Hello @gmesaper ,

To simplify, there’s two points that have to be accounted:

1. We import from the old rules to the new ones by parsing as follows: "if the rule is NOT egroups , we discard it as it is not supported under the new SSO, after which, we can only parse groups that are fully given, so if you had a rule for “~=drupal-admins”, we will try using just drupal-admins, however groups such as drupal-admins-gmesaper will not work and you will have to add it manually.

2. New rules can be formed by going to application-portal.web.cern.ch/ , then to the specific application, and on the roles you can change them, there’s documentation here to guide you:

You can follow the full flow either (the way the guide explains).