Documentation

SSO-Driven Assignment of Scoped Views

SSO driven assignment of Scoped Views through Ternary Groups

Suggest Edits

Our SSO integration allows you to configure users to be assigned an appropriate set of Scoped Views when they access Ternary for the first time or when their IdP group changes.

To begin the process of setting up groups in Ternary to assign appropriate Scoped Views to users, you must have SSO through your IdP configured with Ternary. This allows us to receive the Group names from your IdP token which is what enables assigning the appropriate Scoped Views through Groups in Ternary.

Prerequisites

  • A user with the Admin role in Ternary
  • Have already created Scoped Views that align to your user groups to provide users the appropriate data. Documentation and explanations on creating Scoped views can be found here
  • You must have SSO configured and set up with Ternary. If you have not done this, you can find the steps to do so in our documentation here

Gotchas

  • If a group name already exists in Ternary an error will be returned by the system when attempting to create the Group.
  • If you delete a group the users assigned Scoped Views will be removed and they will have access to all data. You can create a separate Scoped View that filters out all data and assign it to the user to ensure they do not have access to do data that they should not have.
  • Instead of making Edits directly in an existing Group, to do testing, we recommend making a Copy of the Group to make changes to test.
  • Changes are instantaneous. Meaning, if a user was not in a Group before and had access to all data, as soon as they are assigned to a Group the Scoped Views will be available/enforced/enabled by default.
  • You cannot change the name of an existing group, at present, you must make a Copy and change the name. This is to prevent an issue of an already working Group being modified and breaking the integration.
  • If a user has existing Scoped Views assigned, they will be overwritten by the Group assigned Scoped Views.
  • If you make changes to an underlying Scoped View, for a particular user manually, those changes will decouple the SSO assigned Group and Ternary. For example, if a Scoped View was assigned to a user as "Enforced For" and you change it to "Available For" for that user it will decouple the two.

Step 1 - Set up Groups in Ternary

  1. Navigate to Admin -> User Group configurations
  2. Click "Add User Group Config"
  3. Enter the Group Name (The name of the Group must be EXACTLY as it appears in the ID token and it is case sensitive)
  4. Select the Scoped Views you want any user in the Group to have when logging into Ternary

Admin Page:

Configuring Group with Name and associated Scoped Views:

Once completed, you will see the new Group in the User Group Configurations table.

Updated 19 days ago