# Group mapping
For IdP integration, **Xopero ONE** uses differentiated login levels (i.e., **Admin**, **Backup Operator**, **Viewer**, etc.). By default, single users are being authenticated with predefined permissions, based on the roles they are assigned. If you require multiple users to log in with consistent security policies, permissions, or access rights, you can implement group mapping.
The configuration process includes specifying two key parameters: **claim type** and **claim value**— for example, in **Azure Active Directory**, the following parameters refer to:
1. **Claim type** - name of the custom claim defined for the application on the **Azure AD** side to identify the group. In this example, **claim type** value is set to xoperogroup.
2. **Claim value** - a unique **Azure AD** group identifier (ID) to be mapped (**not its name**).
Group mapping configuration.
{% hint style="warning" %}
The only account not subject to group mapping permissions is the root admin— logging in using SAML with different group permissions doesn't change the root admin access level; user remains the root admin after signing in, and so do their root admin assigned permissions.
{% endhint %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://helpcenter.xopero.com/xopero-one-en/login-and-password/external-identity-providers-saml/group-mapping.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
