---
title: Dynamic Role-Based Access Control (RBAC)
slug: dynamic-role-based-access-control-rbac
icon: {"faIcon":"fa-solid fa-people-group"}
docTags: 
createdAt: 2025-05-13T13:39:34.334Z
---

Using your own Identity Provider (IdP), you can enable automatic user creation and role mapping to add users to TruffleHog.

![](https://api.archbee.com/api/optimize/ROghP1UKk6x79T0dxONbz-1zO_7q-UBrLomkTIr_MTC-20250513-174122.png)

This feature allows TruffleHog **Admins** to map different fields (such as groups) found in your company's IdP to roles within TruffleHog. TruffleHog currently supports three Roles:

- `Admin`: Full access to TruffleHog, including configurations, user maintenance, and more
- `Editor`: Read/write access to TruffleHog; these users can triage secrets and add integrations, but cannot add users
- `Viewer`: Read-only access to TruffleHog

# Configuration and Maintenance

:::hint{type="info"}
This feature is only available to TruffleHog accounts that use SAML SSO and have SSO required for TruffleHog login. To enable SSO, go to the `Organization enforcement` section on the `Settings > Authentication` page.
:::

## Adding Users

You can map one or more IdP fields to a TruffleHog Role. To add a new mapping:

1. Go to `Settings > Authentication` in the left-hand navigation.
2. Scroll down to the `Automatic role mapping` section and click on `Edit`.
3. The `Update automatic role mappings` modal will appear (see image below). For each mapping you want to add:
   1. Click on the `Add another role mapping` button.
   2. Specify the `SAML assertion field name` and the `IdP group`, and select the appropriate `TruffleHog role`.
4. Click `Save` when all desired fields have been specified and matched to a role.

![](https://api.archbee.com/api/optimize/ROghP1UKk6x79T0dxONbz-fnKpTSKHssaMjQc7EKRmz-20250513-174350.png "Update automatic role mappings modal")

Any users added through this mapping will have `(Auto)` appear at the beginning of their `Role` in the User table found on `Settings > Users`.

:::hint{type="info"}
Any new users added through a mapping must log in once to appear in the `Users` table. Until they attempt to log in, the user will not be listed.
:::

:::hint{type="info"}
Manual role assignments to a user override any automated assignments, even if the automated assignment grants higher privilege.
:::

:::hint{type="info"}
If multiple roles are automatically assigned to the same user, the user is assigned the highest-privilege role among them.
:::

## Removing Users

You can remove users who have been added automatically by removing the mapping:

1. Go to `Settings > Authentication` in the left-hand navigation.
2. Scroll down to the `Automatic role mapping` section and click on `Edit`.
3. The `Update automatic role mappings` modal will appear. For each mapping you want to remove, click on the `X` button.
4. Click `Save`. Since you are removing users, you will be prompted to verify you want to save and delete the corresponding users. Click `Yes` to apply these changes.

:::hint{type="warning"}
When you remove a role mapping, all users added to TruffleHog through that mapping will become disabled unless they were manually added. These users will appear in the `Settings > Users` table. Upon their next attempted login, they will be visibly disabled as well and their `Role` will list `Removed`.
:::
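The following Python script is an added example, not TruffleHog's own code, that models the rules described in the "Adding Users" and "Removing Users" sections: a mapping is a (SAML assertion field name, IdP group) pair that grants a role, a user matching several mappings gets the highest-privilege role, a manual assignment overrides automation even when automation would grant more, automatic roles are shown with an `(Auto)` prefix, and a user who exists only because of a removed mapping ends up `Removed`. The SAML assertion, the attribute name `groups` and the group names are all constructed for the example; how TruffleHog itself stores or evaluates mappings is not described on this page.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Privilege order of the three roles on this page; a higher rank means more access.
ROLE_RANK = {"Viewer": 1, "Editor": 2, "Admin": 3}

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass(frozen=True)
class RoleMapping:
    """One row of the 'Update automatic role mappings' modal."""
    field_name: str  # SAML assertion field name, e.g. "groups" (assumed attribute name)
    idp_group: str   # IdP group value that must appear in that field
    role: str        # TruffleHog role: "Admin", "Editor" or "Viewer"


@dataclass
class User:
    """Minimal user record: how the user got in, plus any role an Admin set by hand."""
    attrs: dict[str, list[str]]               # attributes from the user's last SAML login
    created_by: Optional[RoleMapping] = None  # mapping that auto-created the user, if any
    manual_role: Optional[str] = None         # manual assignment; overrides automation


def parse_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} from a SAML 2.0 AttributeStatement.

    A real service provider verifies the assertion's signature before trusting
    any attribute; this helper only reads an assertion that is already trusted.
    """
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def automatic_role(attrs: dict[str, list[str]], mappings) -> Optional[str]:
    """Highest-privilege role among all mappings the attributes satisfy, else None."""
    matched = [m.role for m in mappings if m.idp_group in attrs.get(m.field_name, [])]
    return max(matched, key=ROLE_RANK.__getitem__) if matched else None


def effective_role(user: User, mappings) -> Optional[str]:
    """A manual assignment wins even when automation would grant a higher role."""
    if user.manual_role is not None:
        return user.manual_role
    return automatic_role(user.attrs, mappings)


def role_label(user: User, mappings) -> str:
    """Role as shown in the Settings > Users table; automatic roles carry '(Auto)'."""
    role = effective_role(user, mappings)
    if role is None:
        return "Removed"
    return role if user.manual_role is not None else f"(Auto) {role}"


def remove_mapping(user: User, mappings, removed: RoleMapping):
    """Removal rule from the page: a user who exists only because of the removed
    mapping is disabled; manually added users are untouched. Returns (remaining, label)."""
    remaining = [m for m in mappings if m != removed]
    if user.created_by == removed and user.manual_role is None:
        return remaining, "Removed"
    return remaining, role_label(user, remaining)


# Constructed sample assertion (not a real IdP response): one user in two groups.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>security-eng</saml:AttributeValue>
      <saml:AttributeValue>all-staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mapping table with hypothetical group names.
MAPPINGS = [
    RoleMapping("groups", "platform-admins", "Admin"),
    RoleMapping("groups", "security-eng", "Editor"),
    RoleMapping("groups", "all-staff", "Viewer"),
]


def demo() -> dict[str, str]:
    """Walk one user through auto-assignment, a manual override, and a mapping removal."""
    attrs = parse_attributes(SAMPLE_ASSERTION)
    auto_user = User(attrs, created_by=MAPPINGS[1])
    pinned_user = User(attrs, manual_role="Viewer")  # an Admin pinned this user to Viewer
    _, after_removal = remove_mapping(auto_user, MAPPINGS, MAPPINGS[1])
    return {
        "auto": role_label(auto_user, MAPPINGS),      # matches Editor and Viewer -> "(Auto) Editor"
        "pinned": role_label(pinned_user, MAPPINGS),  # manual Viewer beats automatic Editor
        "after_removal": after_removal,               # only existed via the removed mapping
    }


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name}: {label}")
```

The `User` record keeps the mapping that created the account separate from any manual role, which is what makes both precedence rules on this page expressible: `effective_role` consults `manual_role` first, and `remove_mapping` only disables accounts whose sole reason to exist was the deleted row.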

