Skip to main content

Documentation Index

Fetch the complete documentation index at: https://help.skillsdb.com/llms.txt

Use this file to discover all available pages before exploring further.

Quick Summary: SkillsDB has two default SCIM groups that grant Admin or Full Access permissions, plus administrator-managed custom SCIM groups that can be set to Admin, Full Access, or Basic. A Basic user with direct reports is automatically promoted to Manager.

Overview

SCIM groups are how SkillsDB determines what a provisioned user can do. When a SCIM event arrives from your identity provider, SkillsDB looks at the user’s current group memberships and sets their SkillsDB permission level based on the highest-privilege group they belong to. There are two kinds of SCIM groups:
  • Default SCIM groups — two built-in groups (SkillsdbGlobalAdmins and SkillsdbFullAccess) that administrators cannot delete. These grant Admin and Full Access respectively.
  • Custom SCIM groups — any other group provisioned from your identity provider. These are either auto-created when the first member is provisioned, or created manually by a SkillsDB administrator. Each custom group has a configurable permission level and can trigger automatic career assignment.
SkillsDB has three permission levels: Admin, Full Access, and Basic. A fourth role, Manager, is not set by SCIM groups directly — SkillsDB assigns it automatically to Basic users who have direct reports.

Prerequisites

Before managing SCIM groups, make sure you have:
  • Permission level: SkillsDB administrator
  • Setup requirement: An active SCIM connection (see SCIM Setup)
  • Access requirement: Settings > SSO & SCIM > Configure SSO and SCIM settings

Default SCIM groups

SkillsDB ships with two default SCIM groups. Create groups in your identity provider with exactly these names — any user added to one of them receives the corresponding SkillsDB permission level on the next sync.
Identity provider group nameSkillsDB permission levelWhat the user can do
SkillsdbGlobalAdminsAdminFull system access, including configuration, libraries, and user management.
SkillsdbFullAccessFull AccessAccess to all people, skills, training, and reports across the company. No configuration access.
Default groups cannot be deleted through SCIM — SkillsDB ignores delete events for them and preserves existing memberships. If a default group does not exist when the first user is provisioned, SkillsDB creates it automatically. To see the current membership counts for each default group, navigate to Settings > SSO & SCIM > Configure SSO and SCIM settings and look at the Default SCIM Groups table. The Active Users column links to a filtered People list showing every user in that group.

Custom SCIM groups

Any SCIM group you provision from your identity provider that is not one of the two default groups is treated as a custom SCIM group. Custom groups are useful when:
  • You want to grant Full Access or Admin through a group name that matches your organization’s naming conventions
  • You want to assign careers automatically when users join a specific group (see SCIM Career Automations)
  • You want to deactivate provisioning for a specific group without removing it from your identity provider
Custom groups are created in one of two ways:
  • Auto-created: When a user is provisioned with membership in a group that does not yet exist in SkillsDB, the group is auto-created with Basic permission and no career automations. An administrator can upgrade it later.
  • Manually created: An administrator creates the group in SkillsDB before provisioning users into it. This is the right approach when you want to set the permission level and career automations before the first user arrives.

How permission levels resolve when a user belongs to multiple groups

A user’s effective SkillsDB permission level is the highest among their active SCIM group memberships, evaluated in this order:
  1. If the user belongs to any active group with permission Admin, they receive Admin
  2. Otherwise, if the user belongs to any active group with permission Full Access, they receive Full Access
  3. Otherwise, the user receives Basic
  4. Basic users who have direct reports assigned to them are automatically promoted to Manager
If a user is removed from all SCIM groups, SkillsDB deactivates them through the resulting member-removal events from your identity provider. See Azure Sync Considerations for the full deactivation behavior.

How to create a custom SCIM group

1

Open the SSO & SCIM settings

Navigate to Settings > SSO & SCIM and select Configure SSO and SCIM settings.
2

Open the Create SCIM Group modal

In the top right of the page, select Create SCIM Group.
3

Enter the group details

Enter a Group Name that exactly matches the group name in your identity provider. Group names must be 100 characters or fewer and may only contain letters, numbers, dots, hyphens, and underscores. The group name cannot be changed after the group is created.Optionally enter an Internal Description to help other administrators understand the group’s purpose. This description is only visible to SkillsDB administrators — it is not synced to the identity provider.
4

Select the permission level

Choose one of Admin, Full Access, or Basic from the Permission Level dropdown.
Warning: Selecting Admin grants full system access, including the ability to modify company configuration. Only use this for groups that should hold administrator rights.
5

Optionally add career automations

In the Career Automations section, select + Add Career Automation to attach one or more careers that should be automatically assigned when users are provisioned into this group. See SCIM Career Automations for how to configure these.
6

Create the group

Select Create. The new group appears in the Custom SCIM Groups table.
Once the group exists in SkillsDB, users provisioned into the matching identity-provider group receive the configured permission level on their next sync.

How to edit a custom SCIM group

Select the edit icon in the Action column of the Custom SCIM Groups table. The edit modal lets you change the description, permission level, and career automations. The group name is disabled in edit mode and cannot be changed. Permission-level changes apply to existing members on the next sync — SkillsDB recalculates each member’s effective permission level after the change.

How to deactivate or reactivate a custom SCIM group

Select the archive icon in the Action column. Deactivated groups stop affecting SkillsDB users:
  • New SCIM events referencing a deactivated group are silently ignored
  • Existing members keep their current permission level (derived from their other active groups)
  • The group remains visible in the Custom SCIM Groups table with an Inactive status badge
To reactivate a group, select the archive icon again. SCIM events for that group resume processing immediately. Deactivation is reversible and preserves all group data, including career automations. Use it when you want to temporarily stop a group from provisioning users without removing it from your identity provider.

Manager role

The Manager role is not configured through SCIM groups. SkillsDB sets it automatically when SCIM events establish a reporting relationship:
  • When a SCIM event sets another user’s manager to a Basic user, the Basic user is automatically promoted to Manager
  • Users who already hold Admin, Full Access, or Manager are not changed
  • Managers have additional capabilities in SkillsDB, including access to team-specific pages and the ability to assign learning plans to their reports
Manager promotion happens at the moment SCIM assigns a direct report. SkillsDB does not automatically demote a Manager back to Basic when their direct reports are reassigned — administrators can adjust the user’s permission level manually if needed.

Common Questions

No. The names SkillsdbGlobalAdmins and SkillsdbFullAccess are hardcoded in SkillsDB. Create identity-provider groups with these exact names to grant the corresponding permission levels. If you need different names, use custom SCIM groups instead.
The user receives the higher permission level — Admin. SkillsDB evaluates all active group memberships and uses the highest permission level among them.
No. If the group does not exist in SkillsDB when the first user is provisioned, it is auto-created with Basic permission and no career automations. However, creating it manually first lets you set the permission level and career automations before any users arrive.
Deactivating a custom group in SkillsDB preserves the group and its settings — you can reactivate it later. Deleting it from your identity provider triggers a SCIM delete event, which removes users from the group. If the deleted group was a user’s only SCIM group, the user is deactivated in SkillsDB. See Azure Sync Considerations for ghost-group handling.
Check the SCIM Event Log for that user. Common causes: Entra hasn’t synced yet (wait up to 40 minutes, or use Provision on Demand), the user isn’t assigned to the SCIM application itself (group membership alone isn’t enough in some IdPs), or the group name doesn’t exactly match SkillsdbGlobalAdmins (case-sensitive).
Yes. Users can belong to any number of SCIM groups, both default and custom. SkillsDB evaluates the highest permission level across all active memberships.

SCIM Setup

Configure SCIM provisioning between your identity provider and SkillsDB.

SCIM Career Automations

Attach career automations to custom groups to assign careers on provisioning.

SCIM Event Log

Troubleshoot group membership changes and permission recalculations.

Azure Sync Considerations

Ghost group handling, manager assignment edge cases, and other Entra-specific behavior.

Need More Help?

For help sizing your SCIM group structure or resolving permission-assignment issues, reach out to your organization’s SkillsDB administrator or contact SkillsDB Support.