Dynamic Permission Assignment (SSO)
This feature allows administrators to automatically assign roles and customer access to users during Single Sign-On (SSO) based on predefined rules. Permissions are dynamically mapped using identity attributes (such as groups or custom attributes) received from the Identity Provider (IdP).
Each rule defines:
- Attribute to evaluate (e.g., Group or custom attribute)
- Condition (i.e., Contains, Equals, or In)
- Value to match
- Roles to be assigned
- Customer Access to be granted
Rules are processed in order, with options to add, edit, delete, and reorder them.
A default rule ensures fallback access when no other conditions match. This setup reduces manual user management, enforces consistent access control, and ensures users receive the correct permissions automatically at login.
To configure Dynamic Permission Assignment rules, click Add to set up the required settings:
| Settings | Values |
|---|---|
| Attribute | Under the Role Configuration, define the Attribute Name to be evaluated (e.g., Group, which refers to the group attribute of the user). For steps on how to add Attributes, please click here (e.g., Attribute: Engineering, Value: QA). |
| Condition | Select the condition from the dropdown: 1. Contain, 2. Equals, 3. In. Note: The condition field defines how SureMDM Hub matches the attribute value received from the SSO provider with the value specified in the rule. |
| Value | Provide the value that the Attribute name must match (e.g., “Admin”, “Manager”, or any other relevant group identifier). The system will look for this value within the user’s group attribute to determine if the role should be assigned. |
| Roles | Specify the roles that should be dynamically assigned to the user when the Attribute matches the specified Value. For example, if the group contains "Admin", assign the Administrator role, or if the group contains "Manager", assign the Manager role. To know more, see Create Roles for Admin users. |
| Customer Access | Specify the Customer Access permission that should be dynamically assigned to the user when the Attribute matches the specified Value. |
If the Attribute or Value does not match the information provided by the IdP, SureMDM Hub assigns default permissions to the sub-user, preventing the intended custom role from being applied.
Recommendation: Ensure that attributes and values are consistently configured between the IdP and SureMDM Hub.
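A dry-run model of the ordered rule processing and default fallback described above, added here as an example and not SureMDM Hub's own code. It assumes first-match-wins ordering, case-sensitive matching, substring semantics for Contains and a comma-separated list for In; the default role name, customer access names and sample logins are constructed.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    attribute: str
    condition: str            # "Contains", "Equals" or "In"
    value: str
    roles: tuple
    customer_access: tuple

def matches(rule, received):
    """Assumed semantics: case-sensitive; attributes may be multi-valued."""
    values = [received] if isinstance(received, str) else list(received)
    if rule.condition == "Equals":
        return rule.value in values
    if rule.condition == "Contains":          # assumed: substring of any value
        return any(rule.value in v for v in values)
    if rule.condition == "In":                # assumed: comma-separated allow-list
        allowed = {item.strip() for item in rule.value.split(",")}
        return any(v in allowed for v in values)
    raise ValueError(f"unknown condition: {rule.condition!r}")

def resolve(rules, default, idp_attributes):
    """Walk rules in order; assumed first match wins, else the default rule."""
    for position, rule in enumerate(rules, start=1):
        received = idp_attributes.get(rule.attribute)
        if received is not None and matches(rule, received):
            return position, rule
    return None, default

def fell_to_default(rules, default, sample_logins):
    """Names of sample logins that no explicit rule matched."""
    return [n for n, a in sample_logins.items() if resolve(rules, default, a)[0] is None]

# Constructed sample data: rule values, default role, customer access, logins.
RULES = [
    Rule("Group", "Contains", "Admin", ("Administrator",), ("All Customers",)),
    Rule("Group", "Equals", "Manager", ("Manager",), ("Customer-A",)),
    Rule("Department", "In", "QA, Support", ("Manager",), ("Customer-B",)),
]
DEFAULT = Rule("*", "Equals", "*", ("Read Only",), ())
SAMPLE_LOGINS = {
    "alice": {"Group": ["IT-Admins", "Staff"]},   # matches rule 1
    "bob": {"Group": "Manager"},                  # matches rule 2
    "carol": {"Department": "Support"},           # matches rule 3
    "dave": {"Group": ["admins"]},                # case differs: default
    "erin": {"groups": ["Admin"]},                # attribute name differs: default
}
if __name__ == "__main__":
    print("fell to default:", fell_to_default(RULES, DEFAULT, SAMPLE_LOGINS))
```

Running sample IdP attribute sets through a model like this before go-live surfaces logins that would silently land on the default rule because of a casing or attribute-name mismatch.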