Skip to main content
RBAC Groups is gradually being rolled out to our Enterprise customers. If you have an Enterprise subscription with Relevance AI and do not have access to this feature yet, please reach out to your sales representative to share your interest in this feature.You will not be able to access this feature if you are not on an Enterprise subscription.
RBAC Groups enables organizations to connect their identity provider (IDP) such as Entra ID or Okta directly to Relevance AI. This allows bulk assignment of users via groups to projects and assets, as well as setting their permissions. Instead of manually assigning hundreds of users individually, organizations can assign entire groups (like “Marketing Team” or “Sales Operations”) to projects and agents. This feature dramatically simplifies user management for large teams by leveraging your existing organizational structure from your identity provider.

Key Features

Direct IDP Integration

Connect identity providers like Entra ID or Okta directly to Relevance AI through WorkOS

Bulk User Assignment

Assign entire groups to projects and assets instead of managing individual users

Group-Level Permissions

Set permissions at the group level for efficient access control across your organization

Automatic Synchronization

Groups sync from your IDP approximately every 60 minutes

Read-Only Groups

IDP groups are managed at the source and cannot be edited within Relevance AI

Unified Interface

Manage group assignments alongside individual users in the same UI
Groups are managed through your identity provider and sync automatically to Relevance AI. Changes made in your IDP will be reflected in Relevance AI approximately every 60 minutes.

Setting Up RBAC Groups

To use RBAC Groups, your organization must first connect your identity provider through WorkOS. WorkOS provides secure integrations with major identity providers including Entra ID (formerly Azure AD) and Okta.
For detailed setup instructions, see the Setting Up Directory Sync section below.
Once your IDP is connected, groups from your identity provider will automatically sync to Relevance AI and become available for assignment.

Organization-Level Groups

Organization Groups Overview
Organization-level groups are only accessible to organization admins and owners.
At the organization level, you can view all groups that have been synced from your identity provider. This provides a centralized view of your organizational structure within Relevance AI.

Accessing organization groups

To view organization-level groups:
  1. Click Settings in the sidebar
  2. Select Organization
  3. Click the User Groups tab
The groups page displays the name, source (e.g., Entra ID, Okta), and member count for each group synced from your identity provider. To view who is in a group and the permissions they have, simply click on the group. You’ll see the complete membership list and group details.
IDP groups are read-only in Relevance AI. To modify group membership, make changes in your identity provider and they will sync automatically.

Project-Level Groups

Adding Groups to Projects Groups can be assigned to projects to give all group members access to that project. This is particularly useful for onboarding entire teams or departments to specific projects. When adding a group to a project, you’ll assign them a project-level role (Admin, Editor, Member, Chat, or Viewer) which determines what they can do within that project.

Adding groups to projects

To add a group to a project:
  1. Head to the Invite to project screen (either through Settings or by clicking your profile picture in Relevance AI)
  2. Click Assign Group
  3. Select the group(s) you want to add
  4. Select the role you want the group to have (Admin, Editor, Member, Chat, or Viewer)
When you add a group to a project, all members of that group will be added to the project with the specified role. If any group members are not already part of the project, they will be automatically added.

Asset-Level Groups

Adding Groups to Assets Groups can also be assigned directly to individual assets (agents, tools, knowledge bases, or workforces). This provides granular control over who can access and use specific resources. When adding a group to an asset, you’ll assign them an asset-level role (Admin, Member, or Viewer) which determines their permissions for that specific asset.

Adding groups to assets

To add a group to an asset:
  1. Open the asset you want to set permissions on
  2. Click Share
  3. Click Groups
  4. Choose the group you want to add
  5. Set the permission for the group (Admin, Member, or Viewer)
If a group is not already part of the asset’s parent project, adding it to the asset will automatically add all group members to the project as well.

How Group Synchronization Works

RBAC Groups maintains synchronization with your identity provider to ensure access control stays current with your organizational structure.

Hourly Sync

Groups automatically sync from your IDP approximately every 60 minutes

New User Sign-Up

Group permissions are applied automatically during the sign-up process for new users

Background Processing

Syncs happen automatically without user intervention

New User Sign-Up Process

When onboarding new users with Directory Sync and Groups enabled, follow this workflow:
1

Enable SSO for the user

Add the user to your identity provider and assign them access to the Relevance AI SSO application.
2

Verify required attributes

Ensure the user has the following required attributes correctly configured in your identity provider:
  • First name
  • Last name
  • Email address
These attributes are required for successful SSO sign-up. See the SSO Setup documentation for more details.
3

Add user to groups

Assign the user to the appropriate groups in your identity provider.
4

Wait for sync

The sync worker runs approximately every 60 minutes (could be slightly longer). Wait for the next sync cycle to complete.
5

User signs up

The user can now sign up to Relevance AI through SSO. Their group-based permissions will be automatically applied during the sign-up process.
6

User appears in Relevance AI

Only after the user completes sign-up and is officially created in the Relevance AI platform will their email address appear in the users list within groups in Relevance AI.
Important: Users will not appear in your Relevance AI groups or user lists until they have completed their first SSO sign-up. Group membership and permissions are configured during the sign-up process, not before.

Adding users to groups

When a user is added to an IDP group:
  1. The change is detected during the next sync (approximately every 60 minutes)
  2. The user automatically gains access to all projects and assets assigned to that group
  3. The user inherits the group’s role and permissions for each resource
  4. No manual intervention is required in Relevance AI
For users not yet signed up to the platform, their group permissions will be applied during the sign-up process. Once they sign up, the user will be reflected as a member in the group.

Removing users from groups

When a user is removed from an IDP group:
  1. The change is detected during the next sync (approximately every 60 minutes)
  2. The user’s group-based access to projects and assets is revoked
  3. If the user has individual (direct) permissions, those are retained
  4. If the user only had group-based access, they lose access to the resource
Users removed from IDP groups lose their group-based permissions immediately upon sync. Ensure you understand the impact before removing users from groups in your identity provider.

Setting Up Directory Sync

To use RBAC Groups, you need to configure directory sync between your identity provider and Relevance AI through WorkOS. This guide walks you through the complete setup process.

Prerequisites

Before setting up Directory Sync, you must first configure Single Sign-On (SSO) for your organization. Directory Sync builds on top of SSO to enable automated user provisioning and group management.

Setup Process

1

Enable the Groups feature

Contact your dedicated sales representative or reach out to our support team via your Slack channel or other support methods to enable the “Groups” feature for your organization. Wait for confirmation before proceeding to the next step.
2

Configure your identity provider

Follow the WorkOS integration guide for your specific identity provider:
Some UI elements in the WorkOS documentation may differ from their current interface.
3

Confirm setup with Relevance AI

After completing the configuration in your identity provider, contact your dedicated sales representative or reach out to our support team via your Slack channel or other support methods to confirm setup. We will monitor and validate that your sync is working correctly.

Current Limitations

The following features are not yet supported in the current version of RBAC Groups:
Automatic user removal is not currently available. Users must be manually removed from the organization when they leave.
Users who have access only through groups (with no direct access) will not appear in the project user list. They will still have access based on their group membership.If you want to give a specific user a different role than their group, you must:
  1. Invite them directly to the project (even if they already have access through a group)
  2. Assign them the desired role
The user will always receive the highest permission level from all their sources. For example, if they have Admin access through a group and you assign them Viewer access directly, they will retain Admin permissions because the highest permission always prevails.
Group membership is only visible on the organization settings page (requires admin access), not on the project invite page.
Folders without accessible agents will still be visible to users, even if they cannot access any agents within them.
Users can downgrade their own group’s permissions without warning or confirmation. Exercise caution when assigning admin permissions.
For questions or assistance with directory sync setup, contact your dedicated sales representative or reach out to our support team via your Slack channel or other support methods.

Frequently asked questions (FAQs)

No. RBAC Groups is available for Enterprise subscriptions only.
RBAC Groups supports major identity providers including Entra ID (formerly Azure AD) and Okta through WorkOS. For a complete list of supported providers, see the WorkOS integrations documentation.
Yes. A group can have different roles at the project level versus the asset level. For example, a group could be Members at the project level but Admins on a specific agent within that project.
If a user belongs to multiple groups assigned to the same resource with different roles, they receive the highest permission level among all their group memberships and individual assignments.
RBAC Groups requires users to authenticate via SSO through your identity provider. Users who sign in with email/password or other non-SSO methods cannot be managed through IDP groups.
RBAC (Role-Based Access Control) provides the permission framework and roles at organization, project, and asset levels. RBAC Groups extends this by allowing you to assign those roles to entire groups of users at once, rather than individually.