Skip to content
RAMP Documentation

Provisioned Members

When external identity provider users (LDAP, OIDC, or Windows Auth) log in to RAMP for the first time, they are automatically provisioned as tenant members. The Provisioned Members view gives Tenant Administrators visibility into these auto-created user accounts.

How Auto-Provisioning Works

Section titled “How Auto-Provisioning Works”

The provisioning process is automatic and transparent:

  1. A user authenticates through an external identity provider configured for the tenant.
  2. RAMP verifies the authentication and reads the user’s profile information (name, email, groups) from the identity provider.
  3. If the user does not yet exist in the RAMP tenant, a new member record is created automatically.
  4. The user is associated with the identity provider connection they used to log in.
  5. If any IDP group mappings match the user’s groups, the corresponding RAMP roles are assigned.

Viewing Provisioned Members

Section titled “Viewing Provisioned Members”
  1. Navigate to Tenants and select the tenant.
  2. Open the Provisioned Members tab.
  3. The list displays all users who have been automatically provisioned, along with:
    • User display name and email
    • The identity provider they authenticated through
    • When they were first provisioned
    • Their current status (active or inactive)

Managing Provisioned Members

Section titled “Managing Provisioned Members”

While provisioned members are created automatically, Tenant Administrators can still manage them after provisioning.

Viewing Details

Section titled “Viewing Details”

Click on a provisioned member to view their full profile, including:

  • The identity provider connection they used
  • Their group memberships from the external IDP
  • Any RAMP roles assigned through IDP mappings or manual assignment

Deactivating a Provisioned Member

Section titled “Deactivating a Provisioned Member”

If a user should no longer have access to the tenant, you can deactivate their account:

  1. Click on the provisioned member.
  2. Toggle their status to Inactive.
  3. Click Save.

Assigning Additional Roles

Section titled “Assigning Additional Roles”

Provisioned members can receive roles in two ways:

  1. Automatically — through IDP group mappings that match the user’s external group memberships.
  2. Manually — by navigating to the user’s role assignments and adding roles directly.

Provisioning with Directory Browsing

Section titled “Provisioning with Directory Browsing”

When directory browsing is enabled for an OIDC provider, Tenant Administrators gain additional capabilities:

  • Search for users who have not yet logged in and view their profile information from the identity provider.
  • Pre-assign roles by mapping IDP groups before users log in, so they receive the correct permissions on their first access.
  • Browse group memberships to understand the organizational structure before provisioning occurs.

Without directory browsing (CachedOnly mode), only users who have previously logged in appear in RAMP.

Provisioned Members vs. RAMP Internal Users

Section titled “Provisioned Members vs. RAMP Internal Users”
AspectProvisioned MembersRAMP Internal Users
CreationAutomatic on first loginManual by Tenant Administrator
AuthenticationExternal IDP (LDAP, OIDC, Windows)RAMP database (username/password)
Password managementManaged by external IDPManaged within RAMP
Group membershipSynced from external IDPAssigned manually in RAMP
Role assignmentVia IDP mappings and manualManual only

Troubleshooting

Section titled “Troubleshooting”

User Logged In but Not Appearing in Provisioned Members

Section titled “User Logged In but Not Appearing in Provisioned Members”
  1. Verify the user authenticated through an external IDP connection for this tenant.
  2. Check that the authentication provider is correctly configured for the tenant.
  3. Review the authentication provider logs for any errors during the provisioning step.

Provisioned Member Has No Roles

Section titled “Provisioned Member Has No Roles”
  1. Check if any IDP group mappings are configured for the tenant.
  2. Verify the user’s group memberships in the external identity provider.
  3. Ensure the external group names in the mappings match exactly with the provider.

Next Steps

Section titled “Next Steps”

To manage tenant-level settings such as name, slug, and status, see Tenant Settings.

Section titled “Related topics”
Users & Groups Create users, organize into groups, and assign roles within a tenant
IDP Group Mappings Map external identity provider groups to RAMP roles for automatic role assignment