# Group mapping

For IdP integration, **GitProtect** uses differentiated login levels (such as **Admin**, **Backup Operator**, **Viewer**, etc.). By default, each user is authenticated individually, with predefined permissions based on the roles assigned to them. If you need multiple users to log in with consistent security policies, permissions, or access rights, you can implement group mapping.

The configuration process requires two key parameters: **claim type** and **claim value**. For example, in **Azure Active Directory**, these parameters are:

1. **Claim type** — the name of the custom claim defined for the application on the **Azure AD** side to identify the group. In this example, the **claim type** value is set to <kbd>xoperogroup</kbd>.
2. **Claim value** — a unique **Azure AD** group identifier (ID) to be mapped (<mark style="color:red;">**not its name**</mark>).

<figure><img src="https://696332517-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtsE6XtJyUIEKVdSxPlS3%2Fuploads%2Fgit-blob-eefae00c8ea1d443ee71978ecaf5cc3e17d25bcf%2Fimage%20(395).png?alt=media" alt="Azure AD group mapping"><figcaption><p><em>Group mapping configuration.</em></p></figcaption></figure>

{% hint style="warning" %}
The only account not subject to group mapping permissions is the root admin. Logging in using **SAML** with different group permissions doesn't change the root admin access level: the user remains the root admin after signing in and keeps the permissions assigned to the root admin.
{% endhint %}
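
To confirm during setup that the IdP sends what the mapping expects, the following sketch checks a decoded SAML assertion for the claim type used in the example above (<kbd>xoperogroup</kbd>) and flags values that are group names rather than group IDs. It is an added example, not GitProtect code; the attribute `Name` format, the GUID shape check, the group IDs, and the role mapping are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_TYPE = "xoperogroup"  # claim type from this page's example
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed mapping: group ID -> login level (IDs are made up, not real groups)
GROUP_ROLE_MAP = {
    "11111111-2222-3333-4444-555555555555": "Backup Operator",
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "Viewer",
}

# Constructed AttributeStatement, not captured from a real tenant
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="xoperogroup">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>Backup-Team</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_group_claim(assertion_xml, claim_type=CLAIM_TYPE, mapping=GROUP_ROLE_MAP):
    """Return (matched_roles, problems) for the group claim in a decoded assertion.

    Setup diagnostic only: it does not verify the assertion's signature.
    """
    root = ET.fromstring(assertion_xml)
    values = [
        (v.text or "").strip()
        for attr in root.iterfind(".//saml:Attribute", SAML_NS)
        if attr.get("Name") == claim_type
        for v in attr.iterfind("saml:AttributeValue", SAML_NS)
    ]
    roles, problems = [], []
    if not values:
        problems.append(f"claim '{claim_type}' missing from assertion")
    for value in values:
        if not GUID_RE.match(value):
            problems.append(f"'{value}' is not a group ID (looks like a group name)")
        elif value.lower() in mapping:
            roles.append(mapping[value.lower()])
        else:
            problems.append(f"group ID {value} has no mapping configured")
    return roles, problems


if __name__ == "__main__":
    print(check_group_claim(SAMPLE_ASSERTION))
```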
