Glean supports assigning roles and feature access to identity provider (IdP) groups. Instead of configuring individual user roles, you can map IdP groups to Glean roles to enable automatic permission inheritance based on group membership. Group-based permissions allow you to:
  • Assign roles to IdP groups: Manage Glean roles collectively rather than per individual user.
  • Manage permissions at scale: Leverage existing identity provider groups.
  • Control feature access: Use groups in feature greenlists, such as access to Glean Assistant and data source test groups.
  • Automate inheritance: Ensure users automatically receive or lose permissions as their IdP group memberships change.
Group-based permissions control Glean roles and feature access only. This feature does not change or override data source permissions. Glean continues to honor all source system ACLs exactly as configured in your data sources.

Supported identity providers

Glean supports group-based permissions for the following identity providers:
Identity Provider | Group Support | Notes
Azure AD (Microsoft 365) | Yes | Groups synced via the O365 connector
Google Groups (Google Workspace) | Yes | Groups synced via the Google Workspace connector
Okta | No | User provisioning via SCIM is supported, but group-based role assignment is not yet available
Glean only reads group membership information from your identity provider. It does not sync, modify, or enforce IdP permission rules.

Group-to-Role Mapping

Groups as principals

In Glean’s role-based access control (RBAC) model, groups are treated as principals alongside individual users. This means a group can be assigned:
  • One primary role (Member, Setup Admin, Admin, or Super Admin)
  • Multiple secondary roles (such as Agent Creator, Answers Moderator, Insights Moderator, or Sensitive Content Moderator)

Effective permission calculation

When a user belongs to one or more groups with assigned roles, Glean calculates effective permissions by merging:
  1. Roles assigned directly to the user
  2. Roles inherited from all groups the user belongs to
Glean applies the following rules during the merge:
  • Primary role: The highest-precedence role takes effect. Precedence follows this order: Super Admin > Admin > Setup Admin > Member.
  • Secondary roles: All secondary roles from the user’s direct assignments and group memberships are combined (union).
Consider a user with the following role assignments:
Source | Primary Role | Secondary Roles
Direct assignment | Admin | (none)
Group: IT-Admins | Setup Admin | API Token Creator
Group: Content-Team | Member | Answers Moderator
Effective result:
  • Primary role: Admin (highest precedence wins)
  • Secondary roles: API Token Creator + Answers Moderator (union of all)
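The merge rules above are simple enough to state as code. The following is an added illustration written for this page, not Glean's own implementation: it models a user's direct assignment and the mappings of the IdP groups they belong to as `RoleAssignment` records (a hypothetical type), picks the highest-precedence primary role, takes the union of secondary roles, and reproduces the worked example from the table. It also covers two behaviours described elsewhere on the page: the feature flag that, when disabled, makes group-derived roles be ignored, and greenlist checks in which a group can stand as a principal next to individual users. Group names and the user address are constructed sample values.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Primary role precedence as stated on the page, highest first.
PRIMARY_PRECEDENCE = ("Super Admin", "Admin", "Setup Admin", "Member")


@dataclass(frozen=True)
class RoleAssignment:
    """Roles attached to one principal (a user or an IdP group). Hypothetical type."""
    primary: Optional[str] = None
    secondary: FrozenSet[str] = frozenset()


def highest_primary(candidates: Iterable[Optional[str]]) -> Optional[str]:
    """Return the highest-precedence primary role among the candidates, or None."""
    present = [r for r in candidates if r is not None]
    if not present:
        return None
    for role in PRIMARY_PRECEDENCE:
        if role in present:
            return role
    raise ValueError(f"unknown primary role(s): {present}")


def effective_roles(direct: RoleAssignment,
                    user_groups: Iterable[str],
                    group_mappings: dict,
                    group_permissions_enabled: bool = True) -> RoleAssignment:
    """Merge a user's direct assignment with the mappings of their groups.

    group_mappings maps an IdP group name or email to a RoleAssignment; groups
    with no mapping contribute nothing. When the feature flag is off, only the
    direct assignment counts (the page: group-derived roles are ignored).
    """
    contributions = [direct]
    if group_permissions_enabled:
        contributions += [group_mappings[g] for g in user_groups if g in group_mappings]
    primary = highest_primary(a.primary for a in contributions)
    # Secondary roles are the union of every contribution.
    secondary = frozenset().union(*(a.secondary for a in contributions))
    return RoleAssignment(primary=primary, secondary=secondary)


def has_feature_access(user: str, user_groups: Iterable[str], greenlist: set) -> bool:
    """Greenlist check where a principal may be a user address or a group name."""
    return user in greenlist or any(g in greenlist for g in user_groups)


# Constructed sample data reproducing the page's worked example.
EXAMPLE_DIRECT = RoleAssignment(primary="Admin")
EXAMPLE_MAPPINGS = {
    "IT-Admins": RoleAssignment("Setup Admin", frozenset({"API Token Creator"})),
    "Content-Team": RoleAssignment("Member", frozenset({"Answers Moderator"})),
}
EXAMPLE_GROUPS = ["IT-Admins", "Content-Team"]


if __name__ == "__main__":
    result = effective_roles(EXAMPLE_DIRECT, EXAMPLE_GROUPS, EXAMPLE_MAPPINGS)
    print("primary:", result.primary)                 # Admin
    print("secondary:", sorted(result.secondary))     # API Token Creator, Answers Moderator
```

Two points worth noticing when reading the code: a user whose direct primary role is only Member but who sits in a mapped Setup Admin group ends up with Setup Admin, because precedence is evaluated across all contributions, and switching `group_permissions_enabled` to `False` drops both the group primary candidates and the group secondary roles, which is why disabling the flag can silently shrink a user's effective access.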

Configure Group-to-Role mappings

Admins can map IdP groups to Glean roles from the Teammates page in the Admin console.
Only users with the Admin or Super Admin role can configure group-based permissions.

Steps to Configure

1. Access User Group Permissions

In the Admin Console, open Teammates. Click the Default Member permissions button, then navigate to the User group permissions section.

2. Select Identity Provider

Choose the identity provider that contains your groups (for example, Microsoft 365 or Google Workspace).

3. Add Group Mappings

Click Add mapping to create a new group-to-role mapping:
  1. Search and select a group by name or email.
  2. Assign a primary role for the group.
  3. Optionally assign one or more secondary roles.
  4. Repeat for additional groups as needed.

4. Save Changes

Click Save changes to apply your group mappings.

Limits and sync behavior

  • You can assign roles to a maximum of 1,000 groups.
  • Glean automatically syncs group membership changes from your IdP. The synchronization frequency depends on your integration type:
    • SAML/SCIM integrations: Changes sync in near real-time.
    • OIDC integrations: Changes may take up to three hours to sync.
  • An on-demand sync control is available to refresh group membership immediately.

Use groups for feature access

Group-based permissions integrate with Glean’s greenlist-style provisioning for features such as:
  • Glean Assistant access: Grant Assistant access to entire groups instead of adding users individually.
  • Feature rollouts: Use groups to control access to beta features or phased rollouts.
  • Data source test groups: Include groups when configuring which users can see results from a data source during testing.
When configuring these features, you can now select groups as principals in addition to individual teammates.

Privacy and Security

Group information visibility

Only Admins and Super Admins can view group names, descriptions, and membership information within the Admin Console. Regular users cannot view their group memberships or identify how the system derives their permissions.
For organizations with sensitive group structures (such as executive or M&A-related groups), contact Glean support to discuss options for limiting group name visibility.

Manage group-derived roles

Glean treats roles inherited through group membership as read-only. To modify these inherited roles, you must perform one of the following:
  • Add or remove the user from the relevant group in your identity provider.
  • Modify the role mapping for the group in Glean Admin console.
You cannot directly remove a group-derived role from an individual user in the Glean Admin console.

Safety rails

The following guardrails apply to group-based permissions:
  • Admins cannot remove the last user or group from any role.
  • Admins cannot downgrade or remove Super Admin permissions from users or groups.
  • Only Super Admins can assign the Super Admin role to groups.

Limitations

The following limitations apply to group-based permissions:
Limitation | Details
Okta groups | Not yet supported. Okta SCIM provides user provisioning, but groups cannot be used for role assignment.
Group membership latency | OIDC-based integrations may have up to 3 hours of sync delay for membership changes.
Custom roles | Group-based permissions work with Glean's existing role structure. Custom role definitions are not currently supported.
Feature flag | Group-based permissions are controlled by a feature flag. If the feature is disabled, group-derived roles are ignored and only direct user role assignments apply.

Examples

Example 1: IT administrators group

Map your IT Admins group to the Admin role so that all IT team members automatically receive Glean Admin permissions:
Group | Primary Role | Secondary Roles
IT-Admins@company.com | Admin | (none)

Example 2: Assistant Pilot Group

Grant Glean Assistant access to a pilot group of early adopters:
Group | Primary Role | Secondary Roles
Assistant-Pilot@company.com | Member | (none)
Then configure Assistant access to include this group in the test group settings.

Example 3: Content Moderators

Assign content moderation permissions to your knowledge management team:
Group | Primary Role | Secondary Roles
Knowledge-Team@company.com | Member | Answers Moderator, Collections Moderator