Just in time provisioning
Release date: 5th June 2025
This release introduces the ability for you to set permissions as you create Dynamic Content user accounts, providing users with immediate access once their accounts are created.
To remove the time pressure of having to manually set permissions for each new user as soon as their account is created, you can assign initial roles ahead of time as you set up user accounts. This is provided by "just in time provisioning".
Depending on your organization, you might want to provide initial roles that give new users sufficient permissions to get started, and then revisit them. Alternatively, you can assign roles that are suitable from the start.
You can assign initial roles in several ways:
- Set permissions when sending invites for users to join an organization. You have the choice of adding new users to existing teams or cloning permissions from an existing user. Organization admins can modify the roles included in invites, even after sending them to users.
- With single sign-on (SSO) you can configure which teams users should be in, and put them straight into those teams. You will set this up in your own identity platform.
- Use ‘onboarding teams’ to assign initial roles to new user accounts automatically, without any additional steps when creating user accounts.
By combining these different approaches, you can be confident that new users will be able to access Dynamic Content as soon as their accounts are created. For example, you might set up an onboarding team with basic permissions, in case the person who sends invites forgets to set permissions.
Permissions through invitesLink copied!
When you create Dynamic Content user accounts through Account Management, your organization administrator now has the option to set initial permissions at the same time.
You can choose whether new users will receive permissions from existing teams, or by cloning permissions from an existing user.
In this example, we've chosen to clone permissions from an existing user:
Once the invitation has been sent, you can view and edit the permissions that have been set for the invited user.
For more information about how you can use just in time provisioning when creating user accounts from Account management, see inviting members.
Permissions through single sign-on (SSO)Link copied!
Permissions for Dynamic Content users can be set up as single sign-on claims, or manually once the user has logged in.
To apply permissions through SSO, you just need to configure SSO within your identity provider to use the ampTeams attribute.
For information about SSO configuration for just in time provisioning, see Configuring permissions via SSO.
Permissions through onboarding teamsLink copied!
Account Management uses teams as a way of setting permissions for groups of users. You can now classify teams to be used as 'onboarding teams' to provide a way of setting initial permissions for new user accounts.
"Onboarding teams" are designed to be used as a fallback for when permissions haven't been set for new users through an invite or SSO.
Once you've established onboarding teams, any permissions associated with them will be used by default to provide initial permissions. When initial permissions have been set for users by using invites or SSO, onboarding teams will be ignored.