Released

Allow SSO to retain manual custom role assignments

Related products: CC Users & Roles

dandre
  • Contributor ⭐️⭐️⭐️⭐️⭐️
  • 50 replies

Unfortunately, we ran into what I think is a big limitation for SSO. We had the option enabled to set custom roles alongside SSO - which was VERY hard for our team to implement, since we had to modify our SSO response to include values that inSided wanted, rather than having an interface to map already existing attributes to make decisions about roles - i.e. we already had data in the response to identify the correct roles.

Anyway, with that out of the way, we came to learn that ANY manual modifications to user roles via control will get overridden by SSO upon next user login. For us, this is a deal breaker because we will have several scenarios where we need somebody to be in a role to gain access to specific categories which cannot be assigned via SSO. For example, we had planned to leverage the community to run a beta program. Now we have to somehow edit our SSO response to identify a beta customer - which may only be 10 users at a time? That does not make sense to me. Likewise, new customer onboarding is a use case we are pursuing right now - we do not have a way to easily detect a ‘new customer’ between our systems, so it's not possible for us to add this to the SSO response. Our workaround would be to use API or just have a trigger in Gainsight to tell our community admin to add them into the correct role.

Right now we have custom roles disabled, and luckily we have a strong engineering team that built a script that checks for new users and assigns roles every hour. That is NOT ideal, since it could be up to an hour before a user gets access to a place they need to be in (i.e. new customer).

Given these parameters, the idea here is to allow an option to manually add ‘additional’ roles to a user via control, and NOT have it overwritten via SSO. These are only in addition to the role IDs defined in the SSO response. I do not mind if a change in the group IDs in the SSO response enforces a custom role change, but if the role was configured manually it should be left alone.

Thought:

User1 belongs to roles 5,10,15 in SSO. In control we add them to role 20.

User1 continues to be part of 5,10,15, 20 upon next login.

 

A change occurs and SSO now has the user as 1, 10, 15

Next time the user logs in, their roles should be 1, 10, 15, 20

7 replies

daniel.boon
  • Helper ⭐️⭐️⭐️
  • 730 replies
  • March 11, 2021

Thanks for sharing this feedback @dandre - sounds super frustrating and definitely not ideal to have a 0-60min latency on a user being able to see the right content/categories.


daniel.boon
  • Helper ⭐️⭐️⭐️
  • 730 replies
  • March 11, 2021
Updated idea status: New → Open

dandre
  • Author
  • Contributor ⭐️⭐️⭐️⭐️⭐️
  • 50 replies
  • July 29, 2021

Adding @Dorothyt - she is a consultant and is implementing inSided for another customer. Unfortunately they are impacted by this issue as well.


alex.timmermann
  • Gainsight Employee ⭐️
  • 37 replies
  • August 3, 2021

Hi @dandre @Dorothyt! I’m happy to be able to tell you that this has been implemented now :raised_hands_tone1::rocket: For now this isn’t self-service, so to enable this feature for your respective communities, please let us know through Support or your CSM :slight_smile:

One thing to keep in mind that differs from what @dandre sketched out above: Enabling this feature will lead to the currently assigned roles being merged with the ones coming in from SSO. That also means that roles cannot be unassigned via SSO with this enabled. So for example:

  • User1 belongs to roles 5,10,15 in SSO. In control we add them to role 20.

  • User1 continues to be part of 5,10,15,20 upon next login.

  • A change occurs and SSO now has the user as 1,10,15

  • Next time the user logs in, their roles will be 1,5,10,15,20


alex.timmermann
  • Gainsight Employee ⭐️
  • 37 replies
  • August 3, 2021
Updated idea status: Open → Delivered

dandre
  • Author
  • Contributor ⭐️⭐️⭐️⭐️⭐️
  • 50 replies
  • August 3, 2021

Brilliant! Looking forward to trying this out - this will be a huge step forward for us.


alex.timmermann
  • Gainsight Employee ⭐️
  • 37 replies
  • September 6, 2021

Update:

This is now also available as a self-service option in the SSO provider configuration!
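
The two role-merge behaviours discussed in this thread, replayed on the thread's own role IDs, as an added example (not inSided/Gainsight code). The per-account tracking of manually assigned roles and all function names are assumptions made for illustration.

```python
# Added illustration: models the role-merge semantics described in the thread.
# "manual" provenance tracking is an assumption, not a documented platform feature.

class Account:
    def __init__(self):
        self.roles = set()    # effective roles on the community account
        self.manual = set()   # roles an admin added by hand in Control

def admin_add(acct, role):
    acct.roles.add(role)
    acct.manual.add(role)

def login_merge(acct, sso_roles):
    """Delivered behaviour: existing roles are merged with the SSO roles."""
    acct.roles |= set(sso_roles)

def login_provenance(acct, sso_roles):
    """Requested behaviour: SSO roles replace SSO roles, manual roles survive."""
    acct.roles = set(sso_roles) | acct.manual

def stale_roles(acct, sso_roles):
    """Roles that neither the current SSO response nor an admin accounts for."""
    return acct.roles - set(sso_roles) - acct.manual

def replay(login, events):
    """Apply events in order; return (effective roles, stale roles) at the end."""
    acct, last_sso = Account(), set()
    for kind, value in events:
        if kind == "sso":
            last_sso = set(value)
            login(acct, value)
        else:
            admin_add(acct, value)
    return sorted(acct.roles), sorted(stale_roles(acct, last_sso))

# Constructed event sequence taken from the thread's example.
EVENTS = [
    ("sso", [5, 10, 15]),   # first login
    ("admin", 20),          # role added manually in Control
    ("sso", [5, 10, 15]),   # next login, SSO unchanged
    ("sso", [1, 10, 15]),   # SSO drops role 5, adds role 1
]

if __name__ == "__main__":
    print("merge:     ", replay(login_merge, EVENTS))
    print("provenance:", replay(login_provenance, EVENTS))
```

With the merge behaviour, role 5 stays on the account after SSO stops sending it, so revoking access needs a separate review step such as the `stale_roles` check.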

 

