User & Group Management
This guide covers user and group management for org admins. It describes how to invite users, create and manage groups manually, import groups from an identity provider via SCIM, and configure per-group settings including DLP overrides and model access.
User management
Inviting users
Users are added to an Arbitex organization by one of two methods:
- Email invitation — an admin sends an invite link to a user’s email address
- SCIM provisioning — users are automatically provisioned from your IdP (Entra ID, Okta) when assigned to the Arbitex application
For SCIM provisioning setup, see Entra ID SCIM provisioning and SSO Configuration Guide.
User roles
| Role | Description |
|---|---|
| USER | Standard user — access to the AI gateway within their group’s policy |
| ADMIN | Organization admin — full access to Settings, policy configuration, audit logs, and user management |
New users receive the USER role by default. Promote a user to ADMIN from Settings → Users → [user] → Edit role.
User provisioning via SCIM
SCIM-provisioned users are created with the USER role and the display name and email from the SCIM payload. They authenticate via SSO (OIDC or SAML) — no password is set for SCIM-provisioned accounts.
When a SCIM DELETE operation is received for a user, Arbitex sets is_active=false rather than deleting the user record. This preserves audit history and conversation records. The user cannot log in after deactivation.
To reactivate a deactivated user, restore the user in your IdP and trigger a SCIM sync, or contact your platform operator.
Group management
Groups are used to apply policy rules, DLP configurations, model access controls, and compliance bundles to sets of users.
Groups overview
The Groups panel in Settings → Groups shows a two-column layout:
- Left: list of all groups with member counts
- Right: group detail — metadata, members, DLP config, compliance bundles, model access
Groups display whether they are linked to an Entra AD group (Entra AD linked label in the group list).
Create a group (manual)
- Navigate to Settings → Groups.
- Click New Group.
- Fill in:
  - Name (required): display name for the group, max 255 characters
  - Description (optional): purpose or scope of the group
  - Entra AD Group ID (optional): link this group to an Entra AD group for automatic membership sync (see Import from IdP)
- Click Create.
The group is created with no members. Add members manually or via SCIM.
Edit a group
- Select the group from the list.
- Click Edit in the group detail panel.
- Modify the name, description, or Entra AD Group ID.
- Click Update.
Delete a group
- Select the group from the list.
- Click Delete in the group detail panel.
Deletion is permanent. Members are not deleted — they remain as users without the group’s policy assignments. If a policy rule uses this group as a condition, the rule no longer matches any users.
Group membership
Add a member manually
- Select the group.
- In the Members panel, enter a user ID (UUID format) in the input field.
- Click Add.
The user must already exist in the system. If you need to look up a user ID, check Settings → Users or the audit log.
Remove a member
- Select the group.
- In the Members list, click Remove next to the user you want to remove.
The user is removed from the group immediately. Policy rules using this group as a condition no longer apply to the removed user.
Import groups from an IdP
To automatically sync group membership from Entra ID or Okta, use SCIM provisioning:
- Set up SCIM provisioning as described in Entra ID SCIM provisioning.
- Rotate the SCIM bearer token for your org as described in SSO Configuration Guide — SCIM token rotation.
- In your IdP, configure group provisioning to sync selected groups to Arbitex.
When your IdP provisions a group via SCIM:
- Arbitex creates the group with the display name from the SCIM payload
- Group members are populated from the SCIM `members` array
- Subsequent SCIM PATCH operations update membership incrementally
To link an existing manually-created group to an Entra AD group:
- Edit the group.
- Enter the Entra AD Group ID (the GUID of the Entra group, found in the Azure Portal under the group’s Properties → Object ID).
- Save.
When SCIM provisions a group with a matching externalId, Arbitex associates the provisioned membership with the linked group.
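The group flow described above, modelled in memory as an added example (not Arbitex code): a SCIM create that attaches to a group linked by `externalId`, followed by an incremental PATCH. The function names, record fields and the `<entra-object-id>` placeholder are hypothetical; the PatchOp schema URN and the `members[value eq "..."]` path come from the SCIM standard (RFC 7644).

```python
import re

# Added example: an in-memory model of the SCIM group handling described above.
# Function names and record fields are hypothetical, not Arbitex code.
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
MEMBER_FILTER = re.compile(r'members\[value eq "([^"]+)"\]')

def provision_group(groups, payload):
    """SCIM create: reuse the group linked by externalId, else create a new one."""
    ext = payload.get("externalId")
    group = next((g for g in groups if ext and g["entra_group_id"] == ext), None)
    if group is None:
        group = {"name": payload["displayName"], "entra_group_id": ext, "members": set()}
        groups.append(group)
    group["members"] = {m["value"] for m in payload.get("members", [])}
    return group

def patch_members(group, payload):
    """SCIM PATCH: apply add/remove operations to membership incrementally."""
    if PATCH_OP not in payload.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    for op in payload["Operations"]:
        kind, path = op["op"].lower(), op.get("path", "")  # some IdPs send "Add"
        ids = {m["value"] for m in op.get("value", [])}
        by_filter = MEMBER_FILTER.fullmatch(path)
        if kind == "add" and path == "members":
            group["members"] |= ids
        elif kind == "remove" and by_filter:
            group["members"].discard(by_filter.group(1))
        elif kind == "remove" and path == "members":
            # No value list on a remove means "remove every member".
            group["members"] -= ids if "value" in op else set(group["members"])
        else:
            raise ValueError(f"unsupported operation: {kind} {path!r}")
    return group["members"]

# Constructed sample data: a manually created group linked to an Entra group.
GROUPS = [{"name": "Finance (manual)", "entra_group_id": "<entra-object-id>", "members": set()}]
CREATE = {"displayName": "Finance", "externalId": "<entra-object-id>",
          "members": [{"value": "user-a"}, {"value": "user-b"}]}
PATCH = {"schemas": [PATCH_OP], "Operations": [
    {"op": "Add", "path": "members", "value": [{"value": "user-c"}]},
    {"op": "remove", "path": 'members[value eq "user-a"]'},
]}

if __name__ == "__main__":
    print(sorted(patch_members(provision_group(GROUPS, CREATE), PATCH)))
```

The model rejects PATCH operations it does not recognise rather than ignoring them, so an unexpected IdP payload surfaces as an error instead of silently leaving membership stale.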
Per-group DLP configuration
Each group can override the global DLP pipeline behavior per detector. Group-level DLP configuration takes precedence over the org-level default.
Configure DLP overrides
- Select the group.
- In the DLP Configuration panel, click Edit.
- For each detector override:
  - Select the Detector (`regex`, `ner`, `gliner`, `dictionary`, `bloom_filter`)
  - Set the Action (`SKIP`, `BLOCK`, `CANCEL`, `REDACT`)
  - Toggle On/Off
- Use + Add Detector to add additional overrides.
- Click Save.
| DLP Action | Behavior |
|---|---|
| SKIP | Skip this detector entirely for users in this group |
| BLOCK | Block the request when this detector fires |
| CANCEL | Cancel the request silently when this detector fires |
| REDACT | Redact detected content and continue processing |
If no DLP override is configured for a group, the global org defaults apply.
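Because a group override replaces the org default for that detector, it is worth reviewing which groups end up with a detector skipped or switched off. The following added example (not Arbitex code) resolves the effective per-detector policy for one group and lists the detectors the override weakens. The dictionary layout is a hypothetical export format, and it assumes the On/Off toggle disables the detector for the group.

```python
# Added example: models the precedence rule described above. The data shapes
# (dicts keyed by detector name) are assumptions, not the Arbitex API schema.
DETECTORS = ("regex", "ner", "gliner", "dictionary", "bloom_filter")
ACTIONS = {"SKIP", "BLOCK", "CANCEL", "REDACT"}


def effective_dlp(org_defaults, group_overrides):
    """Return detector -> (action, enabled, source) for one group."""
    effective = {}
    for det in DETECTORS:
        # A group override, when present, wins over the org default.
        source = "group" if det in group_overrides else "org"
        cfg = group_overrides.get(det, org_defaults[det])
        if cfg["action"] not in ACTIONS:
            raise ValueError(f"unknown action {cfg['action']!r} for {det}")
        effective[det] = (cfg["action"], cfg["enabled"], source)
    return effective


def weakened_detectors(org_defaults, group_overrides):
    """List detectors the org enforces but the group override skips or turns off."""
    findings = []
    resolved = effective_dlp(org_defaults, group_overrides)
    for det, (action, enabled, source) in resolved.items():
        org = org_defaults[det]
        org_enforced = org["enabled"] and org["action"] != "SKIP"
        group_bypassed = action == "SKIP" or not enabled
        if source == "group" and org_enforced and group_bypassed:
            findings.append(det)
    return findings


# Constructed sample data.
ORG_DEFAULTS = {d: {"action": "REDACT", "enabled": True} for d in DETECTORS}
ORG_DEFAULTS["regex"] = {"action": "BLOCK", "enabled": True}
GROUP_OVERRIDES = {
    "ner": {"action": "SKIP", "enabled": True},
    "dictionary": {"action": "BLOCK", "enabled": False},
    "gliner": {"action": "BLOCK", "enabled": True},
}

if __name__ == "__main__":
    for det, row in effective_dlp(ORG_DEFAULTS, GROUP_OVERRIDES).items():
        print(det, row)
    print("weakened:", weakened_detectors(ORG_DEFAULTS, GROUP_OVERRIDES))
```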
Per-group compliance bundles
Compliance bundles are pre-configured policy packs for regulatory frameworks. You can assign specific bundles to a group, overriding or supplementing the org-level bundle assignments.
Assign compliance bundles
- Select the group.
- In the Compliance Bundles panel, click Edit.
- Enter the Bundle UUID in the input field and click Add for each bundle to assign.
  - Bundle UUIDs are found in Settings → Policies → Policy Packs (bundle pack IDs)
- Click Save.
To remove a bundle assignment, click X next to the bundle in the edit view, then save.
Available compliance bundle IDs and their associated frameworks are listed in Compliance frameworks reference.
Per-group model access
Model access controls which AI providers and models are available to users in a group. Configure model access in the Model Access panel within the group detail view.
For full model access configuration options, see Groups & RBAC.
API reference
Group management operations are available via the admin API at `/api/admin/groups/`. Member management, DLP config, and bundle assignments are sub-resources of the group endpoint.
For SCIM-based group provisioning, see the SCIM endpoint reference in SSO Configuration Guide.
See also
- Entra ID SCIM provisioning — Automated user and group sync from Entra ID
- SSO Configuration Guide — SAML IdP setup and SCIM token rotation
- Groups & RBAC — Group-based access control and model access reference
- Policy Engine user guide — How group conditions affect policy rule matching
- Compliance frameworks reference — Bundle IDs and framework mapping