I have set up a global role without inventory read rights. Currently I can assign inventory roles to users, giving them access only to one or more device groups.
As I have also configured Single Sign-on, all users in the customer's Azure Active Directory will be created as a user in Cumulocity upon login.
Based on an attribute from the directory I would like to map the users to device groups and only give them access to the appropriate device group.
Currently this only seems to be possible by mapping the inventory roles on a user and not on a group or role. This way, after the initial login of a user, an administrator has to manually add the inventory roles to the user, even though the user might be added to a global role or not.