Users
Manage organization members and access.
Overview
User management in Admin Center covers organization member lifecycle: invitations, activation, team assignment, role binding, and deprovisioning. Accurate user records underpin RBAC enforcement, audit attribution, and remediation approval non-repudiation.
Enterprise deployments typically integrate corporate identity through SSO while using Console invitations for contractors, partners, or pre-SSO onboarding. Both paths must align with your access provisioning and offboarding runbooks.
User records are organization-scoped. Members see only projects, runs, and resources permitted by their team membership and assigned roles.
Who should read this
- Organization administrators and IT identity teams managing Console access provisioning.
Prerequisites
- Admin Center Directory permission to manage users
- Corporate email domain verification or SSO configuration for enterprise tenants
- Documented onboarding checklist including team and role assignment standards
When to use this workflow
- Onboarding new team members to Zof terminology and workflows
- Authoring internal runbooks aligned with Console labels
- Designing CI/CD or webhook integrations against documented behavior
Step-by-step procedure
Plan access before invitation
Identify the user's team ownership, required Console areas, and approver responsibilities.
Select appropriate roles following least-privilege principles; avoid default administrator assignment.
Confirm the user's corporate email or approved alternate identity for tenant association.
Send invitation or verify SSO provisioning
Open Admin Center → Directory → Users and invite the member by email.
For SSO-enabled tenants, verify just-in-time provisioning creates records on first sign-in if applicable.
Track pending invitations and resend or revoke stale invites per security policy.
Assign teams and roles
Add the user to teams reflecting their operational ownership of applications and projects.
Bind roles granting access to the required Console areas: Operate, Quality, Automation, Governance, Platform.
Verify the user can access intended destinations after sign-in without excessive permissions.
Complete onboarding verification
Confirm the user completes MFA enrollment if required by identity policy.
Direct new members to Getting Started documentation and persona-appropriate Console tour material.
Validate audit logs capture invitation acceptance and role assignment events.
Manage lifecycle changes
Update team and role assignments when users change function or organizational unit.
Transfer ownership of projects and applications before removing users from owning teams.
Document access changes in change tickets where regulated environments require evidence.
Deprovision promptly on departure
Remove or deactivate users immediately upon termination or contract end.
Revoke API keys and integration tokens owned by departing users.
Verify audit logs reflect deprovisioning actions for compliance records.
Key concepts
- Organization scope: All Zof Console and API operations are isolated to your authenticated tenant.
- Governed execution: Agent output and remediation follow policy packs with human approval when configured.
Best practices
- Automate offboarding checks against HR termination feeds where integration is available.
- Prohibit shared user accounts; audit trails require identifiable individuals.
- Review dormant accounts quarterly and deactivate unused memberships.
- Use group or team-based role assignment patterns to reduce individual configuration drift.
- Include Console access in standard employee onboarding and exit checklists.
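The offboarding, dormant-account, stale-invitation and missing-binding checks described on this page can be run together as one reconciliation pass over a directory export and an HR termination feed. The following is an added example, not Zof code: the record fields, status values, finding names and the 90-day and 14-day thresholds are all assumptions, and the sample data is constructed.

```python
from datetime import date

# Constructed sample records. Field names and status values are assumptions
# for illustration, not a documented Zof export or API schema.
DIRECTORY = [
    {"email": "ana@example.com", "status": "active", "last_sign_in": "2025-05-20",
     "invited": "2024-01-05", "teams": ["payments"], "roles": ["operate-viewer"], "api_keys": 1},
    {"email": "bo@example.com", "status": "active", "last_sign_in": "2025-05-28",
     "invited": "2024-02-01", "teams": ["platform"], "roles": ["platform-editor"], "api_keys": 2},
    {"email": "cy@example.com", "status": "deactivated", "last_sign_in": "2025-03-01",
     "invited": "2023-09-09", "teams": [], "roles": [], "api_keys": 1},
    {"email": "di@example.com", "status": "active", "last_sign_in": "2025-01-10",
     "invited": "2023-11-20", "teams": ["quality"], "roles": ["quality-viewer"], "api_keys": 0},
    {"email": "ed@example.com", "status": "pending", "last_sign_in": None,
     "invited": "2025-04-01", "teams": [], "roles": [], "api_keys": 0},
    {"email": "flo@example.com", "status": "active", "last_sign_in": "2025-05-30",
     "invited": "2025-05-30", "teams": [], "roles": [], "api_keys": 0},
]
HR_TERMINATED = ["Bo@Example.com", "cy@example.com"]  # constructed HR feed

def age_days(iso_day, today):
    """Days since an ISO date; None (never happened) counts as infinitely old."""
    return float("inf") if iso_day is None else (today - date.fromisoformat(iso_day)).days

def audit_directory(users, terminated, today, dormant_days=90, invite_days=14):
    """Map each email to the lifecycle findings that need administrator action."""
    gone = {e.strip().lower() for e in terminated}  # feeds rarely agree on case
    report = {}
    for u in users:
        email, status, issues = u["email"].lower(), u["status"], []
        if email in gone and status != "deactivated":
            issues.append("terminated-but-active")
        if email in gone and u["api_keys"] > 0:
            issues.append("terminated-with-live-keys")  # keys can outlive the login
        if status == "active" and age_days(u["last_sign_in"], today) > dormant_days:
            issues.append("dormant")
        if status == "pending" and age_days(u["invited"], today) > invite_days:
            issues.append("stale-invite")
        if status == "active" and not (u["teams"] and u["roles"]):
            issues.append("missing-team-or-role")  # e.g. after SSO first sign-in
        if issues:
            report[email] = issues
    return report

if __name__ == "__main__":
    for email, issues in audit_directory(DIRECTORY, HR_TERMINATED, date(2025, 6, 1)).items():
        print(f"{email}: {', '.join(issues)}")
```

The key check is reported separately from the account status because a deactivated user can still own working API keys or integration tokens.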
Common issues
- Invitation not received: Verify email address, corporate spam filters, and domain verification status. Resend invitation or confirm SSO provisioning path.
- User lands in wrong organization tenant: Multi-tenant users must select correct organization context at sign-in. Verify domain auto-assignment rules with your administrator.
- SSO user missing expected permissions: SSO provisioning may create users without team or role bindings. Complete directory assignment after first sign-in.