If someone is added to my Identity Provider (IdP), will they have access to my Heroku Team without me adding them explicitly?
Yes, we do. A user that is not a Heroku user yet (as denoted by the email the IdP sends us) will be created. The user will still need to verify the email address with us. The user will have the default role in the Team, as selected by the Team admins. You can update the default role from the Settings tab for your Heroku Enterprise Team in Dashboard. The default role is
member if it has not been set by an admin.