---
title: Automated user provisioning
url: https://www.tines.com/docs/admin/user-administration/user-provisioning/
updated: 2025-10-15T19:43:03+00:00
---


# Automated user provisioning


### User provisioning options

You can configure your tenant to use JIT or SCIM for user provisioning, instead of manually inviting users and assigning them to specific teams and roles.

You can choose from the following options:

- **Default user provisioning**: Invite users directly and assign them to teams and roles manually.
- **SCIM provisioning**: Automatically sync users and groups from your identity provider. Best for centralized, admin-managed provisioning.
- **Just-in-time user provisioning**: Create user accounts automatically the first time someone signs in with SSO. Best for simpler setups without automated user sync.
  
  - **Enhanced Just-in-time syncing**: In addition to automated user provisioning upon first login, also update user permissions using the latest information from the identity provider on subsequent logins.

Please note that manual user invitations may be disabled under certain circumstances:

- When [JIT](https://www.tines.com/docs/jit/) with "**Enhanced Just-in-time syncing**" is enabled, since users are provisioned just-in-time and synced with the IdP on subsequent logins.
- When [SCIM](https://www.tines.com/docs/scim/) is enabled, since users are created automatically by the IdP using the SCIM protocol.
- When the "**Restrict user invitations to tenant owners**" setting is enabled, only tenant owners can send out invites.

### User group mappings

In order for users to be granted permissions automatically, tenant owners can configure a mapping between IdP groups and Tines permissions in the tenant's Authentication Settings. 

> **IMPORTANT:** These mappings will be used to assign users to teams, roles and permissions. When using JIT, the mappings will only be applied on the first sign in of a user. When using "enhanced just-in-time syncing", users will be updated every time they log in according to the most recent mappings and the user's latest group memberships. When using SCIM, users will be kept in sync any time a SCIM operation is performed or the mappings are updated.

For example, the following would assign users in the `Administrators` group to be Tenant Owners, and members of several groups to join specific teams with different roles and permissions:

```json
{
  "tenant_owners_groups": ["Administrators"],
  "mappings": [
    { "group_name": "Administrators", "team_name": "Analytics", "role_name": "TEAM_ADMIN" },
    { "group_name": "Managers", "team_name": "Analytics", "role_name": "TEAM_ADMIN" },
    { "group_name": "Managers", "team_name": "Incident Response", "role_name": "EDITOR" },
    { "group_name": "Analysts", "team_name": "Analytics", "role_name": "EDITOR" },
    { "group_name": "Everyone", "team_name": "Incident Response", "role_name": "VIEWER" }
  ],
  "tenant_permissions": [{ "group_name": "Managers", "permission": "AUDIT_LOG_READ" }]
}
```

#### **Mapping team memberships**

In order for your identity provider groups to be mapped into [Tines Teams](https://www.tines.com/docs/teams/) and [Case Groups](https://www.tines.com/docs/case-groups/), you need to configure a list of correspondences between IdP groups and Tines Teams via `mappings`.

This will specify how the users from the target IdP group are mapped into the destination Tines Teams or Case Groups, as well as the Role they will be assigned.

Each entry in the `mappings` array must have:

- `group_name` field with the *source* name of an IdP group from your identity provider.
  
  - Note: `group_name` used to be called `sso_group`. This syntax is deprecated.
- `team_name` corresponding to a *destination* Tines Team or Case Group. Case sensitive.
- `role_name` is an existing Tines team role (`VIEWER`, `EDITOR`, `TEAM_ADMIN`, `CASE_MANAGER` or a custom role). Role names are case-insensitive.

> **INFO:** Although the mapping key is `team_name`, the value can refer to either the Team name or the Case Group name.

In scenarios where a user is a member of more than one source IdP group, and those groups are mapped to multiple roles on the same team or case group, the first applicable entry in the list will be used.

For example:

```json
{
  "mappings": [
    { "group_name": "Managers", "team_name": "Analytics", "role_name": "TEAM_ADMIN" },
    { "group_name": "Managers", "team_name": "Incident Response", "role_name": "EDITOR" },
    { "group_name": "Analysts", "team_name": "Analytics", "role_name": "EDITOR" },
    { "group_name": "Everyone", "team_name": "Incident Response", "role_name": "VIEWER" }
  ]
}
```

In this case, if a user belongs to both the `Everyone` and the `Managers` source IdP groups, they would get the `EDITOR` role in the Incident Response team, since the `Managers` entry for that team appears earlier in the list.

#### **Mapping tenant owners**

In the first example above, `tenant_owners_groups` lists an IdP group (called "Administrators") whose members should be promoted to "Tenant Owner". When `tenant_owners_groups` is configured, any existing users who are Tenant Owners and do not belong to a group listed here will be downgraded to regular users. Please make sure that group memberships are being synchronized correctly before making changes to this field.

- Note: `tenant_owners_groups` used to be called `tenant_owners_group` (and supported one group name only). This syntax is deprecated.

#### **Mapping tenant permissions**

The `tenant_permissions` field can be used to assign [tenant permissions](/docs/admin/user-administration/#permissions) to IdP groups.
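
The first-match rule for team roles and the Tenant Owner downgrade described above can be checked offline before a mapping change is saved. The following is an added example, not Tines code: it models the rules as this page states them, and the function names, the sample users and the handling of an absent `tenant_owners_groups` key are assumptions.

```python
import json

# Mapping configuration copied from the first example on this page.
CONFIG = json.loads("""
{
  "tenant_owners_groups": ["Administrators"],
  "mappings": [
    {"group_name": "Administrators", "team_name": "Analytics", "role_name": "TEAM_ADMIN"},
    {"group_name": "Managers", "team_name": "Analytics", "role_name": "TEAM_ADMIN"},
    {"group_name": "Managers", "team_name": "Incident Response", "role_name": "EDITOR"},
    {"group_name": "Analysts", "team_name": "Analytics", "role_name": "EDITOR"},
    {"group_name": "Everyone", "team_name": "Incident Response", "role_name": "VIEWER"}
  ],
  "tenant_permissions": [{"group_name": "Managers", "permission": "AUDIT_LOG_READ"}]
}
""")

def resolve_access(config, idp_groups):
    """Hypothetical helper: the access one user would get from their IdP groups."""
    groups = set(idp_groups)
    teams = {}
    for entry in config.get("mappings", []):
        # `sso_group` is the deprecated spelling of `group_name`.
        source = entry.get("group_name", entry.get("sso_group"))
        if source in groups:
            # First applicable entry per team wins; team names are case sensitive.
            teams.setdefault(entry["team_name"], entry["role_name"])
    permissions = sorted({p["permission"] for p in config.get("tenant_permissions", [])
                          if p["group_name"] in groups})
    owner_groups = set(config.get("tenant_owners_groups", []))
    return {"tenant_owner": bool(groups & owner_groups),
            "teams": teams, "tenant_permissions": permissions}

def owners_to_be_downgraded(config, current_owners):
    """Hypothetical pre-change check: current Tenant Owners outside every listed group.

    current_owners maps a user to the IdP groups they are synced with.
    Assumption: an absent key means the field is not configured, so nobody is downgraded.
    """
    if "tenant_owners_groups" not in config:
        return []
    owner_groups = set(config["tenant_owners_groups"])
    return sorted(user for user, groups in current_owners.items()
                  if not owner_groups & set(groups))

# Constructed sample data: two users who are Tenant Owners today.
CURRENT_OWNERS = {"alice@example.com": ["Administrators", "Everyone"],
                  "bob@example.com": ["Managers", "Everyone"]}
```

Running `owners_to_be_downgraded(CONFIG, CURRENT_OWNERS)` against an export of your current Tenant Owners shows who would lose that status; an unexpected name usually means group memberships are not yet synchronized.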
