
(Internal) License and user management options

License management lets admins (or CSMs) see how many licenses a company has purchased versus how many have been allocated across the team. Right now, we might sell X licenses, but admins can't tell how many they've allocated or who does or doesn't have one yet.

RBAC

Role-based access control (RBAC) allows admins to define their own roles within Gem.

For example, admins can create a role called “Recruiter++” that has access to product modules (or even individual features) A, B, C and another called “Intern Sourcer” that has access to product modules A, D, E.

SCIM

System for Cross-domain Identity Management (SCIM) is a standard for automating the exchange of user identity information between identity domains, or IT systems.

For example: as new employees are onboarded and existing employees off-boarded, they are added and removed from the company’s electronic employee directory or Identity Provider (IdP). SCIM can be used to automatically add/delete (or, provision/de-provision) accounts for those users in external systems such as Google Workspace, Office 365, or Salesforce.com. Then, a new user account would exist in the external systems for each new employee, and the user accounts for former employees would be automatically removed from those systems.

Gem supports SCIM through WorkOS, using their Directory Sync integration.

Note: SCIM is separate from SAML SSO. SSO is how users are authenticated into Gem, but it does not dictate how they can be managed by integrated systems. SCIM does not manage authentication; it manages how user data is kept in sync between the customer's IdP and Gem.

SCIM setup

Because there are additional infrastructure costs associated with SCIM, it is not enabled for all customers. For ENT customers only, please work with EPD to enable SCIM.

  1. [Internal step] A Gem super admin must go to the teams support dashboard, and provision WorkOS via this button. This should only be done for enterprise customers that request this feature, as we are charged per team that enables Directory Sync.

Out of Sync Data

If Gem’s data ever goes out of sync with WorkOS, we have a script that is always safe to run which can put Gem back in sync: scripts/action/sync_workos_directory_users.py. Use this to resolve any conflicting data between Gem and WorkOS, where WorkOS Directory Sync is the source of truth.
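
An added sketch of what a reconciliation with the directory as source of truth looks like, and why a second run is a no-op. This is not Gem's sync_workos_directory_users.py and does not call the WorkOS API; the record shapes, group names, sample users and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed IdP group -> role mapping (group names are constructed).
GROUP_TO_ROLE = {"recruiting": "Recruiter++", "interns": "Intern Sourcer"}

@dataclass(frozen=True)
class Action:
    op: str                      # "provision", "deprovision" or "set_role"
    email: str
    role: Optional[str] = None

def plan_sync(directory, local):
    """Return the actions that make `local` match `directory`.

    directory: {email: {"active": bool, "group": str}}  (source of truth)
    local:     {email: role} for accounts currently enabled in the app
    """
    wanted = {}
    for email, rec in directory.items():
        role = GROUP_TO_ROLE.get(rec["group"])
        # Inactive users and users in unmapped groups get no account (fail closed).
        if rec["active"] and role is not None:
            wanted[email] = role
    actions = []
    for email, role in sorted(wanted.items()):
        if email not in local:
            actions.append(Action("provision", email, role))
        elif local[email] != role:
            actions.append(Action("set_role", email, role))
    # Anything the directory does not vouch for is removed, including
    # accounts that were created by hand in the app.
    for email in sorted(set(local) - set(wanted)):
        actions.append(Action("deprovision", email))
    return actions

def apply_actions(actions, local):
    """Apply a plan to a copy of the local account table."""
    new = dict(local)
    for a in actions:
        if a.op == "deprovision":
            new.pop(a.email, None)
        else:
            new[a.email] = a.role
    return new

# Constructed sample data: bo was off-boarded, dee was never in the directory.
DIRECTORY = {"ana@example.com": {"active": True, "group": "recruiting"},
             "bo@example.com": {"active": False, "group": "recruiting"},
             "cy@example.com": {"active": True, "group": "interns"}}
LOCAL = {"ana@example.com": "Intern Sourcer", "bo@example.com": "Recruiter++",
         "dee@example.com": "Recruiter++"}
```

Because the plan is computed purely from the difference between the two tables, applying it and planning again yields an empty plan, which is the property that makes such a job safe to re-run.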

SCIM Limitations (internal only)

  • User groups are not supported as of Aug 2025.
  • New users cannot be invited after SCIM is enabled. Users must be added through the IdP.
  • User roles are configured by the IdP group → Role mapping. Team admins are not able to set user roles in the Gem UI.
  • Custom roles need to be synced manually by an engineer.