On this page

In certain security-related authentication scenarios, user access rights must be determined dynamically by SAML IDPs on each login operation by taking network and user location (and possibly other criteria) into account. Teamwork Cloud allows you to validate/invalidate user group membership based on SAML attribute values by using the conditional user groups feature.

When users are added to a conditional user group, they receive the group permissions only if the group condition is met, for example, if they log in from the right location.

To create a conditional user group

1. Go to the Users application
2. Start creating a new or select to edit an existing user group.
3. On the group details pane, turn on the Conditional user group switch.
4. In the Condition box, enter the condition users must meet to be granted the group permissions. Available attributes are displayed below the Condition box. Learn more about condition syntax.
   

   When defining the condition for a conditional user group, make sure to use SAML attributes in the same way they are configured on the SAML page of the Settings application.

5. Click  to save the user group.

Creating a conditional user group.

Condition syntax

Configuring SAML attributes

Conditions for conditional user groups accept only the SAML attributes configured on the Settings application's SAML page used for SAML integration.

To configure SAML attributes for conditional user groups

1. Open the Web Application Platform's Settings > SAML page.

2. Fill in the SAML user attributes for conditional user groups field with SAML attributes you want to use for conditional groups.

3. Save the configuration.

Condition operators

You can define the conditions for conditional user groups using the configured SAML attributes and the following operators:

• Boolean operators: AND; OR
• Equality operators: ==; !=
• Grouping of statements: ()