Permission Groups

Updraft clients with a large group of Users often face the challenge of managing large teams within their Identity Providers (IdPs) like Okta or Active Directory (AD). For big organizations with thousands of testers, it is impractical to manually assign users and groups to individual projects in Updraft. Manually adding users to each project becomes a time-consuming task, especially for large enterprises.

To address these challenges, we are introducing Permission Group Management in Updraft to streamline user and group assignments across Updraft projects.

Group Management Overview

• A Permission Group is a collection of Updraft users who can be collectively assigned to projects.

• Users can belong to one or more permission groups within Updraft.

• Groups can be assigned to projects, eliminating the need to add individual users manually.

Assigning permission groups to projects

• Organization owners can invite permission groups to projects via a group invitation mechanism.

• When adding a group to a project, the user must define the group's maximum user-role in that project (e.g., Admin, Tester or Mobile-User).

• The maximum user-role defines the highest access level any user in the group can obtain for that project.

View project members source

Project membership origin: For clarity, Updraft shows all sources of membership for each project member. If a project member has multiple sources of membership, each instance is shown and counted separately in the list of the project members. For example, when a project member is added to a group directly and also through inheritance, they appear twice in the project member list, each entry indicating a different source, and are counted as two distinct project members.

• When a project member is added directly the source is: direct.

• When a project member is added by permission group the source is: the name of the permission group.

Create permission groups

On the permission group page an Owner of an organization can create new permission groups.

1. Create a new group

2. Add a name

3. Save it

Add permission groups to users

There are two possibilities to add permission groups to an Updraft user:

1. On the Users page, the Owner of an Organization is able to select permission groups for each user

2. SSO: When SSO users log in via an SSO integration (e.g., Okta, AD), Updraft automatically discovers their group memberships from the IdP.

   1. Newly detected permission groups are automatically added to the User, simplifying group management for large organizations.

   2. When you are using SSO and you would like to mapping SSO groups with Updraft permission groups, create first the permission groups in Updraft, so that the mapping works correctly.

Assign permission group to project(s)

1. Click on the 3 dots next to your created permission group

2. Select the projects and related applications to which your permission group should get access

   1. you can set indivual access on app level

3. Select the user-role (The maximum user-role defines the highest access level any user in the group can obtain for that project)

4. Add to project

Mapping SAML groups to Updraft permission groups

In certain situations, you may need to align the SAML groups from your Identity Provider (IdP) with the group names used in Updraft. This is an optional process, required only if your IdP does not provide the actual group names, but instead sends an ID linked to the group in the IdP. You can configure this in the Settings of each SAML setup by using key/value pairs.

Updraft will automatically assign users to the right permission group.

It is important that the groups are created in Updraft (it is sufficient to enter the name of the permission group). The group mapping can then be carried out in the SAML provider. As soon as a user logs in via SSO, their group is then dedected and the user is assigned to the permission group in Updraft. This allows you to make fine granular settings for permissions down to app level - for example, you can only give your SSO user access to your test app via SSO mapping, but not to the productive app.