# Role synchronization

### Enable role synchronization

By default, UI Bakery does not sync any roles provided by the Identity Provider. To enable role synchronization, set the following environment variables:

```
UI_BAKERY_SSO_SYNC_ROLES=true
UI_BAKERY_SSO_SYNC_ROLES_ON_LOGIN=true
```

Out of the box, UI Bakery attempts to match received roles by name. It reads the role name(s) from a claim (attribute) named `role`. If a match is found (e.g., the SSO returned a `role=support` claim, and UI Bakery has a `support` role in the workspace), the user's current roles will be replaced with the matched SSO role(s).

### Advanced settings

You can fine-tune role synchronization with the variables below.

#### UI\_BAKERY\_SSO\_SYNC\_ROLES\_ON\_LOGIN

By default, it is set to `false`, and roles are synchronized only during sign-up. If set to `true`, roles are synchronized on every login as well as during sign-up. For OpenID providers, it is also possible to sync roles with every [token refresh](https://docs.uibakery.io/on-premise/sso/openid/token-refresh).

***

**UI\_BAKERY\_SSO\_ROLE\_MAPPING**

Set up a mapping between SSO provider roles/groups and UI Bakery roles when they aren't matched by name, e.g.:

```bash
UI_BAKERY_SSO_ROLE_MAPPING=identityRoleName->bakeryRoleName,identityRoleName2->bakeryRoleName2
```

***

**UI\_BAKERY\_SSO\_SYNC\_ROLES\_BY\_NAME**

By default, it is set to `true`. You can set it to `false` to control role syncing exclusively through the `UI_BAKERY_SSO_ROLE_MAPPING` mapping variable.

***

**UI\_BAKERY\_SSO\_HARD\_SYNC\_ROLES**

By default, it's `false`. When set to `true`, UI Bakery overwrites all roles, removing existing ones and adding new ones received from the Identity Provider even if there are no roles provided.

{% hint style="warning" %}
Please note that if no roles are matched, the user will be removed from the organization and will no longer be able to access it.
{% endhint %}

***

**UI\_BAKERY\_SSO\_SYNC\_ROLES\_FOR\_EDITOR\_AND\_ADMIN**

By default, UI Bakery syncs roles only for end-users, leaving admin and editor roles untouched. Set it to `true` to sync roles for all users.

{% hint style="warning" %}
Please note that with a malformed configuration, admin accounts may lose access to the system.
{% endhint %}

***

#### UI\_BAKERY\_SSO\_ROLE\_CLAIM

By default, it is set to `role`. You can change this variable to configure which claim is used as the source for roles.
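
Before turning on `UI_BAKERY_SSO_HARD_SYNC_ROLES` or `UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN`, it helps to check offline which users a configuration would lock out. The Python below is an added example that models the rules described on this page; it is not UI Bakery's code, and `parse_mapping` and `predict` are hypothetical names. It assumes role sync is enabled, that a claim may carry one name or a list, that mapping entries are checked before name matching, and that a non-match without hard sync leaves roles unchanged.

```python
# Added example: a model of the behaviour documented above, not UI Bakery's code.
DEFAULTS = {
    "UI_BAKERY_SSO_ROLE_CLAIM": "role",
    "UI_BAKERY_SSO_ROLE_MAPPING": "",
    "UI_BAKERY_SSO_SYNC_ROLES_BY_NAME": "true",
    "UI_BAKERY_SSO_HARD_SYNC_ROLES": "false",
    "UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN": "false",
}


def parse_mapping(raw):
    """Parse 'idpRole->bakeryRole,idpRole2->bakeryRole2' into a dict."""
    mapping = {}
    for pair in filter(None, (p.strip() for p in raw.split(","))):
        source, sep, target = pair.partition("->")
        if not sep or not source.strip() or not target.strip():
            raise ValueError(f"malformed mapping entry: {pair!r}")
        mapping[source.strip()] = target.strip()
    return mapping


def predict(env, claims, workspace_roles, current_roles, is_editor_or_admin=False):
    """Return (outcome, roles): 'skipped', 'replaced', 'unchanged' or 'removed'."""
    cfg = {**DEFAULTS, **env}

    def on(key):
        return cfg[key].lower() == "true"

    if is_editor_or_admin and not on("UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN"):
        return "skipped", sorted(current_roles)
    received = claims.get(cfg["UI_BAKERY_SSO_ROLE_CLAIM"], [])
    if isinstance(received, str):  # assumption: one name or a list of names
        received = [received]
    mapping = parse_mapping(cfg["UI_BAKERY_SSO_ROLE_MAPPING"])
    matched = set()
    for name in received:
        if mapping.get(name) in workspace_roles:  # assumption: mapping checked first
            matched.add(mapping[name])
        elif on("UI_BAKERY_SSO_SYNC_ROLES_BY_NAME") and name in workspace_roles:
            matched.add(name)
    if matched:
        return "replaced", sorted(matched)
    if on("UI_BAKERY_SSO_HARD_SYNC_ROLES"):
        return "removed", []  # documented: no match under hard sync removes the user
    return "unchanged", sorted(current_roles)  # assumption: nothing to apply


if __name__ == "__main__":
    # Constructed sample: the claim name is changed and the IdP group maps to nothing.
    env = {"UI_BAKERY_SSO_HARD_SYNC_ROLES": "true", "UI_BAKERY_SSO_ROLE_CLAIM": "groups"}
    print(predict(env, {"groups": ["contractors"]}, {"support"}, {"support"}))
```

Running `predict` over an export of real IdP claims for each user, with `is_editor_or_admin=True` for privileged accounts, lists every account that would end up `removed` under the planned settings.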
