System and method for graduated security in user authentication
US-9195820-B2 · Nov 24, 2015 · US
US10885179B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10885179-B2 |
| Application number | US-201213486372-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 1, 2012 |
| Priority date | Oct 5, 2011 |
| Publication date | Jan 5, 2021 |
| Grant date | Jan 5, 2021 |
Official abstract text for this publication.
A method of provisioning organization users in a multi-tenant database system includes receiving a request via a single sign-on protocol from an organization user to create a new multi-tenant database user account for access to the multi-tenant database system. The method retrieves rules that specify how to derive user permissions for access to the multi-tenant database system from stored user attributes of the organization user. The method continues with applying the rules to the stored user attributes to determine permissions for the users to access particular objects in the multi-tenant database system, and creating the new user account with the determined user permissions for access to the multi-tenant database system.
Opening claim text (preview).
I claim:

1. A computer-implemented method of provisioning organization users new to a remote service provider, including: receiving a request from a user enrolled with an identity provider to access a system of the remote service provider via a single sign-on protocol, wherein the request requires creation of an organization user account for access to the system of the remote service provider; receiving, as part of the request, stored user attributes including a role attribute associated with an existing account of the user from the identity provider via the single sign-on protocol; receiving data specifying a plurality of rules to apply when setting up the user as a new user to access the system of the remote service provider; storing the plurality of rules with a system user profile of a system user with account creation rights; upon receipt of the request from the user, retrieving at least one rule of the plurality of rules from the system user profile; deriving a permission, as specified by the at least one rule, for accessing an object within the system based on the stored user attributes, by: matching the role attribute associated with the existing account to the at least one rule; determining the permission for accessing the object within the system based on applying the at least one rule to the role attribute, and the matching; and creating, at the remote service provider, the organization user account with the permission for accessing the object based on the request.

2. The method of claim 1, wherein the single sign-on protocol includes SAML (Security Assertion Markup Language), OAuth (Open standard for Authorization), or OpenID.

3. The method of claim 1, wherein the role attribute is a first role attribute, and further including requesting, from a client device, a second role attribute not included in the request.

4. The method of claim 1, wherein the creating further includes: creating a management account object at least based on an account identifier attribute; creating a contact object at least based on a contact identifier attribute and the management account object; and creating a new portal user account at least based on the management account object and the contact object.

5. A computer-implemented method of initializing rules for provisioning organization users, enrolled with an identity provider, new to a remote service provider, including: receiving a request via a single sign-on protocol to access a system of the remote service provider, wherein the request requires creation of an organization user account for access to the system; receiving, at a provisioning framework device via a network, data specifying a plurality of rules to apply when setting up the user as a new user to access the system of the remote service provider, as well as stored user attributes associated with an existing account of the user from the identity provider; storing the plurality of rules with a system user profile of a system user with account creation rights; matching, by the provisioning framework device, at least one of the stored user attributes to at least one of the plurality of rules; determining, at the provisioning framework device, an access right value associated with an object of the system based on applying the at least one of the plurality of rules to the at least one of the stored user attributes, and the matching; and creating, at the remote service provider, the organization user account with the access right value based on the request.

6. The method of claim 5, wherein the at least one of the stored user attributes includes a role attribute based on a role hierarchy.

7. The method of claim 6, wherein the at least one of the plurality of rules includes a rule specifying how to derive the access right value based on the role attribute.

8. A computer system for provisioning organization users new to a remote service provider, the computer system including one or more processors configured to perform operations including: receiving a request from a user enrolled with an identity provider to access a system of the remote service provider via a single sign-on protocol, wherein the request requires creation of an organization user account for access to the system of the remote service provider; receiving, as part of the request, stored user attributes including a role attribute associated with an existing account of the user from the identity provider via the single sign-on protocol; receiving data specifying a plurality of rules to apply when setting up the user as a new user to access the system of the remote service provider; storing the plurality of rules with a system user profile of a system user with account creation rights; upon receipt of the request from the user, retrieving at least one rule of the plurality of rules from the system user profile; deriving a permission, as specified by the at least one rule, for accessing an object within the system based on the stored user attributes, by: matching the role attribute associated with the existing account to the at least one rule; determining the permission for accessing the object within the system based on applying the at least one rule to the role attribute, and the matching; and creating, at the remote service provider, the organization user account with the permission for accessing the object based on the request.

9. The computer system of claim 8, wherein the single sign-on protocol includes SAML (Security Assertion Markup Language), OAuth (Open standard for Authorization), or OpenID.

10. The computer system of claim 8, wherein the role attribute is a first role attribute, and wherein the one or more processors are configured to further perform operations including requesting, from a client device, a second role attribute not included in the request.

11. The computer system of claim 8, wherein the creating further includes: creating a management account object at least based on an account identifier attribute; creating a contact object at least based on a contact identifier attribute and the management account object; and creating a new portal user account at least based on the management account object and the contact object.

12. A computer system for initializing rules for provisioning organization users, enrolled with an identity provider, new to a remote service provider, the computer system including one or more processors configured to perform operations including: receiving a request via a single sign-on protocol to access a system of the remote service provider, wherein the request requires creation of an organization user account for access to the system; receiving, at a provisioning framework device via a network, data specifying a plurality of rules to apply when setting up the user as a new user to access the system of the remote service provider, as well as stored user attributes associated with an existing account of the user from the identity provider; storing the plurality of rules with a system user profile of a system user with account creation rights; matching, by the provisioning framework device, at least one of the stored user attributes to at least one of the plurality of rules; determining, at the provisioning framework device, an access right value associated with an object of the system based on applying the at least one of the plurality of rules to the at least one of the stored user attributes, and the matching; and updating, at the remote service provider, an organization user account to possess the access right value.

13. The computer system of claim 12, wherein the at least one of the stored u
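The provisioning flow the abstract and claims 1 through 5 describe (rules kept with the profile of a privileged system user, the identity provider's role attribute matched against those rules to derive a per-object permission, an optional second role attribute obtained from the client device as in claim 3, and the management account, contact and portal user chain of claim 4), as an added Python sketch. This is illustration written for this page, not code from the patent, its assignee or any product. The rule shape, the permission vocabulary (read, write, admin), the object names (Case, Knowledge), the field names of the attribute bag and the default-deny choice for roles no rule mentions are all assumptions; the attribute bag is also assumed to come from a SAML or OIDC assertion whose signature, audience and validity window the service provider has already checked, a step the claims do not cover but without which the role attribute driving the permission cannot be trusted.

```python
"""Rule-driven just-in-time provisioning of an organization user from SSO
attributes.  Added illustration for this page; not the patent's own code.
Rule format, permission names, object names and request fields are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Assumed permission vocabulary, weakest to strongest; used to keep the
# strongest grant when several rules match the same object.
PERMISSION_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Rule:
    """'If the IdP role attribute equals `role`, grant `permission` on `obj`.'"""
    role: str
    obj: str
    permission: str

    def __post_init__(self):
        if self.permission not in PERMISSION_RANK:
            raise ValueError(f"unknown permission {self.permission!r}")


@dataclass
class SystemUserProfile:
    """The service-provider user that holds account-creation rights.
    The rules live with this profile (claims 1 and 5), not with the new
    user, so the incoming SSO request can neither supply nor alter them."""
    name: str
    can_create_accounts: bool
    rules: List[Rule] = field(default_factory=list)


@dataclass
class ProvisionedAccount:
    management_account: Dict[str, str]  # claim 4, first object created
    contact: Dict[str, str]             # claim 4, tied to the management account
    portal_user: Dict[str, str]         # claim 4, tied to both
    permissions: Dict[str, str]         # object name -> derived permission


class ProvisioningError(Exception):
    pass


def derive_permissions(rules: Iterable[Rule], roles: Iterable[str]) -> Dict[str, str]:
    """Match every role attribute against every rule and keep the strongest
    grant per object.  Objects no matching rule names are simply absent
    (default deny, an assumption of this sketch)."""
    role_set = set(roles)
    granted: Dict[str, str] = {}
    for rule in rules:
        if rule.role not in role_set:
            continue
        if PERMISSION_RANK[rule.permission] > PERMISSION_RANK[granted.get(rule.obj, "none")]:
            granted[rule.obj] = rule.permission
    return granted


def provision_user(request: Dict[str, object], profile: SystemUserProfile,
                   second_role: Optional[str] = None) -> ProvisionedAccount:
    """Create the organization user account for one SSO request.

    `request` is the attribute bag the service provider extracted from an
    assertion it has ALREADY validated (signature, audience, validity
    window); that check is assumed here and is outside the claimed method.
    `second_role` models claim 3: a role attribute requested from the client
    device because the assertion did not carry it.
    """
    if not profile.can_create_accounts:
        raise ProvisioningError(f"{profile.name} lacks account creation rights")

    roles = list(request.get("roles", []))
    if second_role is not None:
        roles.append(second_role)

    permissions = derive_permissions(profile.rules, roles)
    if not permissions:
        # Assumed policy: an account that no rule vouches for is not created.
        raise ProvisioningError(f"no rule matches roles {sorted(roles)}")

    # Claim 4: management account, then a contact tied to it, then the portal user.
    management_account = {"id": str(request["account_id"]), "name": str(request.get("org", ""))}
    contact = {"id": str(request["contact_id"]), "account_id": management_account["id"],
               "email": str(request["email"])}
    portal_user = {"username": str(request["email"]), "account_id": management_account["id"],
                   "contact_id": contact["id"]}
    return ProvisionedAccount(management_account, contact, portal_user, permissions)


# Constructed sample data for this sketch (not from the patent).
DEMO_RULES = [
    Rule("support_agent", "Case", "write"),
    Rule("support_agent", "Knowledge", "read"),
    Rule("customer", "Case", "read"),
    Rule("manager", "Case", "admin"),
]
DEMO_PROFILE = SystemUserProfile("provisioning-admin", True, DEMO_RULES)
DEMO_REQUEST = {  # attribute bag from a constructed, already validated assertion
    "email": "alice@example.org",
    "org": "Example Org",
    "account_id": "ACC-100",
    "contact_id": "CON-7",
    "roles": ["support_agent"],
}

if __name__ == "__main__":
    account = provision_user(DEMO_REQUEST, DEMO_PROFILE)
    print(account.permissions)  # -> {'Case': 'write', 'Knowledge': 'read'}
```

Two points the sketch makes that the claim text leaves implicit: the rule set is bound to the provisioning system user's profile and is never read from the request, so a user cannot hand the service provider a rule that grants more than the identity provider's role warrants; and when several rules match (the first role from the assertion plus the second one from the client device, as in claim 3), the strongest grant per object wins, which is the choice to audit when a role hierarchy (claim 6) is fed in.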
CPC classification titles:
- of structured data, e.g. relational data
- where a single sign-on provides access to a plurality of computers
- where protection concerns the structure of data, e.g. records, types, queries
- Access rights, e.g. capability lists, access control lists, access tables, access matrices
- providing single-sign-on or federations