Map roles with Directory Sync

Directory role mapping assigns roles to new accounts automatically, based on the attributes and group memberships that come from your identity provider. Define the rules once and stop hand-assigning permissions one account at a time.

Requires Directory Sync. Role mapping reads the directory data that Directory Sync brings in, so your identity provider needs to be connected first. Roles themselves are covered in Roles and access.

When a new account is created, Droplet checks your mapping rules and applies the roles from every rule that matches. This works for accounts created through single sign-on (SSO) for the first time and for any other new account, as long as Directory Sync is enabled and the account's email matches a synced user in your directory.

Map by group or by attribute

You can build rules on either kind of directory data:

  • Groups: Map roles by directory group membership. This is how most districts prefer to manage access, since a person's groups usually already reflect what they should be able to do.
  • Attributes: Map roles by an individual attribute such as Job Title, Department Name, Division Name, Employee Type, or one of your Custom Attributes.

Groups are tracked separately from attributes. Attributes also remain available to autofill forms; groups are used only for role mapping.

Add a role mapping

  1. Go to Organization and open the Identity tab.
  2. Under Global Settings, find Directory Role Mapping and click Add Mapping.
  3. Under When the following is true, choose an attribute (or Groups), pick the operator, and enter the value or values to match. For groups, enter one or more group names, separated by commas.
  4. Under Assign these roles, select one or more roles to grant when the rule matches.
  5. Click Save.
The Directory Role Mapping section on the Identity tab, with an Add Mapping button

Directory Role Mapping lives under Global Settings on Organization › Identity.

The attribute picker in the Add Role Mapping dialog, listing Groups plus attributes like Job Title and Department Name

Build a rule on Groups or on any synced attribute.

A completed rule: Groups is one of Teachers, Instructional Staff, assigning the Form Builder role

A finished rule: anyone whose directory groups include Teachers or Instructional Staff is given the Form Builder role.

How the rules apply

A few things are worth knowing about how mappings behave when an account is created:

  • Every matching rule applies. If an account matches more than one rule, it receives the roles from all of them. Because roles are additive, the account ends up with the combined permissions. (See how roles work.)
  • There is no priority ordering. Rules are not ranked, so none overrides another. Every rule that matches contributes its roles.
  • The Default role is the fallback. If no role mapping is configured, or none of your rules apply to a new account, Droplet still assigns the Default role. Every account always has at least Default.
Because rules stack, keep each one focused on a single group or attribute and let them combine. For example, one rule can grant a baseline role by department while another grants an elevated role to a specific group.
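
To see how stacking plays out before saving a rule, the sketch below models the behavior described above as a local preview. It is an added example, not Droplet's code or API. It assumes exact, case-sensitive matching, only the "is one of" operator, and that Default is present on every account; the "Elevated Role" name, the "Technology" department and the sample users are constructed for illustration.

```python
from dataclasses import dataclass

DEFAULT_ROLE = "Default"

@dataclass(frozen=True)
class Rule:
    field: str     # "Groups" or an attribute name such as "Department Name"
    values: str    # comma-separated list, as entered in the mapping dialog
    roles: tuple   # roles granted when the rule matches

    def matches(self, user):
        wanted = {v.strip() for v in self.values.split(",") if v.strip()}
        if self.field == "Groups":
            return bool(wanted & set(user.get("groups", ())))
        return user.get("attributes", {}).get(self.field) in wanted

def effective_roles(rules, user):
    """Union of roles from every matching rule; Default is always present."""
    roles, matched = {DEFAULT_ROLE}, []
    for rule in rules:             # order is irrelevant: no rule overrides another
        if rule.matches(user):
            roles.update(rule.roles)
            matched.append(rule)
    return roles, matched

def preview(rules, users, sensitive):
    """Map email -> (roles, granting rules) for users who would get a sensitive role."""
    report = {}
    for user in users:
        roles, matched = effective_roles(rules, user)
        if roles & sensitive:
            via = [f"{r.field} is one of {r.values}" for r in matched if set(r.roles) & sensitive]
            report[user["email"]] = (sorted(roles), via)
    return report

# Constructed sample data. "Elevated Role" and the "Technology" department are hypothetical.
RULES = [
    Rule("Groups", "Teachers, Instructional Staff", ("Form Builder",)),
    Rule("Department Name", "Technology", ("Elevated Role",)),
]
USERS = [
    {"email": "a@example.org", "groups": ["Teachers"], "attributes": {"Department Name": "Math"}},
    {"email": "b@example.org", "groups": ["Teachers"], "attributes": {"Department Name": "Technology"}},
    {"email": "c@example.org", "groups": [], "attributes": {"Job Title": "Contractor"}},
]

if __name__ == "__main__":
    for email, (roles, via) in preview(RULES, USERS, {"Elevated Role"}).items():
        print(email, roles, via)
```

Running a preview like this against an export of synced users shows which new accounts would pick up an elevated role, and through which rule, before the mapping goes live.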

When mapping runs

Role mapping is applied at account creation. It sets a new account's roles automatically so you do not have to. To change roles on an account that already exists, adjust them by hand from the Accounts tab (see Assign roles to a user).

The Accounts tab showing each account's assigned roles in the Roles column

Each account's roles show on the Accounts tab, whether they were mapped automatically or set by hand.

Frequently asked questions

Do I need SSO for role mapping to work?

No. Mapping applies to accounts created through SSO for the first time and to any other new account, as long as Directory Sync is enabled and the email matches a synced user.

What happens if two rules match the same account?

Both apply. The account receives the roles from every matching rule, combined. There is no priority ordering.

What if no rule matches?

The account still gets the Default role. Default is always applied when no other mapping applies.

Does changing a rule update existing accounts?

Role mapping runs when an account is created. To change roles on accounts that already exist, update them on the Accounts tab.

Should I map by groups or by attributes?

Groups are the common choice because they usually already reflect access, but attributes such as Job Title or Department Name work well when your directory does not model the distinction as a group.

Last reviewed by Lindsay Miceli and published on July 2, 2026 2PM ET