From 15c338db512610a9c4ccd4d7cff7f918beb5ec6c Mon Sep 17 00:00:00 2001 From: Owen Rumney Date: Tue, 10 Sep 2024 19:24:58 +0100 Subject: [PATCH] docs: update docs about enterprise saml groups --- docs/infracost_cloud/sso.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/docs/infracost_cloud/sso.md b/docs/infracost_cloud/sso.md index 932a8fb9..23c2bb2c 100644 --- a/docs/infracost_cloud/sso.md +++ b/docs/infracost_cloud/sso.md 
@@ -120,12 +120,23 @@ To enable this feature you will need to provide the following information: | SAML group | Infracost organization slug | Infracost role | |------------|-----------------------------|----------------| - | InfracostViewer | my-org | Org Viewer | - | InfracostEditor | my-org | Org Editor | + | InfracostOwner | my-org | Org Owner | | InfracostAdmin | my-org | Org Admin | - | InfracostOwner | my-org | Enterprise Admin | + | InfracostEditor | my-org | Org Editor | + | InfracostViewer | my-org | Org Viewer | + + This supports all the Infracost roles listed in the [roles documentation](/docs/infracost_cloud/key_concepts/#team-management) for specific organizations. + Where customers have multiple organizations under an enterprise organization, the SAML groups can be treated as global roles that span all orgs in the enterprise, eg; + + | SAML Group | Infracost role | + | ------------------------- | ----------------- | + | InfracostEnterpriseOwner | Enterprise Owner | + | InfracostEnterpriseAdmin | Enterprise Admin | + | InfracostEnterpriseEditor | Enterprise Editor | + | InfracostEnterpriseViewer | Enterprise Viewer | + + In an enterprise with 10 organizations, if a user is assigned the `InfracostEnterpriseViewer` SAML group, they will be a viewer in all 10 organizations. - This supports all the Infracost roles listed in the [roles documentation](/docs/infracost_cloud/key_concepts/#team-management), as well as a special role `Enterprise Admin` which has access to all organizations in your enterprise account. 2. The attribute name in the SAML assertion that will contain the group names, for example `memberOf`. 3. If possible, an example of the SAML assertion that will be sent.
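Review bot: The added enterprise-groups paragraph and table do not say which role applies when a user's assertion carries both an enterprise-wide group (such as `InfracostEnterpriseViewer`) and a per-organization group (such as `InfracostAdmin` for `my-org`). Because these mappings grant access, please state the precedence rule right after the "10 organizations" sentence, for example whether the higher role wins or the organization-specific mapping overrides the enterprise one. In the first table, `InfracostOwner` now maps to `Org Owner` where the removed line mapped it to `Enterprise Admin`, so a reader who copied the earlier example may be unsure what their existing group grants. A one-line note pointing them to the `InfracostEnterprise*` groups would help. Minor style point: `eg;` at the end of the added "global roles" sentence should read `e.g.:`.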