Users & Groups

Each tenant has its own set of users and groups. Tenant Administrators manage these from the tenant administration interface, creating RAMP Internal users, organizing users into groups, and managing provisioned members from external identity providers.

User Types

RAMP supports two types of users within a tenant:

User Type	Description	How They Are Created
RAMP Internal Users	Users with credentials stored directly in the RAMP database	Created manually by a Tenant Administrator
External IDP Users	Users authenticated through LDAP, OIDC, or Windows Auth	Automatically provisioned on first login

Creating a User

RAMP Internal users are created manually within a tenant.

1. Navigate to Tenants, then select the target tenant.
2. Open the RAMP Tenant Members tab.
3. Click Create User.
4. Fill in the user details:
   • Username — must be unique within the tenant
   • Email — the user’s email address
   • First Name and Last Name
   • Password — set an initial password for the user
5. Click Create.

Note

RAMP Internal users can only be created in tenants that have the RAMP Internal authentication provider configured.

Editing a User

1. Navigate to the tenant’s user list.
2. Click on the user you want to edit.
3. Modify profile information such as display name, email, or active status.
4. Click Save.

Assigning the Administrator Role

To give a tenant user Administrator access within their tenant:

1. Navigate to Tenants, then select the tenant.
2. Open the RAMP Tenant Members tab.
3. Locate the user and click Assign Administrator.
4. The user will have Administrator privileges within this tenant.

Tip

The Administrator role within a tenant allows the user to manage settings, members, groups, and roles for that tenant. It does not grant access to other tenants or to the Tenant Administration area.

Managing Groups

Groups help organize users and simplify role management. Instead of assigning roles to individual users, you can assign roles to a group and all members inherit those roles.

Creating a Group

1. Navigate to Tenants, then select the tenant.
2. Open the Groups tab.
3. Click Create Group.
4. Enter a name and optional description for the group.
5. Click Create.

Managing Group Members

1. Navigate to the Groups tab and click on the group.
2. Use the Members section to add or remove members.
3. Members can include:
   • Individual users (RAMP Internal or provisioned external users)
   • External IDP groups (when directory browsing is enabled)
   • Nested groups (groups within groups)
4. Click Save to apply changes.

Assigning Roles to Groups

Groups can have application roles assigned to them. All members of the group inherit these roles.

1. Navigate to the group and open the Roles tab.
2. Click Add Role.
3. Select the desired application role from the dropdown.
4. Click Assign.

Role inheritance flows through the group hierarchy:

• Direct group membership inherits all group roles
• Nested group membership inherits roles from parent groups
• External IDP group mappings inherit roles from the mapped RAMP group

External IDP Groups

When using LDAP or OIDC providers with directory browsing enabled, you can view and manage groups from external identity providers.

1. Navigate to Tenants, then select the tenant.
2. Open the External IDP Groups tab.
3. View groups from the connected identity providers.
4. Click Sync to refresh the group list from the provider.

Note

External IDP groups are read-only within RAMP. Membership changes must be made in the source identity provider. RAMP syncs group information when users log in or when a manual sync is triggered.

Provisioned Members

When external IDP users log in for the first time, they are automatically provisioned as tenant members. You can view these auto-provisioned users on the Provisioned Members tab. See Provisioned Members for more details.

Shared Users

When RAMP is configured for shared user mode, users can be members of multiple tenants with a single account.

1. Navigate to Shared Members in the top-level Tenant Admin menu.
2. Create or manage shared user accounts.
3. Shared users can log in to any tenant they are a member of.

Tip

Shared user mode is useful in organizations where staff work across multiple departments or business units, each represented as a separate RAMP tenant.

Role Assignments

All application roles except TenantAdministrator can be assigned to users and groups within a tenant.

Available Roles

Category	Roles
Administrative	Administrator, SuperUser
Template (Global)	GlobalTemplateOwner, GlobalTemplateEditor, GlobalTemplateViewer, GlobalTemplateApprover
Instance (Global)	GlobalInstanceHead, GlobalInstanceDeputyHead, GlobalInstanceEditor, GlobalInstanceExecutor, GlobalInstanceObserver
Content Creation	TemplateCreator
System & Calendar	SystemManager, CalendarManager
Notifications	MessageSubscriber, PreEscalationSubscriber, EscalationSubscriber

For a detailed explanation of each role, see Roles.

Next Steps

After setting up users and groups, you can map external IDP groups to automate role assignments based on identity provider group membership.

Related topics

Provisioned Members View and manage users automatically provisioned from identity providers

IDP Group Mappings Map external identity provider groups to RAMP roles for automatic role assignment

Members Manage tenant members, assign application-level roles, and control access