User group membership can be managed internally (locally) by a Hyland Experience administrator or externally by an external identity provider.
Internal User Groups
For internal user groups, membership must be managed manually using the Administration Portal. Only a Hyland Experience administrator can add or remove users from internal user groups, regardless of whether the users sign in using local or federated authentication.
External User Groups
For external user groups, membership can be updated automatically based on SAML assertions from an external identity provider.
When a user signs in with federated authentication, Hyland Experience checks the incoming assertion for groups the user belongs to. The groups on the assertion are compared with the names of external user groups in Hyland Experience. If a group on the incoming assertion matches the name of an external Hyland Experience group, the two are considered a match. The method of matching is not case sensitive. For example, "DevOps" and "Devops" would be considered a match.
Upon federated sign-in, a user gains, maintains, or loses membership in external Hyland Experience user groups based on the following rules:
Condition | Result |
---|---|
An external Hyland Experience user group matches a group on the incoming assertion. | |
An external Hyland Experience user group does not match a group on the incoming assertion. | |
A group on the incoming assertion does not match an external Hyland Experience user group. | |
Changing a Group from Internal to External
If you change a user group from internal to external, then users who currently belong to the user group may be removed the next time they access Hyland Experience using federated authentication. To prevent the unintended removal of users from the user group, take the following steps:
- In the external identity provider, make sure there is a matching user group that includes all users who should belong to the Hyland Experience user group.
- In the external identity provider, make sure assertions are configured to include user group information.
- In the Hyland Experience Administration Portal, make sure the external identity provider has the user group claim correctly mapped.
- In the Hyland Experience Administration Portal, make sure the user group name matches the group name provided on incoming assertions. Matching is not case sensitive.
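A pre-flight check for the steps above, added here as an example; it is not Hyland code and calls no Hyland API. It assumes you have the group's current member list and an export of the group names the identity provider would place on each user's assertion. The function name, data shapes, and the use of `casefold()` to stand in for "not case sensitive" are assumptions of this example.

```python
"""Pre-flight check before switching a user group from internal to external."""


def normalize(name):
    # The page says matching is not case sensitive; casefold() is this
    # example's stand-in for that comparison (assumption).
    return name.casefold()


def preflight(group_name, current_members, idp_groups_by_user):
    """Sort current members by whether the IdP would assert a matching group.

    group_name         -- group name as shown in the Administration Portal
    current_members    -- users who belong to the group today
    idp_groups_by_user -- {user: [group names the IdP would assert]}
    """
    target = normalize(group_name)
    covered, at_risk, near_misses = [], [], set()
    for user in sorted(current_members):
        asserted = idp_groups_by_user.get(user, [])
        if any(normalize(g) == target for g in asserted):
            covered.append(user)
            continue
        # No matching group on this user's assertion: the user may be
        # removed at the next federated sign-in after the switch.
        at_risk.append(user)
        # Names that differ only by surrounding whitespace usually point to
        # a naming mistake on one side; report them for correction.
        for g in asserted:
            if normalize(g.strip()) == normalize(group_name.strip()):
                near_misses.add(g)
    return {"covered": covered, "at_risk": at_risk,
            "near_misses": sorted(near_misses)}


# Constructed sample data, not taken from any real tenant.
SAMPLE_GROUP = "DevOps"
SAMPLE_MEMBERS = {"alice", "bob", "carol", "dave"}
SAMPLE_IDP_EXPORT = {
    "alice": ["Devops", "Staff"],   # differs only by case: matches
    "bob": ["Staff"],               # not in the IdP group
    "carol": ["DevOps "],           # trailing space: does not match as written
    # "dave" is missing from the IdP export entirely
}

if __name__ == "__main__":
    report = preflight(SAMPLE_GROUP, SAMPLE_MEMBERS, SAMPLE_IDP_EXPORT)
    for key, users in report.items():
        print(f"{key}: {users}")
```

Make the change to external only when `at_risk` is empty or every user in it is meant to lose membership.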