> ## Documentation Index
> Fetch the complete documentation index at: https://help.skillsdb.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SCIM Groups and Permissions

> How SkillsDB maps SCIM groups to permission levels, including the two default groups, custom SCIM groups, automatic Manager promotion, and how to create and manage custom groups.

<Info>
  **Quick Summary:** SkillsDB has two default SCIM groups that grant Admin or Full Access permissions, plus administrator-managed custom SCIM groups that can be set to Admin, Full Access, or Basic. A Basic user with direct reports is automatically promoted to Manager.
</Info>

## Overview

SCIM groups are how SkillsDB determines what a provisioned user can do. When a SCIM event arrives from your identity provider, SkillsDB looks at the user's current group memberships and sets their SkillsDB permission level based on the highest-privilege group they belong to.

There are two kinds of SCIM groups:

* **Default SCIM groups** — two built-in groups (`SkillsdbGlobalAdmins` and `SkillsdbFullAccess`) that administrators cannot delete. These grant Admin and Full Access respectively.
* **Custom SCIM groups** — any other group provisioned from your identity provider. These are either auto-created when the first member is provisioned, or created manually by a SkillsDB administrator. Each custom group has a configurable permission level and can trigger automatic career assignment.

SkillsDB has three permission levels: **Admin**, **Full Access**, and **Basic**. A fourth role, **Manager**, is not set by SCIM groups directly — SkillsDB assigns it automatically to Basic users who have direct reports.

## Prerequisites

Before managing SCIM groups, make sure you have:

* **Permission level**: SkillsDB administrator
* **Setup requirement**: An active SCIM connection (see [SCIM Setup](/identity-and-provisioning/scim-setup))
* **Access requirement**: **Settings > SSO & SCIM > Configure SSO and SCIM settings**

## Default SCIM groups

SkillsDB ships with two default SCIM groups. Create groups in your identity provider with exactly these names — any user added to one of them receives the corresponding SkillsDB permission level on the next sync.

| Identity provider group name | SkillsDB permission level | What the user can do                                                                             |
| ---------------------------- | ------------------------- | ------------------------------------------------------------------------------------------------ |
| `SkillsdbGlobalAdmins`       | Admin                     | Full system access, including configuration, libraries, and user management.                     |
| `SkillsdbFullAccess`         | Full Access               | Access to all people, skills, training, and reports across the company. No configuration access. |

Default groups cannot be deleted through SCIM — SkillsDB ignores delete events for them and preserves existing memberships. If a default group does not exist when the first user is provisioned, SkillsDB creates it automatically.

To see the current membership counts for each default group, navigate to **Settings > SSO & SCIM > Configure SSO and SCIM settings** and look at the **Default SCIM Groups** table. The **Active Users** column links to a filtered People list showing every user in that group.

## Custom SCIM groups

Any SCIM group you provision from your identity provider that is not one of the two default groups is treated as a custom SCIM group. Custom groups are useful when:

* You want to grant Full Access or Admin through a group name that matches your organization's naming conventions
* You want to assign careers automatically when users join a specific group (see [SCIM Career Automations](/identity-and-provisioning/scim-career-automations))
* You want to deactivate provisioning for a specific group without removing it from your identity provider

Custom groups are created in one of two ways:

* **Auto-created**: When a user is provisioned with membership in a group that does not yet exist in SkillsDB, the group is auto-created with **Basic** permission and no career automations. An administrator can upgrade it later.
* **Manually created**: An administrator creates the group in SkillsDB before provisioning users into it. This is the right approach when you want to set the permission level and career automations before the first user arrives.

### How permission levels resolve when a user belongs to multiple groups

A user's effective SkillsDB permission level is the highest among their active SCIM group memberships, evaluated in this order:

1. If the user belongs to any active group with permission **Admin**, they receive **Admin**
2. Otherwise, if the user belongs to any active group with permission **Full Access**, they receive **Full Access**
3. Otherwise, the user receives **Basic**
4. Basic users who have direct reports assigned to them are automatically promoted to **Manager**

If a user is removed from all SCIM groups, SkillsDB deactivates them through the resulting member-removal events from your identity provider. See [Azure Sync Considerations](/identity-and-provisioning/azure-sync-considerations) for the full deactivation behavior.

### How to create a custom SCIM group

<Steps>
  <Step title="Open the SSO & SCIM settings">
    Navigate to **Settings > SSO & SCIM** and select **Configure SSO and SCIM settings**.
  </Step>

  <Step title="Open the Create SCIM Group modal">
    In the top right of the page, select **Create SCIM Group**.
  </Step>

  <Step title="Enter the group details">
    Enter a **Group Name** that exactly matches the group name in your identity provider. Group names must be 100 characters or fewer and may only contain letters, numbers, dots, hyphens, and underscores. The group name cannot be changed after the group is created.

    Optionally enter an **Internal Description** to help other administrators understand the group's purpose. This description is only visible to SkillsDB administrators — it is not synced to the identity provider.
  </Step>

  <Step title="Select the permission level">
    Choose one of **Admin**, **Full Access**, or **Basic** from the **Permission Level** dropdown.

    <Warning>
      **Warning:** Selecting **Admin** grants full system access, including the ability to modify company configuration. Only use this for groups that should hold administrator rights.
    </Warning>
  </Step>

  <Step title="Optionally add career automations">
    In the **Career Automations** section, select **+ Add Career Automation** to attach one or more careers that should be automatically assigned when users are provisioned into this group. See [SCIM Career Automations](/identity-and-provisioning/scim-career-automations) for how to configure these.
  </Step>

  <Step title="Create the group">
    Select **Create**. The new group appears in the **Custom SCIM Groups** table.
  </Step>
</Steps>

Once the group exists in SkillsDB, users provisioned into the matching identity-provider group receive the configured permission level on their next sync.

### How to edit a custom SCIM group

Select the edit icon in the **Action** column of the **Custom SCIM Groups** table. The edit modal lets you change the description, permission level, and career automations. The group name is disabled in edit mode and cannot be changed.

Permission-level changes apply to existing members on the next sync — SkillsDB recalculates each member's effective permission level after the change.

### How to deactivate or reactivate a custom SCIM group

Select the archive icon in the **Action** column. Deactivated groups stop affecting SkillsDB users:

* New SCIM events referencing a deactivated group are silently ignored
* Existing members keep their current permission level (derived from their other active groups)
* The group remains visible in the **Custom SCIM Groups** table with an `Inactive` status badge

To reactivate a group, select the archive icon again. SCIM events for that group resume processing immediately.

Deactivation is reversible and preserves all group data, including career automations. Use it when you want to temporarily stop a group from provisioning users without removing it from your identity provider.

## Manager role

The Manager role is not configured through SCIM groups. SkillsDB sets it automatically when SCIM events establish a reporting relationship:

* When a SCIM event sets another user's manager to a Basic user, the Basic user is automatically promoted to **Manager**
* Users who already hold Admin, Full Access, or Manager are not changed
* Managers have additional capabilities in SkillsDB, including access to team-specific pages and the ability to assign learning plans to their reports

Manager promotion happens at the moment SCIM assigns a direct report. SkillsDB does not automatically demote a Manager back to Basic when their direct reports are reassigned — administrators can adjust the user's permission level manually if needed.

## Common Questions

<AccordionGroup>
  <Accordion title="Can I rename the default SCIM groups?">
    No. The names `SkillsdbGlobalAdmins` and `SkillsdbFullAccess` are hardcoded in SkillsDB. Create identity-provider groups with these exact names to grant the corresponding permission levels. If you need different names, use custom SCIM groups instead.
  </Accordion>

  <Accordion title="What happens to a user who is in both a custom Admin group and the default SkillsdbFullAccess group?">
    The user receives the higher permission level — Admin. SkillsDB evaluates all active group memberships and uses the highest permission level among them.
  </Accordion>

  <Accordion title="Do I need to create a custom SCIM group in SkillsDB before provisioning users into it?">
    No. If the group does not exist in SkillsDB when the first user is provisioned, it is auto-created with **Basic** permission and no career automations. However, creating it manually first lets you set the permission level and career automations before any users arrive.
  </Accordion>

  <Accordion title="What's the difference between deactivating a custom group and deleting it from my identity provider?">
    Deactivating a custom group in SkillsDB preserves the group and its settings — you can reactivate it later. Deleting it from your identity provider triggers a SCIM delete event, which removes users from the group. If the deleted group was a user's only SCIM group, the user is deactivated in SkillsDB. See [Azure Sync Considerations](/identity-and-provisioning/azure-sync-considerations) for ghost-group handling.
  </Accordion>

  <Accordion title="Why isn't a user I added to SkillsdbGlobalAdmins becoming an admin in SkillsDB?">
    Check the [SCIM Event Log](/identity-and-provisioning/scim-event-log) for that user. Common causes: Entra hasn't synced yet (wait up to 40 minutes, or use Provision on Demand), the user isn't assigned to the SCIM application itself (group membership alone isn't enough in some IdPs), or the group name doesn't exactly match `SkillsdbGlobalAdmins` (case-sensitive).
  </Accordion>

  <Accordion title="Can a user be in more than one custom SCIM group?">
    Yes. Users can belong to any number of SCIM groups, both default and custom. SkillsDB evaluates the highest permission level across all active memberships.
  </Accordion>
</AccordionGroup>

## Related Articles

<CardGroup cols={2}>
  <Card title="SCIM Setup" icon="gear" href="/identity-and-provisioning/scim-setup">
    Configure SCIM provisioning between your identity provider and SkillsDB.
  </Card>

  <Card title="SCIM Career Automations" icon="briefcase" href="/identity-and-provisioning/scim-career-automations">
    Attach career automations to custom groups to assign careers on provisioning.
  </Card>

  <Card title="SCIM Event Log" icon="clipboard-list" href="/identity-and-provisioning/scim-event-log">
    Troubleshoot group membership changes and permission recalculations.
  </Card>

  <Card title="Azure Sync Considerations" icon="triangle-exclamation" href="/identity-and-provisioning/azure-sync-considerations">
    Ghost group handling, manager assignment edge cases, and other Entra-specific behavior.
  </Card>
</CardGroup>

## Need More Help?

For help sizing your SCIM group structure or resolving permission-assignment issues, reach out to your organization's SkillsDB administrator or contact [SkillsDB Support](https://www.skillsdb.com/support).
