the Edit button

6. In the Role field, select the new role

7. Click the Edit button