Once SCIM provisioning is enabled, you have to manage Productboard roles in Okta.
In this article, we share two approaches to managing Productboard roles in Okta. We recommend getting familiar with both approaches before you begin to make changes.
Prerequisites
We expect that you already have SCIM configured, or that you're at least familiar with Setting up SCIM provisioning with OKTA.
Setting up a role for every user
How to set up roles in the Productboard application profile
To set a role for every user, you need to create a Role attribute for your Productboard application. The Role attribute will look like this when you set a role for the user.
A Role attribute for your Productboard integration already exists.
Create an exact copy of this attribute, but set the Attribute type to Personal. Click on + Add Attribute and make sure you fill out the following fields correctly:
- Data type: string
- Variable name: role
- External name: roles.^[primary==true].value
- External namespace: urn:ietf:params:scim:schemas:core:2.0:User
Note: Leaving the Attribute Type as Group would allow you to configure roles on a group basis as well as on user basis. Choose Personal if you want to manage roles on a user basis only.
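The external name above selects the value of the first roles entry marked primary in the SCIM User resource. As an added example (not Productboard's or Okta's code), this Python sketch applies that selection to constructed SCIM User JSON and flags users whose provisioned role is missing, duplicated, or outside the four roles this article lists. The payload shape follows the SCIM core User schema, and the function names are hypothetical.

```python
import json

# Roles this article lists for Productboard.
ALLOWED_ROLES = {"admin", "maker", "contributor", "viewer"}
CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def primary_role(user):
    """Apply roles.^[primary==true].value: value of the first entry with primary == true."""
    for entry in user.get("roles") or []:
        if entry.get("primary") is True:
            return entry.get("value")
    return None


def check_user(user):
    """Return findings for one SCIM User resource; an empty list means no issue."""
    findings = []
    if CORE_USER_SCHEMA not in user.get("schemas", []):
        findings.append("core User schema missing")
    primaries = [r for r in user.get("roles") or [] if r.get("primary") is True]
    if len(primaries) > 1:
        findings.append("more than one primary role; only the first is used")
    role = primary_role(user)
    if role is None:
        findings.append("no primary role")
    elif role not in ALLOWED_ROLES:
        findings.append(f"unexpected role value: {role!r}")
    return findings


# Constructed sample resources (assumed shape, not captured traffic).
SAMPLE_USERS = json.loads("""
[
 {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "maker@example.com",
  "roles": [{"value": "maker", "primary": true}]},
 {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "odd@example.com",
  "roles": [{"value": "superuser", "primary": true}]},
 {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "norole@example.com",
  "roles": [{"value": "viewer", "primary": false}]}
]
""")

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["userName"], primary_role(u), check_user(u) or "ok")
```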
With this setup, you can manage Productboard roles in the Assignments tab of your Productboard app from the Okta catalog.
To add a new user to the application:
- Click on Assign, and select Assign to People.
- Click on Assign to select the chosen user.
- Select their Role and click on Save and Go Back.
You’ll need to repeat the steps above for each individual user. To update individual user assignments, follow the same steps.
Set up Productboard role in Okta profile
- Go to Directory, then Profile Editor, and select Okta’s User (default) profile.
- Click on + Add Attribute.
- Make sure you fill out the following fields correctly:
  - Data type: String
  - Display name: Productboard Role
  - Variable name: Productboard Role
- Check the Define enumerated list of values and define these Productboard roles: admin, maker, contributor, viewer.
- Click Save.
Mapping the configuration
To be able to verify later that the mapping is configured correctly, set this Productboard Role field for at least one user.
- Go to your Productboard integration, then go to Provisioning and select To App.
- At the bottom, you should see that one attribute mapping shows a warning Not mapped.
- Click on the Edit icon and configure the mapping according to the screenshot below:
- If you want to see the value for a different user, please change the user in the Preview.
- Click Save.
Now, you’re all set up and you can keep track of a user’s Productboard role in their Okta profile.
Setting a role only for 4 groups
We consider this approach more convenient because you don’t have to configure the Role attribute for each user. We recommend keeping track of your users in groups according to Productboard roles such as Productboard makers, Productboard viewers, etc.
A Role attribute for your Productboard integration already exists, and it’s exactly what’s needed for this setup.
- Go to Directory, then Groups.
- Click on Add group to create 4 groups for the 4 Productboard roles:
  - Productboard Admins
  - Productboard Makers
  - Productboard Contributors
  - Productboard Viewers
- Assign Productboard users to their relevant groups.
- Go to Applications, then Applications, and click on your Productboard application.
- Click on the Assign button, then Assign to Groups.
- Then assign the 4 groups to the Productboard application.
- Select a role for each group so that it matches the role in the group’s name.
In Assignments, you’ll still see all users as Individuals even though they’re in groups now.
To change them to Group assignments:
- Click on Convert assignments.
- You can either Convert all assignments or Select assignments to convert. Let’s go with the latter.
- Select one or multiple users. On the right, you can see the Group Name. Click Convert selected to convert users to Group Type.
Now, when you go back to Assignments, you’ll see that converted users have Group Type. If a user had a different role under their Individual assignment, the group attributes now take precedence, so the member’s role is updated in Productboard to match the group’s role.
From now on, when you need to add a new Productboard member, just add them to a group corresponding to the expected role in Productboard.
When you need to change a user’s role, first add them to a new group corresponding to their new role, and then remove them from the previous group. This way, the user doesn’t lose access.