Celonis Process Management SSO

User and Rights Management Considerations

In Celonis Process Management, users have attributes such as a name or an e-mail address. Additionally users can be members of user groups and have default permission sets assigned.

Based on the claims the Identity Provider (IdP) transmits to Celonis Process Management and the claims mapping defined in Celonis Process Management these attributes, memberships, and assignments can be updated and thereby ease user and rights management in Celonis Process Management.

The standard (see Transmitted Claims) / custom (see Custom Claims Mapping) claims mapping governs which information will be used by Celonis Process Management.

Unique User ID

A user is identified by a unique key. Which claim will be used as this unique key can be configured. By default the User Principal Name (UPN) is used. Celonis Process Management does not analyze this ID, it just expects it to be unique and uses this ID for user lookup and identification.

Attributes: Name, E-Mail Address, Telephone Number, etc.

There are many different claims which can be mapped to Celonis Process Management attributes. The default mappings are defined above (see Transmitted Claims) and can be customized (see Custom Claims Mapping).

All configured claims will automatically update associated user attributes each time the user logs in. That way Celonis Process Management's user data stays automatically synchronized to the IdP's userbase which remains the single source of truth.

Group Memberships and Permissions

In Celonis Process Management permissions are managed in three ways:

Role-based permissions (Viewer, Editor, Admin, etc.)
User default permissions by assigment of a named permission set
User group-based permissions inherited through group memberships

If no group-based permissions apply, the default user permissions are used. If no default user permissions are set, role-based permissions are used.

SAML Group Management Activated

You can configure Celonis Process Management to use SAML group claims (see Transmitted Claims) to manage those permissions for you.

During each user login, group claims are evaluated if "SAML group managment" has been activated. In this case the following steps are taken:

The SAML user is removed from all SAML user groups.
The SAML user's default permissions are removed.
The SAML user is added to each SAML user group which exists in Celonis Process Management and which the received group claims contain - the matching is done based on the user group name/group claim value.
The SAML user is assigned each permission set which exists in Celonis Process Management and which the received group claims contain - the matching is done based on the permission set name/group claim value.
A user role is assigned:
- The SAML user is a member of at least one SAML user group: The highest role from all SAML user groups he is a member of
- The SAML user is NOT a member of any SAML user group: The standard user role configured in the SAML configuration

SAML Group Management Not Activated

If "SAML group management" has not been activated, you need to assign all permissions manually.

The one exception (Celonis Process Management 1808 and later):

The first time a user logs in to a database using SAML, i.e. when a user is created in the database due to a SAML login, they are assigned a role based on the Standard Role configured for the current authentication provider.

Subsequent logins will not reapply the Standard Role so that manual changes to a user's role don't get overwritten.