Automatically add new users to an organization

Is there a way to configure Grist (self-hosted for now) to automatically add new users to an organization? I’m using the GRIST_SINGLE_ORG configuration and SAML login, and everything works flawlessly, except for the organization assignment part. This is what a new user sees when logging in:

I could add this behavior myself, but maybe upstream Grist already has something like this 🙂

1 Like

Hi @Ivan_Filgueiras, we don’t have that behavior yet. You’re not the first to ask about it. There is a way to add users in bulk, but you still need their email addresses up front. If you do add the behavior yourself, a pull request would be very welcome 🙂

1 Like

Will do!

What do you think about making this the default behavior if the deployment is using GRIST_SINGLE_ORG? I’m trying to figure out how to approach this in the code.

Off the top of my head, a good hook might be here:

At this point the page is loading, the user is known, and we’ve determined they don’t currently have access to whatever they are trying to look at.

Or, on the back end, you could look at tweaking the endpoints that serve landing pages:

I’d say if you do make a PR, we wouldn’t want this to be the default behavior, since it could be a surprise for existing users. Presumably some extra configuration is needed, to express what level of access is to be granted automatically? Presence or absence of that configuration could be what determines whether this behavior kicks in?

1 Like

Ok. Will design it this way. I’ll probably use an environment variable to define an auto-assign org or something similar.

1 Like

Meanwhile, until this is resolved, which would be the recommended way to manually add users to an organisation?

Hi @yala1, an owner of an organization’s team site should be able to manage users as described here:

@paul-grist Have there been any updates yet? How would I even add a single user to the organization if I enabled GRIST_SINGLE_ORG and GRIST_FORCE_LOGIN?

Hi @Andrew_Singley, you should be able to use the “Manage Team” button to do that:

No, I haven’t seen any updates for the original problem in this thread, where users on a particular domain are automatically granted rights to a site.

I figured out the solution to my problem. I needed to set GRIST_DEFAULT_EMAIL to initialize the owner of my organization with my SAML account’s email. This was never discussed in the docs outside of the telemetry section. I strongly recommend moving this information to the authentication section because the telemetry section shouldn’t solely contain critical authentication setup variables needed for any user using SAML. Please add the email variable to the auth docs as a required variable. It would have saved me a headache. Finally, please update the session state store to output when a user was unauthorized rather than throwing a general error about not being able to retrieve the session. I successfully deployed Grist now and I think those changes would help a lot of people. Finally, it would be nice if SAML attributes could contain Organization information to allow a user to access. Thank you so much!

2 Likes
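The bulk route mentioned earlier in the thread (email addresses known up front), as an added example that is not code from Grist or from any poster: it filters a list of addresses against an allowed email domain and grants only the lowest role through the Grist REST API's `PATCH /api/orgs/{orgId}/access` call. The base URL, org id, API key, domain and sample addresses are assumed placeholders.

```python
import json
import urllib.request

# Assumed policy values, not taken from the thread.
ALLOWED_DOMAINS = {"example.org"}
DEFAULT_ROLE = "viewers"          # least privilege: read-only unless raised later
VALID_ROLES = {"owners", "editors", "viewers", "members"}


def build_access_delta(emails, allowed_domains=ALLOWED_DOMAINS, role=DEFAULT_ROLE):
    """Return (payload, rejected) for a bulk org-access change.

    Only addresses whose domain exactly matches an allowed domain are kept,
    so look-alikes such as user@example.org.evil.test are rejected.
    """
    if role not in VALID_ROLES:
        raise ValueError(f"unknown role: {role!r}")
    users, rejected = {}, []
    for raw in emails:
        email = raw.strip().lower()
        local, sep, domain = email.rpartition("@")
        if not sep or not local or "@" in local or domain not in allowed_domains:
            rejected.append(raw)
            continue
        users[email] = role
    return {"delta": {"users": users}}, rejected


def apply_delta(base_url, org_id, api_key, payload):
    """Send the delta to the org access endpoint; returns the HTTP status."""
    req = urllib.request.Request(
        f"{base_url}/api/orgs/{org_id}/access",
        data=json.dumps(payload).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample input: two valid users, three that must be rejected.
SAMPLE = [" Alice@Example.org ", "bob@example.org",
          "mallory@example.org.evil.test", "eve@evil.test@example.org", "no-at-sign"]

if __name__ == "__main__":
    payload, rejected = build_access_delta(SAMPLE)
    print(json.dumps(payload, indent=2), "rejected:", rejected)
```

Review the rejected list before calling `apply_delta`, and run it with an API key belonging to an owner of the organization.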