Skip to end of metadata
Go to start of metadata

Users need to be registered in the Team Server to be able to work together on model packages and projects. Users can be added manually to the Team Server, but also via import by means of an external identity provider like Active Directory, Azure AD, or a SAML-based identity provider. User import via an identity provider is part of the Team Server configuration, and is usually performed by application administrators. 

While using an external identity provider, manually adding users to the Team Server remains possible, for example, for registering external people like consultants or interns, but also system administrator users.

When using Azure AD, users are defined in Azure AD and added to the Team Server via provisioning. So are the groups and the users' group memberships. 

When using Active Directory or a SAML-based identity provider, users are defined by that identity provider. The users are added to the Team Server via synchronization (Active Directory) or provisioning (SAML). With SAML, group memberships of the users are defined in the identity provider. With Active Directory group memberships are manually arranged in the Team Server.

Users that are added manually are internal users, they are external when added via an identity provider. To see whether a user is internal or external you can check the user's origin on the user page.



When users are added, they can be assigned one or more roles for the Team Server. The role determines the user's permissions in the Team Server, in HoriZZon, and for Team Platform-related work in Enterprise Studio. The role also determines which information in the Team Server and in HoriZZon is visible to the user.

Users can be manually added one by one, but it is also possible to add multiple users at once. This is practical if multiple users must have the same role(s).


Required roles

Administrator or System Administrator: Manually create users.

System Administrator: Assign the System Administrator role to a user.

On this page:


Manually adding users

  1. In the sidebar menu, click Users, and then click Add users.



  2. In New user, add the e-mail address of the user you would like to add to the Team Server. You can add more than one user by adding multiple e-mail addresses.



  3. In Roles, set the role(s) for the user(s). If you have added multiple users, all users will get the same role(s).

    You can choose the following roles: Consumer, Contributor, Lead Designer, and Administrator. Only if you have the System Administrator role yourself, the System Administrator role is available to select for others. 

    If you do not select any role, the user can only view his or her personal details. If you are going to add the users to a group that only need to access HoriZZon to view site data, you leave the roles empty. By assigning them to groups they will get the right access. For more information about the roles, see User roles and permissions.



  4. Click Add user.


An e-mail message with an invitation to register will be sent to the user(s).

Conversion of internal users to external users

If you have already manually added users to the Team Server when you start adding users via an identity provider, these internal users may be converted to external users.

If you start provisioning in Azure AD, existing internal users are converted to external users if their name and e-mail address match the user name and e-mail address in Azure AD. During provisioning, the origin of the user changes from internal to external. From that point on the converted user can only sign in to the Team Server and HoriZZon using their Azure AD account.

In Active Directory, any internal users are also converted to external users if their name and e-mail address match. After users have been synchronized in the Team Server, the "converted" users can only sign in with their Windows account.

With a SAML-based identity provider, matching internal users are converted to external users during provisioning in the identity provider. The user can still sign in with their Team Server credentials until they start using the identity provider account. Once signed in via their identity provider the user is converted to external and can no longer sign in using the Team Server credentials.