Versions Compared

Old Version 1

changes.mady.by.user Jonė Š.

Saved on

compared with

New Version Current

changes.mady.by.user Jonė Š.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

On this page

Table of Contents
maxLevel4


In certain security-related authentication scenarios, user access rights must be determined dynamically by SAML IDPs on each login operation by taking network and user location (and possibly other criteria) into account. Teamwork Cloud allows you to validate/invalidate user group membership based on SAML attribute values by using the conditional user groups feature.

When users are added to a conditional user group, they receive the group permissions only if the group condition is met, for example, if they log in from the right location.

Note
titlePrerequisites
  • To
use
  • allow users to create conditional user groups, the Conditional user groups option must be enabled in the Settings application.
  • To define the conditions for conditional user groups, SAML attributes must already be configured on the SAML page of the Settings application.


To create a conditional user group

  1. Go to the Users application
  2. Start creating a new or select to edit an existing user group.
  3. On the group details pane, turn on the Conditional user group switch.
  4. In the Condition box, enter the condition users must meet to be granted the group permissions. Available attributes are displayed below the Condition box. Learn more about condition syntax.

    5. Click

  5. Warning

    When defining the condition for a conditional user group, make sure to use SAML attributes in the same way they are configured on the SAML page of the Settings application.

  6. Click Image Modified to save the user group.


Image RemovedImage Added

Creating a conditional user group.

Condition syntax

Configuring SAML attributes

Conditions for conditional user groups accept only the SAML attributes configured in the authserver.properties file on the Settings application's SAML page used for SAML integration.


To configure SAML attributes for conditional user groups

  1. Open the
    2. <install_root>/AuthServer/config/authserver.properties file.
  2.  Web Application Platform's Settings > SAML page.

  3. Fill in the SAML user attributes for conditional user groups field with

    4. Uncomment the authentication.saml.attributes property and provide a comma-separated list of the

  4. SAML attributes you want to use for conditional groups

    5. as its value

  5. .

    6. Restart Web Application Platform

  6. Save the configuration.


Condition operators

You can define the conditions for conditional user groups using the configured SAML attributes and the following operators:

  • Boolean operators: AND; OR
  • Equality operators: ==; !=
  • Grouping of statements: ()
Tip
titleExample. When defining conditions, use SAML attributes the same way the are configured in your SAML integration.
A conditional user group with condition (SAML.loginLocation == "Dallas" AND SAML. clearance == "Secret") OR SAML. department == "ITservices" will grand grant its permissions to the members who either log in from Dallas and have the "Secret" clearance level or belong to the IT Services department.