Managing User Group Membership

Hyland Experience Administration Portal

User group membership can be managed internally (locally) by a Hyland Experience administrator or externally by an external identity provider.

Internal User Groups

For internal user groups, membership must be managed manually using the Administration Portal. Only a Hyland Experience administrator can add or remove users from internal user groups, regardless of whether the users sign in using local or federated authentication.

External User Groups

For external user groups, membership can be updated automatically based on SAML assertions from an external identity provider.

When a user signs in with federated authentication, Hyland Experience checks the incoming assertion for groups the user belongs to. The groups on the assertion are compared with the names of external user groups in Hyland Experience. If a group on the incoming assertion matches the name of an external Hyland Experience group, the two are considered a match. The method of matching is not case sensitive. For example, "DevOps" and "Devops" would be considered a match.

Note: Locally authenticated users can belong to external user groups in Hyland Experience, but they must be added to the groups manually by an administrator. Signing in with local authentication neither adds users to nor removes them from any Hyland Experience user groups.

Upon federated sign-in, a user gains, maintains, or loses membership in external Hyland Experience user groups based on the following rules:

Condition: An external Hyland Experience user group matches a group on the incoming assertion.
Result:

  • If the user is not currently a member of the external Hyland Experience user group, then the user is added to the group.
  • If the user is currently a member of the external Hyland Experience user group, then the user remains a member of the group.

Condition: An external Hyland Experience user group does not match a group on the incoming assertion.
Result:

  • If the user is currently a member of the external Hyland Experience user group, then the user is removed from the group.

Condition: A group on the incoming assertion does not match an external Hyland Experience user group.
Result:

  • The group on the assertion is ignored. A matching external Hyland Experience user group must exist in order for a user to be added to or removed from it. New user groups are not created automatically.

Changing a Group from Internal to External

If you change a user group from internal to external, then users who currently belong to the user group may be removed the next time they access Hyland Experience using federated authentication. To prevent the unintended removal of users from the user group, take the following steps:

  • In the external identity provider, make sure there is a matching user group that includes all users who should belong to the Hyland Experience user group.
  • In the external identity provider, make sure assertions are configured to include user group information.
  • In the Hyland Experience Administration Portal, make sure the external identity provider has the user group claim correctly mapped.
  • In the Hyland Experience Administration Portal, make sure the user group name matches the group name provided on incoming assertions. Matching is not case sensitive.
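The federated sign-in rules and the internal-to-external checklist above can be modelled offline to review who would gain or lose access before a change is made. The following is an added example, not Hyland code: the function names, the data shapes, and the use of `str.casefold()` to model "not case sensitive" are assumptions, and the group and user names are constructed.

```python
# Added illustration of the documented rules; not part of Hyland Experience.
# Assumption: "not case sensitive" matching is modelled with str.casefold().

def sync_external_groups(external_groups, current_membership, assertion_groups):
    """Apply the federated sign-in rules for one user.

    external_groups:    names of external user groups defined in Hyland Experience
    current_membership: groups (internal or external) the user belongs to now
    assertion_groups:   group values carried on the incoming assertion
    """
    asserted = {g.casefold() for g in assertion_groups}
    external = {g.casefold(): g for g in external_groups}
    member_of = {g.casefold() for g in current_membership}

    result = {"added": [], "kept": [], "removed": [], "ignored": []}
    # Only external groups are evaluated; internal memberships are never touched.
    for key, name in external.items():
        if key in asserted:
            result["kept" if key in member_of else "added"].append(name)
        elif key in member_of:
            result["removed"].append(name)
    # Assertion groups with no matching external group are ignored, not created.
    result["ignored"] = [g for g in assertion_groups if g.casefold() not in external]
    return {k: sorted(v) for k, v in result.items()}


def preflight_internal_to_external(group_name, current_members, idp_groups_by_user):
    """Users who would be removed from group_name at their next federated
    sign-in if the group were switched to external today."""
    wanted = group_name.casefold()
    at_risk = []
    for user in current_members:
        # A user with no group data from the identity provider asserts nothing.
        asserted = {g.casefold() for g in idp_groups_by_user.get(user, [])}
        if wanted not in asserted:
            at_risk.append(user)
    return sorted(at_risk)


if __name__ == "__main__":
    # Constructed sample data.
    print(sync_external_groups(["DevOps", "Finance", "Legal"],
                               ["Finance", "Legal", "LocalAdmins"],
                               ["Devops", "legal", "Contractors"]))
    print(preflight_internal_to_external(
        "DevOps", ["alice", "bob", "carol"],
        {"alice": ["devops"], "bob": ["Finance"]}))
```

An empty result from `preflight_internal_to_external` means every current member is covered by the identity provider's group data; any name it returns should be added to the matching identity provider group before the switch.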