Group role mapping and directory rules

Map IdP groups to workspace roles; attribute-based assignment and provisioning rules.

6 min read

Especially for

adminownerorg admin

Typically requires permissions

org:settings:manage

Under Identity & SSO, admins configure:

Group role mappings — external group ID → workspace assignments with roles (GroupRoleMapping)
Directory assignment rules — attribute conditions, optional Clerk org role, workspace assignments, priority
Provisioning rules — default workspaces/role, auto-create/suspend, allowed email domains, fallback behavior

Members provisioned via directory sync carry provisionedBy: scim or directory_sync on workspace memberships.

Related articles