How Can I Remove a User's Account Role While SCIM Provisioning Is Active?
Question
I want to remove a user's account-level role, such as Account Administrator, without deactivating their account. However, Okta and Microsoft Entra ID don't support sending a null or none value for the account role through SCIM.
How can I remove a user's account role while SCIM provisioning is active?
Environment
- Account settings
- Identity Provider: Okta or Microsoft Entra ID SCIM
Answer
To remove a user's account role while SCIM is enabled, briefly disable SCIM, manually update the user's role, then re-enable SCIM:
- In your identity provider, remove the user from any groups that are mapped to Fivetran account roles.
  If the user remains in a mapped group, SCIM overwrites your manual change and reassigns the role during the next synchronization.
- In Fivetran, go to Account Settings > General.
- Select the Account Settings tab.
- Under SCIM Config, set the Enable SCIM Provisioning toggle to OFF.
- Go to Account Settings > Users & Permissions.
- Select the Users tab.
- Select the user you want to edit.
- Under Account Role, click Edit user.
- In the Account Role drop-down menu, select No Account Role.
- Click Save changes.
- Return to Account Settings > General.
- Set the Enable SCIM Provisioning toggle to ON.
Alternative methods
If you don't want to disable SCIM, use one of the following options:
- Move the user to an IdP group mapped to a lower-level role, such as Account Reviewer, to reduce their permissions.
- Create a custom role in Fivetran with no permissions enabled, then map that role to the user through SCIM.
- If the user no longer needs access to Fivetran, unassign them from the application in your IdP to deactivate their account.