Skip to main content
JIT provisioning automatically creates users and assigns roles the first time they authenticate, without manual pre-creation by an administrator.

How JIT provisioning works

  1. A user authenticates via Magic Link sent to their email address
  2. The Back Office validates the magic link and extracts the user email
  3. The system checks whether the user already exists
  4. If the user does not exist:
    • A new user record is created automatically
    • The user’s email is stored as the primary identifier
    • A role is assigned based on email-based rules
  5. The user is granted access according to the permissions of the assigned role
All permission checks after login are enforced by RBAC.

Role assignment during JIT provisioning

Role assignment during JIT provisioning is performed automatically based on the user’s email address.

Domain-based role mapping

Role assignment during JIT provisioning is performed exclusively based on the user’s email domain. When a user authenticates via magic link, the system extracts the domain part of the email address and assigns a role according to predefined domain-to-role rules. Examples:
  • @company.com → Member
  • @finance.company.com → Finance
  • @dev.company.com → Developer
  • @support.company.com → Support

Security considerations

  • JIT provisioning does not bypass RBAC — all actions remain permission-based
  • Role mappings should follow the principle of least privilege
  • High-privilege roles (Owner, Admin) should only be assigned via trusted IdP rules
If you need help configuring JIT provisioning or role mappings, please contact your account manager.