security: update manage members and SSO users FAQs (#22021)

sarahsanders-docker · web-flow · commit 6c3cc9396c08 · 2025-02-13T09:04:07.000-05:00
## Description - During Kapa triage, I noticed two uncertain answers: one regarding SCIM enablement impact on existing licensed users and one about deleting a user with SSO enabled - These updates address both to improve future Kapa convos and sources - Update to `members.md` that adds a callout about removing members from an org, clarifying that SSO w/ SCIM enabled is a little different (must be done in IdP) - Update to `user-faqs.md` that adds a new FAQ clarifying the impact of enabling SCIM for existing licensed users ## Related issues or tickets - https://docker.atlassian.net/browse/ENGDOCS-2404 - https://docker.atlassian.net/browse/ENGDOCS-2403 ## Reviews - [ ] Technical review - [ ] Editorial review
diff --git a/content/manuals/admin/organization/members.md b/content/manuals/admin/organization/members.md
@@ -141,6 +141,10 @@ To add a member to a team with the Admin Console:
 
 ### Remove a member from a team
 
+> [!NOTE]
+>
+> If your organization uses single sign-on (SSO) with [SCIM](/manuals/security/for-admins/provisioning/scim.md) enabled, you should remove members from your identity provider (IdP). This will automatically remove members from Docker. If SCIM is disabled, you must manually manage members in Docker.
+
 Organization owners can remove a member from a team in Docker Hub or Admin Console. Removing the member from the team will revoke their access to the permitted resources.
 
 {{< tabs >}}
diff --git a/content/manuals/security/faqs/single-sign-on/users-faqs.md b/content/manuals/security/faqs/single-sign-on/users-faqs.md
@@ -100,3 +100,7 @@ No, we don't differentiate the two in product.
 ### Is user information visible in Docker Hub?
 
 All Docker accounts have a public profile associated with their namespace. If you don't want user information (for example, full name) to be visible, you can remove those attributes from your SSO and SCIM mappings. Alternatively, you can use a different identifier to replace a user's full name.
+
+### What happens to existing licensed users when SCIM is enabled?
+
+Enabling SCIM does not immediately remove or modify existing licensed users in your Docker organization. They retain their current access and roles, but after enabling SCIM, you will manage them in your identity provider (IdP). If SCIM is later disabled, previously SCIM-managed users remain in Docker but are no longer automatically updated or removed based on your IdP.
