Loading Azure AD Groups into Venio and Mapping Them to Roles

Venio uses Azure AD group mapping to control access instead of assigning permissions to each user individually. There are four access levels in Venio, each of which requires at least one group membership for every user.

1. VenioOne Admin Level Access

Controls the administrative level of the user within Venio.
Example groups:

• Venio Admin

• Non Admin

• Legal Admin

• OnDemand Client Admin

• OnDemand Client External User

• Project Admin

• Data Uploader

• User

2. VenioOne Application Access

Controls which Venio applications the user can access.
Example groups:

• Desktop

• Web ECA

• Review

• Venio Touch

• OnDemand

3. VenioOne Project Level Access

Controls project-level user group permissions within Venio.
Example groups:

• Site Admin Group

• Project Admin Group

• User Group

• Viewer Group

• OnDemand Group

• External User Group

• Data Uploader Group

• Reviewer Group

4. Active VenioOne Users

Controls whether a user can log in and actively use Venio.
Example group:

• Venio User

User Group Assignment Requirement

Each user must be a member of at least one group in each of the four access levels:

• One group under VenioOne Admin Level Access

• One group under VenioOne Application Access

• One group under VenioOne Project Level Access

• One group under Active VenioOne Users

Example

Let’s a user John Doe needs to access the application as:

• An Admin user

• Has access to Desktop and OnDemand applications

• Is a Site Admin at the project level

In Azure AD, John Doe must be added to:

• Venio Admin (for VenioOne Admin Level Access)

• Desktop, OnDemand (for VenioOne Application Access)

• Site Admin Group (for VenioOne Project Level Access)

• Venio User ( for Active VenioOne Users)

In Venio, when you map these Azure AD groups to the corresponding IdP groups:

• Admin Level Access → Venio Admin → IdP Group: Venio Admin

• Application Access → Desktop, OnDemand → IdP Groups: Desktop, OnDemand

• Project Level Access → Site Admin Group → IdP Group: Site Admin Group

• Active User Access → Venio User → IdP Group: Venio User

Once this mapping is completed, when John Doe logs in:

• He will log in as a Venio Admin.

• He will be a Site Admin in all projects.

• He will have access to both Desktop and OnDemand (VOD) applications.

• He will be recognized as an active user in Venio.

Local User Analogy (to Understand Access Levels)

If you’ve ever created a local user directly in Venio, you’ll notice the same four types of access apply there too:

1. Admin Level Access → set from the dropdown (e.g., Venio Admin, Project Admin, Non Admin).

2. Application Access → selected by checking boxes for Desktop, Review, OnDemand, etc.

3. Project Level Access → chosen by assigning the user to a Project Group (e.g., Site Admin Group, Reviewer Group).

4. Active User → automatically enabled when you create a user.

👉 With Azure AD group mapping, you’re essentially doing the same thing — except instead of selecting these access levels in Venio’s “New User” form, they’re inherited automatically from the AD groups the user belongs to.

Loading Groups into Venio

1. Go to SAML IDP Server Setting in Venio.

2. Click Load Groups.

3. Enable "Use IdP groups to control" for all four access levels.

4. Map each Venio role or application to its corresponding Azure AD group.

5. Click Apply to save.

Once complete, Venio will use Azure AD group membership to automatically control user roles, application access, and login permissions.

Note: In Azure AD, you need to create all 22 groups because no group mapping can be left empty.