Skip to content

Teams

The CloudBeaver provides a team management feature, allowing administrators to create and manage teams. This feature is integral for organizing users into groups and controlling their access to various databases.

Teams can also be linked to external identity providers, enabling automatic user assignment based on group information received during login.

Team creation

To create a new team, follow these steps:

  1. Navigate to the Settings -> Administration -> Users and Teams -> Teams.
  2. Click on the + Add button.
  3. Fill in the necessary details in the provided fields.

Field Name Description Additional Info
Team ID A unique identifier for the team.
Team Name The name of the team.
Description A brief description of the team and its purpose.
Permissions Access level for team members Admin Full Access grants full access to CloudBeaver settings
Parameters For group mapping and other metadata, e.g. AWS roles See Integration with identity providers

Note

The Parameters section is available only after you configure at least one identity provider.

Predefined Team types

CloudBeaver includes two predefined Team types:

Types Description
admin Members of this Team have full administrative privileges within CloudBeaver.
user This Team is for regular users. Administrators assign access to databases (in Team Edition, access to projects) to this team.

Tip

Administrators can configure the predefined types in the Server Settings. For more information, see Initial data configuration.

User management

In the Users tab, you can manage Team memberships:

  • To add a user to the Team, click Edit, select the desired users, and then click Add.
  • To remove a user from the Team, select the user and click Delete.

Tip

One user can be a member of a multiple Teams.

Connection management

In the Connections tab, you can manage which connections are available to the Team:

  • To add connections to the Team, click Edit, choose the desired connections, and then click Add.
  • To remove connections from the Team, select the connection and click Delete.

Permission management

In the Permissions tab, administrators can control what actions Team members are allowed to perform in the Data Editor and SQL Editor:

Permission Description Related articles
Data copy Allows users to copy data from the Data Editor Data Editor
Data edit Allows users to edit data in the Data Editor Data Editor
Data export Allows users to export data from the Data Editor Data export
Data import Allows users to import data using the Data Editor Data import
SQL script execution Allows users to execute custom SQL scripts SQL Editor

Team permissions have priority over global defaults. Each team can have its own set of permissions, managed independently.

When you change the global defaults, these updates are applied automatically to all teams that are still using the defaults. Teams with custom permissions set by an administrator are not affected.

Tip

You can always reset Team permissions to global defaults by clicking Restore to global defaults.

Auto mapping of users from identity providers

You can link Teams to external identity providers. This allows CloudBeaver to assign users to Teams automatically based on group or role information provided at login.

Team membership is managed entirely by your identity provider. There’s no need to manually assign users - CloudBeaver reads group claims from the authentication token and maps users to Teams based on matching parameters.

Configuration steps

  1. In the Identity Providers settings, specify the attribute or value used to identify user groups or roles.

    Important

    CloudBeaver reads this exact attribute during login. If it’s missing or misconfigured, Team assignment won’t work.

  2. In the Team's Parameters settings, enter the exact group ID you expect from the provider. Use your provider's tools to inspect the token and find the actual group IDs being sent. Some providers return non-human-readable IDs ( e.g., UUIDs).

    Provider parameter Expected value Example value Related articles
    Microsoft Entra ID UUID of group 73ab4df0-b4b4-4449-a2cd-1874923871049278 Microsoft Entra ID
    AWS Role ARN ARN of assumed role arn:aws:iam::123456789012:role/DBRole AWS OpenID, via Okta
    SAML Group ID External group name or ID Admins or b274cd83-331a-4e4e-9b8f-92f123456789 SAML configuration
    Okta Group ID Group name or internal ID 00g63lwgl1qHdgDfZ0x7 Okta OpenID
    LDAP Group name Group common name cn=Developers LDAP
    OpenID Group ID Group name or internal group ID dev-team or 8e4b9ff4-11f3-4f17-902e-e9e5c1c2043a OpenID configuration
  3. When a user logs in through the identity provider (e.g., Okta, Entra ID), CloudBeaver receives an authentication token. This token includes user details, such as group or role claims. If any value in the configured attribute (like groups) matches a Team Parameter, the user is automatically added to that Team and inherits its permissions.

    Important

    • Attribute name (e.g., groups) must be configured in the identity provider settings
    • The value in the Team must match the token value exactly
    • Group IDs may not be human-readable - use display names with caution
    • Any string format is accepted
    • Some providers (e.g., Azure) may limit the number of groups sent in the token

Updating Team memberships

For the changes to take effect, especially in cases where group memberships are updated:

  • Users may need to log off and log back in through the Single Sign-On (SSO).
  • Alternatively, users can wait for the session to timeout.

These actions ensure that the updated claims from the identity provider are received by CloudBeaver, thereby refreshing the Team memberships.

Troubleshooting mismatches

If users aren't assigned to a Team after login, check the following:

  • Incorrect group ID: The value in Team parameters must exactly match the one sent in the token. Display names usually won’t work—use raw IDs (e.g., UUID, ARN).
  • Wrong attribute name: Make sure the identity provider is configured to include the correct attribute (e.g., groups, roles) in the token.
  • Missing group claim: Some providers don’t send group claims by default. You may need to explicitly add them in the provider settings.
  • Group limit: Azure AD and some other providers may limit the number of groups included in the token (e.g., 150). Users beyond the limit won’t be mapped.
  • Session not refreshed: Changes in group membership take effect only after the user logs out and logs in again (or after session timeout).