Primary navigation

Groups and provisioning

Understand group membership sources and their workspace access boundary

Groups organize ChatGPT workspace access for a set of members and can carry custom roles. Group membership is separate from local runtime policy and permissions in connected systems.

For the complete control model, see Roles and workspace permissions.

Compare membership sources

Each group has one authoritative membership source:

Group typeMembership sourceWhen it applies
Manually managedChatGPT workspace administrationThe group is small, temporary, or not managed through directory sync
Identity-provider managedYour identity provider through SCIMMembership should follow the organization’s directory and member-removal process

Manual and identity-provider-managed groups can coexist. For synchronized groups, the identity provider is the membership source; later provisioning updates can overwrite workspace-side changes. The Help Center owns current SCIM behavior, supported attributes, and setup steps.

Understand the access boundary

SCIM provisions workspace membership and group assignments. It doesn’t grant permissions in GitHub, Google Drive, Slack, or another connected system. It also doesn’t replace local runtime requirements or Platform API organization access.

Workspace RBAC and local runtime requirements are separate control systems. A group can be relevant to both, but don’t infer a managed-requirements matching or precedence rule from workspace group order. Use Managed configuration for the documented delivery and local precedence rules.

Use current setup procedures

Workspace administration details can change. Use these sources for current UI steps, availability, and limits: