My organization has thousands of potential clients who may need to submit requests to our marketing production unit. We are using SSO to authenticate our users. We would like to define 2 Active Directory groups to manage our users. AD Group 1: All production staff, product managers, system admins, leadership, etc. This group has a variety of Access Levels to which anyone could be assigned. We would like to manually manage these Access Level assignments. AD Group 2: Everyone else. This group would authenticate into WF and automatically map Access Level = Reviewer. Though not a networking expert, my goal is a process such as... User visits domain.workfront.com. If they are found in AD Group 1, they are authenticated into WF without any Access Level mapping . They are assigned whatever Access Level we have manually assigned in WF. If they are NOT in AD Group 1, they are passed to AD Group 2. If there, they are authenticated into WF and mapped to Access Level=Reviewer . They can then navigate WF with Reviewer access. My IT contact suggests this isn't possible, because AD can either map EVERYONE or NO ONE. I'd like a second opinion. Has anyone configured their SSO/AD as I hope to do so? Steve Teitelbaum Federal National Mortgage Association (Fannie Mae)