Automatically assign roles based on group names

You can automatically assign roles in Atlan based on user group memberships. This helps streamline onboarding, enforce consistent access control, and reduce manual effort by mapping groups to roles such as Admin, Member, or Guest.

Prerequisites

Before you begin, ensure you have:

  • Access to the User Role Sync app. If you don't have access, contact Atlan support or your Atlan customer team to request it.
  • Admin permissions in Atlan to configure workflows and assign roles. Learn more about admin roles.
  • A personal API token generated from your Atlan profile for workflow authentication.
  • All required user groups created and available in Atlan, as described in Create groups.

Setup workflow

  1. In your Atlan workspace, go to the homepage and click New workflow in the top navigation bar.
  2. Search for User Role Sync, and then select Set up workflow.
  3. In the Workflow name field, enter a descriptive name that clearly identifies the purpose of this workflow.
  4. In the Authentication section, provide your API token. This token is required for the workflow to authenticate with Atlan and perform user role updates.

Define role mapping rules

After authentication is configured and tested, set up how group memberships correspond to specific roles in Atlan. This configuration also determines the order of priority when a user belongs to multiple groups and can optionally include sub-role assignments for more granular control.

  1. In the Selection mode, select List to define a fixed set of Atlan group names that are explicitly mapped to roles, such as assigning the admin role to data-admins and data-leads (both part of the existing Atlan groups in your workspace).

    If you need to match multiple groups that follow a naming pattern, such as all groups ending in -admins, use Regex mode instead. For more details, see Selection mode.

  2. In the Role hierarchy, choose how Atlan resolves conflicts when a user belongs to multiple groups mapped to different roles. You can select the default Guest → Member → Admin, which prioritizes the most restrictive role.

    If a user belongs to both the guests and data-admins groups, the guest role is assigned. To view other hierarchy options, see Role hierarchy options.

  3. In the Admin group field, enter a comma-separated list of group names whose members are assigned the admin role. Use names that are identical to the display names of the groups in Atlan.

    data-admins,data-leads

    To match group names using patterns, see Regex matching.

  4. To assign more granular responsibilities under the admin role, select Static under the Admin Sub Role Option. This assigns fixed sub-roles such as workflow-admin and governance-admin to specific groups and sets their order of precedence.

  5. In the Workflow Admin (sub-role) Group field, enter the group names whose members receive the workflow-admin sub-role. Use comma-separated values, such as engineering-ops-admins.

  6. In the Governance Admin (sub-role) Group field, enter the group names whose members receive the governance-admin sub-role. Use comma-separated values, such as data-governance-leads.

  7. In the Admin Sub Role hierarchy field, define the order of precedence between sub-roles. If a user qualifies for multiple sub-roles, the one listed first is assigned.

    workflow-admin,governance-admin

    If you need to define flexible, custom admin sub-roles instead of fixed ones, see Configure dynamic sub-roles.

  8. In the Member group field, add group names to assign the member role for users who work with metadata, glossaries, or queries but don’t need admin access.

  9. In the Guest group field, enter group names for users who only need limited or read-only access to Atlan, such as viewers or contractors.

  10. Schedule and run the workflow. Run the workflow manually or set a recurring schedule to keep role assignments up to date.
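
The precedence rules in steps 2 and 7, modeled locally as an added example (not Atlan's code, and it calls no Atlan API), so a mapping can be checked against sample memberships before the workflow runs. It assumes List mode matches names exactly and case-sensitively, that sub-roles are evaluated only for users who resolve to admin, and that a user in no mapped group gets no role; the `data-analysts` group and the sample users are constructed.

```python
# Added illustration: a local model of the mapping rules on this page,
# not Atlan's implementation and not a call to any Atlan API.
DEFAULT_HIERARCHY = ["guest", "member", "admin"]   # Guest → Member → Admin: first match wins

ROLE_GROUPS = {                       # field values as entered in the workflow form
    "admin": "data-admins,data-leads",
    "member": "data-analysts",        # constructed sample group
    "guest": "guests",
}
SUB_ROLE_HIERARCHY = "workflow-admin,governance-admin"
SUB_ROLE_GROUPS = {
    "workflow-admin": "engineering-ops-admins",
    "governance-admin": "data-governance-leads",
}

def split_csv(value):
    """Split a comma-separated field; trimming spaces is an assumption of this model."""
    return {name.strip() for name in value.split(",") if name.strip()}

def first_match(order, mapping, user_groups):
    """Return the first key in `order` whose group list shares a group with the user."""
    for key in order:
        if split_csv(mapping.get(key, "")) & set(user_groups):
            return key
    return None                       # assumption: unmatched users get no role here

def resolve(user_groups, hierarchy=DEFAULT_HIERARCHY):
    """List-mode (exact, case-sensitive in this model) role and sub-role resolution."""
    role = first_match(hierarchy, ROLE_GROUPS, user_groups)
    sub_role = None
    if role == "admin":               # assumption: sub-roles only apply to admins
        order = [s.strip() for s in SUB_ROLE_HIERARCHY.split(",")]
        sub_role = first_match(order, SUB_ROLE_GROUPS, user_groups)
    return role, sub_role

def preview(users, hierarchy=DEFAULT_HIERARCHY):
    """Per-user outcome, flagging users whose role was decided by precedence."""
    report = {}
    for user, groups in users.items():
        matched = [r for r in hierarchy if split_csv(ROLE_GROUPS.get(r, "")) & set(groups)]
        role, sub_role = resolve(groups, hierarchy)
        report[user] = {"role": role, "sub_role": sub_role, "conflict": len(matched) > 1}
    return report

SAMPLE_USERS = {                      # constructed sample memberships
    "ana": ["data-admins", "engineering-ops-admins", "data-governance-leads"],
    "ben": ["guests", "data-admins"],
    "cho": ["Data-Admins"],           # differs from the display name: no match
}
```

Users flagged `conflict` by `preview(SAMPLE_USERS)` are the ones whose access depends on the hierarchy order, so they are the memberships to review before scheduling the workflow.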

Need help?

If you have any issues related to configuring the app, contact Atlan support.

See also

  • User Role Sync: Reference: Detailed explanation of each configuration property, including valid values, examples, and behavior.