Cursor Enterprise: Identity & Access Management (SSO, SCIM, roles)
Identity and access management controls who can use Cursor and what they can do. Cursor recommends a fixed order: set up SAML SSO first, enable SCIM to automate the user lifecycle, deploy MDM policies to enforce allowed team IDs and extensions, then assign the three team roles. SCIM and the advanced MDM controls require Enterprise with SSO enabled.
What order should we set up Cursor identity controls?
Identity and access management controls who can use Cursor in your organization and what they can do: authentication, user provisioning and device-enforced policies. Cursor recommends implementing the controls in a specific order so each one builds on the last.
1. Set up SSO (Single Sign-On: one company login, usually via SAML or OIDC, instead of a separate password per tool) so centralized authentication works first.
2. Enable SCIM (System for Cross-domain Identity Management: a standard for automatically creating and removing user accounts when people join or leave) to automate user lifecycle management.
3. Deploy MDM policies to enforce allowed team IDs and extensions.
4. Assign roles to grant admin access to the right people.
How do SSO and SAML work in Cursor?
SSO lets users authenticate to Cursor with your existing identity provider instead of separate Cursor passwords. Cursor supports SAML 2.0 (an enterprise standard that powers single sign-on) with providers like Okta, Azure AD, Google Workspace and OneLogin. When you enable SSO you can require it for all team members, which prevents password-based authentication entirely.
If your company has multiple linked teams, Cursor recommends a shared org-level SSO model through Organizations. Team-level SSO setups are still supported for team-specific identity requirements.
What does SCIM provisioning automate?
SCIM 2.0 provisioning automatically manages team members and directory groups through your identity provider. It is available on Enterprise plans with SSO enabled. Without SCIM you add and remove users in Cursor by hand; with it, the identity provider drives membership.
- New employees get Cursor access automatically when added to the right group.
- Departing employees lose access when removed from your IdP.
- Group membership changes propagate automatically.
What roles do Cursor teams have?
| Role | What it is |
|---|---|
| Members | Standard team members who use Cursor. |
| Admins | Administer the team. |
| Unpaid Admins | Administer the team without consuming a paid seat. |
Cursor teams have three roles. See Members, Roles, and Seat Types for the full breakdown.
Which device policies can MDM enforce?
Mobile Device Management (MDM) systems enforce policies on user devices. Cursor supports MDM-based policies on macOS and Intune / Group Policy on Windows. An MDM policy overrides the equivalent user-configured Cursor setting on each device.
- Allowed Team IDs: AllowedTeamId permits only listed team IDs to log in; overrides cursorAuth.allowedTeamId.
- Allowed Extensions: AllowedExtensions controls installable extensions; overrides the admin portal and extensions.allowed.
- Workspace Trust: WorkspaceTrustEnabled (boolean) forces the trust prompt on or off; overrides security.workspace.trust.enabled.
- The .cursor folder: project settings, indexing cache and rules created at the repo root; can be committed to source control.
As soon as you add any entry to extensions.allowed, only explicitly allowed entries are permitted and everything else is blocked. There is no implicit allow-all. Setting {"anysphere": false} blocks every other publisher too, because nothing else is on the allowlist. To block specific extensions while keeping the rest, add the "*": true wildcard alongside the entries you deny.
How does the Allowed Team IDs policy stop personal accounts?
The most important MDM policy prevents users from logging into personal Cursor accounts on corporate devices. When you set an allowed team ID policy, Cursor only permits authentication to those specific team IDs. The cursorAuth.allowedTeamId setting accepts a comma-separated list, so "1,3,7" allows users from those three team IDs. To manage it centrally, configure the AllowedTeamId policy through your MDM, which overrides the local setting.
- A user who tries to log in with a team ID not on the list is forcibly logged out immediately.
- An error message is displayed.
- Further authentication attempts are prevented until a valid team ID is used.
Setting the allowed team ID to your enterprise team ID stops employees from accidentally using personal accounts that might not have Privacy Mode (Cursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code) enabled.
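The two allowlist behaviours described above (the no-implicit-allow-all rule for extensions.allowed, and the comma-separated cursorAuth.allowedTeamId list that an MDM AllowedTeamId policy overrides) are easy to get wrong when writing a policy by hand. The following Python is an added example, not code from Cursor or its docs: it models the evaluation rules as the page states them so an admin can dry-run a policy before deploying it. Assumptions not taken from the page: policy values are plain strings and dicts, extension IDs have the form "publisher.name", a bare publisher key matches every extension from that publisher, and a specific entry takes precedence over the "*" wildcard. All extension IDs and team IDs below are constructed sample values.

```python
"""Dry-run evaluation of the Cursor allowlist policies described on this page.

Assumptions (not from the Cursor docs, see lead-in): "publisher" keys match
every extension from that publisher, exact IDs beat publisher keys, and both
beat the "*" wildcard.
"""
from typing import Any, Optional


def effective_setting(mdm_value: Optional[Any], user_value: Optional[Any]) -> Optional[Any]:
    """An MDM-delivered policy value wins whenever it is set; otherwise the
    user's local Cursor setting applies."""
    return user_value if mdm_value is None else mdm_value


def parse_team_ids(value: str) -> set:
    """Parse the comma-separated form ("1,3,7") into a set of ints.

    Blank entries and surrounding whitespace are ignored so "1, 3,,7" parses
    the same as "1,3,7".
    """
    return {int(part) for part in (p.strip() for p in value.split(",")) if part}


def team_login_allowed(allowed: Optional[str], team_id: int) -> bool:
    """No allowed-team setting means any account may log in; once a list is
    set, only the listed team IDs may authenticate."""
    if allowed is None:
        return True
    permitted = parse_team_ids(allowed)
    if not permitted:
        return True
    return team_id in permitted


def extension_allowed(policy: dict, ext_id: str) -> bool:
    """Evaluate extensions.allowed for one extension ID.

    Empty map: implicit allow-all. Non-empty map: there is NO implicit
    allow-all any more; the most specific matching entry decides
    (exact ID > publisher > "*") and an extension with no matching entry
    is blocked.
    """
    if not policy:
        return True
    publisher = ext_id.split(".", 1)[0]
    for key in (ext_id, publisher, "*"):
        if key in policy:
            return bool(policy[key])
    return False


if __name__ == "__main__":
    # Constructed scenarios illustrating the gotchas described in the text.
    print("deny-only map blocks an unrelated publisher:",
          extension_allowed({"anysphere": False}, "other.example"))        # False
    print("wildcard plus a deny entry keeps the rest:",
          extension_allowed({"*": True, "other.example": False}, "third.example"))  # True
    print("MDM AllowedTeamId beats local setting:",
          team_login_allowed(effective_setting("12", "1,3,7"), 3))         # False
```

The precedence order is an assumption used to make the page's two examples come out as stated; check it against the real client before relying on a mixed allow/deny map.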
Frequently asked questions
Does SCIM require SSO and Enterprise?
Yes. SCIM 2.0 provisioning is available on Enterprise plans with SSO enabled. Set up SAML SSO first, then enable SCIM so user and directory-group changes flow from your identity provider.
How do I reset Cursor clients back to allowing all extensions?
Clearing the admin portal field stops pushing a new value but does not remove the policy clients already applied locally. To reset everyone, deploy {"*": true} first, wait for clients to pick it up, then clear the field. Admin portal configuration for allowed extensions requires Cursor client version 2.1 or later.
Is it safe to commit the .cursor folder to source control?
It can be checked in so teammates share rules and settings, but those configurations are visible to anyone with repository access. Review the folder before committing and keep sensitive information out of rules files.
Sources & last verified
- Cursor - Identity & Access Management
- Cursor - Organizations
- Cursor - SSO and SAML setup
- Cursor - SCIM provisioning
- Cursor - Members, Roles, and Seat Types
- Cursor - Deployment Patterns (MDM configuration)
Cursor ships frequently. Facts verified against primary sources on June 25, 2026.