If SCIM is enabled for you and the configuration for SSO is complete, network admins will have access to the User Provisioning tab in the Identity Provider setup page. Once the SCIM service has synced user groups into Kno2fy, network admins can map Organizations to user groups for access.
Prerequisites for mapping User Groups
Complete the Identity Provider Setup, the User Provisioning Setup, SYNC users and user groups.
All users synced through SCIM should be incorporated into groups. The groups should align to the organizations they will need access to. It is common practice to have a group for all the admins if they have the same access.
Expect to have one group for each collection of users in an organization.
Should have at least one group of Organization admins.
Must have one group of Network Admins.
Groups will be mapped to the organizations to grant access.
User group management should be done in the IdP only, e.g. group name updates and membership.
While the same set of users are possibly Organization Admins as well as Network Admins, the system requires a separate group be designated as Network Admins.
Additional notes regarding User management
Additional notes regarding User management
All user management (create and update) should be done in the IdP only, e.g. username updates, name and contact updates, status updates.
Deleting a user from the IdP is treated as a soft delete in Kno2 - access is no longer available and the username is released for future use.
Removing a user from a group = disabling a user from a mapped organization; send permissions and routing rules are intact and available if a user is re-added.
Disabling a user in the IdP = disabling a user from all organizations; send permissions and routing rules are intact and available if a user is re-enabled.
Consider removing routing rules and send permissions before doing any of the items above if appropriate.
Mapping Organizations to User Groups
Log in as a Network Administrator and navigate to Settings > Identity Provider.
Select the User Provisioning tab. Confirm that User Groups and Users have been synced over from your Identity provider.
Select the Group Mapping tab. Map Organizations to User Groups.
Map Organization: Enter the Organization to map.
To User Group: Enter the User Group that maps to the Organization.
With Org Role: Select a Role to apply to the User Group - User or Org Administrator.
Select Add.
Confirm the number of users in the User Group matches the number in your IDP’s User Group.
In the choice of User or Org Administrator, a person can only be designated as one or the other. In the event of an overlap of roles like when a user has membership in two groups, the higher role will always win. The Network Administrator role is a special case and does not compete with the standard roles.
A group that has been assigned a role will have that role designated for all the subsequent mappings of that group. If a group needs to get the role changed, all configurations for that group must be removed first and then reset.