Upgraded access control: SAML support & easier role management

Today, we’re releasing two new features that will make it easier to control access to Sanity and the actions users can take inside Sanity Studio.

First, we’re releasing expanded support for single sign-on (SSO) using the Security Assertion Markup Language (SAML) standard for Business and Enterprise plans.

Second, you can now administer and configure roles in the management interface. Customers on all plans have the ability to assign roles for the users in their projects, and Enterprise customers have the added ability to create custom roles and configure granular permissions against content edited within the Studio.

Together, these two releases provide better security and easier administration for your teams.

A key way to improve security and compliance efforts is to enable Single Sign-On (SSO) for your organization. Not only does using SSO allow better access control and help maintain compliance, but it makes managing large groups of users a lot easier and provides a more streamlined experience for your team. Sanity has offered Custom SSO to clients on Enterprise plans for some time, letting you connect to your own custom logic solutions like Active Directory or Kerberos.

Starting today, customers on the Business and Enterprise plans can use the SAML standard to log into Sanity. SAML is one of the most widely used ways of exchanging credentials between identity providers (like Okta, Google, etc.), which means more of our community will be able to take advantage of SSO on Sanity.

To learn how to set up SAML in Sanity Studio, check out our docs. In a few easy steps, you can get SAML configured on all Business and Enterprise projects you choose.

Earlier this year we announced a revamped roles API, and introduced new roles for assignment (depending on your plan) that addressed most of the use cases for content control. That release also included a new version of Sanity Studio that had built-in detection of roles, which automatically controlled access and actions users could take.

Today, we’ve added support in our management interface for managing users and roles, defining custom roles (Enterprise plan feature), and specifying which roles can access specific content within datasets (Enterprise plan feature). That means it’s easier than ever to quickly create and change permissions for individuals or groups with just a few clicks.

To manage roles for a user, navigate to the Members tab, find the user you want to update, and simply choose the new role in the dropdown.

Defining custom roles (Enterprise plan feature) is straightforward too! Just go to the Access tab and click Create new role.

You’ll be asked to name the new role (Marketing Team) and specify which resources and actions this role should have access to. In addition to choosing individual datasets, you now have the ability to tag multiple datasets and grant or remove access to the tag, letting you further simplify role configuration across your team. For example, you may want to have consistent permissions for all datasets that store development, staging, or production content. Appending a dev, staging, or prod tag to the appropriate datasets keeps permissions in sync as long as the tag is enabled.

For more information about how to administer roles in the management interface, check out our docs.

With these two releases, our Enterprise customers can now automatically assign new users who authenticate via SAML SSO to a previously created custom role. For example, you can give all new team members view-only permissions to start, and easily update the default role or an individual team member’s role down the road to help mitigate risk.

We hope you enjoy the added security and convenience of our improved access control features which make logging into Sanity and defining actions a user can take a whole lot easier.