Teams
The Team Edition provides a comprehensive team management feature for both web and desktop environments. Administrators can create and manage Teams to group users, assign project-based permissions, and share credentials.
Teams can be linked to external identity providers, allowing automatic user assignment based on group information received at login.
In the Team Edition, the process of managing team memberships differs slightly between the web and desktop interfaces, primarily in the user interface layout.
Team creation¶
To create a new Team, follow these steps:
- As administrator, go to the Settings -> Administration -> Access Management -> Teams.
- Click on the + Add button.
- Fill in the necessary details in the provided fields.
- As administrator, navigate to Window -> Show View -> Administration.
- Select the Teams tab.
- Click on the + Create button.
- Specify the name of the Team in the window that appears.
- After creating the Team, select it from the list.
- Fill in the necessary details for the selected Team.
Field Name | Description | Additional Info |
---|---|---|
Team ID (only in the web interface) | A unique identifier for the Team. | |
Team Name | The name of the Team. | |
Description (only in the web interface) | A brief description of the Team and its purpose. | |
Parameters | Additional parameters based on the authentication provider. | Read more about Integration with identity providers |
Predefined Team types¶
Team Edition includes all-users
predefined Team type. This Team includes all users by default.
User management¶
In the Users tab, administrators can manage Team memberships:
- To add a user to the Team, click Edit, select the desired users, and then click Add.
- To remove a user from the Team, select the user and click Delete.
In the Administration window, administrators can manage Team memberships:
- To add a user to the Team, click + Add, select the desired users, and then click Ok.
- To remove a user from the Team, select the user and click Delete.
Tip
One user can be a member of multiple teams.
Supervisor¶
Navigate to the Teams -> Users tab, here you can use the Supervisor checkbox to mark certain users as supervisors. Supervisors can view their team's queries in the Query Manager.
Note
The checkbox for assigning supervisor roles is exclusive to the web interface, but the capabilities granted by this permission are accessible in both the web and desktop interfaces.
After you have been assigned as a supervisor, you can view your team's queries by following these steps:
- Open the application and click on Tools in the toolbar.
- Select Query History from the dropdown menu.
- In the Query History window, you can toggle the Supervisor view on or off by using the Turn on/off supervisor
view button
.
Project management¶
In the Projects tab, administrators can manage which projects are available to the Team:
- To add a project to the Team, click Edit, choose the desired project, and then click Add.
- To remove projects from the Team, select the project and click Delete.
In the Administration window, administrators can manage which projects are available to the Team:
- To add a project to the Team, click + Add and choose the desired project.
- To remove projects from the Team, select the project and click Remove.
Tip
One project can be a part of multiple teams.
Permission management¶
In the Permissions tab (available only in the Web client), administrators can control what actions Team members are allowed to perform in the Data Editor and SQL Editor:
Permission | Description | Related articles |
---|---|---|
Data copy | Allows users to copy data from the Data Editor | Data Editor |
Data edit | Allows users to edit data in the Data Editor | Data Editor |
Data export | Allows users to export data from the Data Editor | Data export |
Data import | Allows users to import data using the Data Editor | Data import |
SQL script execution | Allows users to execute custom SQL scripts | SQL Editor |
Team permissions have priority over global defaults. Each team can have its own set of permissions, managed independently.
When you change the global defaults, these updates are applied automatically to all teams that are still using the defaults. Teams with custom permissions set by an administrator are not affected.
Tip
You can restore the default set of permissions at any time by clicking Restore to global defaults.
Auto mapping of users from identity providers¶
You can link Teams to external identity providers. This allows Team Edition to assign users to Teams automatically based on group or role information provided at login.
Team membership is managed entirely by your identity provider. Thereās no need to manually assign users - Team Edition reads group claims from the authentication token and maps users to Teams based on matching parameters.
Configuration steps¶
-
In the Identity Providers settings, specify the attribute or value used to identify user groups or roles.
Important
Team Edition reads this exact attribute during login. If itās missing or misconfigured, Team assignment wonāt work.
-
In the Team's Parameters settings, enter the exact group ID you expect from the provider. Use your provider's tools to inspect the token and find the actual group IDs being sent. Some providers return non-human-readable IDs ( e.g., UUIDs).
Provider parameter Expected value Example value Related articles Microsoft Entra ID UUID of group 73ab4df0-b4b4-4449-a2cd-1874923871049278
Microsoft Entra ID AWS Role ARN ARN of assumed role arn:aws:iam::123456789012:role/DBRole
AWS OpenID, via Okta SAML Group ID External group name or ID Admins
orb274cd83-331a-4e4e-9b8f-92f123456789
SAML configuration Okta Group ID Group name or internal ID 00g63lwgl1qHdgDfZ0x7
Okta OpenID LDAP Group name Distinguished name (DN) of the group Groups
LDAP OpenID Group ID Group name or internal group ID dev-team
or8e4b9ff4-11f3-4f17-902e-e9e5c1c2043a
OpenID configuration -
When a user logs in through the identity provider (e.g., Okta, Entra ID), Team Edition receives an authentication token. This token includes user details, such as group or role claims. If any value in the configured attribute (like
groups
) matches a Team Parameter, the user is automatically added to that Team and inherits its permissions.Important
- Attribute name (e.g.,
groups
) must be configured in the identity provider settings - The value in the Team must match the token value exactly
- Group IDs may not be human-readable - avoid using display names
- Any string format is accepted
- Some providers (e.g., Azure) may limit the number of groups sent in the token
- Attribute name (e.g.,
Updating Team memberships¶
For the changes to take effect, especially in cases where group memberships are updated:
- Users may need to log off and log back in through the Single Sign-On (SSO).
- Alternatively, users can wait for the session to timeout.
These actions ensure that the updated claims from the identity provider are received by Team Edition, thereby refreshing the Team memberships.
Troubleshooting mismatches¶
If users aren't assigned to a Team after login, check the following:
- Incorrect group ID: The value in Team parameters must exactly match the one sent in the token. Display names usually wonāt workāuse raw IDs (e.g., UUID, ARN).
- Wrong attribute name: Make sure the identity provider is configured to include the correct attribute (e.g.,
groups
,roles
) in the token. - Missing group claim: Some providers donāt send group claims by default. You may need to explicitly add them in the provider settings.
- Group limit: Azure AD and some other providers may limit the number of groups included in the token (e.g., 150). Users beyond the limit wonāt be mapped.
- Session not refreshed: Changes in group membership take effect only after the user logs out and logs in again (or after session timeout).