AUTHOR: The Drata Team

IdP Groups to Roles

Note: This feature is available in the New Drata Experience only.

Drata role assignments can now be automatically synced based on IdP group membership, eliminating the need to manually assign and revoke roles as your team changes.

Why It Matters

  • Eliminates manual role management by automatically syncing Drata role assignments based on IdP group membership.

  • Reduces the risk of over-permissioned users: when someone is removed from an IdP group, the Drata roles derived from that group are revoked automatically (manually assigned roles are not affected; see Notes below).

  • Strengthens access control hygiene and supports least-privilege principles, directly reinforcing IAM-related controls across frameworks.

  • Works with any IdP connection in Drata that supports groups.

What’s New

  • A new IdP Group Mappings section is available under Settings → Role Administration.

  • Admins can map one or more IdP groups to one or more Drata roles — roles are additive across multiple group memberships.

  • Role assignments stay continuously in sync: adding or removing a user from an IdP group automatically grants or revokes the corresponding Drata role(s).

Notes

  • Requires Admin access in Drata and an active IdP connection with groups configured.

  • IdP-derived roles and manually assigned roles are independent and additive — if you want IdP groups to be the sole source of truth for roles, manually assigned roles should be cleaned up.

  • The Workspace Manager role has special handling — assigning it via a group mapping will replace other roles in that workspace. Drata will surface a confirmation prompt before applying.
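The rules above (roles are additive across group mappings, manual and IdP-derived roles are independent, and a Workspace Manager mapping replaces other roles in that workspace) determine what a user ends up holding after each IdP change. The following model is an added example written for this page, not Drata's own implementation: it resolves a user's effective roles from a constructed group-to-role mapping, shows what a group change grants and revokes, and audits which manual roles would survive an IdP-driven offboarding. Group names, workspace names, the `Grant`/`User` types and the exact Workspace Manager replacement semantics (replacing manual grants too) are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

WORKSPACE_MANAGER = "Workspace Manager"  # role with replace-not-add semantics (per the release note)


@dataclass(frozen=True)
class Grant:
    """A role held in one workspace (workspace scoping is an assumption of this model)."""
    workspace: str
    role: str


@dataclass(frozen=True)
class User:
    email: str
    idp_groups: frozenset[str]
    manual_grants: frozenset[Grant] = frozenset()


# Constructed sample mapping (hypothetical group and workspace names): IdP group -> Drata grants.
MAPPINGS = {
    "drata-admins": frozenset({Grant("Corp", "Admin")}),
    "drata-auditors": frozenset({Grant("Corp", "Read Only"), Grant("EU", "Read Only")}),
    "eu-ws-managers": frozenset({Grant("EU", WORKSPACE_MANAGER)}),
}


def idp_derived_grants(groups: frozenset[str], mappings: dict) -> set[Grant]:
    """Union of the grants mapped to every group the user is in (roles are additive)."""
    derived: set[Grant] = set()
    for group in groups:
        derived |= mappings.get(group, frozenset())  # unmapped groups contribute nothing
    return derived


def effective_grants(user: User, mappings: dict) -> set[Grant]:
    """Manual grants plus IdP-derived grants, except that a Workspace Manager grant
    coming from a group mapping replaces every other role in that workspace (assumed
    to include manual grants)."""
    derived = idp_derived_grants(user.idp_groups, mappings)
    combined = set(user.manual_grants) | derived
    wm_workspaces = {g.workspace for g in derived if g.role == WORKSPACE_MANAGER}
    return {
        g for g in combined
        if g.workspace not in wm_workspaces or g.role == WORKSPACE_MANAGER
    }


def sync_on_group_change(user: User, mappings: dict, new_groups: set[str]) -> dict:
    """Simulate the continuous sync: diff effective grants before and after the
    user's IdP group membership changes."""
    before = effective_grants(user, mappings)
    updated = User(user.email, frozenset(new_groups), user.manual_grants)
    after = effective_grants(updated, mappings)
    return {"user": updated, "granted": after - before, "revoked": before - after}


def audit_manual_grants(user: User, mappings: dict) -> tuple[set[Grant], set[Grant]]:
    """Split manual grants into those already covered by an IdP mapping (redundant)
    and those that IdP sync will never revoke (extra). If IdP groups are meant to be
    the sole source of truth, both sets should be cleaned up; the 'extra' set is the
    one that silently outlives an offboarding done only in the IdP."""
    derived = idp_derived_grants(user.idp_groups, mappings)
    manual = set(user.manual_grants)
    return manual & derived, manual - derived


if __name__ == "__main__":
    alice = User(
        "alice@example.com",
        frozenset({"drata-admins", "drata-auditors"}),
        frozenset({Grant("Corp", "Read Only"), Grant("EU", "Admin")}),
    )
    print("effective:", sorted(map(str, effective_grants(alice, MAPPINGS))))
    print("remove drata-admins:", sync_on_group_change(alice, MAPPINGS, {"drata-auditors"}))
    print("add eu-ws-managers:",
          sync_on_group_change(alice, MAPPINGS, set(alice.idp_groups) | {"eu-ws-managers"}))
    print("manual audit (redundant, extra):", audit_manual_grants(alice, MAPPINGS))
```

Run as-is to see the three scenarios; the `audit_manual_grants` output is the list to work through before treating the IdP as the sole source of truth, since a user who is dropped from every IdP group keeps everything in the "extra" set.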

Learn more: Map IdP Groups to Drata Roles
