Manage user access with IdP groups
This feature is only available on the Pro and Enterprise plans.
IdP group mapping allows you to manage membership in BSR organizations and repositories via security groups in your IdP, so it works seamlessly with your existing access controls:
- Users are granted access based on IdP group membership, with a default role that you can choose.
- The BSR automatically enrolls and un-enrolls users as members as your IdP groups change, and resolves differences between groups and manually-assigned access levels.
Prerequisites
- Your BSR instance uses SSO for user provisioning.
- You can provide an OIDC claim or a SAML assertion that contains the user’s groups—Buf will need to configure your instance before you can map groups.
Contact your Buf representative or Support for setup.
- For OIDC, if your IdP broadcasts a
UserInfoendpoint, you can configure the BSR to pull it from there. Otherwise, it must be part of the ID token. - SCIM isn't required for this feature, but if it's enabled and you're using it to push groups to the BSR, your IdP must be configured to provide the OIDC claim/SAML assertion.
- For OIDC, if your IdP broadcasts a
- If you filter which groups the BSR is aware of, only map to those groups. Mapping to a group the BSR can't see has no effect.
Warning
Once this is configured, all user tokens from the IdP must contain group information. If you're using SAML, any user for whom groups information isn't provided will be unable to login to the BSR. If you're using OIDC, their groups will be treated as empty and they will lose access to the mapped organizations and repositories.
Map an IdP group to an organization
To map a group to a BSR organization, issue an API command with a user who has admin permissions on the organization:
- Create an API token.
- Export
BUF_TOKEN,GROUP_NAME,ORGANIZATION_NAMEandPRIVATE_BSR_HOSTNAMEaccording to your details. - Get the organization ID:
- Extract the returned
organization.id, export it asORGANIZATION_IDand use it to map the group (see below if you want to override the default member role): - Ask your employees to logout/login for changes to take effect.
Override the default member role
Members of the group are automatically added to the organization at the Member role by default.
You can optionally override this by specifying a role_override in the payload, where the value is one of the specified roles.
The ORGANIZATION_ROLE_MACHINE is equivalent to the WRITER role.
To create the mapping with a role override, issue this API command with a user who has admin permissions on the organization:
$ curl \
-H "Authorization: Bearer ${BUF_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"organization_id\":\"${ORGANIZATION_ID}\", \"group_name\":\"${GROUP_NAME}\", \"role_override\":\"ORGANIZATION_ROLE_ADMIN\"}" \
"https://${PRIVATE_BSR_HOSTNAME}/buf.alpha.registry.v1alpha1.OrganizationService/AddOrganizationGroup"
Change or clear the role override
If you want to change or clear the role override, issue this API command with a user who has admin permissions on the organization:
$ curl \
-H "Authorization: Bearer ${BUF_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"organization_id\":\"${ORGANIZATION_ID}\", \"group_name\":\"${GROUP_NAME}\", \"role_override\":\"ORGANIZATION_ROLE_ADMIN\"}" \
"https://${PRIVATE_BSR_HOSTNAME}/buf.alpha.registry.v1alpha1.OrganizationService/UpdateOrganizationGroup"
To clear the role override, use ORGANIZATION_ROLE_UNSPECIFIED as the role_override value.
Unmap a security group to an organization
To unmap a group, issue the same commands as for mapping, except in the final step invoke RemoveOrganizationGroup instead.
$ curl \
-H "Authorization: Bearer ${BUF_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"organization_id\":\"${ORGANIZATION_ID}\", \"group_name\":\"${GROUP_NAME}\"}" \
"https://${PRIVATE_BSR_HOSTNAME}/buf.alpha.registry.v1alpha1.OrganizationService/RemoveOrganizationGroup"
Members don't need to logout or login when a group is removed—they're removed from the organization immediately.
Map an IdP group to a repository
You can only map groups to repositories that are owned by an organization.
To map a group to a BSR repository, issue an API command with a user who has the Admin resource role on the repository:
- Create an API token.
- Export
BUF_TOKEN,GROUP_NAME,REPOSITORY_NAME,ORGANIZATION_NAME, andPRIVATE_BSR_HOSTNAMEaccording to your details. - Get the repository ID:
- Extract the returned
repository.id, export it asREPOSITORY_IDand use it to map the group (see below if you want to override the default resource role): - Ask your employees to logout/login for changes to take effect.
Override the default resource role
Members of the group are automatically added to the repository with a Read resource role by default.
You can optionally override this by specifying a role_override in the payload, where the value is one of the specified roles (except for REPOSITORY_ROLE_OWNER, which is the parent organization).
To create the mapping with a role override, issue this API command with a user who has the Admin resource role on the repository:
$ curl \
-H "Authorization: Bearer ${BUF_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"repository_id\":\"${REPOSITORY_ID}\", \"group_name\":\"${GROUP_NAME}\", \"role_override\":\"REPOSITORY_ROLE_WRITE\"}" \
"https://${PRIVATE_BSR_HOSTNAME}/buf.alpha.registry.v1alpha1.RepositoryService/AddRepositoryGroup"
Change or clear the role override
If you want to change or clear the role override, issue this API command with a user who has the Admin resource role on the repository:
$ curl \
-H "Authorization: Bearer ${BUF_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"repository_id\":\"${REPOSITORY_ID}\", \"group_name\":\"${GROUP_NAME}\", \"role_override\":\"REPOSITORY_ROLE_WRITE\"}" \
"https://${PRIVATE_BSR_HOSTNAME}/buf.alpha.registry.v1alpha1.RepositoryService/UpdateRepositoryGroup"
To clear the role override, use REPOSITORY_ROLE_UNSPECIFIED as the role_override value.
Unmap a security group to a repository
To unmap a group, issue the same commands as for mapping, except in the final step invoke RemoveRepositoryGroup instead.
$ curl \
-H "Authorization: Bearer ${BUF_TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"repository_id\":\"${REPOSITORY_ID}\", \"group_name\":\"${GROUP_NAME}\"}" \
"https://${PRIVATE_BSR_HOSTNAME}/buf.alpha.registry.v1alpha1.RepositoryService/RemoveRepositoryGroup"
Members don't need to logout or login when a group is removed—they're removed from the repository immediately.
Resolution of different access levels
If a user has different access levels over an organization or repository based on group memberships and manual overrides via the BSR web app, the access level resolves at runtime to the highest available. The BSR tracks the complete set of roles that apply, so if a mapping is changed or a user's group membership changes, the BSR only removes that specific role. The user retains their roles from other groups and those given manually.