Set member roles via SCIM
Before you start
Who can use this feature
Supported on the Enterprise plan
Only organization admins can configure SAML SSO and SCIM.
You need admin access to your identity provider and automatic provisioning enabled to manage roles via SCIM.
Figma has two products: Figma design and FigJam. Everyone in an organization has a role on each product. A person's role determines their billing status, that is, whether they're included in your billing.
It also controls which activities they can perform in design or FigJam files. There are three roles: viewer, viewer-restricted, and editor.
Organization admins can manage roles for members and guests in Figma. Organizations using SAML SSO and SCIM may want to manage member roles using their identity provider.
On the Enterprise plan, there are a few ways you can assign design and FigJam roles:
- Set default roles for new members and guests
- Assign a member's role using SCIM
- Let Figma assign an introductory viewer role to anyone joining the organization
If you assign a person's roles via SCIM, Figma will use those roles. If you don't set member roles when you provision them, Figma will use the organization's default roles. This applies to both design and FigJam. How roles are assigned →
Note: SAML SSO and SCIM only apply to members and not guests. You can still manage roles for guests in Figma.
Configure role setting
The exact process for role setting will depend on your identity provider (IdP). We'll outline what attributes you need to add to your IdP to support role-setting.
Note: If you leave either of the variables blank, Figma will assign users a Viewer role for that product/file type.
Add Figma attribute
- Add a custom attribute to your identity provider.
- Give the attribute the name figmaPermission
- Choose one of three values:
  - Editor: editor
  - Viewer Restricted: viewerRestricted
  - Viewer: null
- Set the data type to string (if applicable).
- Set the external namespace to urn:ietf:params:scim:schemas:core:2.0:User
Add FigJam attribute
- Add a custom attribute to your identity provider.
- Give the attribute the name figjamPermission
- Choose one of three values:
  - Editor: editor
  - Viewer Restricted: viewerRestricted
  - Viewer: null
- Set the data type to string (if applicable).
- Set the external namespace to urn:ietf:params:scim:schemas:core:2.0:User
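An added example, not part of Figma's documentation: a Python pre-flight check that reads user records as an identity provider might send them and reports which role each attribute value resolves to, flagging values or namespaces that do not match the steps above. The record shape (role attributes at the top level of the SCIM User resource), the exact case-sensitive matching, and the sample users are assumptions made for illustration.

```python
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # namespace from the page
ROLE_ATTRS = ("figmaPermission", "figjamPermission")       # attribute names from the page
ROLE_FOR_VALUE = {"editor": "editor", "viewerRestricted": "viewer-restricted"}


def effective_role(value):
    """Role for one attribute value; blank or null is Viewer, as the page states."""
    if value is None or value == "":
        return "viewer"
    if value not in ROLE_FOR_VALUE:  # assumption: values must match exactly
        raise ValueError(f"unsupported value {value!r}")
    return ROLE_FOR_VALUE[value]


def audit(users):
    """Return ({(userName, attr): role}, [findings]) for a list of user records."""
    roles, findings = {}, []
    for user in users:
        name = user.get("userName", "<no userName>")
        for attr in ROLE_ATTRS:
            # An attribute mapped to another namespace is nested under that URN key.
            for key, ext in user.items():
                if key.startswith("urn:") and isinstance(ext, dict) and attr in ext:
                    findings.append(f"{name}: {attr} is under {key}, not {CORE_USER}")
            try:
                roles[(name, attr)] = effective_role(user.get(attr))
            except ValueError as err:
                findings.append(f"{name}: {attr}: {err}")
    return roles, findings


# Constructed sample records (hypothetical users, not real data).
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SAMPLE_USERS = [
    {"schemas": [CORE_USER], "userName": "ana@example.com",
     "figmaPermission": "editor", "figjamPermission": "viewerRestricted"},
    {"schemas": [CORE_USER], "userName": "ben@example.com",
     "figmaPermission": "Editor"},                       # wrong case
    {"schemas": [CORE_USER, ENTERPRISE], "userName": "cy@example.com",
     ENTERPRISE: {"figmaPermission": "editor"}},         # wrong namespace
]

if __name__ == "__main__":
    roles, findings = audit(SAMPLE_USERS)
    for (name, attr), role in sorted(roles.items()):
        print(f"{name:18} {attr:17} {role}")
    for finding in findings:
        print("REVIEW:", finding)
```

Because a person's role determines their billing status, running a check like this against an export of IdP attribute values before enabling provisioning shows which accounts would resolve to editor and which would fall back to viewer.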
For an advanced setup, like assigning users based on groups, we recommend working with your identity provider directly. Learn more about adding custom attributes with our supported providers:
- Okta: How to create a new custom attribute in Okta
- OneLogin: Set custom attribute value in Onelogin
- Azure Active Directory: Define custom attributes in Azure Active Directory