Teams
The CloudBeaver provides a team management feature, allowing administrators to create and manage teams. This feature is integral for organizing users into groups and controlling their access to various databases.
Teams can also be linked to external identity providers, enabling automatic user assignment based on group information received during login.
Team creation¶
To create a new team, follow these steps:
- Navigate to the Settings -> Administration -> Users and Teams -> Teams.
- Click on the + Add button.
- Fill in the necessary details in the provided fields.
Field Name | Description | Additional Info |
---|---|---|
Team ID | A unique identifier for the team. | |
Team Name | The name of the team. | |
Description | A brief description of the team and its purpose. | |
Permissions | Access level for team members | Admin Full Access grants full access to CloudBeaver settings |
Parameters ![]() |
For group mapping and other metadata, e.g. AWS roles | See Integration with identity providers |
Note
The Parameters section is available only after you configure at least one identity provider.
Predefined Team types¶
CloudBeaver includes two predefined Team types:
Types | Description |
---|---|
admin |
Members of this Team have full administrative privileges within CloudBeaver. |
user |
This Team is for regular users. Administrators assign access to databases (in Team Edition, access to projects) to this team. |
Tip
Administrators can configure the predefined types in the Server Settings. For more information, see Initial data configuration.
User management¶
In the Users tab, you can manage Team memberships:
- To add a user to the Team, click Edit, select the desired users, and then click Add.
- To remove a user from the Team, select the user and click Delete.
Tip
One user can be a member of a multiple Teams.
Connection management¶
In the Connections tab, you can manage which connections are available to the Team:
- To add connections to the Team, click Edit, choose the desired connections, and then click Add.
- To remove connections from the Team, select the connection and click Delete.
Permission management¶
In the Permissions tab, administrators can control what actions Team members are allowed to perform in the Data Editor and SQL Editor:
Permission | Description | Related articles |
---|---|---|
Data copy | Allows users to copy data from the Data Editor | Data Editor |
Data edit | Allows users to edit data in the Data Editor | Data Editor |
Data export | Allows users to export data from the Data Editor | Data export |
Data import | Allows users to import data using the Data Editor | Data import |
SQL script execution | Allows users to execute custom SQL scripts | SQL Editor |
Team permissions have priority over global defaults. Each team can have its own set of permissions, managed independently.
When you change the global defaults, these updates are applied automatically to all teams that are still using the defaults. Teams with custom permissions set by an administrator are not affected.
Tip
You can always reset Team permissions to global defaults by clicking Restore to global defaults.
Auto mapping of users from identity providers¶
You can link Teams to external identity providers. This allows CloudBeaver to assign users to Teams automatically based on group or role information provided at login.
Team membership is managed entirely by your identity provider. Thereās no need to manually assign users - CloudBeaver reads group claims from the authentication token and maps users to Teams based on matching parameters.
Configuration steps¶
-
In the Identity Providers settings, specify the attribute or value used to identify user groups or roles.
Important
CloudBeaver reads this exact attribute during login. If itās missing or misconfigured, Team assignment wonāt work.
-
In the Team's Parameters settings, enter the exact group ID you expect from the provider. Use your provider's tools to inspect the token and find the actual group IDs being sent. Some providers return non-human-readable IDs ( e.g., UUIDs).
Provider parameter Expected value Example value Related articles Microsoft Entra ID UUID of group 73ab4df0-b4b4-4449-a2cd-1874923871049278
Microsoft Entra ID AWS Role ARN ARN of assumed role arn:aws:iam::123456789012:role/DBRole
AWS OpenID, via Okta SAML Group ID External group name or ID Admins
orb274cd83-331a-4e4e-9b8f-92f123456789
SAML configuration Okta Group ID Group name or internal ID 00g63lwgl1qHdgDfZ0x7
Okta OpenID LDAP Group name Group common name cn=Developers
LDAP OpenID Group ID Group name or internal group ID dev-team
or8e4b9ff4-11f3-4f17-902e-e9e5c1c2043a
OpenID configuration -
When a user logs in through the identity provider (e.g., Okta, Entra ID), CloudBeaver receives an authentication token. This token includes user details, such as group or role claims. If any value in the configured attribute (like
groups
) matches a Team Parameter, the user is automatically added to that Team and inherits its permissions.Important
- Attribute name (e.g.,
groups
) must be configured in the identity provider settings - The value in the Team must match the token value exactly
- Group IDs may not be human-readable - use display names with caution
- Any string format is accepted
- Some providers (e.g., Azure) may limit the number of groups sent in the token
- Attribute name (e.g.,
Updating Team memberships¶
For the changes to take effect, especially in cases where group memberships are updated:
- Users may need to log off and log back in through the Single Sign-On (SSO).
- Alternatively, users can wait for the session to timeout.
These actions ensure that the updated claims from the identity provider are received by CloudBeaver, thereby refreshing the Team memberships.
Troubleshooting mismatches¶
If users aren't assigned to a Team after login, check the following:
- Incorrect group ID: The value in Team parameters must exactly match the one sent in the token. Display names usually wonāt workāuse raw IDs (e.g., UUID, ARN).
- Wrong attribute name: Make sure the identity provider is configured to include the correct attribute (e.g.,
groups
,roles
) in the token. - Missing group claim: Some providers donāt send group claims by default. You may need to explicitly add them in the provider settings.
- Group limit: Azure AD and some other providers may limit the number of groups included in the token (e.g., 150). Users beyond the limit wonāt be mapped.
- Session not refreshed: Changes in group membership take effect only after the user logs out and logs in again (or after session timeout).