In certain security-related authentication scenarios, the SAML IdP must determine a user's access rights dynamically on each login, taking the network, the user's location and possibly other criteria into account. Teamwork Cloud lets you validate or invalidate user group membership based on SAML attribute values by using the conditional user groups feature.

Prerequisites

To use conditional user groups, the Conditional user groups option must be enabled in the Settings application.


To create a conditional user group


  1. Go to the Users application.
  2. Create a new user group, or select an existing user group to edit it.
  3. On the group details pane, turn on the Conditional user group switch.
  4. In the Condition box, enter the condition users must meet to be granted the group's permissions. The syntax is described under Condition syntax below.
  5. Save the user group.


Creating a conditional user group.

Condition syntax

Configuring SAML attributes

Conditions for conditional user groups can only reference the SAML attributes configured in the authserver.properties file used for SAML integration.


To configure SAML attributes for conditional user groups


  1. Open the <install_root>/AuthServer/config/authserver.properties file.
  2. Uncomment the authentication.saml.attributes property and provide a comma-separated list of the SAML attributes you want to use for conditional groups as its value.
  3. Restart Web Application Platform.


Condition operators

You can define the conditions for conditional user groups using the configured SAML attributes and the following operators:

  • Boolean operators: AND; OR
  • Equality operators: ==; !=
  • Grouping of statements: ()

Example

A conditional user group with the condition (SAML.loginLocation == "Dallas" AND SAML.clearance == "Secret") OR SAML.department == "ITservices" will grant its permissions to members who either log in from Dallas and have the "Secret" clearance level, or belong to the IT Services department.
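The condition language above, as an added example that is not Teamwork Cloud's own code: a small tokenizer and recursive-descent evaluator in Python that checks a condition against the SAML attributes presented at one login. It assumes that AND binds tighter than OR (the page does not state precedence, so use parentheses as the example does) and that a comparison on an attribute the IdP did not send is false whichever operator is used, so that != can never grant membership through an attribute's absence.

```python
import re
from typing import Dict, List
# Added example (not Teamwork Cloud's own code): evaluate a conditional user
# group condition against the SAML attributes of one login. Assumptions: AND
# binds tighter than OR, and a comparison on an attribute the IdP did not send
# is false (fail closed) whichever operator is used.
TOKEN_RE = re.compile(r'\s*(\(|\)|==|!=|AND\b|OR\b|"[^"]*"|SAML\.\w+)')
EXAMPLE_CONDITION = ('(SAML.loginLocation == "Dallas" AND SAML.clearance == "Secret")'
                     ' OR SAML.department == "ITservices"')

def tokenize(cond: str) -> List[str]:
    cond, pos, toks = cond.strip(), 0, []
    while pos < len(cond):
        m = TOKEN_RE.match(cond, pos)
        if not m:  # anything outside the documented syntax is a syntax error
            raise ValueError(f"unexpected input near {cond[pos:pos + 20]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks

def evaluate(cond: str, attrs: Dict[str, str]) -> bool:
    # Grammar: expr := term (OR term)*; term := factor (AND factor)*;
    # factor := '(' expr ')' | SAML.attr ('==' | '!=') "literal"
    toks = tokenize(cond)
    nxt = lambda: toks.pop(0) if toks else None  # consume one token
    def expr():
        value = term()
        while toks and toks[0] == "OR":
            nxt()
            value = term() or value  # rhs is always parsed, then combined
        return value
    def term():
        value = factor()
        while toks and toks[0] == "AND":
            nxt()
            value = factor() and value
        return value
    def factor():
        tok = nxt()
        if tok == "(":
            value = expr()
            if nxt() != ")":
                raise ValueError("missing ')'")
            return value
        op, lit = nxt(), nxt()
        if not (tok and tok.startswith("SAML.") and op in ("==", "!=") and lit and lit[0] == '"'):
            raise ValueError(f"malformed comparison at {tok!r}")
        actual = attrs.get(tok[len("SAML."):])
        # absent attribute never grants membership, even with !=
        return actual is not None and (actual == lit[1:-1]) == (op == "==")
    result = expr()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return result
```

The attribute dictionary stands in for the values of the attributes listed in authentication.saml.attributes; feeding the evaluator a few representative logins before enabling a group is a cheap way to confirm the condition grants exactly what was intended.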