Auto-assign User Role from IdP Group membership #5390

@ffa6995

Description

Auto-assign User Role from IdP Group membership (single role, highest priority wins)

Problem / Motivation

We’re using NetBird with IdP auto-synchronization (Microsoft Entra ID). Users are created/synced automatically, but their NetBird User Role still has to be assigned manually (or via custom API automation).

This is hard to manage at scale and becomes error-prone when permissions should be driven by standard org group membership.

Requested Feature

Add a way to automatically assign a user’s NetBird User Role based on Group membership, ideally using IdP-synced groups (Entra ID).

Example mapping:

  • Group "Service Technician" → Role "Network Admin"
  • Group "Accounting" → Role "Billing Admin"
  • Group "Security Auditors" → Role "Auditor"
  • Group "IT Admins" → Role "Admin"
  • Group "Employees" → Role "User"

Roles referenced: Admin, Network Admin, Billing Admin, Auditor, User

Expected Behavior

  • Admins can configure a Group → Role mapping (UI and API ideally).
  • On IdP sync / user provisioning / periodic sync (and/or on login):
    • NetBird evaluates the user’s group memberships.
    • Single-role enforced: if multiple mappings match, assign only one role using a defined priority order (highest priority wins).
    • If the user no longer matches the group that granted their current role, NetBird should re-evaluate and:
      • Assign the next highest matching role, or
      • Fall back to a configurable default (e.g., User).

Priority / Conflict Resolution

To make behavior deterministic, enforce a priority order, e.g.:
Admin > Network Admin > Billing Admin > Auditor > User

(Optionally, allow admins to set per-mapping priority, but a fixed order would already solve the main need.)

Why this is valuable

  • Eliminates manual role administration and reduces reliance on custom API scripts.
  • Keeps permissions aligned with IdP governance (Entra ID) and org processes.
  • Reduces security risk from stale or incorrect role assignments.

Current Workarounds

  • Manual role assignment in the NetBird UI.
  • Custom scripts/code using the API to update roles after sync.
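Added example, not part of the issue or of NetBird's code: a small Go model of the resolution rule the request describes (single role, fixed priority order, fallback to a default, re-evaluation on each sync so that losing a group demotes as well as promotes). The role names and the Admin > Network Admin > Billing Admin > Auditor > User order come from the issue; the `Mapping`, `Decision`, `ResolveRole` and `Reconcile` names, the sample mapping and the sync snapshots are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Role is a NetBird user role; the names are the ones listed in the issue.
type Role string

const (
	RoleAdmin        Role = "Admin"
	RoleNetworkAdmin Role = "Network Admin"
	RoleBillingAdmin Role = "Billing Admin"
	RoleAuditor      Role = "Auditor"
	RoleUser         Role = "User"
)

// rolePriority is the fixed order proposed in the issue, highest first.
// Assumption: illustrative table, not something NetBird ships today.
var rolePriority = []Role{RoleAdmin, RoleNetworkAdmin, RoleBillingAdmin, RoleAuditor, RoleUser}

// priorityOf returns the rank of a role (0 = highest). Roles missing from the
// table rank below everything, so a typo in a mapping can never win over Admin.
func priorityOf(r Role) int {
	for i, p := range rolePriority {
		if p == r {
			return i
		}
	}
	return len(rolePriority)
}

// Mapping is the admin-configured Group -> Role table. Keys are group
// identifiers; in practice key on the IdP's stable group object ID rather
// than the display name, which an IdP does not guarantee to be unique.
type Mapping map[string]Role

// Decision is the outcome of one evaluation, including which group granted
// the role so the change can be audit-logged.
type Decision struct {
	Role      Role
	GrantedBy string // empty when the default role was applied
}

// ResolveRole picks exactly one role from the user's current group memberships.
// When several mappings match, the highest-priority role wins; when none
// match, the configurable default is returned. Groups are scanned in sorted
// order so the result (and GrantedBy on a tie) does not depend on the order
// the IdP returned them.
func ResolveRole(m Mapping, groups []string, def Role) Decision {
	sorted := append([]string(nil), groups...)
	sort.Strings(sorted)

	d := Decision{Role: def}
	bestPrio := -1
	for _, g := range sorted {
		r, ok := m[g]
		if !ok {
			continue
		}
		if p := priorityOf(r); bestPrio == -1 || p < bestPrio {
			d, bestPrio = Decision{Role: r, GrantedBy: g}, p
		}
	}
	return d
}

// Reconcile re-evaluates a user after a sync and reports whether the stored
// role must change. Demotions are applied as well as promotions: losing the
// group that granted a role falls through to the next match or the default.
func Reconcile(current Role, m Mapping, groups []string, def Role) (Decision, bool) {
	d := ResolveRole(m, groups, def)
	return d, d.Role != current
}

func main() {
	// Constructed mapping, taken from the example table in the issue.
	mapping := Mapping{
		"Service Technician": RoleNetworkAdmin,
		"Accounting":         RoleBillingAdmin,
		"Security Auditors":  RoleAuditor,
		"IT Admins":          RoleAdmin,
		"Employees":          RoleUser,
	}

	// Constructed sync snapshots for one user, in the order they occur.
	snapshots := [][]string{
		{"Employees", "Service Technician", "Accounting"}, // several matches
		{"Employees", "Accounting"},                       // left Service Technician
		{"Contractors"},                                   // no mapped group at all
	}
	current := RoleUser
	for i, groups := range snapshots {
		d, changed := Reconcile(current, mapping, groups, RoleUser)
		fmt.Printf("sync %d: groups=%v -> role=%q grantedBy=%q changed=%v\n",
			i+1, groups, d.Role, d.GrantedBy, changed)
		current = d.Role
	}
}
```

Two points worth keeping if this is ever implemented: the default should be the least-privileged role (User), so that an unmapped or mis-synced user never keeps elevated rights, and the `GrantedBy` group should be written to the activity log, because "why does this user have Network Admin" is the first question an auditor asks once roles are derived rather than assigned.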
