BetaTesting can automatically assign roles to SSO users based on their group memberships in your identity provider (IdP). This ensures your team members get the right level of access in BetaTesting without manual configuration.
How Role Mapping Works
When a user logs in via SSO, BetaTesting determines their role by checking which IdP groups they belong to. You configure your own role mapping rules directly in BetaTesting under Integrations → Single Sign-On. This links specific IdP group names to BetaTesting roles.
Example: If your IdP has a group called "BT-Admins" and a mapping rule assigns that group to the BetaTesting Admin role, any user who belongs to "BT-Admins" will automatically receive Admin access in BetaTesting.
Available BetaTesting Roles
Role mappings can assign users to the following BetaTesting roles:
Role | Access Level | Description |
Full Admin | Company-wide | Full management access to all tests, settings, and team members across the entire company account |
Support | Company-wide | Can manage tests and tester communications, but cannot modify company settings or billing |
Read-Only | Company-wide | View-only access to all tests and data across the company |
Tester | N/A | Default role -- the user participates in tests as a tester, with no company admin access |
Need access scoped to a specific business group in BetaTesting? Business Group-scoped roles (admin, support, or read-only limited to a single business group) are set up by your BetaTesting account manager. Reach out to them to scope access to a specific group.
How Groups Are Sent to BetaTesting
There are two ways IdP group information reaches BetaTesting, depending on whether you have SCIM enabled:
Without SCIM (SSO Only)
Group memberships are sent as claims in the SAML assertion each time the user logs in. You configure this by adding a Group Attribute Statement in your SAML app (see the SSO setup guides for details).
Roles are recalculated on every login
Changes to group membership in your IdP take effect the next time the user logs in
With SCIM
Group memberships are pushed to BetaTesting via the SCIM Groups API and stored persistently. When the user logs in via SSO, BetaTesting uses the stored SCIM group memberships for role resolution.
Roles are updated in real-time as your IdP pushes group changes via SCIM
Users don't need to log out and back in for role changes to take effect
This is the recommended approach for organizations that need tight access control
Setting Up Role Mappings
You set up mappings yourself on the Integrations → Single Sign-On connection page. The group claim name (the IdP attribute carrying group memberships, usually groups) is set on the connection; each mapping then matches a value within that claim and grants a role.
Where to configure
There are two places, and they edit the same set of mappings:
During initial setup - the Roles step of the SSO setup wizard.
Any time after - the Role mapping section on the connection's detail page.
Step 1: Open your role mappings
In BetaTesting, go to Integrations → Single Sign-On.
Open your SSO connection.
Scroll to the Access · Role mapping section ("Map IdP claims to BetaTesting roles").
Step 2: Add a mapping
Click Add mapping.
In When groups contains, enter the IdP group value you want to match (e.g., BT-Admins). This is whatever string your IdP sends — usually the group name or its display label.
In Grant this role, choose the BetaTesting role (Full admin, Support only, Read only, or Tester).
Click Add.
Repeat for each group you want to map. For example:
When groups Contains | Grant this role |
| Full Admin |
| Support |
| Read-Only |
Priority and Conflict Resolution
When a user belongs to multiple mapped groups, BetaTesting resolves conflicts using a priority order that you control by dragging mappings into order:
Mappings are evaluated top to bottom; the highest mapping that matches determines the user's role.
Drag a mapping row to move it up or down to change its priority
If no mapping matches any of the user's groups, the user receives the default role configured for your SSO connection (typically Tester).
Example: A user belongs to both BT-Admins (mapped to Full admin) and BT-Support (mapped to Support only). If the BT-Admins mapping sits above the BT-Support mapping, Full admin wins.
Default Role
Every SSO connection has a default role that applies when:
The user doesn't belong to any mapped groups
No mapping rules match the user's group memberships
Group attributes are not configured in your IdP
The default role is typically Tester, meaning users without a specific group mapping will have tester-level access. You can change the default role yourself on the connection's detail page (set during the wizard's Access step, editable any time after).
Business Group-Scoped Access
For organizations that organize their BetaTesting work into business groups, role mappings can be scoped to specific business groups:
Company-wide roles give access across all tests in the company
Business group-scoped roles restrict access to tests within a specific business group
This is useful when different teams within your organization need access to different subsets of your BetaTesting projects. Chat with your BetaTesting account manager if you need business group scoped access for your business needs.
Best Practices
Use descriptive group names - Name your IdP groups clearly (e.g.,
BetaTesting-Adminsrather thanGroup1) to make mappings easy to understandStart with the default role - Keep the default role as Tester so unrecognized users get the lowest access level
Test with a dedicated user - Before rolling out to your entire team, test role mapping with a single user to verify correct assignment
Keep groups consistent - The group names in your IdP must match the role mapping configuration exactly (case-sensitive). Any changes to group names in your IdP will need to be updated in BetaTesting
Use SCIM for real-time sync - If you need role changes to take effect immediately (without the user logging out and back in), enable SCIM provisioning
Making Changes
To update role mappings, go to Integrations → Single Sign-On, open your connection, and use the Role mapping section:
Add a mapping: Click Add mapping, enter the IdP group value and the BetaTesting role, then Add.
Change a mapping: Click a mapping to edit its value or role, then Save.
Reorder priority: Drag mappings up or down; higher in the list wins.
Remove a mapping: Delete the mapping; affected users fall back to the default role on their next login (SSO only) or immediately (SCIM).