When using SCIM (System for Cross-domain Identity Management) to automate user provisioning, it's essential to ensure that the roles assigned in your identity provider (IdP) correctly reflect in your workspace. However, role mismatches can occur, and this article outlines common causes and solutions to help you resolve them effectively.
Common Causes of Role Mismatch
1. User Pre-existed Before SCIM Provisioning Was Enabled
One frequent cause of role mismatch is when a user was already invited to the workspace and assigned a role before SCIM provisioning was turned on. In such cases, the user's identity may not be properly linked to the SCIM system, resulting in incorrect or missing role assignments.
How to Fix It:
- When SCIM is enabled, existing users will receive an email prompting them to join the workspace via Single Sign-On (SSO).
- The user must accept the invitation and rejoin via SSO. This action re-links their account to the identity system, allowing SCIM to assign the correct role based on IdP settings.
2. Seat Allocation Has Been Maxed Out
Another possible issue is that the seat allocation for a specific role has been reached. If you've assigned the maximum number of users to a role (e.g., Admins or Editors), new users being provisioned may not receive the intended role because no additional seats are available.
How to Fix It:
- Review your current seat allocation in your workspace's admin panel.
- If the limit has been reached, the user may not be provisioned correctly or may be assigned a fallback role.
- To increase seat capacity, please contact sales at sales@lottiefiles.com for assistance.
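The two causes above can be told apart by reconciling the roles your IdP assigns against the workspace member list. The Python below is an added example, not LottieFiles code or an official export format: the field names, the `Viewer` fallback role, the seat limits and every sample record are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data; field names are assumptions, not a real export schema.
SCIM_ENABLED_AT = datetime(2024, 3, 1)
SEAT_LIMITS = {"Admin": 2, "Editor": 3}   # hypothetical per-role seat caps
IDP_ROLES = {                             # email -> role the IdP assigns
    "ana@example.com": "Admin", "ben@example.com": "Editor",
    "cy@example.com": "Editor", "dee@example.com": "Editor",
    "eli@example.com": "Editor", "fay@example.com": "Admin",
}
MEMBERS = [  # workspace view: current role, join date, whether joined via SSO
    {"email": "ana@example.com", "role": "Viewer", "joined": datetime(2024, 1, 10), "sso_linked": False},
    {"email": "ben@example.com", "role": "Editor", "joined": datetime(2024, 3, 5), "sso_linked": True},
    {"email": "cy@example.com", "role": "Editor", "joined": datetime(2024, 3, 6), "sso_linked": True},
    {"email": "dee@example.com", "role": "Editor", "joined": datetime(2024, 3, 7), "sso_linked": True},
    {"email": "eli@example.com", "role": "Viewer", "joined": datetime(2024, 4, 2), "sso_linked": True},
    {"email": "fay@example.com", "role": "Viewer", "joined": datetime(2024, 4, 3), "sso_linked": True},
]

def triage(idp_roles, members, seat_limits, scim_enabled_at):
    """Return {email: (expected, actual, cause)} for members whose role differs from the IdP."""
    used = Counter(m["role"] for m in members)  # seats currently occupied per role
    findings = {}
    for m in members:
        expected = idp_roles.get(m["email"])
        if expected is None or expected == m["role"]:
            continue  # not managed by the IdP, or already correct
        if m["joined"] < scim_enabled_at and not m["sso_linked"]:
            # Cause 1: account predates SCIM and was never re-linked via SSO.
            cause = "pre-existing account: user must accept the SSO invitation"
        elif expected in seat_limits and used[expected] >= seat_limits[expected]:
            # Cause 2: no free seat left for the intended role.
            cause = "seat allocation for role is full"
        else:
            # Neither documented cause applies; gather evidence for support.
            cause = "unexplained: collect IdP logs and contact support"
        findings[m["email"]] = (expected, m["role"], cause)
    return findings

if __name__ == "__main__":
    for email, (expected, actual, cause) in triage(
            IDP_ROLES, MEMBERS, SEAT_LIMITS, SCIM_ENABLED_AT).items():
        print(f"{email}: expected={expected} actual={actual} -> {cause}")
```

Each finding carries the expected role, the actual role and the likely cause, which are the same details support asks for when you open a ticket.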
Need Help?
If you're still encountering issues after reviewing these steps, consider reaching out to your internal IT or IdP administrator to verify SCIM configurations, or contact support@lottiefiles.com for further assistance.
To expedite the investigation, provide the following relevant information:
- The affected user’s email address.
- Expected role from the identity provider.
- The actual role assigned in the workspace (if any).
- Screenshot or logs from your IdP showing role attributes.
- Confirmation of whether the user was added before or after SCIM was enabled.
- Any error messages received during provisioning.
- Confirmation of available seat allocation for the role.