Solved

Assign multiple roles to a user from Azure AD SAML claim

  • January 19, 2026
  • 6 replies
  • 84 views

anryan
Contributor

Hi there,

In this article (Configure user attribute mapping with Azure AD SAML Provider – FME Support Center), a group claim can be set up to pass an AD group name which aligns to a role in FME Flow. As a group claim could be based on a search criterion and many AD groups could be returned, which is a common method of Enterprise group membership in ArcGIS Enterprise software, I was wondering if this could be used to grant several roles to a user?

Looking at controlling access to repositories, who can view a workspace and who can run a job, etc., via AD group assignment.

Thanks

6 replies

zoe.forbes
Safer
  • Safer
  • Best Answer
  • February 3, 2026

Hi @anryan,

This isn’t currently possible but you’re welcome to submit an idea for this - Product Managers check Ideas to inform decision making. I’m also able to do this for you if you would prefer.

The best workaround I can think of would be exporting roles data outside of Azure, and creating a workspace which used the API to assign additional roles to Flow users after creation. The endpoint POST /accounts/{id}/roles could be used to do this.

Thanks,
Zoe


anryan
Contributor
  • Author
  • Contributor
  • February 3, 2026

@zoe.forbes thank you for the reply. I’ll be submitting an idea for this to utilise OOTB SSO/SAML capability.

I have a question regarding your workaround in using a workspace to assign the additional roles - you hadn’t mentioned what type of trigger could be used for this. I assume a schedule, as I couldn’t find any documentation that FME Flow has internal webhooks (e.g. trigger on user creation)?

At the moment, I’ll probably go for a schedule running every 30 mins to check a defined list of AD group memberships and use that as my source and compare to FME Flow to work out which CRUD type of operations I need to do for the users and their roles to maintain it in the security section of Flow.

Thanks again


zoe.forbes
Safer
  • Safer
  • February 3, 2026

Hi @anryan, I thought this would be a one-off operation but I see that isn’t the case. Since there’s a “user created” system event, you could use the following as triggers:

  • A System Event Trigger in automations.
  • A Schedule as you suggested. Instead of polling all users/roles, you could retrieve System Events with an API call and use the query parameters start=[timestamp] and type=SYSTEMEVENT_USER_CREATE as a filter.

anryan
Contributor
  • Author
  • Contributor
  • February 4, 2026

@zoe.forbes Awesome. Thanks. Didn’t think of sys events with an automation


anryan
Contributor
  • Author
  • Contributor
  • February 25, 2026

@zoe.forbes I thought of something to ask relating to this.

Since you mentioned using an automation to detect a user logging in, my question is how are the privileges used (on the fly vs persistent) in FME Flow for that user?

If I use the automation approach to update/maintain the user’s privileges when the user logs in, will the user get any privileges assigned to them as part of this process?

Thanks


zoe.forbes
Safer
  • Safer
  • February 26, 2026

Hi @anryan,

User permissions in FME Flow are granted immediately once set, and persist indefinitely until revoked. This means permissions will be granted as soon as the automation is complete.

When logging in for the first time however, users will likely authenticate and load the UI before this has happened. This means they’ll need to refresh the page once the automation has run to see items they have access to.

If you feel it’s necessary, you could use a Broadcast Message to make sure users are aware of this. I double checked in 2025.2 and can confirm new users will see a Broadcast Message which was sent out before they were created.

Please let me know if you have any questions about this or anything else!
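
Added example, not part of the thread and not Safe Software's code: a sketch of the compare step described above, planning which role grants and revocations a scheduled run or automation would need so that roles which "persist indefinitely until revoked" do not outlive the AD group behind them. The group-to-role mapping, role names, account ids and input shapes are assumptions; the thread names only `POST /accounts/{id}/roles` for grants and no endpoint for revocation, so revokes carry no path.

```python
from dataclasses import dataclass

# Constructed mapping: AD group name -> FME Flow role name (all names hypothetical).
GROUP_TO_ROLE = {"GIS-Authors": "role-author", "GIS-Viewers": "role-viewer",
                 "GIS-Runners": "role-runner"}
# Constructed sample inputs: a directory export and the accounts read back from Flow.
SAMPLE_AD = {"ARyan": {"GIS-Authors", "GIS-Runners", "Unrelated-Group"},
             "bsmith": {"GIS-Viewers"}}
SAMPLE_FLOW = {
    "aryan": {"id": "101", "roles": {"role-author", "role-viewer", "local-admin"}},
    "bsmith": {"id": "102", "roles": {"role-viewer"}},
    "cjones": {"id": "103", "roles": {"role-runner"}},
}

@dataclass(frozen=True)
class Change:
    action: str      # "grant" or "revoke"
    account_id: str
    role: str
    endpoint: str    # grant path named in the thread; empty for revokes

def plan_role_changes(ad_groups, flow_accounts, group_to_role=GROUP_TO_ROLE):
    """Return the changes that bring mapped Flow roles in line with AD groups."""
    if not ad_groups:
        # An empty export is more likely a failed query than a real state;
        # refusing here avoids revoking every managed role at once.
        raise ValueError("empty directory export, refusing to plan revocations")
    managed = set(group_to_role.values())
    directory = {user.lower(): groups for user, groups in ad_groups.items()}
    changes = []
    for username, account in flow_accounts.items():
        groups = directory.get(username.lower(), set())
        wanted = {group_to_role[g] for g in groups if g in group_to_role}
        current = set(account["roles"])
        for role in wanted - current:
            path = f"/accounts/{account['id']}/roles"
            changes.append(Change("grant", account["id"], role, path))
        # Roles persist until revoked, so remove mapped roles the directory no
        # longer backs. Roles outside the mapping (set by hand) are left alone.
        for role in (current & managed) - wanted:
            changes.append(Change("revoke", account["id"], role, ""))
    return sorted(changes, key=lambda c: (c.account_id, c.action, c.role))

if __name__ == "__main__":
    for change in plan_role_changes(SAMPLE_AD, SAMPLE_FLOW):
        print(change)
```

Reviewing the planned changes before applying them, and logging each one, gives an audit trail for role changes made outside the SAML login itself.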