
# Manage Users

> Detailed guide on how to add, manage, and delete users in TrueFoundry

Users can be added manually to a tenant or in an automated way by setting up Single Sign-On (SSO) with your Identity Provider (IdP). This page explains how users are provisioned, invited, assigned roles, deactivated, and deleted.

<Note>
  We recommend setting up SSO since it's more secure and also makes it easier to
  manage users. You can set up SSO with your Identity Provider (IdP) by reading
  [SSO Overview](/docs/sso).
</Note>

## User provisioning

<Info>
  The dedicated **Provisioning** settings page and the SCIM, JIT, and Invite-only provisioning modes described below are available starting from **v0.143**. On earlier versions, SCIM is configured inline in the SSO form. See the [Identity and Access Revamp announcement](/docs/change-announcements/identity-and-access-revamp-v0.143) for migration details.
</Info>

User provisioning controls how user accounts are created and removed in a TrueFoundry tenant. Provisioning is configured per tenant, so each tenant can have its own SSO and provisioning settings.

Go to **Settings > Security & Access > Provisioning** to configure the provisioning mode.

<Frame caption="Provisioning modes below SSO settings">
  <img src="https://mintcdn.com/truefoundry/xnxwG9wbAPzCd_DD/images/docs/platform/security-access-provisioning-settings.png?fit=max&auto=format&n=xnxwG9wbAPzCd_DD&q=85&s=96c7e4e0d9a1f30c82fe4c4cb2352096" alt="Provisioning settings showing SCIM, Just-in-time, and Invite-only modes" width="1024" height="559" data-path="images/docs/platform/security-access-provisioning-settings.png" />
</Frame>

TrueFoundry supports three provisioning modes:

| Mode                   | What it does                                                                                                | Best for                                                                                         |
| ---------------------- | ----------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ |
| **SCIM**               | Your IdP syncs users and groups into TrueFoundry automatically. Deprovisioning is also handled by your IdP. | Organizations that want the IdP to be the source of truth for user and group lifecycle.          |
| **Just-in-time (JIT)** | TrueFoundry creates a user dynamically the first time a valid token is received from your IdP.              | Organizations that use SSO but do not want to configure SCIM sync.                               |
| **Invite-only**        | Admins manually invite users to the tenant.                                                                 | External collaborators, early rollouts, or tenants where every user should be approved manually. |

<Info>
  Provisioning creates or controls TrueFoundry user accounts. It is separate from [Identity Providers](/docs/platform/identity-providers), which validate externally issued JWTs for API and gateway access.
</Info>

### Capability matrix

| Capability                               | SCIM               | JIT                     | Invite-only |
| ---------------------------------------- | ------------------ | ----------------------- | ----------- |
| Create users automatically               | Yes, from IdP sync | Yes, on first SSO login | No          |
| Deactivate or remove users automatically | Yes, from IdP sync | No                      | No          |
| Sync groups or teams automatically       | Yes                | No                      | No          |
| Requires SSO                             | Recommended        | Yes                     | No          |
| Requires admin invite                    | No                 | No                      | Yes         |
| Best suited for external collaborators   | No                 | No                      | Yes         |

### Configure a provisioning mode

Each tenant uses exactly one provisioning mode at a time. Pick the tab below that matches the mode you've selected on the **Provisioning** page.

<Tabs>
  <Tab title="SCIM">
    TrueFoundry supports [SCIM (System for Cross-domain Identity Management)](https://scim.cloud/) to automatically create, update, and deactivate users and groups from your identity provider. SCIM is available for both OIDC and SAML v2 SSO configurations.

    <Info>
      SCIM enables automatic lifecycle management for both **users** and **teams**. Adding or removing a user in your IdP adds or removes the corresponding user in TrueFoundry, and IdP groups are synced as TrueFoundry teams. For team-specific behavior and the group name convention, see [Provision teams via SCIM](/docs/platform/team-management#provision-teams-via-scim).
    </Info>

    <Steps>
      <Step title="Enable SCIM provisioning">
        Turn on **SCIM** under **Settings > Security & Access > Provisioning**.
      </Step>

      <Step title="Get the SCIM URL">
        After saving your SSO configuration, expand the SSO configuration to view the SCIM URL along with other metadata. Copy this URL for your identity provider's SCIM settings.

        <img src="https://mintcdn.com/truefoundry/f3KTstSSq3H4Ys2R/images/scim_url.png?fit=max&auto=format&n=f3KTstSSq3H4Ys2R&q=85&s=856a4bdbb60d9ebe72a42569a3a81a58" alt="SCIM URL displayed in SSO configuration" width="1408" height="622" data-path="images/scim_url.png" />
      </Step>

      <Step title="Get the SCIM token">
        Click the **key icon** next to your SSO configuration to generate and copy the SCIM authentication token.

        <img src="https://mintcdn.com/truefoundry/83e0kg2LyHcfZ91Y/images/get_scim_token.png?fit=max&auto=format&n=83e0kg2LyHcfZ91Y&q=85&s=7fa1462dd1356c95b6f651b2e641b62d" alt="Get SCIM Token option" width="1388" height="588" data-path="images/get_scim_token.png" />

        <Warning>
          Store this token securely. You need it to authenticate SCIM requests from your identity provider.
        </Warning>
      </Step>

      <Step title="Configure your identity provider">
        In your identity provider's SCIM provisioning settings:

        * Set the **SCIM Base URL** to the SCIM URL from TrueFoundry.
        * Set the **Authentication** method to Bearer Token.
        * Use the SCIM token as the Bearer token value.

        Make sure IdP group names follow the naming rules described in [Provision teams via SCIM](/docs/platform/team-management#provision-teams-via-scim) so that they sync as valid TrueFoundry teams.
      </Step>
    </Steps>
  </Tab>

  <Tab title="Just-in-time (JIT)">
    Use **Just-in-time (JIT)** provisioning when you want TrueFoundry to create users dynamically at login. When a user signs in with SSO and TrueFoundry receives a valid token from your IdP, TrueFoundry creates the user if they do not already exist.

    Users see a button like `Login with Google|Azure|Okta|Keycloak` depending on the IdP you have set up.

    <img src="https://mintcdn.com/truefoundry/CPOiCulkYtSxMDPK/images/docs/platform/login-button-users.png?fit=max&auto=format&n=CPOiCulkYtSxMDPK&q=85&s=f148b5e2fc48ea43672c781203340a8d" alt="Login with IdP" width="3024" height="1634" data-path="images/docs/platform/login-button-users.png" />

    JIT is useful when your IdP is the source of truth for authentication, but you do not want to configure SCIM user sync.

    <Warning>
      JIT requires SSO to be enforced. Otherwise, users who are not yet present in TrueFoundry can still be added manually or invited depending on your tenant settings.
    </Warning>
  </Tab>

  <Tab title="Invite-only">
    Use **Invite-only** when admins should explicitly control who can join the tenant. In this mode, admins invite users from **Access > Users**. This is useful for external collaborators, early rollouts, or tenants where access should be granted manually instead of automatically from the IdP.
  </Tab>
</Tabs>

## Manage users

<AccordionGroup>
  <Accordion title="Invite a user">
    If you use Invite-only provisioning, or you want to invite users who are not part of your IdP, use the **Invite User** button on the **Access > Users** page. You need to enter the email of the user you want to add.

    <img src="https://mintcdn.com/truefoundry/5CkapnZ7CyjQJ4bx/images/docs/invite-user-dialog.png?fit=max&auto=format&n=5CkapnZ7CyjQJ4bx&q=85&s=7351d56f7ec83eebb0a910e43c184e58" alt="Invite User" width="3840" height="1870" data-path="images/docs/invite-user-dialog.png" />

    <Warning>
      While inviting users manually, there is a checkbox for `Send email to set password`.
      If you check this checkbox, the user will receive an email with a
      link to set their password. You should not check this box if you want the user
      to sign in via SSO, since no password needs to be set in that case.
    </Warning>
  </Accordion>

  <Accordion title="Deactivate a user">
    Admins can deactivate a user's account. This will prevent the user from logging in to the platform. This can be useful if you do not want to delete the user's account, but just want to deactivate them temporarily.

    <iframe href="https://app.supademo.com/embed/mgzGvinYK6OQa2491Uo7Z" typeofembed="iframe" height="475px" width="100%" src="https://app.supademo.com/embed/mgzGvinYK6OQa2491Uo7Z" style={{ border: "none", display: "flex", margin: "auto" }} />
  </Accordion>

  <Accordion title="Delete a user">
    Admins can delete the accounts of users who are no longer part of your organization. This removes the user account from the list of users and does not affect any resources created by the user.

    <Frame caption="">
      <img src="https://mintcdn.com/truefoundry/9lYm7n0BF3i5yINM/images/platform-user-management-delete-user-2.png?fit=max&auto=format&n=9lYm7n0BF3i5yINM&q=85&s=052d2dd5e0c89b5f85cad229554e135b" width="1510" height="740" data-path="images/platform-user-management-delete-user-2.png" />
    </Frame>

    <Note>
      Before deleting the user, you MUST remove the user explicitly from all
      resources and teams; otherwise, the system will not allow the deletion.

      <img src="https://mintcdn.com/truefoundry/9lYm7n0BF3i5yINM/images/platform-user-management-delete-user-1.png?fit=max&auto=format&n=9lYm7n0BF3i5yINM&q=85&s=e84e110d6c9d97897d78d7d0c8669c6f" width="3016" height="1712" data-path="images/platform-user-management-delete-user-1.png" />
    </Note>
  </Accordion>

  <Accordion title="Reset password for a user">
    This is needed only if you are managing users manually and have not set up SSO.

    **Admins** can initiate a password reset process for a user. This will send an email to the user with a link to reset their password.

    <iframe href="https://app.supademo.com/embed/_5X8B-50MA-Oom0qUMZA2" typeofembed="iframe" height="475px" width="100%" src="https://app.supademo.com/embed/_5X8B-50MA-Oom0qUMZA2" style={{ border: "none", display: "flex", margin: "auto" }} />
  </Accordion>
</AccordionGroup>

<Tip>
  * Looking for how to assign **Admin** or **Member** roles to a user? See [Assign a role to a user](/docs/platform/manage-user-roles-and-permissions#assign-a-role-to-a-user).
  * Looking for how to create or revoke **Personal Access Tokens (PATs)** for a user? See [API Keys — Personal Access Tokens (PATs)](/docs/generating-truefoundry-api-keys#personal-access-tokens-pats).
</Tip>

## Manage users programmatically

Admins can manage users programmatically using APIs. See the complete API reference [here](https://docs.truefoundry.com/api-reference/users/list-users).
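
The capability matrix above shows that JIT and Invite-only do not deactivate or remove users automatically, so accounts of people who have left the IdP need a periodic review. The following is an added example, not TrueFoundry code: it reconciles a tenant user export against an IdP export. The record fields (`email`, `active`, `status`), the status values, and the `approved_external` allowlist are assumptions made for illustration, and the sample data is constructed.

```python
"""Find tenant accounts that outlived their IdP identity (JIT / Invite-only modes)."""

# Constructed sample exports. Field names and status values are assumptions,
# not TrueFoundry's or any IdP's actual API schema.
TENANT_USERS = [
    {"email": "Alice@Example.com", "active": True},
    {"email": "bob@example.com", "active": True},
    {"email": "carol@partner.example", "active": True},
    {"email": "dave@example.com", "active": False},
]
IDP_USERS = [
    {"email": "alice@example.com", "status": "ACTIVE"},
    {"email": "bob@example.com", "status": "SUSPENDED"},
    {"email": "dave@example.com", "status": "DEPROVISIONED"},
]


def _norm(email):
    # Compare addresses case-insensitively; exports often differ in casing.
    return email.strip().casefold()


def find_stale_accounts(tenant_users, idp_users, approved_external=()):
    """Return sorted (email, reason) pairs for active tenant users to review."""
    idp_status = {_norm(u["email"]): u["status"] for u in idp_users}
    allow = {_norm(e) for e in approved_external}
    findings = []
    for user in tenant_users:
        if not user["active"]:
            continue  # already deactivated in the tenant
        email = _norm(user["email"])
        status = idp_status.get(email)
        if status is None:
            # Not in the IdP at all: fine only for explicitly approved externals.
            if email not in allow:
                findings.append((email, "no matching IdP account"))
        elif status != "ACTIVE":
            # Still able to use the tenant account although the IdP disabled them.
            findings.append((email, f"IdP status is {status}"))
    return sorted(findings)


if __name__ == "__main__":
    for email, reason in find_stale_accounts(
        TENANT_USERS, IDP_USERS, approved_external=["carol@partner.example"]
    ):
        print(f"review for deactivation: {email} ({reason})")
```

Accounts it reports can then be deactivated or deleted as described under **Manage users**.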
