Skip to content

Teams

The Team Edition provides a comprehensive team management feature for both web and desktop environments. Administrators can create and manage Teams to group users, assign project-based permissions, and share credentials.

Teams can be linked to external identity providers, allowing automatic user assignment based on group information received at login.

In the Team Edition, the process of managing team memberships differs slightly between the web and desktop interfaces, primarily in the user interface layout.

Team creation

To create a new Team, follow these steps:

  1. As administrator, go to the Settings -> Administration -> Access Management -> Teams.
  2. Click on the + Add button.
  3. Fill in the necessary details in the provided fields.

  1. As administrator, navigate to Window -> Show View -> Administration.
  2. Select the Teams tab.
  3. Click on the + Create button.
  4. Specify the name of the Team in the window that appears.
  5. After creating the Team, select it from the list.
  6. Fill in the necessary details for the selected Team.

Field Name Description Additional Info
Team ID (only in the web interface) A unique identifier for the Team.
Team Name The name of the Team.
Description (only in the web interface) A brief description of the Team and its purpose.
Parameters Additional parameters based on the authentication provider. Read more about Integration with identity providers

Predefined Team types

Team Edition includes all-users predefined Team type. This Team includes all users by default.

User management

In the Users tab, administrators can manage Team memberships:

  • To add a user to the Team, click Edit, select the desired users, and then click Add.
  • To remove a user from the Team, select the user and click Delete.

In the Administration window, administrators can manage Team memberships:

  • To add a user to the Team, click + Add, select the desired users, and then click Ok.
  • To remove a user from the Team, select the user and click Delete.

Tip

One user can be a member of multiple teams.

Supervisor

Navigate to the Teams -> Users tab, here you can use the Supervisor checkbox to mark certain users as supervisors. Supervisors can view their team's queries in the Query Manager.

Note

The checkbox for assigning supervisor roles is exclusive to the web interface, but the capabilities granted by this permission are accessible in both the web and desktop interfaces.

After you have been assigned as a supervisor, you can view your team's queries by following these steps:

  1. Open the application and click on Tools in the toolbar.
  2. Select Query History from the dropdown menu.
  3. In the Query History window, you can toggle the Supervisor view on or off by using the Turn on/off supervisor view button .

Project management

In the Projects tab, administrators can manage which projects are available to the Team:

  • To add a project to the Team, click Edit, choose the desired project, and then click Add.
  • To remove projects from the Team, select the project and click Delete.

In the Administration window, administrators can manage which projects are available to the Team:

  • To add a project to the Team, click + Add and choose the desired project.
  • To remove projects from the Team, select the project and click Remove.

Tip

One project can be a part of multiple teams.

Permission management

In the Permissions tab (available only in the Web client), administrators can control what actions Team members are allowed to perform in the Data Editor and SQL Editor:

Permission Description Related articles
Data copy Allows users to copy data from the Data Editor Data Editor
Data edit Allows users to edit data in the Data Editor Data Editor
Data export Allows users to export data from the Data Editor Data export
Data import Allows users to import data using the Data Editor Data import
SQL script execution Allows users to execute custom SQL scripts SQL Editor

Team permissions have priority over global defaults. Each team can have its own set of permissions, managed independently.

When you change the global defaults, these updates are applied automatically to all teams that are still using the defaults. Teams with custom permissions set by an administrator are not affected.

Tip

You can restore the default set of permissions at any time by clicking Restore to global defaults.

Auto mapping of users from identity providers

You can link Teams to external identity providers. This allows Team Edition to assign users to Teams automatically based on group or role information provided at login.

Team membership is managed entirely by your identity provider. There’s no need to manually assign users - Team Edition reads group claims from the authentication token and maps users to Teams based on matching parameters.

Configuration steps

  1. In the Identity Providers settings, specify the attribute or value used to identify user groups or roles.

    Important

    Team Edition reads this exact attribute during login. If it’s missing or misconfigured, Team assignment won’t work.

  2. In the Team's Parameters settings, enter the exact group ID you expect from the provider. Use your provider's tools to inspect the token and find the actual group IDs being sent. Some providers return non-human-readable IDs ( e.g., UUIDs).

    Provider parameter Expected value Example value Related articles
    Microsoft Entra ID UUID of group 73ab4df0-b4b4-4449-a2cd-1874923871049278 Microsoft Entra ID
    AWS Role ARN ARN of assumed role arn:aws:iam::123456789012:role/DBRole AWS OpenID, via Okta
    SAML Group ID External group name or ID Admins or b274cd83-331a-4e4e-9b8f-92f123456789 SAML configuration
    Okta Group ID Group name or internal ID 00g63lwgl1qHdgDfZ0x7 Okta OpenID
    LDAP Group name Distinguished name (DN) of the group Groups LDAP
    OpenID Group ID Group name or internal group ID dev-team or 8e4b9ff4-11f3-4f17-902e-e9e5c1c2043a OpenID configuration
  3. When a user logs in through the identity provider (e.g., Okta, Entra ID), Team Edition receives an authentication token. This token includes user details, such as group or role claims. If any value in the configured attribute (like groups) matches a Team Parameter, the user is automatically added to that Team and inherits its permissions.

    Important

    • Attribute name (e.g., groups) must be configured in the identity provider settings
    • The value in the Team must match the token value exactly
    • Group IDs may not be human-readable - avoid using display names
    • Any string format is accepted
    • Some providers (e.g., Azure) may limit the number of groups sent in the token

Updating Team memberships

For the changes to take effect, especially in cases where group memberships are updated:

  • Users may need to log off and log back in through the Single Sign-On (SSO).
  • Alternatively, users can wait for the session to timeout.

These actions ensure that the updated claims from the identity provider are received by Team Edition, thereby refreshing the Team memberships.

Troubleshooting mismatches

If users aren't assigned to a Team after login, check the following:

  • Incorrect group ID: The value in Team parameters must exactly match the one sent in the token. Display names usually won’t work—use raw IDs (e.g., UUID, ARN).
  • Wrong attribute name: Make sure the identity provider is configured to include the correct attribute (e.g., groups, roles) in the token.
  • Missing group claim: Some providers don’t send group claims by default. You may need to explicitly add them in the provider settings.
  • Group limit: Azure AD and some other providers may limit the number of groups included in the token (e.g., 150). Users beyond the limit won’t be mapped.
  • Session not refreshed: Changes in group membership take effect only after the user logs out and logs in again (or after session timeout).