---
myst:
  html_meta:
    "description lang=en": "Create user groups with custom settings and authentication in Kasm Workspaces."
    "keywords": "Kasm, Server, Groups, Configuration"
    "property=og:locale": "en_US"
---
```{title} Groups
```

# Groups

Groups are used to define roles for specific sets of users in Kasm Workspaces. By default there are two groups created
by the system, the Administrators group and the All Users group, the All Users group is the default group for every user
where statewide settings can be set.

Groups can be used to specify Kasm images and settings for different sets of users. For example, you may have a custom image for
developers with pre-installed developer tools. You can tie that image to a group. You can define settings for that group, such
as enabling bi-directional clipboard.

## Create Group

Steps to create individual groups for sections of users.

- Select **Access Management > Groups** tab from navigation menu
- Select **Add Group** from the top right of the table
- Specify Group properties listed below

```{include} /guide/groups/group_properties.md
```

There is a **Users** tab in the edit group page that allow for the selection of its users

```{figure} /images/users/add_user_group.webp
:align: center
**Users in Group**
```

```{include} /guide/groups/group_settings.md
```

```{include} /guide/groups/group_permissions.md
```

## Group Workspaces

Administrators can define which Workspaces are available to each group.
By default newly created workspaces are automatically assigned to the **All Users** group. This behavior can be changed
by modifying the **Add Images To Default Group** global {doc}`Settings <settings>`.

```{figure} /images/groups/group_images.webp
:align: center
**Group Workspaces**
```

## SSO Group Mappings

Administrators can configure the system to automatically map users that authenticate with an SSO provider
(e.g SAML, OpenID, LDAP) into Kasm Groups.

If **Assign All Users** is selected, any user that authenticates with the defined SSO provider will be added to the
Kasm group. Otherwise, only users that have the defined **Group Attributes** passed in by the SSO provider will be
added to the group.

These group mappings are evaluated and updated at each user login. If a mapping is defined and a user does not have
the group attributes listed, the user will be removed from the group.

```{figure} /images/groups/sso_group_mappings.webp
:align: center
**SSO Group Mappings**
```

```{figure} /images/groups/sso_group_mapping_config.webp
:align: center
**SSO Group Mappings Config**
```

## Group File Mappings
File Mappings allow the administrator to manage files to be mapped to the inside of a user's container 
based Workspace session. File Mappings can be defined on a User, Group, and/or Workspace. See the primary
documentation on {doc}`File mappings <file_mappings>` for more details.


```{note}
When a user belongs to multiple Groups that define a File Mapping with the same destination, the group with the lowest priority
value gets mapped into the user's container.
```

```{figure} /images/images/file_mappings.webp
:align: center
**File Mappings Table**
```

The following is an example File Mapping of a Chrome Managed Policy to define bookmarks in Chrome.

```{figure} /images/images/file_mapping.png
:align: center
**File Mapping Definition**
```