Issue
After changing the SSO configuration and introducing a default organization role, the role is not automatically assigned to users who previously had no role. Even after signing out and logging in again, those users still see "Access restricted".
Administrators expect all SSO users without a role to automatically receive the default organization role, but the role is not being applied.
Cause
This behavior occurs when the default organization role for SSO was configured or changed after users had already logged in via SSO for the first time.
If users authenticated via SSO before the default role setting was introduced or updated, they do not automatically receive the new default role and may experience access restrictions. Changes to the default organization role configuration are not applied retroactively to existing SSO users.
Things to consider
- When an SSO user logs in for the first time, a new user principal is created and that principal is added to the organization. The default organization role is assigned at that moment only.
- Transition to Manual Management: As soon as an Admin manually changes a user’s role, the system stops managing that user automatically. The platform assumes the Admin is now in full control of that specific identity.
- If an Admin removes a high-level role (like Admin), the system does not revert the user to the default Viewer role. It leaves the user with no roles until an Admin explicitly assigns a new one.
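The following is an added illustration of the lifecycle described above, not HCP's own code: a small model in which the default role is applied only when a principal is first created, a later change to the default is not retroactive, and a manual role change by an Admin ends automatic management. The `access_restricted` helper lists principals that end up with no role, which is the set an Admin needs to fix by hand. All names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed model of the behaviour described in this article (not HCP code).
# Roles are plain strings; "viewer" stands in for the default organization role.

@dataclass
class Principal:
    email: str
    roles: Set[str] = field(default_factory=set)
    managed: bool = True  # False once an Admin has changed the roles by hand

@dataclass
class Organization:
    default_sso_role: Optional[str] = None
    principals: Dict[str, Principal] = field(default_factory=dict)

    def sso_login(self, email: str) -> Principal:
        """First SSO login creates the principal and applies the default role once.
        Later logins change nothing, even if the default role was set afterwards."""
        p = self.principals.get(email)
        if p is None:
            p = Principal(email)
            if self.default_sso_role:
                p.roles.add(self.default_sso_role)
            self.principals[email] = p
        return p

    def set_default_role(self, role: str) -> None:
        # Not retroactive: principals that already exist are left exactly as they are.
        self.default_sso_role = role

    def admin_set_roles(self, email: str, roles: Set[str]) -> None:
        # A manual change hands the identity to the Admin: no automatic management
        # afterwards, and removing every role does not fall back to the default.
        p = self.principals[email]
        p.roles = set(roles)
        p.managed = False

    def access_restricted(self) -> List[str]:
        # Principals that will see "Access restricted": they hold no role at all.
        return sorted(e for e, p in self.principals.items() if not p.roles)

def scenario() -> List[str]:
    """Replays the situation from the article and returns the stuck users."""
    org = Organization()
    org.sso_login("early@example.com")        # logged in before a default existed
    org.set_default_role("viewer")            # default introduced afterwards
    org.sso_login("early@example.com")        # fresh login: still no role
    org.sso_login("late@example.com")         # new user: gets "viewer"
    org.admin_set_roles("late@example.com", {"admin"})
    org.admin_set_roles("late@example.com", set())  # Admin removed; no fallback
    return org.access_restricted()
```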
Additional Information
https://developer.hashicorp.com/hcp/docs/hcp/iam/sso/default-role
Need Help?
If you need further assistance, contact HashiCorp Support.