Getting started

Inviting your team

Overview

Workspaces are useless without people. Vigilo offers four ways to add members: a one-at-a-time email invitation, a CSV bulk upload, SCIM provisioning from your identity provider, and OIDC group mapping (auto-membership when a user signs in carrying a configured IdP group claim).

Most teams start with email invitations for the first ten people, then switch to SCIM or group mapping once they cross 25-30 members. Vigilo is designed so the manual and automated paths produce identical results — the audit log can't tell the difference.

Why it exists

Onboarding and offboarding is where access control quietly fails. If joining a team means "the manager emails IT, IT emails Vigilo, somebody clicks invite when they get round to it" — and leaving a team means "everybody assumes someone else removed access" — your audit log is fiction. By wiring Vigilo into the same IdP that provisions Slack, Google Workspace, and your VPN, membership becomes a side effect of HR's source of truth, not a separate to-do list.

Key concepts

  • Invitation — A token-bearing link sent by email. Single-use, 7-day expiry, scoped to one workspace + one role. The invitee signs in via OIDC; on first sign-in the membership is created.
  • Membership — The join table between a user and a workspace. Carries the role for that workspace. A user can have many memberships with different roles.
  • Role — One of viewer, member, approver, admin, owner. See the role matrix below.
  • SCIM token — A bearer token issued in Settings → SCIM that lets your IdP push membership changes via the /scim/v2/ endpoint. Revoke-able from the same page.
  • OIDC group mapping — A rule that says "anyone with the IdP claim groups: ['vigilo-admins'] becomes an admin of workspace acme." Evaluated on every sign-in and token refresh, so removing a user from the IdP group revokes the mapped access at their next token refresh; an existing session keeps it until then (see Troubleshooting).

Common workflows

1. Invite one person

Sidebar → Members → Invite → enter the email, pick a role, click Send. Vigilo emails the invitee with a workspace-scoped sign-in link.

2. Bulk-invite via CSV

Members → Bulk import. Upload a CSV with columns email,role (optionally display_name). Vigilo validates the file, shows you a preview, and sends every invitation in one batch. Failures (invalid emails, role typos) are surfaced inline; valid rows still send.
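The validation step above, written out as an added example (this is not Vigilo's own importer): it parses the email,role[,display_name] file, reports bad rows by line number without blocking the good ones, and rejects duplicates. The role list comes from the Key concepts section; the email regex, the RANK ordering and the actor_role guard (an admin may not bulk-grant owner, mirroring the "Promote to owner: owner" gating row) are assumptions of this example, not documented Vigilo behaviour.

```python
import csv
import io
import re

# Roles from the Key concepts section of this page.
ROLES = {"viewer", "member", "approver", "admin", "owner"}
# Ordering is an assumption of this example, used only for the actor_role guard.
RANK = {"viewer": 0, "member": 1, "approver": 2, "admin": 3, "owner": 4}

# Assumed address check: one '@', a non-empty local part, a dotted domain.
# Vigilo's real validator is not described on the page.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_bulk_import(csv_text, actor_role):
    """Validate a bulk-import CSV with columns email,role[,display_name].

    Returns (valid_rows, errors). Invalid rows are reported as
    (line_number, message) and do not block the valid ones, matching the
    inline-error behaviour described above. actor_role is the role of the
    person importing; rows asking for a role above the actor's are rejected
    (assumption for this example, mirroring the 'Promote to owner' gating row).
    """
    if actor_role not in ("admin", "owner"):  # gating table: Bulk import CSV
        raise PermissionError(f"{actor_role} may not bulk import")

    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = reader.fieldnames or []
    if "email" not in fieldnames or "role" not in fieldnames:
        return [], [(1, "header must contain the columns email,role")]

    valid, errors, seen = [], [], set()
    # The header is line 1, so the first data row is line 2.
    for lineno, row in enumerate(reader, start=2):
        email = (row.get("email") or "").strip().lower()
        role = (row.get("role") or "").strip().lower()
        name = (row.get("display_name") or "").strip()
        problems = []
        if not EMAIL_RE.match(email):
            problems.append(f"invalid email {email!r}")
        elif email in seen:
            problems.append(f"duplicate email {email!r}")
        else:
            seen.add(email)
        if role not in ROLES:
            problems.append(f"unknown role {role!r}")
        elif RANK[role] > RANK[actor_role]:
            problems.append(f"a {actor_role} may not grant {role}")
        if problems:
            errors.append((lineno, "; ".join(problems)))
            continue
        valid.append({"email": email, "role": role, "display_name": name})
    return valid, errors


# Constructed sample file: two good rows, a role typo, a bad address,
# and a row that asks for owner.
SAMPLE_CSV = """email,role,display_name
alice@example.com,admin,Alice
bob@example.com,membr,Bob
not-an-email,viewer,
carol@example.com,viewer,Carol
dave@example.com,owner,Dave
"""

if __name__ == "__main__":
    rows, errs = validate_bulk_import(SAMPLE_CSV, actor_role="admin")
    for r in rows:
        print("will invite", r["email"], "as", r["role"])
    for lineno, msg in errs:
        print(f"line {lineno}: {msg}")
```

Run as a preview step before sending anything: the returned errors are what the UI would surface inline, and the valid rows are the batch that still goes out.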

3. Wire SCIM (Okta example)

  1. Settings → SCIM tokens → Create token → copy the bearer token.
  2. In Okta, create a SCIM 2.0 provisioning app pointing at https://vigilo.example.com/scim/v2/ with the token in the Authorization header.
  3. Map Okta groups to Vigilo roles via the app's attribute mapper.
  4. Push a test user; you should see them appear in Members within seconds.

4. Configure OIDC group mapping

Settings → Authentication → Group mappings → add a rule:

  • Claim path — usually groups
  • Claim value — the IdP group name, e.g. vigilo-acme-admins
  • Workspace — the target workspace
  • Role — the role to grant

Save. The mapping runs on every OIDC token refresh, so adding or removing the group in your IdP propagates within the user's session lifetime.
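An added example of the rule evaluation described above and in Key concepts (this is not Vigilo's own code): it resolves the claim path in a token's claims, matches the claim value exactly, derives the {workspace: role} set for this refresh, and diffs it against the previous refresh so that removal from the IdP group shows up as a revocation. The claims dict is assumed to come from an already signature-verified ID token; the RANK ordering and the highest-role-wins tie-break are assumptions of the example.

```python
from dataclasses import dataclass

# Roles from the Key concepts section; the ordering is an assumption used
# only to pick a winner when two rules map the same workspace.
RANK = {"viewer": 0, "member": 1, "approver": 2, "admin": 3, "owner": 4}


@dataclass(frozen=True)
class GroupMapping:
    claim_path: str    # dotted path into the ID token claims, usually "groups"
    claim_value: str   # exact IdP group name, e.g. "vigilo-acme-admins"
    workspace: str
    role: str


def get_claim(claims, path):
    """Walk a dotted claim path ("groups", "realm_access.roles").
    Returns None if any segment is missing rather than raising."""
    node = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate_mappings(claims, mappings):
    """Derive {workspace: role} from one token's claims.

    Matching is exact and case-sensitive on the whole group name: a rule for
    "vigilo-acme-admins" must not fire for "vigilo-acme-admins-test".
    When several rules hit one workspace the highest role wins (assumption).
    """
    granted = {}
    for m in mappings:
        value = get_claim(claims, m.claim_path)
        if value is None:
            continue
        values = value if isinstance(value, list) else [value]
        if m.claim_value in values:
            current = granted.get(m.workspace)
            if current is None or RANK[m.role] > RANK[current]:
                granted[m.workspace] = m.role
    return granted


def reconcile(previous, current):
    """Diff the mapping-derived memberships of the last refresh against this
    one. Returns (grants, changes, revokes); anything mapped before and not
    re-derived now is revoked, which is how leaving the IdP group propagates
    at the next refresh. Memberships created by invitation or SCIM are not in
    these maps and are left alone (assumption of this example)."""
    grants = sorted((ws, r) for ws, r in current.items() if ws not in previous)
    changes = sorted((ws, previous[ws], r) for ws, r in current.items()
                     if ws in previous and previous[ws] != r)
    revokes = sorted(ws for ws in previous if ws not in current)
    return grants, changes, revokes


# Constructed rules and constructed, already-verified ID token claims.
MAPPINGS = [
    GroupMapping("groups", "vigilo-acme-admins", "acme", "admin"),
    GroupMapping("groups", "engineering", "acme", "member"),
    GroupMapping("groups", "engineering", "beta", "viewer"),
]
CLAIMS_BEFORE = {"sub": "u-123", "groups": ["vigilo-acme-admins", "engineering"]}
CLAIMS_AFTER = {"sub": "u-123", "groups": ["engineering"]}  # dropped from admins

if __name__ == "__main__":
    before = evaluate_mappings(CLAIMS_BEFORE, MAPPINGS)
    after = evaluate_mappings(CLAIMS_AFTER, MAPPINGS)
    print("first refresh :", before)
    print("second refresh:", after)
    print("reconcile     :", reconcile(before, after))
```

The point of reconcile is the revocation path: because the rule is re-run from scratch on each refresh, nothing has to remember that the user was once an admin of acme; the absence of the claim is enough, which is why a user still holding an old session has to refresh (or sign out and in) before the change lands.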

5. Remove a member

Members → click the row → Remove. The user keeps their account (they may belong to other workspaces) but loses access to this workspace with no grace period: their cached membership is invalidated on the next API request they make.

Permissions & gating

Action                          Roles allowed
View members                    all workspace members
Invite a member                 admin, owner
Bulk import CSV                 admin, owner
Change a member's role          admin, owner
Promote to owner                owner
Remove a member                 admin, owner
Issue SCIM token                owner
Configure OIDC group mapping    admin, owner

Role matrix

Role Read Create work Approve Admin settings Billing
viewer
member
approver
admin
owner

See Roles & RBAC for the per-endpoint breakdown.

Troubleshooting

  • "The invitation email never arrived." — Check spam first. If still missing, an admin can resend it from Members → row → Resend invite. If your tenant has SMTP issues, the invite link is visible in the row's detail panel — copy it manually. Treat that link as a secret: it is the single-use, role-scoped bearer token described under Key concepts, so hand it over on a channel you trust rather than pasting it somewhere others can read it.
  • "SCIM push fails with 401." — Token revoked or expired. Issue a new one and update the IdP config.
  • "OIDC group mapping isn't taking effect." — The mapping runs on token refresh, not retroactively on existing sessions. Ask the user to sign out and back in.
  • "I can't promote someone to owner." — Only existing owners can do this. The first owner is the workspace creator; ask them.
  • "Removing the last owner is blocked." — By design — promote someone else first, then demote yourself.