Automate Grist workspace permissions from OIDC group claims

Component      Version / Notes
Directory      Microsoft Identity Manager (MIM)
OIDC Provider  Sign&Go Authenticator (federated with MIM)
Target App     Grist-Core (self-hosted)
Goal           One folder per business unit. Anyone whose OIDC token says they belong to Service A should land in Grist with Editor rights on /Service A/, but nothing else. All provisioning must be automatic.

What already works

  • Grist is successfully configured as an OIDC client.
  • Sign&Go issues an ID token that contains the claims we need, e.g.:

{
  "sub": "jdoe",
  "name": "John Doe",
  "dir":  "Finance",
  "svc":  "Accounting",
  "groups": ["Accounting", "Payroll"]
}

Pain point

After login, Grist simply creates the user but does nothing with the OIDC claims (dir, svc, groups). It does not natively map these claims to workspace permissions. This means that users must be manually assigned access to their folders/workspaces through the UI, which defeats the purpose of using OIDC for seamless access control.

I am struggling to find a way to automatically assign workspace permissions (e.g., Editor role) based on the user’s group or service information from the OIDC token (e.g., a user in the “Finance” group should have Editor access to the “Finance” folder).


Questions

  1. Did I miss a native feature?
     Is there any hidden-away option (plug-in, env var, webhook…) that lets Grist map OIDC claims ⟶ folder-level ACLs out of the box?

  2. If custom code is required, what’s the right hook?
     • I can call the Grist API to POST /api/workspaces/{wId}/access – no problem.
     • But: how do I trigger that call on every successful login, with the fresh token in hand? Middleware? Reverse-proxy? Custom OIDC callback?

  3. Would you tackle it outside Grist instead?
     An alternative would be a scheduled script (or MIM sync rule) that pre-creates workspaces and sets permissions daily, before users even sign in. Has anyone tried that approach, and have you hit any concurrency/race issues when the first user logs in before the script runs?

What I’m after

  • A clean pattern (built-in or custom) to keep Grist ACLs in perfect sync with groups in the OIDC token, without human clicks.
  • Pointers to examples or good practice are welcome.
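The reconciliation that questions 2 and 3 both need, written out as an added example (not code from Grist, Sign&Go or the original post). It assumes things the post does not state: that the ID token also carries an "email" claim, because Grist's access API is keyed by e-mail rather than by "sub"; one workspace per group, named after the group; a service-account API key that owns those workspaces; and the endpoint as the public Grist API documents it, GET/PATCH /api/workspaces/{wId}/access with a {"delta": {"users": {email: role | null}}} body. The workspace ids, URL and claim sets are constructed sample data.

```python
"""Reconcile Grist workspace roles from OIDC group claims (example, not Grist code).

Assumptions not in the post: an "email" claim in the token, one workspace per
group named after it, an owner-level service-account API key, and the
GET/PATCH /api/workspaces/{wId}/access endpoints with a "delta" body.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Set

GRIST_URL = "https://grist.example.internal"  # hypothetical base URL
EDITOR, OWNER = "editors", "owners"


def plan_user_access(claims: dict) -> Dict[str, str]:
    """Per-login view: {workspace: role} for one user. Only feed it claims whose
    ID token signature, issuer and audience were verified; a login hook would
    PATCH just this user with the result and touch nobody else."""
    return {group: EDITOR for group in claims.get("groups", [])}


def desired_editors(all_claims: Iterable[dict]) -> Dict[str, Set[str]]:
    """Batch view: {workspace: {emails}} from a directory export of claims."""
    wanted: Dict[str, Set[str]] = {}
    for claims in all_claims:
        for workspace in plan_user_access(claims):
            wanted.setdefault(workspace, set()).add(claims["email"].lower())
    return wanted


def access_delta(current_users: List[dict], editors: Set[str]) -> Dict[str, Optional[str]]:
    """Diff the 'users' list from GET .../access against the wanted editors.
    Adds or upgrades missing editors, revokes editors who left the group
    (null removes a user) and never touches owners, so the service account
    and any hand-added admin survive a bad group export."""
    delta: Dict[str, Optional[str]] = {}
    current = {u["email"].lower(): u["access"] for u in current_users}
    for email in editors:
        if current.get(email) not in (EDITOR, OWNER):
            delta[email] = EDITOR
    for email, role in current.items():
        if role == EDITOR and email not in editors:
            delta[email] = None
    return delta


def reconcile(workspaces: Dict[str, int], wanted: Dict[str, Set[str]],
              get_access: Callable[[int], List[dict]],
              patch_access: Callable[[int, dict], None]) -> Dict[str, dict]:
    """One PATCH per workspace that drifted. Idempotent: a scheduled run and a
    login-time run converge on the same state, so a first login before the
    nightly job costs a delay, not a conflict."""
    applied: Dict[str, dict] = {}
    for name, wid in workspaces.items():
        delta = access_delta(get_access(wid), wanted.get(name, set()))
        if delta:
            patch_access(wid, delta)
            applied[name] = delta
    return applied


def grist_call(method: str, path: str, api_key: str, body: Optional[dict] = None):
    """Minimal Grist REST client using the service account's Bearer API key."""
    req = urllib.request.Request(
        GRIST_URL + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Bearer " + api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def sync(api_key: str, all_claims: Iterable[dict], workspaces: Dict[str, int]) -> Dict[str, dict]:
    """Live run: reconcile() wired to the real endpoints (workspace name -> id)."""
    return reconcile(
        workspaces, desired_editors(all_claims),
        get_access=lambda wid: grist_call("GET", f"/api/workspaces/{wid}/access", api_key)["users"],
        patch_access=lambda wid, d: grist_call("PATCH", f"/api/workspaces/{wid}/access",
                                               api_key, {"delta": {"users": d}}))


# Constructed sample data (not from the post): two users' claims and the
# current access of two workspaces as GET .../access would report it.
SAMPLE_CLAIMS = [
    {"sub": "jdoe", "email": "JDoe@example.com", "groups": ["Accounting", "Payroll"]},
    {"sub": "asmith", "email": "asmith@example.com", "groups": ["Payroll"]},
]
SAMPLE_ACCESS = {
    11: [{"email": "svc-grist@example.com", "access": "owners"},
         {"email": "old.user@example.com", "access": "editors"}],
    12: [{"email": "svc-grist@example.com", "access": "owners"},
         {"email": "asmith@example.com", "access": "editors"}],
}


def demo() -> Dict[str, dict]:
    """Offline dry run over the sample data; 11 and 12 are hypothetical workspace ids."""
    return reconcile({"Accounting": 11, "Payroll": 12}, desired_editors(SAMPLE_CLAIMS),
                     get_access=lambda wid: SAMPLE_ACCESS[wid],
                     patch_access=lambda wid, d: None)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things to keep in mind before pointing this at production. First, it revokes as well as grants, so a broken group export empties workspaces; owners are deliberately left alone for that reason, and a dry run that only prints the deltas is worth having. Second, Grist workspaces inherit the org-level role, so if every OIDC login becomes an org member with viewer rights, "nothing else" also means restricting maxInheritedRole on each workspace, which the same PATCH accepts alongside "users".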