Hi @icy-accountant-52329, thanks for the reply! 😃
That’s some nice insight, thanks for sharing!
Agreed, I think it’s very dependent on institutional mandates or preferences, but I do see some great use cases and reasons for each strategy. I would even dare say that a hybrid strategy like that has more pros.
One key aspect is exactly what you mentioned, the delegation of Team memberships to Team admins and not having to deal with the IdP directly. What’s also great about this is that access to the Pulumi Org is still governed by that initial SCIM group, as members need to be in a SCIM group before being added to any other Team, so SAML SSO authentication is still required by enabling SCIM.
Seems like the idea of deciding to create a new local Team is, or may be, primarily governed by some bespoke group of individuals working on “X” possibly from different SCIM Teams that may not necessarily work in the same group/department…or something like that.
It’s an interesting “problem” to think about and seems like there is no “standard best practice” as it’s all possible, and unique to each Org 🤔 …a personal decision.
Thanks for listening to my thought dump, and thanks again for your feedback!