# Synchronizing SSO groups with Structural

On a self-hosted instance, you can limit the groups that are allowed in Tonic Structural,

## Identifying the allowed groups

To identify the SSO groups that are allowed in Structural, in the Structural web server container, set the value of the `TONIC_SSO_GROUP_FILTER_REGEX` [environment setting](/app/admin/environment-variables-setting.md) to a regular expression that identifies the allowed groups.

If you do not configure this setting, then Structural does not synchronize or load any groups from your SSO provider.

For example, to allow all groups that contain the word "Structural", set `TONIC_SSO_GROUP_FILTER_REGEX` to `.*Structural.*`.

To allow all SSO groups, set `TONIC_SSO_GROUP_FILTER_REGEX` to `.*`.

## Cleaning up non-matching groups

When the value of `TONIC_SSO_GROUP_FILTER_REGEX` changes, Structural does not automatically remove groups that were previously imported into Structural. Groups that no longer match the filter might continue to display in Structural.

For example, you might initially configure `TONIC_SSO_GROUP_FILTER_REGEX` with a permissive value and then edit it to use a more restrictive filter.

To remove the groups that no longer match the filter:

1. [Display the list of SSO groups.](/app/admin/tonic-user-access/single-sign-on/sso-view-groups-list.md)

   If there are non-matching groups, then the **Clean Up Groups** button is enabled.
2. To remove the non-matching groups:
   1. Click **Clean Up Groups**.
   2. On the **Clean Up Groups** dialog, review the list of groups to remove.
   3. To confirm the removal, click **Remove Groups**.

When a group is removed, it is also removed from any workspaces that it was granted access to.
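
The following added example (not part of the Tonic documentation) previews a candidate `TONIC_SSO_GROUP_FILTER_REGEX` value against a list of group names and lists which already-imported groups a stricter value would leave non-matching. It uses Python's `re` module. This page does not state which regex engine or match semantics Structural applies, so the function names, the sample groups, and the comparison of substring and whole-string matching are assumptions.

```python
import re

def preview_filter(pattern, groups):
    """Classify group names under two possible matching semantics.

    Assumption: the page does not say whether the filter is applied as a
    substring search or a whole-string match, so both are evaluated and
    any name where they disagree is reported as ambiguous.
    """
    rx = re.compile(pattern)
    report = {"allowed": [], "blocked": [], "ambiguous": []}
    for name in groups:
        found = rx.search(name) is not None      # pattern occurs somewhere
        whole = rx.fullmatch(name) is not None   # pattern covers the whole name
        if found and whole:
            report["allowed"].append(name)
        elif not found:
            report["blocked"].append(name)
        else:
            report["ambiguous"].append(name)
    return report

def cleanup_candidates(new_pattern, imported_groups):
    """Imported groups that the new filter does not clearly allow."""
    r = preview_filter(new_pattern, imported_groups)
    return sorted(r["blocked"] + r["ambiguous"])

# Constructed sample group names, not taken from any real SSO provider.
IDP_GROUPS = [
    "Structural-Admins",
    "Structural-Editors",
    "Finance-Structural-ReadOnly",
    "NonStructural-Contractors",
    "Engineering",
]

if __name__ == "__main__":
    # Permissive value from this page, an unanchored prefix, and an
    # explicitly anchored allow-list.
    for pattern in (".*Structural.*", "Structural-.*",
                    r"^Structural-(Admins|Editors)$"):
        print(pattern, preview_filter(pattern, IDP_GROUPS))
    # Groups imported under the permissive filter that a stricter filter
    # would leave non-matching.
    print(cleanup_candidates(r"^Structural-(Admins|Editors)$", IDP_GROUPS[:4]))
```

With the sample data, `.*Structural.*` also admits `NonStructural-Contractors`, and `Structural-.*` gives different results depending on match semantics. Anchoring the pattern with `^` and `$` removes that ambiguity.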


