Roles Mapping
The Roles Mapping screen is where you tell DPMS how to translate your identity provider's group memberships into platform roles. Without this configuration, users who sign in through Single Sign-On (SSO) or are provisioned automatically via SCIM arrive without a role — meaning they cannot access the modules they need. This screen is the final piece of your Identity & Access Management setup, and everything you configure here has an immediate, automatic effect on every future login and every SCIM synchronisation.
How to open it
In the left-hand sidebar, expand IT Settings, then click Identity & Access Management. In the IAM sub-menu that appears, click Roles Mapping. The overview loads immediately — no extra tab click needed.
You need the IT Settings IAM read permission to see this screen at all. To make changes, you also need the IT Settings IAM edit permission. If the screen is not visible in your sidebar, contact your system administrator to confirm your permissions.
What you see
The overview page has a simple, two-column layout inside a white content card. On the left, each DPMS role is listed by name in blue text. On the right, you see which external groups are currently mapped to that role. If nothing has been configured yet, the right column shows a dash for every role. Once groups are assigned, each one appears with its name and a member count — for example, "DPMS-DPO — 12 members" — so you can immediately see both what is linked and how large each group is.
At the top of the card, you will find a pencil (edit) icon on the right side. This is your entry point to the edit flow. A breadcrumb at the very top of the content area shows your position (IT Settings › Identity & Access Management › Roles Mapping) and includes small left and right chevron arrows so you can navigate to adjacent IAM sections — such as SAML & OAuth or SCIM Overview — without returning to the sidebar.
When you click the pencil icon and enter edit mode, the screen expands into a two-tab layout. The General tab contains the role-to-group mapping form. The Groups tab shows a full list of all external groups stored in DPMS, with options to create, rename, and delete them.
Working with this screen
Setting up your role mapping for the first time
If your organisation has just finished configuring SSO on the SAML & OAuth screen, the Roles Mapping overview will show dashes in every row — nothing is linked yet. Here is how to complete the setup.
- On the overview page, click the pencil (edit) icon in the top-right corner of the card. The edit page opens on the General tab.
- After a brief loading moment, you will see a list of every DPMS role (except Super Administrator — more on that below), each paired with a searchable, multi-select dropdown.
- Click the dropdown next to the first role you want to configure — for example, Data Protection Officer. Start typing the name of the group from your identity provider. Matching groups appear as you type, each showing the group name and its current member count.
- Select the group. It appears as a chip inside the dropdown. Repeat for as many groups as that role needs, then move on to the next role.
- When all your mappings are in place, click Save. A success confirmation appears, and you are taken back to the edit page with the Groups tab active, where you can verify all groups are present.
- To see the final read-only summary, click the back arrow in the edit page header or use the breadcrumb to return to the overview.
From this point on, every time a user signs in via SAML2 or OAuth2 — and every time a SCIM sync runs — DPMS will consult these mappings and assign the correct role automatically.
Creating a new group on the fly while mapping
Sometimes the group you need does not yet exist in DPMS — perhaps it was just created in your identity provider but has not synced yet, or you want to pre-create it manually. You do not need to navigate away to do this.
- Open the edit page (pencil icon) and go to the General tab.
- Find the role dropdown where you need the new group. Start typing the group name you want to create.
- The dropdown will show a Create "your-typed-name" option at the top of the suggestion list. Click it, or press Enter.
- DPMS immediately creates the group in the background and adds it as a selected chip in the dropdown. The chip will show "0 members" initially — that is correct, because no users have been synced to it yet.
- Click Save when you are done. Both the new group and the mapping are saved in one step.
If you need to set the correct Unique Identifier for the new group (so it matches what your identity provider sends), switch to the Groups tab afterwards and edit the group there.
Reviewing and cleaning up mappings
During a periodic IAM review — or whenever your identity provider's group structure changes — you may find groups that are stale or roles that need reassignment.
- Navigate to the Roles Mapping overview and read through the two-column table. Look for any group names that have been decommissioned in your identity provider.
- Click the pencil icon to enter edit mode. On the General tab, find the relevant role's dropdown and click the ✕ on the chip of the group you want to remove.
- Click Save. The mapping is updated immediately. Future logins and SCIM syncs will no longer assign that role to users in the removed group.
- If the group itself is no longer needed at all, switch to the Groups tab. Find the group in the list, click its three-dot menu, and select the delete option. This removes the group record from DPMS entirely.
Heads up: Deleting a group that was still mapped to a role will leave that role without a group assignment. Always remove the group from the mapping on the General tab before deleting it, or ensure the mapping is updated immediately afterwards.
Managing groups on the Groups tab
The Groups tab is a full management surface for all external groups stored in DPMS. You reach it either by clicking the tab on the edit page, or automatically after saving the mapping form or saving a group edit.
To create a new group manually, click the Create button and choose Create Group. This opens a short form where you enter the group's display name and its Unique Identifier (the value your identity provider sends). Fill in both fields and save. The group will now appear in the mapping dropdowns on the General tab.
To edit an existing group, click anywhere on its row in the table. The same form opens, pre-filled with the group's current name and identifier. Update the fields and save. You are returned to the edit page with the Groups tab active.
To delete a group, click the three-dot menu at the end of its row and choose the delete option.
Tip: The Groups tab does not have a Save button — each group operation (create, edit, delete) saves immediately on its own. If you switch to the Groups tab while you have unsaved changes on the General tab, those changes will be lost. Always save your role mappings first.
Field reference
The following fields appear in the group create/edit form, accessible from the Groups tab or by clicking a group row.
- Name — The human-readable label for the group. This is the name shown in the mapping dropdowns and in the Groups table. Required. Sent to the platform as both the display name and the internal name. No length limit is enforced in the form, but keep names clear and consistent with your identity provider's naming conventions.
- Unique Identifier — The machine-readable string that uniquely identifies this group in your identity provider. For SAML2 integrations, this must exactly match the value inside the group claim sent by your IdP. For SCIM integrations, it must match the externalId field your provisioning system sends. Required. This value is case-sensitive in most implementations — a mismatch, even a difference in capitalisation, will mean the group claim goes unrecognised and users will not receive the expected role.
The multi-select dropdowns on the General tab are searchable and accept multiple groups per role. Each option shows the group name alongside its current member count. You can also type a new name directly to create a group on the fly (see above).
How this connects to the rest of DPMS
Roles Mapping is the last step in your IAM configuration sequence. Typically, you will arrive here after:
- Configuring your SAML & OAuth credentials (so SSO logins are working), and
- Setting up your SCIM Overview and Tokens (so automated user provisioning is enabled).
Once your mappings are saved, they feed directly into:
- Every SSO login — when a user authenticates via SAML2 or OAuth2, DPMS reads their group claims and looks them up in this mapping table to assign the correct role.
- Every SCIM sync — when your identity provider adds, updates, or removes a user, DPMS checks the user's group memberships against this table and sets the role accordingly.
- User Management — the roles shown for each user in the User Management screen are a direct result of what is configured here.
- Module access — roles carry permissions that control which DPMS modules and actions each user can perform. If a user cannot access a module they expect to see, the first place to check is whether their identity provider group is correctly mapped here.
After finishing your Roles Mapping configuration, use the breadcrumb chevron arrows or the IAM sidebar to navigate to Logs and confirm that logins and SCIM syncs are completing without errors.
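The lookup described above depends on an exact match between the group values your identity provider sends and each group's Unique Identifier. The following is an added example (not DPMS code) of a pre-flight audit that flags case-only or whitespace-only mismatches and mapped groups the IdP no longer sends. The sample data, the "Auditor" role name and the function names are constructed for illustration, and exact case-sensitive matching is assumed.

```python
# Added example, not DPMS code. All identifiers and data below are constructed.

# Constructed sample: Unique Identifier -> role, as configured on the General tab.
MAPPINGS = {
    "DPMS-DPO": "Data Protection Officer",
    "dpms-auditors": "Auditor",        # hypothetical role name
    "DPMS-Legacy-Team": "Auditor",     # group since decommissioned in the IdP
}

# Constructed sample: values the IdP sends (SAML2 group claim / SCIM externalId).
IDP_GROUPS = ["DPMS-DPO", "DPMS-Auditors", "DPMS-Finance "]


def resolve_roles(claims, mappings):
    """Exact, case-sensitive lookup (assumed behaviour for Unique Identifier)."""
    return sorted({mappings[c] for c in claims if c in mappings})


def _norm(value):
    """Fold case and trim whitespace so near-identical identifiers compare equal."""
    return value.strip().casefold()


def audit(idp_groups, mappings):
    """Classify identifiers as exact, near_miss, unmapped (IdP only) or stale."""
    by_norm = {_norm(k): k for k in mappings}
    report = {"exact": [], "near_miss": [], "unmapped": [], "stale": []}
    seen = set()
    for group in idp_groups:
        if group in mappings:
            report["exact"].append(group)
            seen.add(group)
        elif _norm(group) in by_norm:
            # Differs only by case/whitespace: the claim would go unrecognised.
            configured = by_norm[_norm(group)]
            report["near_miss"].append((group, configured))
            seen.add(configured)
        else:
            report["unmapped"].append(group)
    # Mapped identifiers the IdP never sends: candidates for cleanup.
    report["stale"] = sorted(k for k in mappings if k not in seen)
    return report


if __name__ == "__main__":
    print(resolve_roles(["DPMS-DPO", "DPMS-Auditors"], MAPPINGS))
    for category, items in audit(IDP_GROUPS, MAPPINGS).items():
        print(f"{category}: {items}")
```

A near miss is resolved by editing the group's Unique Identifier on the Groups tab so it matches the IdP value; a stale entry is a candidate for the cleanup steps under Reviewing and cleaning up mappings.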
Tips & common pitfalls
Heads up: The Super Administrator role deliberately does not appear in the mapping form. This is a security design decision — Super Admin access cannot be granted through group-based provisioning. If you or a colleague are looking for a Super Admin mapping row and cannot find it, this is the reason, not a bug or a permissions issue.
Tip: The Unique Identifier must match exactly what your identity provider sends — character for character, including capitalisation. For SAML2, this is the value in your group claims attribute (configured on the SAML & OAuth screen). For SCIM, it is the externalId field. A mismatch means the incoming group claim will go unrecognised, and users will not receive the expected role.
- Groups must exist in DPMS before they appear in search results. If a group was recently created in your identity provider and SCIM has not yet synced it, you can create it manually using the inline Create option in the dropdown or via the Groups tab, then set the correct Unique Identifier.
- After saving the General tab, you land on the Groups tab — not the overview. This redirect is intentional so you can cross-check the group list. To see the final read-only summary, click the back arrow in the edit page header.
- Member counts in the dropdowns are a snapshot, not live data. The number shown next to each group name reflects the count at the time the page loaded. After a SCIM sync or manual group update, reload the page to see current figures.
- Switching tabs discards unsaved mapping changes. The General tab and the Groups tab operate independently. If you have made changes in the dropdowns on the General tab and then click over to the Groups tab, your mapping changes are gone. Always click Save on the General tab before switching.
- If the pencil icon appears disabled, you have read-only access to this screen. Contact your system administrator to request the edit permission for IT Settings IAM.