5.2 Mapping the IdP Groups to Thinfinity Roles

Thinfinity Workspace uses the non-hierarchical groups defined in your organization’s Identity Provider (IdP) to support Role-Based Access Control (RBAC). This means you can map access permissions in Thinfinity Workspace to the user groups already defined in your external directory services, such as Active Directory.

Understanding RBAC

Role-Based Access Control (RBAC) is a widely used method for managing user permissions by assigning them to predefined roles rather than individual users. A role defines what a user can access and what actions they can perform within a system.

In practice:

  • Roles represent sets of permissions (e.g., Admin, Viewer, Restricted User).

  • Users are assigned to roles and inherit each role's permission set; individual permissions can also be added per user.

This model simplifies user management and strengthens security by reducing the chance of misconfigured or overly permissive access.

In Thinfinity, roles are mapped to IdP groups. This requires an IdP that can handle non-hierarchical groups, as both Windows AD and the Thinfinity IdP do.

Why Mapping Roles to IdP Groups Matters

Mapping Thinfinity roles to IdP groups offers a number of benefits:

  • Centralized control: Your IT team only needs to manage user group membership in one place — the identity provider. Thinfinity automatically applies the corresponding permissions at login.

  • Consistency across systems: By using the same roles and group structures across different platforms, you create a unified access management strategy that’s easier to audit and maintain.

  • Scalability: As your organization grows, onboarding and offboarding users becomes more efficient. Add someone to a group in your IdP, and they immediately inherit the correct permissions in Thinfinity.

  • Reduced manual configuration: Without role mapping, administrators would need to assign roles to each Thinfinity user manually. With mapping, user permissions are applied dynamically based on their group membership.

Roles vs. Groups: The Relationship

The distinction between roles and groups is important:

  • Roles live within Thinfinity Workspace. They define what permissions a user has within the platform.

  • Groups live in the identity provider. They are collections of users, often based on job function or department.

By mapping groups to roles, you create a bridge between your identity infrastructure and Thinfinity Workspace. This bridge allows users to receive the right permissions automatically, without requiring redundant administration.

Flexibility and Best Practices

While group-based role mapping is the recommended and most scalable approach, Thinfinity Workspace also supports assigning permissions directly to individual users when needed. However, centralized group mapping remains the best practice for larger teams, regulated environments, or organizations seeking efficient identity governance.
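
A small model of the group-to-role resolution described on this page, with an audit that surfaces permissions a user holds only through direct per-user assignment. This is an added example, not Thinfinity Workspace code or configuration: every role, group, permission and user name is constructed, and treating an unmapped group as granting nothing is an assumption of the model.

```python
# Illustrative model only: every role, group, permission and user name is
# constructed; this is not Thinfinity Workspace's API or config format.
ROLE_PERMISSIONS = {
    "Admin": {"manage_users", "manage_connections", "open_session"},
    "Viewer": {"open_session"},
}
GROUP_TO_ROLE = {"IT-Admins": "Admin", "Sales": "Viewer"}  # IdP group -> role
DIRECT_GRANTS = {"carol": {"manage_users"}}  # per-user grants outside the mapping
# Constructed IdP snapshot: user -> flat list of groups reported at login.
MEMBERSHIPS = {
    "alice": ["IT-Admins"],
    "bob": ["Sales", "Contractors"],
    "carol": ["Sales"],
}


def role_permissions(idp_groups):
    """Permissions derived only from mapped groups, plus the unmapped groups."""
    perms, unmapped = set(), set()
    for group in idp_groups:
        role = GROUP_TO_ROLE.get(group)
        if role is None:
            unmapped.add(group)  # assumption: an unmapped group grants nothing
        else:
            perms |= ROLE_PERMISSIONS[role]
    return perms, unmapped


def resolve_at_login(user, idp_groups):
    """Effective permissions: role-derived plus any direct grants."""
    perms, unmapped = role_permissions(idp_groups)
    return perms | DIRECT_GRANTS.get(user, set()), unmapped


def audit_direct_grants(memberships):
    """Report permissions a user holds only through a direct grant."""
    findings = {}
    for user, groups in memberships.items():
        from_roles, _ = role_permissions(groups)
        extra = DIRECT_GRANTS.get(user, set()) - from_roles
        if extra:
            findings[user] = sorted(extra)
    return findings


if __name__ == "__main__":
    for user, groups in MEMBERSHIPS.items():
        print(user, resolve_at_login(user, groups))
    print("direct-only grants:", audit_direct_grants(MEMBERSHIPS))
```

Direct grants reported by the audit are the ones that survive a group change in the IdP, so they are the entries to review when offboarding or moving a user between teams.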
