Understanding Provisioning Method Selection
The Four Provisioning Methods
Serval offers four ways to grant access:| Method | How it works | Best for | Speed |
|---|---|---|---|
| Linked Groups | Adds user to IdP group; IdP syncs to app | Apps connected to your IdP with SCIM | Depends on IdP sync (minutes to hours) |
| Direct | Serval calls app API directly | Apps with robust APIs, not in IdP | Seconds - configurable when importing a role |
| Custom Workflows | Multi-step automation you build | Complex provisioning with dependencies | Varies by workflow |
| Manual | Creates task for human to complete | Apps without automation options | Depends on human response |
Configure access provisioning
Common Provisioning Scenarios
Asana access for entire company
Asana access for entire company
Best method: Linked GroupsWhy: Simple app-level access, likely already using Okta or similar IdP for SSOSetup:
- Create “App-Asana-Users” group in Okta
- Configure Okta to provision Asana based on group membership
- In Serval, link the “Member” role to this Okta group
- When users request Asana access, Serval adds them to the group
- Okta syncs the change to Asana (typically within 15 minutes)
- When access expires, Serval removes them from the group
GitHub team access for engineering
GitHub team access for engineering
Best method: Direct provisioning or Custom WorkflowWhy: GitHub teams are resources within GitHub, not separate appsSetup with Direct:
- Create “Engineering” as a custom resource in Serval
- Configure “Member” and “Maintainer” roles with direct provisioning
- Serval uses GitHub API to add/remove users from the team
- Access granted in seconds
- Create workflow that calls GitHub API to add user
- Send Slack notification to team lead
- On expiration, call API to remove user
AWS access requiring license purchase
AWS access requiring license purchase
Best method: Custom WorkflowWhy: Multi-step process with dependenciesSetup:
- User requests AWS access
- Workflow creates Linear task: “Purchase AWS license”
- Workflow opens GitHub PR to Terraform config
- Workflow waits for Linear task completion
- Auto-merge PR when task marked done
- Apply Terraform to grant actual AWS access
Proprietary internal tool with no API
Proprietary internal tool with no API
Best method: Manual ProvisioningWhy: No automation possible yetSetup:
- Configure manual provisioning with clear instructions
- Assign tasks to tool owner
- Owner manually adds user in the tool
- Owner marks task complete in Serval
- For temporary access, Serval creates removal task when access expires
Different Provisioning Strategies in a Single Application
You can use different provisioning methods for different roles in the same application. Example: GitHub- App-level “Member” access → Linked Groups (via Okta)
- Team-specific “Maintainer” access → Direct provisioning (via GitHub API)
- Organization “Owner” access → Manual provisioning (too sensitive to automate)
Linked Groups
Access granted by adding the user to a group in your Identity Provider (Okta, Google, Rippling, Entra). When access expires, the user is automatically removed.How It Works
1
Request approved
User requests access and it’s approved per the access policy
2
Serval adds to group
Serval automatically adds the user to the specified IdP group
3
IdP provisions access
Your IdP’s existing rules provision the actual application access
4
Automatic removal
When access expires, Serval removes the user from the IdP group
When to Use Linked Groups
✓ Use when
- Your IdP already provisions access via groups
- You want automatic cleanup when access expires
- You need audit trails in your IdP
- You’re managing access to multiple apps with one group
✗ Don't use when
- The application doesn’t integrate with your IdP
- You need more complex provisioning logic
- Group membership would grant too much access
Custom Workflow
Access granted through a custom process—like using an API to send an email invite or opening a GitHub PR for a Terraform change.How It Works
You define a workflow that Serval executes when access is granted. Workflows can include multiple steps, conditional logic, and integrations with various tools. Read more about how to set up custom access workflows here.Examples
Simple: GitHub team management
Simple: GitHub team management
Add or remove users from a GitHub team that controls repository access.Steps:
- Use GitHub API to add user to team
- Send Slack notification to user and team lead
- On expiration, remove user from team
Multi-step: Infrastructure access
Multi-step: Infrastructure access
Open a GitHub PR for Terraform group membership, create a Linear task to purchase a license, auto-merge the PR when the task is complete.Steps:
- Create Linear task: “Purchase AWS license for [user]”
- Open GitHub PR to add user to Terraform AWS group
- Wait for Linear task completion
- Auto-merge GitHub PR
- Apply Terraform to grant actual AWS access
Complex: Onboarding workflow
Complex: Onboarding workflow
Coordinate access across multiple systems during employee onboarding.Steps:
- Create accounts in internal apps
- Send welcome email with credentials
- Add to Slack channels
- Create onboarding tasks in project management tool
- Schedule follow-up check-in with manager
When to Use Custom Workflows
✓ Use when
- You need multi-step provisioning processes
- Access requires API calls to multiple systems
- You want to coordinate with other tools (Linear, GitHub, etc.)
- Your provisioning logic has conditional branches
✗ Don't use when
- A simpler method (Linked Groups or Direct) would work
- You’re not comfortable building workflows
- The process is entirely manual anyway
Direct Provisioning
Pre-built API provisioning for common applications. Serval uses the application’s API to grant access directly.How It Works
1
Request approved
User requests access and it’s approved per the access policy
2
Serval calls API
Serval makes an API call directly to the application to grant the specified role
3
Access granted immediately
The user receives access within seconds, no manual intervention needed
4
Automatic removal
When access expires, Serval calls the API again to revoke access
Supported Applications
Direct provisioning is available for select applications with robust APIs.When to Use Direct Provisioning
✓ Use when
- The application supports direct provisioning in Serval
- You want fully automated provisioning without IdP groups
- The application isn’t connected to your IdP
- You need immediate access grants
✗ Don't use when
- The application doesn’t support direct provisioning yet
- You prefer provisioning through IdP groups for consistency
Manual Provisioning
Access granted through a task assigned to the application owner (via ticket or Slack). A human manually grants the access.How It Works
1
Request approved
User requests access and it’s approved per the access policy
2
Task created
Serval creates a task in your ticketing system or Slack assigned to the application owner
3
Owner grants access
The assigned person manually grants access in the application
4
Task marked complete
The owner marks the task complete in Serval
5
Removal task (for temporary access)
If access is temporary, Serval creates another task to remove access when it expires
When to Use Manual Provisioning
✓ Use when
- The application has no API or IdP integration
- Provisioning requires human judgment
- The process is very infrequent
- You’re still building automation
✗ Don't use when
- You have high-volume access requests
- Faster automated methods are available
- Manual intervention creates bottlenecks
Choosing the Right Method
Use this decision tree to select the best provisioning method:1
Is this app connected to your IdP with SCIM or group-based provisioning?
Yes → Use Linked Groups
- Most auditable approach
- Works across multiple apps consistently
- Best for apps your entire company uses
2
Does Serval support direct provisioning for this app?
Yes → Use Direct Provisioning
- Fully automated
- Access granted in seconds
- No IdP dependency
3
Do you need multi-step logic, external tool integration, or conditional provisioning?
Yes → Use Custom Workflow
- Most flexible option
- Can coordinate across multiple systems
- Handles complex approval chains
- Requires workflow building skills
4
Default to Manual Provisioning
Use Manual Provisioning when:
- No automation options are available yet
- Access requests are infrequent (< 5 per month)
- You’re building automation but aren’t ready yet
Start Simple, Then Automate
Don’t feel pressure to automate everything immediately. A pragmatic approach:- Week 1: Set up manual provisioning for all apps to establish the request → approval flow
- Week 2: Convert high-volume apps to Linked Groups or Direct provisioning
- Month 2: Build custom workflows for complex provisioning scenarios
- Ongoing: Automate manual processes as volume increases
Best Practices
Name IdP groups consistently
Use clear naming conventions for groups linked to Serval roles. Pattern:
App-[ApplicationName]-[RoleName]Examples: App-GitHub-Members, App-Asana-Admins, App-Figma-EditorsThis makes it obvious which groups are managed by access requests and easier to audit.Prefer automated methods
Start with Linked Groups or Direct Provisioning when possible. They scale better and reduce manual work.
Use IdP groups consistently
Linked Groups provide the best audit trail and work across multiple applications simultaneously.
Document manual processes
If you must use manual provisioning, write clear instructions for the person who will grant access.
Plan to automate
Start with manual provisioning if needed, but plan to build workflows or integrations as volume grows.
Consider deprovisioning complexity
The same method that provisions access must deprovision it. If you use a custom workflow to grant access, make sure it can also revoke access cleanly when time expires. Test the full lifecycle, not just the grant.