Groups

The SCIM Groups in Adra are a mapping of the access levels a user can obtain through the Adra Setup Portal for Engagement and Licensed Applications. See SCIM Groups.

Adra SCIM Groups Naming Convention

Each SCIM Group has a displayName property that Adra uses to represent the Access Level. It consists of 3 sections separated by a pipe ( | ): Engagement name | Application name | Access Level. For example, for User access to Task Manager in the Ortiz and Sons engagement, the group shows the following displayName:

Ortiz and Sons|TaskManager|User

Adra as SCIM Provider for Groups

Adra provides the SCIM Groups so that the SCIM Client can add or remove members. The groups are generated dynamically from the active engagements that the organization has access to, so Adra Groups cannot be created or deleted from the outside. Group members can be added to, removed from, or replaced in an Adra SCIM Group.

Group Member Provisioning is for SCIM Users

Only employees of the Organization (in Adra) are candidates to be added to or removed from groups. These are the already provisioned SCIM Users. In other words, SCIM User provisioning must have succeeded before Group Membership can succeed for the same user. If multiple organizations have access to the same engagement, each organization can only add or remove its own employees, since these are different SCIM Provisionings.

BPO and Concern Organizations Engagement Access

Because BPO and Concern Organizations are expected to manage all the engagements they have access to, these types of organizations can assign employees to any active Engagement they have access to (under Organization Details → Engagements). Any other type of organization in Adra is limited to assigning users to the active Engagements in which it is registered as the "Financial owner" (under Organization Details → Engagements). These are also known as the "Company" Engagements.

Adra SCIM Groups for Licensed Applications are exclusive

If the company follows the principle of least privilege (PoLP), it will not run into the following issues. Following it is strongly recommended.

At any given time, a user can have only one access level for logging in to an Adra application. So given the following SCIM Groups:

Ortiz and Sons|Balancer|Auditor
Ortiz and Sons|Balancer|User
Ortiz and Sons|Balancer|Admin

Making a user a member of more than one of these groups will result in the user not being able to log in to the application.

Furthermore, Engagement Admin and Auditor are also incompatible:

Ortiz and Sons|Balancer|Auditor
Ortiz and Sons|Engagement|Admin

Making a user a member of these 2 groups will result in the user not being able to log in to the application.
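
A SCIM Client can check a user's planned memberships against both exclusivity rules before pushing them. The following is an added example, not Adra code: the function names and the sample list are hypothetical, and it assumes that "Engagement" in the application section is not a licensed application, that the Auditor and Engagement Admin rule applies to any licensed application in the same engagement, and that only the engagement name may contain a pipe.

```python
from collections import defaultdict

ENGAGEMENT_APP = "Engagement"  # application section the page uses for engagement-level access


def parse_display_name(display_name):
    """Split 'Engagement name|Application name|Access Level' into its 3 sections."""
    # rsplit keeps a pipe inside the engagement name intact (assumption: the
    # application and access level sections never contain one).
    parts = display_name.rsplit("|", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not an Adra group displayName: {display_name!r}")
    return tuple(parts)


def find_conflicts(display_names):
    """Return sorted conflict descriptions for one user's planned group memberships."""
    levels = defaultdict(set)  # (engagement, application) -> access levels
    for name in display_names:
        engagement, application, level = parse_display_name(name)
        levels[(engagement, application)].add(level)

    conflicts = []
    for (engagement, application), granted in levels.items():
        if application == ENGAGEMENT_APP:
            continue
        # Rule 1: only one access level per licensed application.
        if len(granted) > 1:
            conflicts.append(
                f"{engagement}|{application}: multiple access levels {sorted(granted)}")
        # Rule 2: application Auditor is incompatible with Engagement Admin.
        engagement_levels = levels.get((engagement, ENGAGEMENT_APP), ())
        if "Auditor" in granted and "Admin" in engagement_levels:
            conflicts.append(
                f"{engagement}|{application}: Auditor combined with Engagement Admin")
    return sorted(conflicts)


# Constructed sample: memberships about to be provisioned for one user.
PLANNED = [
    "Ortiz and Sons|Balancer|Auditor",
    "Ortiz and Sons|Balancer|User",
    "Ortiz and Sons|Engagement|Admin",
    "Ortiz and Sons|TaskManager|User",
]

if __name__ == "__main__":
    for line in find_conflicts(PLANNED):
        print("CONFLICT:", line)
```

An empty result means neither of the two lockout conditions described above applies to the planned set.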