Manage seats via SCIM using Okta
In this guide, you'll learn how to manage seats in Figma using Okta, including how to:
- Configure Okta Groups for provisioning
- Add custom attribute mappings
- Map custom attributes to Okta assignment groups
- Test user provisioning
Caution:
- Make sure you have installed the Figma Application from the Okta App Catalog. Creating your own custom application will not work.
- You must be an Okta Administrator who has scopes to Add/Update Groups and Applications.
- You must be an organization admin in Figma on the Enterprise plan.
Configure Okta Groups for provisioning
- Under Directory > Groups, you will need to create 6 different groups that represent all seat-type license combinations that are possible between Figma, Figjam, and Dev Mode.
- Here’s what each of these access groups represents:
Okta Group Name | Description | Recommended Titles |
Figma (Full) | Users inherit a license to Figma (Design), which also grants them access to Dev Mode. They will be a restricted viewer in Figjam. | Designers, Product Designers, Design System Managers, Design System Operations, Design Operations, Brand Design |
Figjam (Full) | Users inherit a license to Figjam. They will be a restricted viewer in Figma (Design), which also grants them access to Dev Mode. | Can be used by all! Product Managers, Product Operations Managers, Designers, Design Operations, Product Marketing Managers. |
Figma (Dev Mode Only) | Users inherit a license to Dev Mode within Figma (Design) but cannot edit design files. They will be a restricted viewer in Figjam. | Developers, Software Engineers, Design System Engineers, Front End Engineer, Front End Developer |
Figma (Full) + Figjam (Full) | Users inherit full access to all of Figma’s product lines including Figma (Design), Dev Mode, and Figjam. | Designers, Product Designers, Design System Managers, Design System Operations, Design Operations, Brand Design |
Figma (Dev Mode Only) + Figjam (Full) | Users inherit a license to Dev Mode within Figma (Design) but cannot edit design files. They will also be able to edit within Figjam. | Developers, Software Engineers, Design System Engineers, Front End Engineer, Front End Developer |
Figma (Viewers Only) | Users will be a restricted viewer in all of Figma’s products. They cannot edit design files, use Dev Mode, or edit Figjam boards, but will be a free viewer and can comment on Figma and Figjam files. | Everyone else in your organization that would need to know or collaborate on your company’s designs |
Add custom attribute mappings
Caution: Make sure you have completed setting up automatic provisioning via SCIM in Okta before proceeding.
- Navigate to Applications > Figma > Provisioning > Figma Attribute Mappings.
- Click Go To Profile Editor.
- Click Add Attribute.
- You will need to create an attribute representing each of Figma’s licenses for each product. Use the table below to create an attribute for each of Figma’s products. You will repeat this step as well as step 5 for each Figma Product.
Figma Product | Display Name | Variable Name | External Name | External Namespace |
Figma | Figma Permission | figmaPermission | figmaPermission | urn:ietf:params:scim:schemas:extension:figma:enterprise:2.0:User |
Figjam | Figjam Permission | figjamPermission | figjamPermission | urn:ietf:params:scim:schemas:extension:figma:enterprise:2.0:User |
Dev Mode | Dev Mode Permission | devModePermission | devModePermission | urn:ietf:params:scim:schemas:extension:figma:enterprise:2.0:User |
5. Each custom attribute needs a defined list of Enumerated Values. Use the following table to define each Display Name | Value pair under Attribute Members.
Display Name | Value |
Full | full |
Viewer Restricted | viewerRestricted |
Null | null |
6. All other custom attribute settings can be left as their default values. Click Save.
Map custom attributes to Okta assignment groups
- Navigate to the Assignments tab within your Figma Application.
- Under the Groups filter, you will see the assignment groups that assign Figma for SSO (if configured) as well as for SCIM provisioning. Click the Assign drop-down menu and click Assign to Groups.
- Add the 6 groups you created in the Configure Okta Groups for Provisioning step.
- For each of the 6 groups, click the pencil icon and set the custom attributes figmaPermission, figjamPermission, and devModePermission to the following values:
Group Name | figmaPermission | figjamPermission | devModePermission |
Figma (Full) + Figjam (Full) | Full | Full | Full |
Figma (Dev Mode Only) + Figjam (Full) | Viewer Restricted | Full | Full |
Figma (Full) | Full | Viewer Restricted | Full |
Figjam (Full) | Viewer Restricted | Full | Viewer Restricted |
Figma (Dev Mode Only) | Viewer Restricted | Viewer Restricted | Full |
Figma Viewers | Viewer Restricted | Viewer Restricted | Viewer Restricted |
- Click Save for each value.
- Within the Assignments view, set the Priority by dragging and dropping the Okta app assignment groups into the same order as in the table above. This ensures that, in the edge case where a user is assigned to multiple groups, the top-most group assigns the most permissive combination of licenses. (Note that the assignment group model used in this guide assumes an Okta user will be assigned to one Okta Group that assigns Figma at a time.)
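The priority rule above can be checked offline before syncing. This added Python example (not Figma's or Okta's code) models the mapping table in priority order, builds the seat attributes under the extension namespace from the attribute table, and flags users assigned to more than one group together with any seat the winning group does not grant. Function names and the sample memberships are assumptions, and group names are used as written in the mapping table.

```python
# Added example; group names, attribute names, values and the namespace URN
# come from the guide, every other name here is hypothetical.
FIGMA_NS = "urn:ietf:params:scim:schemas:extension:figma:enterprise:2.0:User"
ATTRS = ("figmaPermission", "figjamPermission", "devModePermission")
F, V = "full", "viewerRestricted"
# Top-most priority first, values as in the group mapping table.
GROUP_PRIORITY = [
    ("Figma (Full) + Figjam (Full)", (F, F, F)),
    ("Figma (Dev Mode Only) + Figjam (Full)", (V, F, F)),
    ("Figma (Full)", (F, V, F)),
    ("Figjam (Full)", (V, F, V)),
    ("Figma (Dev Mode Only)", (V, V, F)),
    ("Figma Viewers", (V, V, V)),
]
TABLE = dict(GROUP_PRIORITY)

def matched(groups):
    """Figma assignment groups the user is in, highest priority first."""
    return [name for name, _ in GROUP_PRIORITY if name in set(groups)]

def scim_extension(groups):
    """Seat attributes of the winning group, keyed by the extension URN."""
    hits = matched(groups)
    return {FIGMA_NS: dict(zip(ATTRS, TABLE[hits[0]]))} if hits else {}

def audit(users):
    """Report users in more than one group and the seats the winner drops."""
    findings = []
    for user, groups in users.items():
        hits = matched(groups)
        if len(hits) < 2:
            continue  # matches the guide's one-group-per-user assumption
        won = TABLE[hits[0]]
        # Seats some lower-priority group grants but the winning group does not.
        lost = [a for i, a in enumerate(ATTRS)
                if won[i] != F and any(TABLE[g][i] == F for g in hits)]
        findings.append((user, hits[0], lost))
    return findings

# Constructed sample memberships, not real accounts.
USERS = {
    "alice@example.com": ["Figma (Full)", "Figjam (Full)"],
    "bob@example.com": ["Figma (Dev Mode Only)"],
    "carol@example.com": ["Figma (Full) + Figjam (Full)", "Figma Viewers"],
}

if __name__ == "__main__":
    for user, winner, lost in audit(USERS):
        print(f"{user}: in several groups, {winner!r} wins, not granted: {lost}")
```

In the sample data, a user in both Figma (Full) and Figjam (Full) receives only the Figma (Full) values, so the combined group is the correct assignment for that person.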
Test user provisioning
- Assign a test user to one of your Okta assignment groups.
- Navigate to Applications > Figma > Provisioning.
- Ensure Provisioning to App: Create Users and Update Users are Enabled, at minimum.
- Under Figma Attribute Mappings click Force Sync – this will push any test SCIM users you have assigned to access groups to Figma.
- You can validate a successful push SCIM event under Applications > Figma > View Logs.
- Within Admin in Figma, navigate to Members. You should see your test user reporting “Pending SCIM” with the appropriate license combination associated with that Okta App Assignment Group.
- You may repeat the above test for other test cases, for example: remove that test user from one Okta App Assignment Group and add them to another. This should update the user’s licenses in Figma.