Skip to Main Content
Status Future consideration
Categories Account settings
Created by Roman Hernandez
Created on Sep 20, 2018

Active Directory group integration for user authentication

We would like to give visibility (at least read only access) to Aha to a large amount of users (> 1K) in our organization however this is currently not practical as each user needs to be added manually one by one. Even when using SSO you still need to add and set the permissions individually for each user.

We are already using single sign-on with Active Directory but would like to see the ability to map a specific role (e.g. Reviewer) to an Active Directory group. 

Could not find a similar idea or request. The closest was however this is more about defining and using groups internally in Aha.



The proposed solution to use product prefix only address part of the problem of granting initial access. Also as in our organization there are multiple groups which should have different initial access it does not solve that either.

What is needed is to be able to map roles to a specific group in AD so that permissions are dynamic based on group membership.

e.g. When a user is added to the "Fredwin contributors" group in AD when that user logs in he/she will have the contributor role for the Fredwin product and in the same way if the user is removed from that AD group he/she  would no longer have the role.

    Jul 22, 2022

    Thank you for your idea. It is possible to set the initial permissions by including product prefix and role as attributes in your SAML SSO setup. This article provides more details. See the Product prefix and Product role sections toward the bottom of the article.

    We will continue to monitor customer feedback on the idea of having permissions update dynamically based on group changes.

  • Attach files
  • Roman Hernandez
    Oct 19, 2018

    Hi, I don't think the proposed solution in the article does not match what we need. We don't want to give access to the whole organization that uses SSO but rather limit that to a specific group defined in AD, is there a way to configure that already?

  • +1