SCIM user management rules
An Organization administrator role is required. For information, see User roles.
SCIM user management rules assign roles and tenant access based on group membership in your IdP. When a user is added to a group linked to a rule, they receive the access defined by that rule. When a user is removed from the group, their assigned role and tenant access are removed. For more information, see Understanding SCIM user management rules.
Important: Users managed by a user management rule appear in the User Management page with a SCIM badge. If no badge appears next to a user's email, the user is not managed by a user management rule.
Default user management rules
A set of default user management rules such as the Nintex Participant rule is available to help you get started. To use a default rule, create a group in your IdP with the same name and add users to it. The assigned role applies to users in the tenant where SCIM is configured. If you don’t want to use a default rule, you can delete it. The following table lists the default rules and their assigned roles.
| Group name | Role |
|---|---|
| Nintex Participants | Participant |
| Nintex Designers | Designer |
| Nintex Developers | Developer |
| Nintex Automation Admins | Automation Admin |
| Nintex Administrators | Global Admin |
After you set up a directory, you can configure user management rules for your tenant. When a rule is added, disabled, enabled, or deleted, it only affects new messages or changes from the IdP. To update access for users already in the system, the admin must re-sync the organization.
Understanding SCIM user management rules
SCIM user management rules let you manage user roles and access in Nintex tenants based on group membership in your IdP. For example, if you create a group named HR-Designers in your IdP, you can create a rule that assigns its members a Nintex role such as Designer or Developer in a tenant of your choice.
When a user is added to a group linked to a user management rule:
- The assigned role and tenant access are applied.
- SCIM user management rules manage the user and control their access.
If the user is later removed from the group:
- The assigned role and tenant access are removed.
- Even if a user was assigned a role before SCIM was enabled, they retain only the access defined by current user management rules. If no rules apply, the user may lose access entirely. For more information, see SCIM user management rules.
If a user is marked as inactive in your IdP, SCIM syncs the status and marks the user inactive in the tenant. SCIM user management rules help you manage access consistently as users change groups or roles.
Add, sync and delete user management rules
- Go to Settings > Organization.
- Click SCIM.
- In the User management rules section, click Add a rule.
- Select an IdP group from the drop-down list.
- Select the Nintex Workflow tenant to which you want to provide access.
- Select the Nintex Workflow role you want to assign.
- (Optional) Select an existing Nintex Workflow group to assign.
- Click Add.
Rules are applied to updates for new users and groups from your IdP. Rules you add or delete apply only to future updates of users and groups from your IdP.
To apply new or deleted rules to existing users and groups, sync the rules after making changes.
- Partial sync of a rule: On the SCIM page, under the User management rules section, click the icon next to the rule, and then select Sync.
  Note: Partial sync is available for disabled and deleted rules. To view them, select the corresponding filter option.
- Complete sync of all rules: On the SCIM page, under the User management rules section, click Sync rules.
Note: Syncing may take some time depending on the size of your directory and the number of rules. Perform a full sync only if required.
After deleting a rule, it no longer applies to incoming changes from the IdP for users and groups. You must sync rules to remove access granted by the deleted rule.
- On the SCIM page, under the User management rules section, to the right of the rule you want to remove, click the icon, and then select Delete.
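The sync behaviour described in this section, as an added Python model (not Nintex code): group membership changes arrive as SCIM PatchOp messages, rules are evaluated only when a message arrives, and a deleted or late-added rule leaves access out of step until a sync. The class and helper names, the tenant `tenant-a`, the user IDs and the simplified message shape are assumptions made for illustration.

```python
# Added illustration: a simplified model of the behaviour described on this page.
# Class/method names, tenant "tenant-a" and the user IDs are constructed.
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644 schema URN

class TenantModel:
    def __init__(self):
        self.rules = {}    # IdP group -> (group, tenant, role)
        self.members = {}  # IdP group -> user IDs last reported by the IdP
        self.access = {}   # user ID -> set of grants currently held

    def handle_group_patch(self, group, msg):
        """Apply one SCIM PatchOp; rules are evaluated only for this message."""
        if PATCH_OP not in msg.get("schemas", []):
            raise ValueError("not a SCIM PatchOp message")
        rule = self.rules.get(group)
        for op in msg["Operations"]:
            kind = op["op"].lower()  # some IdPs send "Add"/"Remove"
            if op.get("path") != "members" or kind not in ("add", "remove"):
                continue
            for user in (m["value"] for m in op["value"]):
                current = self.members.setdefault(group, set())
                grants = self.access.setdefault(user, set())
                if kind == "add":
                    current.add(user)
                    if rule:
                        grants.add(rule)
                else:
                    current.discard(user)
                    if rule:
                        grants.discard(rule)

    def expected(self):
        """Access that the current rules define for the current membership."""
        out = {}
        for group, users in self.members.items():
            if group in self.rules:
                for user in users:
                    out.setdefault(user, set()).add(self.rules[group])
        return out

    def stale_grants(self):
        """Grants held that no current rule justifies; a sync removes these."""
        exp = self.expected()
        extra = {u: g - exp.get(u, set()) for u, g in self.access.items()}
        return {u: g for u, g in extra.items() if g}

    def sync(self):
        self.access = self.expected()

def member_patch(op, *users):
    """Build a constructed PatchOp that adds or removes group members."""
    return {"schemas": [PATCH_OP], "Operations": [
        {"op": op, "path": "members", "value": [{"value": u} for u in users]}]}
```

A non-empty `stale_grants()` after a rule deletion is the window in which users keep access the rule set no longer defines, which is why the sync step follows every rule change.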
Enable and disable user management rules
Important: When a rule is added, disabled, enabled, or deleted, it only affects new messages or changes from the IdP. To update access for users already in the system, the admin must re-sync the organization.
- On the SCIM page, under the User management rules section, to the right of the rule you want to enable, click the icon, and then select Enable.
- On the SCIM page, under the User management rules section, to the right of the rule you want to disable, click the icon, and then select Disable.
You can view active, inactive, and deleted rules on the SCIM page under the User management rules section:
- Select the Active rules tab to see currently enabled rules.
- Select the Inactive rules tab to see disabled rules.
- Select the Deleted rules tab to see removed rules.
- Select the All rules tab to see the complete list of rules.