Marq allows Enterprise admins to control how their users are provisioned and subsequently given a license. This article will explore the differences between Auto Provisioning and Auto Licensing.
Auto Provisioning is available in a variety of forms through Marq and your IDP. This functionality allows admin to create users in Marq, but not determine their license type (Licensed vs. View Only) via these connections. In this scenario, user's licensing is determined by Marq. See the last bullet in this section for specific details and implications for licensing set up in the Admin Panel in your Marq account.
- SAML implementations allow for Just In Time provisioning. This means users who are assigned access via your IDP and do not have a Marq account will have an account created for them upon their first log in. See the last bullet in this section for the implications of your licensing settings on how users will request/receive a license
- SCIM allows administrators to create, update, and deactivate users in Marq directly from your SCIM instance. SCIM creates users in your Marq account without them having to log in. You can update user attributes via SCIM, and our connector lets you deactivate users so they do not have a license, can not log in, and do not have access to any projects. Once a user is deactivated you can delete them and transfer their projects to another user of your choice. See the last bullet in this section for the implications of your licensing settings on how users will request/receive a license.
- G-Suite allows G-Suite Admin to roll out Marq to your whole G-Suite instance. See the last bullet in this section for the implications of your licensing settings on how users will request/receive a license.
Enabling Google SSO as a sign on method first without setting up G-Suite will break domain lock down, so new users on your domain will not be directed to your target account and will be added as free users.
- Implications for licensing set up in the Admin Panel in your Marq account. You can find these settings in your admin panel under the Licensing tile. There are two scenarios for when users are created via a provisioning action.
- If you want all users to come in as a full editing licensed user, you will need to set first Licensing option (When a new user joins a team...) to "Automatically Grant."
- If you want all users come is as view only, you will need to set first Licensing option (When a new user joins a team...) to "Do Not Automatically Grant."
Auto Licensing lets Admin determine what kind of license a user should get via SCIM. Users can receive either a full editing license or a view only license. This license type is determined by an attribute call canEdit.
- canEdit is a boolean attribute that we expect to either be true/false or not to be included in the user attributes.
canEdit = false (user gets a View Only license)
canEdit = true (user gets a Full edit license)
- The canEdit attribute is pre-built into the Okta and OneLogin SCIM connectors. You can also create your own SCIM application with these attributes if you have experience doing so. If you are looking to build your own SCIM applications please reach out to your Customer Success Manager.
- Implications for licensing set up in the Admin Panel in Marq when using canEdit. You will need to set the first Licensing option (When a new user joins a team...) to "Do Not Automatically Grant." This setting ensures all users are not given a license after being created.
- Implications for users requesting a license. If you have users being created as licensed users this section is less important. If you want your users to come in a View only and then request a license from an Admin, you can set the second part of the licensing options (When a user requests a license...) to have Admin approve the request. If you let all users receive a license automatically, the next time you make a change in your SCIM instance, license allocation will revert to reflect what your SCIM connection is sending over, stripping any manually assigned licenses. We strongly recommend that you have a custom request dialog if you have users requesting from an admin. The custom dialog can link to your internal software request page and contain any information you deem pertinent to your users.