SCIM Provisioning allows Account Administrators to manage users in one spot and have ProductPlan handle users automatically.
SCIM (System for Cross-domain Identity Management) is a standard for managing user identities, capable of provisioning users and maintaining their status and group memberships over time. This is particularly useful for enterprise customers, allowing you to manage users in one central location and propagate statuses and group memberships to various applications. Additionally, the Flexible SCIM Team Provisioning feature allows you to map your organization's IdP groups directly to ProductPlan Teams, giving you the flexibility to align the organization's internal directory structures with ProductPlan's Team setup and selectively provision users with editor licenses.
The best practice is to ensure the necessary Teams are created within ProductPlan before configuring SCIM.
- To set up SCIM, Account Admins can navigate to the Security page under Account Settings and click on the SCIM Provisioning subtab. Admins will need two key pieces of information:
  - SCIM Base URL
  - Auth Token (for Bearer authentication)
- Both of these can be found on the Account/Security Settings page.
- The Customization table allows you to use the Flexible SCIM Team Provisioning feature to map existing IdP group names to ProductPlan Teams, regardless of naming conventions. Within the Customization table, Admins will see the Teams that have already been created in ProductPlan alongside a text field called IdP Group. For each Team, enter the IdP Group name you would like to map to the existing Team in ProductPlan.
  - Ensure that the spelling and capitalization of the IdP Group name are accurate when entering it into the text field.
- When SCIM provisioning syncs, ProductPlan checks the incoming IdP Group name for a mapped ProductPlan Team:
  - If a mapping exists, users will be provisioned to the associated ProductPlan Team.
  - If a mapping does not exist but the IdP Group Name is identical to an existing ProductPlan Team name, users will be provisioned to that matching Team.
  - If a mapping does not exist and the IdP Group Name is different from all existing ProductPlan Team names, a new Team will be created with the title of that IdP Group Name. Users will be provisioned into this Team.
  - Note that users can still belong to multiple Teams. If a user is a part of multiple IdP Groups that are configured to access ProductPlan, they will be provisioned to all of those Teams.
- Within the Customization table, Admins will see a checkbox column titled Editors. To provision users with an editor’s license on the corresponding ProductPlan Team, this checkbox must be marked.
  - By default, all users are provisioned as viewers. If this box is not selected, users will be provisioned with a viewer license.
  - Users will only be given editor’s licenses as long as they are available. If all editor’s licenses are used, the user will be provisioned as a viewer.
- Click the Save button at the bottom of the page to save the configuration.
Supported standard SCIM user attributes:
- userName (required) - maps to user email and must be the user’s email address (this is fairly standard and configurable in identity providers)
- displayName - maps to user name
- user.givenName - used to build user name
- user.familyName - used to build user name
For setting a user’s name, we give precedence to displayName. Otherwise, we will fall back to user.givenName and user.familyName. If none of these are set, we default to the first part of the user’s email address.
Supported standard SCIM group attributes:
- displayName - maps to a team name
- members - maps to team memberships
In addition to using the Flexible SCIM Team Provisioning method outlined in the "Setting Up SCIM" section above, editor licenses can also be provisioned based on a group with the name “ProductPlan Editors” (case insensitive).
If a new team membership comes in through SCIM for the group ProductPlan Editors and the user is not already an editor:
- We will give the user an editor license.
- If there are no editor licenses left on the account, no changes will be made.
If a team membership is being removed through SCIM for the group ProductPlan Editors and the user is an editor, we remove their editor license.
- User de-provisioning happens when a user’s Active status changes to false (this is part of the SCIM specification).
- When a user is de-provisioned, the platform sets them as Removed in our system, but the user is kept on the account.
  - This allows the deactivated user’s data to remain on the account. Account Admins can do things like transfer roadmaps.
- Other side effects:
  - Team memberships and permissions are removed.
  - A removed user is unable to log in.
  - A removed user shows up in the Inactive tab on the user management page.
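The team-resolution order from the setup steps, the name precedence for user attributes, the two editor-license paths (Editors checkbox and the "ProductPlan Editors" group) and the de-provisioning behaviour described above, modelled as an added Python example; this is not ProductPlan's code. The Account class, the editor-seat counter and the use of SCIM core `name.givenName`/`name.familyName` for the page's user.givenName/user.familyName are assumptions.

```python
# Model of the SCIM team-mapping, editor-licence and name rules described above; added
# illustration, not ProductPlan's code. Assumes SCIM core name.givenName/familyName.
def resolve_name(user: dict) -> str:
    """displayName first, then given + family name, then the email local part."""
    if user.get("displayName"):
        return user["displayName"]
    parts = [user.get("name", {}).get(k) for k in ("givenName", "familyName")]
    return " ".join(p for p in parts if p) or user["userName"].split("@", 1)[0]

def resolve_team(idp_group: str, mapping: dict, teams: set) -> tuple:
    """(team, created): explicit mapping, else exact name match, else new Team."""
    if idp_group in mapping:
        return mapping[idp_group], False
    return idp_group, idp_group not in teams

class Account:
    def __init__(self, teams, team_to_idp, editor_teams, editor_seats):
        self.teams, self.editor_teams = set(teams), set(editor_teams)
        self.mapping = {g: t for t, g in team_to_idp.items()}  # invert Customization table
        self.editor_seats, self.users = editor_seats, {}     # users: email -> record

    def sync_user(self, scim_user: dict) -> dict:
        u = self.users.setdefault(scim_user["userName"], {"teams": set(), "editor": False})
        u["name"] = resolve_name(scim_user)
        u["status"] = "Active" if scim_user.get("active", True) else "Removed"
        if u["status"] == "Removed":  # de-provisioned: record kept, memberships stripped
            u["teams"].clear()
        return u

    def sync_group(self, scim_group: dict) -> str:
        name = scim_group["displayName"]
        members = [m["value"] for m in scim_group.get("members", [])]
        if name.lower() == "productplan editors":  # licence-only group, no Team created
            for email in members:
                self.grant_editor(email)
            return name
        team, _created = resolve_team(name, self.mapping, self.teams)
        self.teams.add(team)
        for email in members:
            self.users[email]["teams"].add(team)
            if team in self.editor_teams:  # Editors box checked for this Team
                self.grant_editor(email)
        return team

    def grant_editor(self, email: str) -> bool:
        u = self.users[email]
        if not u["editor"] and self.editor_seats > 0:  # no seats left: stays a viewer
            self.editor_seats -= 1
            u["editor"] = True
        return u["editor"]
```

Run the group syncs in the order the IdP delivers them; with one editor seat, the first member of an Editors-checked Team gets the license and later members stay viewers, matching the license-availability rule above.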
- Q: If there’s a group within a group in Okta / EntraID, how does that translate over to us?
  - EntraID only syncs group memberships for direct members of a group. Okta does not allow groups within groups. However, both have the concept of “dynamic” groups (i.e. you can assign group memberships based on user attributes like department). Dynamic groups sync over properly.
  - EntraID cycles/batches its provisioning (every 40 minutes). You can force provisioning to happen on demand.
- This functionality is available for Enterprise level customers.
- The Flexible SCIM Team Provisioning method can be used alongside the "ProductPlan Editors" group provisioning method.
- Q: How are users that are provisioned outside of SCIM (e.g. a viewer provisioned by a privately shared URL) handled? Do they get ignored or deleted?
  - When a user is added outside of the SCIM process, they'll remain untouched by SCIM. This holds true so long as that Team is not managed by SCIM. When a Team is managed via SCIM, SCIM will remain the source of truth.