# Role synchronization

### Enable role synchronization

By default, UI Bakery does not sync any roles provided by the Identity Provider. To enable role synchronization, set the following environment variables:

```
UI_BAKERY_SSO_SYNC_ROLES=true
UI_BAKERY_SSO_SYNC_ROLES_ON_LOGIN=true
```

Out of the box, UI Bakery attempts to match received roles by name. It retrieves the role name(s) from a claim (attribute) named `role`. If a match is found (e.g., the SSO returned a `role=support` claim, and UI Bakery has a `support` role in the workspace), the user's current roles will be replaced with the matched SSO role(s).

### Advanced settings

You can fine-tune role synchronization with the variables below.

#### UI\_BAKERY\_SSO\_SYNC\_ROLES\_ON\_LOGIN

By default, it is set to `false`, and roles are synchronized only during sign-up. If set to `true`, roles are synchronized on every login as well as during sign-up. For OpenID providers, it is also possible to sync roles with every [token refresh](/on-premise/sso/openid/token-refresh.md).

***

**UI\_BAKERY\_SSO\_ROLE\_MAPPING**

Set up a mapping between SSO provider roles/groups and UI Bakery roles when they aren't matched by name, e.g.:

```bash
UI_BAKERY_SSO_ROLE_MAPPING=identityRoleName->bakeryRoleName,identityRoleName2->bakeryRoleName2
```

***

**UI\_BAKERY\_SSO\_SYNC\_ROLES\_BY\_NAME**

By default, it is set to `true`. Set it to `false` to control role syncing exclusively through the `UI_BAKERY_SSO_ROLE_MAPPING` variable.

***

**UI\_BAKERY\_SSO\_HARD\_SYNC\_ROLES**

By default, it's `false`. When set to `true`, UI Bakery overwrites all roles, removing existing ones and adding new ones received from the Identity Provider, even if there are no roles provided.

{% hint style="warning" %}
Please note that if no roles are matched, the user will be removed from the organization and will no longer be able to access it.
{% endhint %}

***

**UI\_BAKERY\_SSO\_SYNC\_ROLES\_FOR\_EDITOR\_AND\_ADMIN**

By default, UI Bakery syncs roles only for end-users, leaving admin and editor roles untouched. Set it to `true` to sync roles for all users.

{% hint style="warning" %}
Please note that in case of a malformed configuration, admin accounts may lose access to the system.
{% endhint %}

***

#### UI\_BAKERY\_SSO\_ROLE\_CLAIM

By default, it is set to `role`. You can change this variable to configure which claim is used as the source for roles.
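Because a wrong mapping combined with hard sync can remove users from the organization, it helps to preview the outcome of a configuration against sample claims before deploying it. The following is an added example, not UI Bakery's code: it models the rules described on this page. The function names, the `privileged` parameter (whether the user is an admin or editor), and the sample values are hypothetical, and it assumes by-name and mapped matches are combined.

```python
# Added example: models the rules documented on this page; not UI Bakery's code.
# Assumption: by-name matches and mapped matches are combined (union).

def parse_role_mapping(raw):
    """Parse 'idpRole->bakeryRole,idpRole2->bakeryRole2' into a dict."""
    mapping = {}
    for pair in filter(None, (p.strip() for p in raw.split(","))):
        idp, sep, bakery = pair.partition("->")
        if not sep or not idp.strip() or not bakery.strip():
            raise ValueError(f"malformed mapping entry: {pair!r}")
        mapping[idp.strip()] = bakery.strip()
    return mapping


def preview_sync(env, claims, workspace_roles, current_roles, privileged=False):
    """Return (resulting_roles, note) for one sync under the given settings."""
    flag = lambda name, default: env.get(name, default).lower() == "true"
    if not flag("UI_BAKERY_SSO_SYNC_ROLES", "false"):
        return set(current_roles), "sync disabled"
    if privileged and not flag("UI_BAKERY_SSO_SYNC_ROLES_FOR_EDITOR_AND_ADMIN", "false"):
        return set(current_roles), "admin/editor left untouched"
    received = claims.get(env.get("UI_BAKERY_SSO_ROLE_CLAIM", "role")) or []
    received = [received] if isinstance(received, str) else list(received)
    mapping = parse_role_mapping(env.get("UI_BAKERY_SSO_ROLE_MAPPING", ""))
    matched = set()
    for role in received:
        if flag("UI_BAKERY_SSO_SYNC_ROLES_BY_NAME", "true") and role in workspace_roles:
            matched.add(role)
        if mapping.get(role) in workspace_roles:
            matched.add(mapping[role])
    if matched:
        return matched, "roles replaced"
    if flag("UI_BAKERY_SSO_HARD_SYNC_ROLES", "false"):
        return set(), "LOCKOUT: no match under hard sync, user removed"
    return set(current_roles), "no match, roles kept"


# Constructed sample configuration and workspace (not from the page).
ENV = {
    "UI_BAKERY_SSO_SYNC_ROLES": "true",
    "UI_BAKERY_SSO_ROLE_CLAIM": "groups",
    "UI_BAKERY_SSO_ROLE_MAPPING": "idp-helpdesk->support",
    "UI_BAKERY_SSO_SYNC_ROLES_BY_NAME": "false",
    "UI_BAKERY_SSO_HARD_SYNC_ROLES": "true",
}
WORKSPACE_ROLES = {"support", "sales"}

if __name__ == "__main__":
    for groups in (["idp-helpdesk"], ["sales"], []):
        print(groups, preview_sync(ENV, {"groups": groups}, WORKSPACE_ROLES, {"sales"}))
```

With by-name matching disabled, the `sales` group no longer matches anything, so under hard sync the preview reports a lockout for that user.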

