Auto user provisioning

Auto user provisioning allows you to map and automatically assign your Clumio users' roles and OUs based on their association with IdP Groups. Configure provisioning rules to enable automatic assignment of OUs and roles to users that are members of those IdP groups.

This feature is enabled from the Settings > Access management > Auto User Provisioning page. When you enable Auto User Provisioning, all existing permissions are overwritten and users will be evaluated based on their group membership within the IdP and against the rules configured for the said groups within Clumio. Once enabled, you cannot manually assign roles and OUs to users.

The feature can only be enabled by a Super Admin user in Clumio. Before you can enable this feature, you must first create a rule to assign a Super Admin role to the global OU. Only Super Admins can manage auto assignment rules. You cannot delete the Super Admin rule, otherwise you will lose all access to the portal.

Each time a user logs into the Clumio portal, their role and OU assignment is evaluated to determine their permissions and level of access. It can take up to five minutes for role and OU changes to take effect in Clumio when any changes are made to IdP group memberships.

Creating a user provisioning rule

  1. Click Get Started to launch the rule creation wizard.
  2. Type a name for the rule. The name must be unique.
  3. Next, create a condition for the rule. Type a group name and select one of the conditions from the drop down list. If you select conditions with ANY or ALL, click the plus sign to add more groups.
  4. Select a role and organizational unit to assign to the group based on the conditions you selected in step 2. You can only select one role, but you can select more than one OU to assign to a group.
  5. Click Create. You will have created a rule for a group to the effect:
    If the rule name rule for group name that meets the condition, then assign the following role and the following OU(s). Groups that fulfill the conditions will be assigned a role and OU(s) per that rule.

If a user is a member of several groups with different rules, then that user is assigned the role with the lowest permission and access to all assigned OUs. If a user is a member of a group that does not have a role assigned, then that user is denied access to the Clumio portal.

To update or delete a rule, click the relevant icons in the Action column of the rules table.

Setting up SSO with different IdPs

For details about how to enable provisioned users with the following specific IdPs; Okta, Azure, Idaptive, refer to the following KB articles:

For any other IdPs contact us at [email protected].