Team-based auto-assignment is documented separately. See Automated Team and Project Assignment for the companion guide.
What project assignment does
When a user authenticates via SAML SSO, their IdP includes a set of attributes in the SAML response — for exampledepartment, role, memberOf, group, or country. EK compares those attributes against the project assignment rules you have configured and, on a match:
- Adds the user to each of the rule’s target project(s) (skipping any they already belong to).
- Applies a project role on each project — a default role, or a different role if a conditional override matches.
Additive by design: Project rules only ever add access. A user is never removed from a project, and an existing project role is never downgraded, even if a previously-matching attribute stops matching. Removing project access remains a manual/administrative action.
Independent of teams: Project rules do not touch team membership, home / billing team, or team roles. If you want team-wide access, use team assignment rules instead (or in addition).
Prerequisites
Before you can use project auto assignment:- SAML SSO must be configured for your tenant, and your IdP must send the attributes you intend to match on. If an attribute isn’t present in the SAML response, no rule referencing it can match.
- You must have Super Admin access to EK. Some Super Admin roles are view-only — in that mode the rules are visible but the create/edit/delete controls are hidden.
- The target projects must already exist. A rule references existing projects; it cannot create them.
Where to configure it
There are two entry points, both under Super Admin:Automated Management tab (all project rules)
Super Admin → Projects tab → Automated Management sub-tab. This lists every project assignment rule in the system and lets you create, edit, and delete them. Each rule can target one or many projects.Per-project shortcut (rules for one project)
Super Admin → Projects tab → Project Management. Find the project and click the shield icon (“SAML Project Rules”) in its Actions column. A modal opens listing every rule that targets that project, where you can add, edit, or delete rules.- In this modal the current project is locked as a target and cannot be removed.
- Editing a rule here may also affect its other target projects, because a single rule can target many projects at once.
Anatomy of a project rule
| Field | Purpose |
|---|---|
| SAML Attribute Name | The attribute to inspect (e.g. department). Matched exactly as the IdP sends it. |
| Attribute Value(s) | One or more required values. In the UI you type a value and press comma/Enter to turn each into a chip/tag. |
| IdP packs multi-values into one string | User-side CSV toggle — see How attribute matching works. |
| Wildcard (substring) match | Substring matching toggle — see How attribute matching works. |
| Default Project Role | Role applied on every target project unless an override matches: Viewer, Editor, or Admin. |
| Target Projects | One or more projects (searchable by id / name / team / owner). At least one is required. |
| Conditional Role Overrides | Optional nested rules that assign a different project role when an extra attribute matches — see Conditional role overrides. |
How attribute matching works
This section governs whether your rules behave as you expect. The matcher’s mental model is: “everything is treated as a multi-value set, except one genuinely ambiguous case.” Attribute matching uses the same engine as SAML Access Controls. See Matching behavior matrix in that guide for the general reference; the project-specific matrix below includes wildcard behavior.The rule side (what you type)
Whatever you enter in Attribute Value(s) is always treated as a comma-separated set of tokens. Each token is a required value.- A rule with a single value (
Finance) matches when the user’s attribute containsFinance. - A rule with multiple values (
Finance, US) matches only when the user’s attribute contains all of them — a subset (⊆) match: the rule’s required set must be contained within the user’s set.
Because commas in a rule are always token separators, you cannot write a rule that matches a literal value containing a comma (e.g.
Smith, John). In practice, access-control attributes (groups, roles, departments) almost never contain literal commas, so this is rarely a limitation.The user side (what the IdP sends)
How the user’s incoming value is interpreted depends on its wire shape and one per-rule toggle:| The IdP sends… | Interpreted as | Toggle needed? |
|---|---|---|
Multiple <AttributeValue> elements (native multi-value) | A set — always | No — automatic |
One <AttributeValue> with a plain value (Finance) | A single value | No |
One <AttributeValue> packing several values into one comma-separated string (Finance,US,Admin) | A single literal value unless the CSV toggle is on | Yes — see below |
Toggle: “IdP packs multi-values into one string”
Some IdPs cram several values into a single attribute value as one comma-separated string (e.g.Accounting,Admin,US). By default EK treats a single attribute value as one literal token, so Accounting,Admin,US would not match a rule value of Accounting.
- Off (default): the user’s single string is one literal value; embedded commas are preserved. Use this when the attribute really is single-valued.
- On: the user’s single string is split on commas into a set before matching. Use this when your IdP packs multiple values into one string.
Behavior matrix
| User’s incoming value | Toggle | Your rule value | Matches? |
|---|---|---|---|
native ["A","B","C"] | Off | A | ✓ |
native ["A","B","C"] | Off | A, B | ✓ |
native ["A","B","C"] | On | A, B | ✓ |
string "A,B,C" | Off | A | ✗ |
string "A,B,C" | Off | A, B | ✗ |
string "A,B,C" | On | A | ✓ |
string "A,B,C" | On | A, B | ✓ |
string "A" | Off | A | ✓ |
string "A" | On | A | ✓ |
Toggle: “Wildcard (substring) match”
- Off (default): each rule token must match a user token exactly (after case-insensitive trimming).
- On: each rule token matches if it appears anywhere inside one of the user’s tokens (case-insensitive substring). For example, rule value
val2matches an incoming value ofval1val2val3. For multi-token rules, every rule token must be contained in some user token.
Conditional role overrides
A rule’s Default Project Role applies to everyone the rule matches. Use Conditional Role Overrides to grant a different project role to a subset of matched users, based on an additional attribute. Each override has its own:- Attribute name and value(s)
- Project role (Viewer / Editor / Admin)
- CSV toggle (“IdP packs multi-values into one string”)
- Wildcard toggle
Which override wins
When more than one override matches, EK picks the most specific one — defined as the override requiring the largest set of values. If two overrides tie on specificity, the earliest-created one is chosen (and a warning is logged); restructure your overrides to remove ambiguous overlaps rather than rely on the tie-break. If no override matches, the rule’s Default Project Role is used.Union semantics and role precedence
Union semantics
Project rules use pure union semantics — there is no “one project per user” constraint:- Every project rule whose condition matches contributes its target projects.
- The user is added to the union of all matched projects (skipping any they already belong to).
Role precedence
- Project roles rank:
Viewer<Editor<Admin. - Within a single rule, the role is resolved from its most-specific matching override, else the rule’s default.
- When the same project is targeted by multiple matched rules that resolve to different roles, the highest-privilege role wins — so a user is never under-provisioned relative to any matched rule.
- Existing project roles are never downgraded. If the user is already a member of a target project, their current role is preserved.
Step-by-step configuration
Create a project assignment rule
Open Automated Management
Open the Super Admin dashboard and go to the Projects tab → Automated Management sub-tab.
Enter SAML matching criteria
Enter the SAML Attribute Name (e.g.
memberOf) and add one or more Attribute Value(s) — type a value and press comma/Enter to create a chip.Set toggles
- Enable IdP packs multi-values into one string if your IdP sends multiple values in a single comma-separated string.
- Enable Wildcard (substring) match only if you need substring matching.
Add target projects
Under Target Projects, search (by id / name / team / owner) and add each project the rule should grant access to. At least one is required.
Add conditional overrides (optional)
Add Conditional Role Overrides for subsets that should get a different role.
Edit or delete a rule
- Use the edit and delete icons on the rule’s row in the Automated Management list, or open the per-project shield icon modal.
- Deleting a rule removes its target list and role overrides but does not change any project memberships users already have.
Manage rules for a single project
Worked examples
Example 1 — Group to a project as Editor
Goal: Grant users whosememberOf contains KB-Editors editor access to the “Knowledge Base” project.
- Attribute
memberOf=KB-Editors - Default Project Role Editor
- Target Projects: Knowledge Base
Example 2 — IdP sends a single packed group string
Goal: Same as above, but the IdP sendsmemberOf as one string like KB-Editors,All-Staff,VPN-Users.
- Attribute
memberOf=KB-Editors - IdP packs multi-values into one string = On
- Default Project Role Editor
- Target Projects: Knowledge Base
KB-Editors is matched as one of the tokens.
Example 3 — Require two attributes together
Goal: Only users who are in bothUS and Engineering get access to the “US Engineering Docs” project.
- Attribute
groups=US, Engineering(two chips) - Target Projects: US Engineering Docs
groups set contains both values.
Example 4 — Base role plus an elevated override
Goal: Everyone indepartment=Support gets Viewer access to the “Support Runbooks” project; team leads get Editor.
- Attribute
department=Support, Default Project Role Viewer - Override: Attribute
title=Lead→ Editor
department=Support, title=Lead user gets Editor; a plain department=Support user gets Viewer.
Example 5 — Same project from two rules
- Rule A:
role=analyst→ Project X as Viewer. - Rule B:
role=lead→ Project X as Editor.
Behavior, edge cases, and important notes
- Additive only. Rules never remove a user from a project and never downgrade an existing role. Deprovisioning is a separate, manual action.
- Independent of teams. Project rules do not affect team membership, team roles, or the user’s home / billing team.
- Evaluated on every sign-in. Changes to a user’s IdP attributes take effect the next time they sign in via SSO. Creating a new rule does not retroactively apply to users who aren’t currently signing in.
- Applied in the background. After sign-in, project additions are processed by an asynchronous task, so very large target sets may take a short while to fully apply.
- Already-a-member projects are skipped. Users are only added to projects they don’t already belong to; existing roles are preserved.
- Missing roles are skipped. If a resolved role doesn’t exist on a particular project, that project is skipped rather than failing the whole login.
- Deleted target projects are ignored safely (and logged).
- Empty rule values are rejected. A value that reduces to nothing after trimming and removing empty comma slots is not accepted, because it would match nothing.
- Values are normalized for storage. Whitespace around each value is trimmed and empty slots dropped; original casing is preserved for display, but matching is case-insensitive.
- Auditing. Creating, updating, and deleting project rules and their role overrides is recorded in the Super Admin audit log.
Troubleshooting
A user isn't being added even though the rule looks right
A user isn't being added even though the rule looks right
- Confirm the attribute name exactly matches what the IdP sends (names are often fully-qualified URIs).
- Check the value casing/spelling — matching is case-insensitive but must otherwise match a token.
- If the IdP sends multiple values in one comma-separated string, enable “IdP packs multi-values into one string.”
- Remember matching is subset — a multi-value rule requires the user to have all listed values.
- Make sure the rule has at least one target project.
- The user must sign in again after the rule is created for it to apply.
A user matched but got the wrong role
A user matched but got the wrong role
- Check for conditional overrides — a more-specific override may be winning.
- Remember highest privilege wins across rules, and existing roles are never downgraded.
Substring matches are catching too many users
Substring matches are catching too many users
- Turn Wildcard off and use exact matching, or make the value more specific.
Editing a rule changed access on a project I didn't expect
Editing a rule changed access on a project I didn't expect
- A rule can target multiple projects. Editing it (including from the per-project shield-icon modal) affects all of its target projects.
Quick reference
| Concept | Behavior |
|---|---|
| Scope | Projects only — never touches teams or home team. |
| Rule value commas | Always token separators (subset match). |
| Native multi-value SAML | Always matched as a set. |
| Single packed string | Split into a set only when CSV toggle is on. |
| Wildcard toggle | Substring match instead of exact. |
| Match direction | Rule’s required set ⊆ user’s set. |
| Specificity | Larger required set = more specific (used for overrides). |
| Project roles | Viewer < Editor < Admin. |
| Evaluation | Union — every matching rule contributes its projects. |
| Same project, multiple roles | Highest privilege wins. |
| Existing membership/role | Never downgraded or removed. |
| Evaluation cadence | Every SSO sign-in. |
| Target projects | At least one required per rule. |
| Location (all rules) | Super Admin → Projects → Automated Management. |
| Location (one project) | Super Admin → Projects → Project Management → shield icon. |