Filtering User and Group Imports

Common Fate supports User and Group import filters. This is configured in your deployment.yml file via the IdentityGroupFilter parameter.

The IdentityGroupFilter is a regex string that is used by Common Fate's IDP sync function.

version: 2
deployment:
  account: '012345678912'
  region: ap-southeast-2
  parameters:
    AdministratorGroupID: common_fate_administrators
+   IdentityGroupFilter: common_fate_administrators|dev_.*
    ProviderConfiguration:
      aws-sso-v2:
        uses: commonfate/aws-sso@v2

In the above example Common Fate will filter any imported groups to match the regex pattern for common_fate_administrators|dev_.*. Practically this means that only users in the common_fate_administrators group or prefixed with dev_ will be imported in to Common Fate.

Why use an IdentityGroupFilter?

Identity group filters are helpful for Organizations with a large number of users/groups who want to reduce.

How does this differ from access groups configured in SAML?

Even if you have limited who can access Common Fate in your SAML settings, Common Fate by default will import the full set of Users/Groups. By adding and IdentityGroupFilter you can adhere the imported users/groups to the configuration in SAML.

What happens if I use an IdentityGroupFilter

Users are synced based on whether they are a part of the selection of groups that meet the filter criteria. Users not in a group will not be imported. Only groups that meet the criteria will be imported.

What happens if I don't use an IdentityGroupFilter

All users and groups are synced from your IDP (including users without a group).