3.3 Mapping Authorizations for Provisioned Users

Most companies define their business policies through authorization assignments. When you configure SAML2/Account Management applications, SaaS Account Management allows you to map groups in your Access Manager user stores to specific authorizations in the SaaS applications.

If you configure SAML/Account Management connectors and provision users based only on mapped groups in specified LDAP user stores, but do not assign SaaS authorizations, the provisioned users get only basic user accounts without specific licenses, groups, roles, etc. For SaaS-specific authorizations to be assigned, you must map them to the LDAP groups you have selected.

Before you map authorizations, ensure that you understand the available authorizations for the SaaS application, and plan the mappings that are appropriate for your LDAP users. For more information about how authorizations work, see Understanding Authorizations and Understanding Google Apps Authorization Mappings.

IMPORTANT: Use caution when mapping authorizations. As a best practice, we recommend that you test any mapped authorizations in a non-production environment to ensure that they work as expected before you implement them in your production environment.
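One way to review a planned mapping before entering it in the console, shown as an added example that is not part of the product or its documentation. The group DNs, user names, authorization names, and the approval list are constructed sample data, and the script assumes that a user in several mapped groups receives the union of the authorizations mapped to those groups.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names, not a product export).
LDAP_GROUPS = {
    "cn=sales,ou=groups,o=example": {"asmith", "bjones"},
    "cn=it-admins,ou=groups,o=example": {"cdavis", "efox"},
    "cn=contractors,ou=groups,o=example": {"bjones", "dlee"},
}
PLANNED_MAPPING = {
    "cn=sales,ou=groups,o=example": {"Standard License", "Sales Role"},
    "cn=it-admins,ou=groups,o=example": {"Standard License", "Administrator Role"},
    "cn=contractors,ou=groups,o=example": set(),  # selected, nothing mapped
    "cn=finance,ou=groups,o=example": {"Standard License"},  # not in directory
}
SENSITIVE = {"Administrator Role"}
APPROVED = {"Administrator Role": {"cdavis"}}  # who may hold each sensitive one


def effective_authorizations(groups, mapping):
    """Return {user: authorizations} for every user in a mapped group.

    Assumption: authorizations from all of a user's mapped groups are combined.
    """
    result = defaultdict(set)
    for group, auths in mapping.items():
        for user in groups.get(group, ()):
            result[user] |= set(auths)  # also records users who get nothing
    return dict(result)


def review_plan(groups, mapping, sensitive, approved):
    """Flag the parts of a planned mapping that need a second look."""
    effective = effective_authorizations(groups, mapping)
    return {
        # Mapped group names missing from the directory snapshot.
        "unknown_groups": sorted(g for g in mapping if g not in groups),
        # Provisioned users who would receive only a basic account.
        "basic_only": sorted(u for u, a in effective.items() if not a),
        # Users gaining a sensitive authorization they are not approved for.
        "unapproved_sensitive": sorted(
            (u, a) for u, auths in effective.items()
            for a in auths & sensitive if u not in approved.get(a, set())),
    }


if __name__ == "__main__":
    for check, hits in review_plan(LDAP_GROUPS, PLANNED_MAPPING,
                                   SENSITIVE, APPROVED).items():
        print(f"{check}: {hits}")
```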

To map authorizations:

  1. On the LDAP Groups and Authorizations page, in the LDAP Groups column, click +, then select at least one LDAP group from the list.

  2. In the Authorizations column, select one or more authorizations, then click the blue arrow to map the authorizations to the LDAP groups.

    You can use the filter fields to perform simple searches for LDAP groups or authorizations. For example, to filter for jhgroup1, you can enter JH, jh, or gro, and the filter finds jhgroup1. Wildcards and regular expressions are not currently supported in these fields.

  3. Click Save, then click Save again on the Account Management page.

You can unmap authorizations individually by clicking X next to the authorization in the group. You can also unmap an entire group by selecting the group and then clicking the trashcan icon.