Once users are provisioned via SSO, you can automate their permission levels by mapping Identity Provider (IdP) data to WisdomAI roles.

Role Management through SCIM

When SCIM is enabled, your existing SSO groups are automatically detected and synced to Wisdom.
  • View Synced Groups: Navigate to the SSO Groups list in the SSO Configuration settings to see groups like “Engineering” or “Sales” along with their sync status.
    Snippet showing the SSO Groups list
  • Assign Roles to Groups: Use the Add SSO Group button to link a synced group to a specific WisdomAI role (e.g., Explorer).
    Snippet showing the Add SSO Group modal
Any user belonging to that SSO group will automatically inherit the assigned roles and domain permissions in WisdomAI.

Role Management through Claims

If you prefer not to use SCIM groups, you can configure roles based on “claims” within the IdP’s JSON Web Token (JWT).
Contact WisdomAI support to enable claims-based role management for your instance.
How the Mapping Works:
  1. When a user logs in, WisdomAI reads a specific claim from the JWT (typically named roles or groups), which contains a list of strings.
  2. An SSO Group in WisdomAI acts as a bridge. It maps a specific string element from that JWT list to the assigned WisdomAI Role.
  3. If a user’s JWT contains the string "marketing_admin", and you have created an SSO Group in Wisdom that maps "marketing_admin" to the Explorer role, that user is automatically granted those permissions.
Setting it Up:
  • Click the Add Group button.
  • In the Add SSO Group modal that opens, enter the string element that matches your IdP claim in the SSO Group Name field.
    The claim should be a list of strings.
  • Role Assignments: Select the Role (e.g., Explorer) and the corresponding Domains to be mapped to that string.
  • Click Create User Group to finalize the mapping.

Auto SSO Group Generation

To avoid manual mapping entirely, WisdomAI can auto-generate groups based on a specific string schema in your IdP claims.
Contact WisdomAI support to enable claims-based role management for your instance.
Each claim string must follow this schema: wisdom.[optional_workspace_uri].role.[optional_scope_type].[optional_scope]
  1. wisdom. prefix: namespace and versioning
  2. optional workspace URI (the default workspace is used if not given)
  3. role (one of administrator, data_administrator, explorer, observer)
  4. optional scope type (required if a scope is given)
  5. optional scope (required if a scope type is given)
Examples of valid claim strings:
  • wisdom.explorer: Assigns the Explorer role on all domains in the default workspace.
  • wisdom.foo.explorer: Assigns the Explorer role on all domains within the “foo” workspace.
  • wisdom.explorer.DOMAIN.ET_DOMAIN_foo: Assigns the Explorer role on a specific domain in the default workspace.
  • wisdom.foo.explorer.DOMAIN.ET_DOMAIN_bar: Assigns the Explorer role on a specific domain in the foo workspace.
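The following is an added example, not WisdomAI's own code, that parses claim strings of the schema above and turns a decoded JWT's claim list into role grants, failing closed on malformed entries. It assumes that neither the workspace URI nor the scope contains a dot and that a workspace URI is never itself one of the role names; the sample JWT payload is constructed.

```python
"""Parse wisdom.[workspace].role.[scope_type].[scope] claim strings and
collect role grants from a JWT claim list. Added example, not WisdomAI code."""
from dataclasses import dataclass
from typing import Optional

ROLES = {"administrator", "data_administrator", "explorer", "observer"}

@dataclass(frozen=True)
class Grant:
    workspace: Optional[str]   # None means the default workspace
    role: str
    scope_type: Optional[str]  # e.g. "DOMAIN"; None means all domains
    scope: Optional[str]

def parse_claim(claim: str) -> Grant:
    """Parse one claim string; raise ValueError on anything off-schema.
    Assumption: workspace URI and scope contain no dots, and a workspace
    URI is never spelled like a role name."""
    parts = claim.split(".")
    if len(parts) < 2 or parts[0] != "wisdom":
        raise ValueError(f"missing 'wisdom.' prefix: {claim!r}")
    # The role token comes from a fixed set, so its position tells us
    # whether an optional workspace URI precedes it.
    if parts[1] in ROLES:
        workspace, role, rest = None, parts[1], parts[2:]
    elif len(parts) >= 3 and parts[2] in ROLES:
        workspace, role, rest = parts[1], parts[2], parts[3:]
    else:
        raise ValueError(f"unknown role in {claim!r}")
    if not rest:
        return Grant(workspace, role, None, None)
    if len(rest) != 2 or not all(rest):
        # Scope type and scope are only valid as a pair (see schema rules 4 and 5).
        raise ValueError(f"scope type and scope must both be present: {claim!r}")
    return Grant(workspace, role, rest[0], rest[1])

def grants_from_token(claims: dict, claim_name: str = "roles") -> list[Grant]:
    """Collect grants from the JWT claim list. Strings outside the wisdom.*
    namespace and malformed entries grant nothing (log them in practice)."""
    values = claims.get(claim_name, [])
    if not isinstance(values, list):
        raise TypeError(f"claim {claim_name!r} must be a list of strings")
    grants = []
    for value in values:
        if not isinstance(value, str) or not value.startswith("wisdom."):
            continue   # unrelated group name such as "marketing_admin"
        try:
            grants.append(parse_claim(value))
        except ValueError:
            continue   # fail closed: a malformed entry grants nothing
    return grants

# Constructed sample of a decoded JWT payload (not a real token).
SAMPLE_CLAIMS = {"sub": "u123", "roles": ["wisdom.explorer", "marketing_admin",
    "wisdom.foo.explorer.DOMAIN.ET_DOMAIN_bar", "wisdom.explorer.DOMAIN"]}
```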

Next Steps