Skip to main content

Assigning SmartSuite Member Roles via SCIM

Peter Novosel avatar
Written by Peter Novosel
Updated over 2 weeks ago

SmartSuite supports assigning member roles directly through SCIM provisioning, allowing you to control user access automatically from your identity provider. This ensures that users are created with the correct permissions and stay in sync as role assignments change over time.

This feature is available for any SCIM-compliant identity provider, including Okta, Azure AD, and others.

Plan Availability

Enterprise, Signature

Permissions

Administrators

Related Reading

Configuring Single Sign-On (SSO)

What This Feature Does

When provisioning users into SmartSuite via SCIM, you can now specify the user’s member role as part of the SCIM payload. SmartSuite will apply that role during user creation and update it on future syncs.

This removes the need for manual role assignment inside SmartSuite and helps enforce consistent access policies.

Supported SmartSuite Roles

The following role values are supported via SCIM:

  • admin

  • solution_manager

  • general

  • guest

These values must be provided exactly as shown.

If no role is specified, SmartSuite assigns the default role:

  • general

How Role Assignment Works

  • Your identity provider sends a SCIM user payload that includes a roles attribute.

  • SmartSuite reads the roles value and maps it to the corresponding member role.

  • Roles are applied:

    • When a user is first created

    • When user attributes are updated via SCIM

  • Changes made in your identity provider are reflected in SmartSuite on the next SCIM sync.

Only supported role values are accepted. Invalid values are ignored.

Example SCIM User Payload

Below is an example of creating a user with the guest role via SCIM:

POST {{baseUrl}}/authentication/scim/Users {   "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],   "userName": "guestq1a@example.com",   "name": {     "givenName": "Guest134",     "familyName": "User42"   },   "emails": [     {       "value": "guestq1a@example.com",       "primary": true     }   ],   "roles": ["guest"] }

The user will be created in SmartSuite with the Guest role.

Configuring Role Mapping in Your Identity Provider

Your identity provider must be configured to send a roles attribute as a string array using the SCIM core User schema:

urn:ietf:params:scim:schemas:core:2.0:User

General Configuration Guidelines

  • Attribute name: roles

  • Data type: string array

  • Value must match one of the supported SmartSuite roles

  • Attribute does not need to be required

  • Apply mapping on both user creation and update

Most identity providers allow you to:

  • Map roles to an existing attribute

  • Or set a static value (for example, always assign general)

Refer to your provider’s SCIM documentation for exact steps.

Updating Roles After User Creation

If a user’s role changes in your identity provider:

  • Update the roles attribute value

  • Trigger a SCIM sync

  • SmartSuite will update the member’s role automatically

This ensures SmartSuite access stays aligned with your centralized identity policies.

Important Notes and Limitations

  • Only one SmartSuite role should be provided per user

  • Cross-workspace role assignment is not supported

  • Role changes made directly in SmartSuite may be overwritten by SCIM on the next sync

  • This feature applies only to SCIM-provisioned users

Troubleshooting

If a role is not applied as expected:

  • Verify the roles attribute is included in the SCIM payload

  • Confirm the value matches a supported SmartSuite role exactly

  • Ensure your SCIM app is configured to apply updates on user changes

If issues persist, contact SmartSuite Support with details about your identity provider and SCIM configuration.

Using SCIM-based role assignment helps you maintain consistent, automated access control across your organization while reducing manual administration inside SmartSuite.

Related Articles
Connecting SmartSuite to Noloco
Configuring SCIM
Did this answer your question?