Default permissions of new users
Newly created users have permissions based on their group membership at account creation. For local users, an administrator assigns groups manually in the account creation form (or the groups are set using the API). For remote users, group assignment occurs automatically based on two rules:
Each group can have automatic mapping configured separately for each remote user source, such as AD, ADFS, or individual OIDC sources. If mapping is set for a specific source, the default group settings are ignored for that source, and only the mapping is used. At every login, the user's groups are set according to this mapping (unmapped groups are removed and mapped groups are assigned).
Each group can be marked as a default group, meaning it will be automatically assigned to newly created remote users. This is done only if no mapping for the remote user source exists (see above).
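The following Python model of the two rules is an added example, not code from the product. It shows which groups a remote user ends up in at creation and at later logins, and flags sources that fall back to default groups. The data shapes (`Group`, a per-source list of remote group names), the source name `OIDC-1`, and the behaviour that groups stay unchanged on later logins from an unmapped source are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    is_default: bool = False
    # Assumed shape: source name -> remote group names mapped to this group.
    mappings: dict = field(default_factory=dict)

def source_has_mapping(groups, source):
    """True if any group has a mapping configured for this source."""
    return any(source in g.mappings for g in groups)

def resolve_groups(groups, source, remote_groups, current=None):
    """Return local group names after a login from `source`.
    current=None means this login creates the account."""
    if source_has_mapping(groups, source):
        # Mapping wins and is re-applied at every login: membership is
        # recomputed, so groups added by hand are dropped again.
        remote = set(remote_groups)
        return {g.name for g in groups
                if remote & set(g.mappings.get(source, ()))}
    if current is None:
        # No mapping for this source: defaults apply, at creation only.
        return {g.name for g in groups if g.is_default}
    return set(current)  # assumed: later logins leave groups untouched

def sources_using_defaults(groups, sources):
    """List (source, default groups) pairs where every new remote user
    receives the default groups because no mapping exists."""
    defaults = sorted(g.name for g in groups if g.is_default)
    return [(s, defaults) for s in sources
            if defaults and not source_has_mapping(groups, s)]

# Constructed sample configuration.
GROUPS = [
    Group("Viewers", is_default=True),
    Group("Operators", mappings={"AD": ["CN=Ops"]}),
    Group("Admins", mappings={"AD": ["CN=SecAdmins"]}),
]

if __name__ == "__main__":
    print(resolve_groups(GROUPS, "AD", ["CN=Ops"]))
    print(resolve_groups(GROUPS, "AD", ["CN=Ops"], current={"Admins"}))
    print(resolve_groups(GROUPS, "OIDC-1", []))
    print(sources_using_defaults(GROUPS, ["AD", "OIDC-1"]))
```

When reviewing a deployment, the sources returned by `sources_using_defaults` are the ones where the permissions of the default groups are granted to any account the identity provider lets in.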