Skip to main content
Collabase gives you full control over who can access your instance, what they can do, and how they are provisioned. All user and group management lives under Settings → Users and Settings → Groups.

Global roles

Every user in Collabase has a single global role that determines their baseline access to the platform.
RoleWhat they can do
AdminFull access to all settings, spaces, and system configuration. Admins can manage users, groups, and identity providers.
CollaboratorCan create and edit content in any space they are granted access to. Cannot access system settings.
ViewerRead-only access to spaces and pages they are explicitly granted. Cannot create or modify content.
Global roles set the ceiling for what a user can do. Space-level roles further restrict access within a specific space. See Permissions for the full model.

Managing users

Navigate to Settings → Users to see all users in your instance. The users table shows each user’s name, email, global role, creation date, last login, and directory source (Local, LDAP, Google, GitHub, Microsoft, etc.).

Adding a user

1

Open the add user dialog

Click Add New User in the top-right corner of Settings → Users.
2

Enter the user's details

Fill in the user’s full name and email address.
3

Assign a global role

Choose Viewer, Collaborator, or Admin. You can change this at any time.
4

Note the generated password

Collabase generates a one-time password automatically. Copy the credentials and share them securely with the new user. The user must change their password on first login.
5

Click Onboard User

The account is created immediately and appears in the users table.

Changing a user’s role

In the users table, use the role dropdown on any row to change that user’s global role. The change takes effect immediately.

Disabling and re-enabling a user

Click the disable button (the ban icon) on a user’s row to prevent them from logging in without deleting their account. Their content and history are preserved. Click the enable button (the checkmark icon) to restore access.
You cannot disable or delete your own account from the UI — this prevents accidental self-lockout.

Editing a user’s profile

Click a user’s name to open the profile panel. You can update their full name, email, phone, job title, and department. For users managed by an external identity provider (LDAP or SSO), profile fields are locked and can only be updated from your external directory.

Removing a user

Click the trash icon on any user row to permanently delete the account. This action cannot be undone.

Unlocking a locked account

If brute-force protection is enabled, accounts lock after too many failed login attempts. A locked indicator appears on the user’s row. Open the user profile panel and click Unlock Account to restore access immediately.

Groups

A group is a named collection of users. Instead of granting space access to individual users, you grant access to the group — all members of the group inherit that access automatically. Use groups to manage access for teams, departments, or any logical set of users. When someone joins or leaves a team, you add or remove them from the group rather than updating every space individually.

Creating a group

1

Navigate to Settings → Groups

Click New Group in the top-right corner.
2

Name the group

Enter a name (required) and an optional description that explains the group’s purpose.
3

Click Create

The group appears in the group grid.

Adding members to a group

1

Open the group

Click any group card to open the group detail panel.
2

Go to the Members tab

The Members tab shows all current members. Scroll down to the Add Member section.
3

Search and add users

Type a name or email in the search box and click Add next to the user you want.
To remove a member, hover over their row and click the remove button.

Granting a group access to a space

1

Open the group and go to the Space Access tab

This tab lists all spaces the group currently has access to.
2

Select a space

Choose the space from the dropdown. Only spaces your instance knows about are listed.
3

Select a role

Choose the role the group members will have within that space (available roles are defined in the space’s role configuration).
4

Click Save Access

Members of the group can now access the space with the assigned role.
To revoke access, hover over the space row in the Space Access tab and click the remove button.

SCIM v2 provisioning

Collabase implements SCIM 2.0, which lets your identity provider (Okta, Microsoft Entra, JumpCloud, etc.) automatically provision and deprovision users and groups. SCIM endpoints:
ResourceEndpoint
Users/api/scim/v2/Users
Groups/api/scim/v2/Groups
Service provider config/api/scim/v2/ServiceProviderConfig
Schemas/api/scim/v2/Schemas
All SCIM requests must include a bearer token in the Authorization header.

Generating a SCIM token

1

Navigate to Settings → Users

Scroll to the SCIM section or look for the SCIM token management area in the settings page.
2

Generate a new token

Click Generate Token. Collabase displays the token once — copy it immediately and store it securely.
3

Configure your identity provider

Paste the token into your identity provider’s SCIM bearer token field, and set the SCIM base URL to your Collabase instance URL.
The plaintext token is shown only once at generation time. If you lose it, delete the token and generate a new one.

How SCIM provisioning works

When your identity provider pushes a user or group to Collabase via SCIM:
  • New users are created with the default global role configured on your identity provider connection.
  • Updated users have their profile fields (name, department, job title) synced from the directory.
  • Deprovisioned users have their accounts disabled in Collabase — their content is not deleted.
  • Groups are created or updated in Collabase and their memberships are kept in sync.
Users provisioned via SCIM are marked with their external identity source in the Directory column of the users table. Their profile fields are locked in the Collabase UI — changes must be made in your identity provider.