User provisioning options
You can configure your tenant to use JIT or SCIM for user provisioning, instead of manually inviting users and assigning them to specific teams and roles.
You can choose from the following options:
Default user provisioning: Invite users directly and assign them to teams and roles manually.
SCIM provisioning: Automatically sync users and groups from your identity provider. Best for centralized, admin-managed provisioning.
Just-in-time user provisioning: Create user accounts automatically the first time someone signs in with SSO. Best for simpler setups without automated user sync.
Enhanced Just-in-time syncing: In addition to automated user provisioning upon first login, also update user permissions using the latest information from the identity provider on subsequent logins.
Please note that manual user invitations may be disabled under certain circumstances:
When JIT with "Enhanced Just-in-time syncing" is enabled, since users are provisioned just-in-time and synced with the IdP on subsequent logins.
When SCIM is enabled, since users are created automatically by the IdP using the SCIM protocol.
When the "Restrict user invitations to tenant owners" setting is enabled, only tenant owners can send out invites.
User group mappings
In order for users to be granted permissions automatically, tenant owners can configure a mapping between IdP groups and Tines permissions in the tenant's Authentication Settings.
For example, the following would assign users in the Administrators group to be Tenant Owners, and members of several groups to join specific teams with different roles and permissions:
{
"tenant_owners_groups": ["Administrators"],
"mappings": [
{ "group_name": "Administrators", "team_name": "Analytics", "role_name": "TEAM_ADMIN" },
{ "group_name": "Managers", "team_name": "Analytics", "role_name": "TEAM_ADMIN" },
{ "group_name": "Managers", "team_name": "Incident Response", "role_name": "EDITOR" },
{ "group_name": "Analysts", "team_name": "Analytics", "role_name": "EDITOR" },
{ "group_name": "Everyone", "team_name": "Incident Response", "role_name": "VIEWER" }
],
"tenant_permissions": [{ "group_name": "Managers", "permission": "AUDIT_LOG_READ" }]
}
Mapping team memberships
In order for your identity provider groups to be mapped into Tines Teams and Case Groups, you need to configure a list of correspondences between IdP groups and Tines Teams via mappings. This specifies how the users from the source IdP group are mapped into the destination Tines Teams or Case Groups, as well as the role they will be assigned.
Each entry in the mappings array must have:
group_name: the source name of an IdP group from your identity provider. Note: group_name used to be called sso_group. This syntax is deprecated.
team_name: the destination Tines Team or Case Group. Case sensitive.
role_name: an existing Tines team role (VIEWER, EDITOR, TEAM_ADMIN, CASE_MANAGER or a custom role). Role names are case-insensitive.
ℹ️Info
In scenarios where a user is a member of more than one source IdP group, and those groups are mapped to different roles on the same team or case group, the first applicable entry in the list will be used.
For example:
{
"mappings": [
{ "group_name": "Managers", "team_name": "Analytics", "role_name": "TEAM_ADMIN" },
{ "group_name": "Managers", "team_name": "Incident Response", "role_name": "EDITOR" },
{ "group_name": "Analysts", "team_name": "Analytics", "role_name": "EDITOR" },
{ "group_name": "Everyone", "team_name": "Incident Response", "role_name": "VIEWER" }
]
}
In this case, a user who belongs to both the Everyone and the Managers source IdP groups would get the EDITOR role in the Incident Response team, because the Managers entry for that team appears earlier in the list than the Everyone entry.
Mapping tenant owners
In the example above, tenant_owners_groups lists an IdP group (called "Administrators") whose members should be promoted to Tenant Owner. When tenant_owners_groups is configured, any existing users who are Tenant Owners and do not belong to a group listed here will be downgraded to regular users. Please make sure that group memberships are being synchronized correctly before making changes to this field: a listed group that has not yet synced, or whose name does not match exactly, will cause every current Tenant Owner outside the listed groups to be downgraded.
Note: tenant_owners_groups used to be called tenant_owners_group (and supported one group name only). This syntax is deprecated.
Mapping tenant permissions
The tenant_permissions field can be used to assign tenant permissions to IdP groups.
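The following Python script is added here as a worked example; it is not part of Tines or its documentation. It implements the resolution rules described in the mappings, tenant owners and tenant permissions sections over the documented configuration shape: the first applicable mappings entry wins per team or case group, team_name is matched case-sensitively, role_name is case-insensitive, membership of a tenant_owners_groups group grants Tenant Owner, and tenant_permissions are additive. The configuration, user names and group memberships are constructed for illustration. Exact-match comparison of group_name is an assumption (the page only states case rules for team_name and role_name). lint_config flags the deprecated sso_group and tenant_owners_group spellings, and owners_to_be_demoted previews which current Tenant Owners a change to tenant_owners_groups would downgrade, which is the check to run before saving that field.

```python
import json

# Constructed example config in the documented shape; assumed, not exported from a real tenant.
CONFIG_JSON = """
{
  "tenant_owners_groups": ["Administrators"],
  "mappings": [
    { "group_name": "Administrators", "team_name": "Analytics", "role_name": "TEAM_ADMIN" },
    { "group_name": "Managers", "team_name": "Analytics", "role_name": "TEAM_ADMIN" },
    { "group_name": "Managers", "team_name": "Incident Response", "role_name": "EDITOR" },
    { "group_name": "Analysts", "team_name": "Analytics", "role_name": "EDITOR" },
    { "group_name": "Everyone", "team_name": "Incident Response", "role_name": "VIEWER" }
  ],
  "tenant_permissions": [{ "group_name": "Managers", "permission": "AUDIT_LOG_READ" }]
}
"""
CONFIG = json.loads(CONFIG_JSON)


def lint_config(config):
    """Return a list of problems: deprecated key spellings, missing fields, wrong types."""
    problems = []
    if "tenant_owners_group" in config:
        problems.append("tenant_owners_group is deprecated; use tenant_owners_groups (a list)")
    if not isinstance(config.get("tenant_owners_groups", []), list):
        problems.append("tenant_owners_groups must be a list of group names")
    for i, entry in enumerate(config.get("mappings", [])):
        if "sso_group" in entry:
            problems.append(f"mappings[{i}]: sso_group is deprecated; use group_name")
        for key in ("group_name", "team_name", "role_name"):
            # group_name may still be spelled sso_group in an old config; flagged above.
            if key not in entry and not (key == "group_name" and "sso_group" in entry):
                problems.append(f"mappings[{i}]: missing {key}")
    for i, entry in enumerate(config.get("tenant_permissions", [])):
        for key in ("group_name", "permission"):
            if key not in entry:
                problems.append(f"tenant_permissions[{i}]: missing {key}")
    return problems


def resolve_user(config, idp_groups):
    """Compute what a user with the given IdP group memberships would receive.

    Per team or case group the first applicable mappings entry wins; team_name
    is compared exactly (case-sensitive); role_name is case-insensitive and is
    normalised to upper case here. Exact matching of group_name is an assumption.
    """
    groups = set(idp_groups)
    teams = {}
    for entry in config.get("mappings", []):
        group = entry.get("group_name", entry.get("sso_group"))
        if group in groups and entry["team_name"] not in teams:
            teams[entry["team_name"]] = entry["role_name"].upper()
    owner_groups = config.get("tenant_owners_groups", [])
    permissions = sorted({p["permission"] for p in config.get("tenant_permissions", [])
                          if p["group_name"] in groups})
    return {
        "tenant_owner": any(g in groups for g in owner_groups),
        "teams": teams,
        "tenant_permissions": permissions,
    }


def owners_to_be_demoted(config, current_owners, memberships):
    """Current Tenant Owners who belong to none of tenant_owners_groups.

    Run this against synced group memberships before saving a change to
    tenant_owners_groups: these accounts would be downgraded to regular users.
    """
    owner_groups = set(config.get("tenant_owners_groups", []))
    return [u for u in current_owners if not owner_groups & set(memberships.get(u, []))]


if __name__ == "__main__":
    # Constructed users and memberships for the preview check.
    print(lint_config(CONFIG))
    print(resolve_user(CONFIG, ["Everyone", "Managers"]))
    print(owners_to_be_demoted(CONFIG, ["alice", "bob"],
                               {"alice": ["Administrators"], "bob": ["Managers"]}))
```

The user in both Everyone and Managers ends up as EDITOR on Incident Response, not VIEWER, because the Managers entry is listed first; reordering the two Incident Response entries would flip that result, which is why the order of mappings matters when a broad group such as Everyone is used.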