Managing Authentication Groups

Overview

To map groups from your identity provider to Hyperscience permission groups, you must first add an authentication group. If an external user tries to log in without appropriate mapping, they will receive the following error: “This user account does not have permission to log in. Please contact your system administrator.”

Adding an authentication group

  1. Go to Users > Authentication Groups.

  2. Click the Add Authentication Group button.

  3. Set a name for the group.

    • For LDAP, the name of the authentication group should be the full LDAP Group DN (e.g., CN=DATA_CLERK,OU=HSCORP,DC=corp,DC=hyperscience,DC=com).

    • For SAML configured outside of Azure Active Directory (Azure AD) and for OIDC, the name of the authentication group should be the full OIDC Group name (e.g., data_clerk).

      • If you've configured SAML in Azure AD, the name should be the group's Object ID, not the full OIDC Group name.

  4. Select the Hyperscience permission group or groups from which this authentication group should inherit permissions.

  5. Click Save.


Export an authentication group

You can use your custom authentication groups in other instances. To do so, export the authentication groups, then import their JSON files into any instances where you would like to use the authentication groups.

To export authentication groups:

  1. Go to Users > Authentication Groups, and select the checkboxes for the authentication groups you want to export.

  2. Click the Actions button, and then click Export.

The system creates a JSON file for each exported authentication group, which is then downloaded to your machine. If you’ve exported multiple authentication groups, the system creates a ZIP file containing a JSON file for each authentication group.

Import an authentication group

In addition to creating new authentication groups manually by following the steps in Adding an authentication group, you can also import existing authentication groups. This option allows you to use the same authentication groups across multiple instances.

Check the names of your authentication groups before uploading

If the name of the imported authentication group matches the name of an authentication group that is already on your instance, the imported authentication group will overwrite the contents of that group. If you do not want the imported authentication group to overwrite any of your current authentication groups, make sure the name of the imported authentication group will be unique in your instance.

Check the names of your permission groups before uploading

If the name of a permission group you’re referencing in your authentication groups does not match the name of any permission group that exists in your instance, the import of your authentication groups will fail.

To import an authentication group:

  1. Go to Users > Authentication Groups.

  2. Click the Add Authentication Group button in the upper-right corner.

  3. In the Add Authentication Group dialog box, click the Upload Existing tab.

  4. Do one of the following:

    • Drag and drop the authentication group’s JSON file to the dialog box.

    • Click Choose File, and find and open the authentication group’s JSON file on your machine.

  5. Click Upload.
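The two pre-upload checks described above (name collisions that would overwrite an existing authentication group, and referenced permission groups that are missing on the target instance) can be run against an export before it is uploaded. The following is an added example, not Hyperscience code: the page does not document the exported JSON schema, so the keys "name" and "permission_groups", the exact-match name comparison, and the sample group data are assumptions.

```python
import io, json, re, zipfile

# Assumed key names: the page does not document the exported JSON schema.
NAME_KEY, PERMS_KEY = "name", "permission_groups"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DN_RE = re.compile(r"^(CN|OU|DC)=[^,]+(,(CN|OU|DC)=[^,]+)+$", re.I)  # heuristic

def name_kind(name):
    """Classify a name by the formats listed under 'Adding an authentication group'."""
    if DN_RE.match(name):
        return "ldap_dn"
    if GUID_RE.match(name):
        return "azure_ad_object_id"
    return "group_name"

def load_groups(data):
    """Parse one exported JSON file, or a ZIP holding one JSON file per group."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            return [json.loads(zf.read(n)) for n in zf.namelist() if n.endswith(".json")]
    return [json.loads(data)]

def precheck(data, existing_auth, existing_perms):
    """Flag would-be overwrites and permission groups missing on the target."""
    findings = []
    for group in load_groups(data):
        name = group[NAME_KEY]
        missing = sorted(set(group.get(PERMS_KEY, [])) - set(existing_perms))
        findings.append({"name": name, "kind": name_kind(name),
                         "overwrites": name in existing_auth,  # exact match assumed
                         "missing_permission_groups": missing})
    return findings

def sample_export():
    """Constructed sample: a ZIP with two exported groups (not real data)."""
    groups = [
        {"name": "CN=DATA_CLERK,OU=HSCORP,DC=corp,DC=hyperscience,DC=com",
         "permission_groups": ["Data Clerk"]},
        {"name": "data_clerk", "permission_groups": ["Data Clerk", "Auditor"]},
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, g in enumerate(groups):
            zf.writestr(f"group_{i}.json", json.dumps(g))
    return buf.getvalue()

if __name__ == "__main__":
    for f in precheck(sample_export(), {"data_clerk"}, {"Data Clerk"}):
        print(f)
```

Any finding with "overwrites" set to True changes which permission groups an existing authentication group inherits, so review those entries before uploading.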

Deleting authentication groups

  1. Go to Users > Authentication Groups.

  2. Select the checkboxes for the authentication groups you want to delete.

  3. Click Actions, and then click Delete.

  4. Click OK to confirm the deletion.