Active Directory group integration for user authentication

We would like to give visibility (at least read-only access) to Aha to a large number of users (> 1K) in our organization; however, this is currently not practical as each user needs to be added manually one by one. Even when using SSO you still need to add and set the permissions individually for each user.

We are already using single sign-on with Active Directory but would like to see the ability to map a specific role (e.g. Reviewer) to an Active Directory group. 

Could not find a similar idea or request. The closest was https://big.ideas.aha.io/ideas/APP-I-1383 however this is more about defining and using groups internally in Aha.

 

UPDATED:

The proposed solution to use product prefix only addresses part of the problem of granting initial access. Also, as in our organization there are multiple groups which should have different initial access, it does not solve that either.

What is needed is to be able to map roles to a specific group in AD so that permissions are dynamic based on group membership.

E.g. when a user is added to the "Fredwin contributors" group in AD, then when that user logs in he/she will have the contributor role for the Fredwin product, and in the same way, if the user is removed from that AD group, he/she would no longer have the role.

  • Roman Hernandez
  • Sep 20 2018
  • Future consideration
  • Nov 26, 2019

    Admin Response

    Thank you for your idea. It is possible to set the initial permissions by including product prefix and role as attributes in your SAML SSO setup. This article provides more details. See the Product prefix and Product role sections toward the bottom of the article.

    We will continue to monitor customer feedback on the idea of having permissions update dynamically based on group changes.

  • Roman Hernandez commented
    19 Oct, 2018 11:39am

    Hi, I don't think the proposed solution in the article matches what we need. We don't want to give access to the whole organization that uses SSO but rather limit that to a specific group defined in AD. Is there a way to configure that already?
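
The behaviour requested in this idea, sketched as an added example (not Aha! code and not part of the original post or comments): roles are recomputed from the AD groups asserted at each login, so removal from a group revokes the role instead of leaving the initial permission in place. The group-to-role table, the "Fredwin reviewers" group, the role ranking, the stored-role format and the rule that manually assigned roles are left untouched are all assumptions made for illustration.

```python
# Hypothetical mapping of AD group name -> (product, role); constructed sample data.
GROUP_ROLE_MAP = {
    "Fredwin contributors": ("Fredwin", "contributor"),
    "Fredwin reviewers": ("Fredwin", "reviewer"),
}
ROLE_RANK = {"reviewer": 1, "contributor": 2}  # assumed ordering, higher wins


def roles_from_groups(groups):
    """Return {product: role} granted by the groups asserted at this login."""
    granted = {}
    for group in groups:
        mapping = GROUP_ROLE_MAP.get(group)
        if mapping is None:
            continue  # unmapped groups grant nothing (default deny)
        product, role = mapping
        if ROLE_RANK[role] > ROLE_RANK.get(granted.get(product), 0):
            granted[product] = role
    return granted


def reconcile_on_login(stored, groups):
    """Recompute group-derived roles; return (new_roles, changes).

    stored: {product: {"role": str, "source": "group" | "manual"}}
    Roles with source "manual" are kept as they are (assumed policy).
    """
    granted = roles_from_groups(groups)
    result, changes = {}, []
    for product, entry in stored.items():
        if entry["source"] == "manual":
            result[product] = dict(entry)
        elif product not in granted:
            # Group membership is gone, so the group-derived role goes too.
            changes.append(("revoke", product, entry["role"]))
    for product, role in granted.items():
        if product in result:
            continue  # a manual assignment already covers this product
        previous = stored.get(product)
        if previous is None or previous["role"] != role:
            changes.append(("grant", product, role))
        result[product] = {"role": role, "source": "group"}
    return result, changes


if __name__ == "__main__":
    roles, log = reconcile_on_login({}, ["Fredwin contributors", "Domain Users"])
    print(roles, log)
    roles, log = reconcile_on_login(roles, ["Domain Users"])  # removed from group
    print(roles, log)
```

The `changes` list is what an audit log would record, which makes revocations on group removal reviewable.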