Skip to main content
Custom provisioning workflows automate access grants and revocations for resources without SCIM support. Define workflows using natural language instead of manual provisioning.
Use SCIM provisioning when available. Custom workflows are for resources without SCIM support where you want to avoid manual provisioning.

When to Use Custom Provisioning

  • The resource doesn’t support SCIM
  • You have API or CLI access to the resource
  • Manual provisioning would otherwise be required

How It Works

Custom provisioning requires two workflows:
  • Provisioning workflow: Grants access
  • Deprovisioning workflow: Revokes access
Both workflows must be explicitly defined. Workflows cannot reverse themselves.

Create a Provisioning Workflow

1

Open the role

In Access Manager, open the role you want to configure
2

Start a new workflow

Next to “Choose a provisioning workflow,” click +
3

Enter provisioning steps

In the workflow builder, enter your steps below the template line:
    Create a custom provisioning workflow with the following steps.
Do not delete or modify the template line. It identifies the workflow type.
4

Write instructions

Write the provisioning steps in natural language
Example: Create a custom provisioning workflow with the following steps.
  1. Check if the user has Slack user access
  2. If the user lacks Slack user access, provision it first
  3. Grant Slack admin access via API
5

Test the workflow

Click Test workflow to verify the logic
6

Publish

Click Publish when ready
Custom provisioning workflow builder interface

Custom provisioning workflow builder

Create a Deprovisioning Workflow

1

Return to the role

In Access Manager, open the same role
2

Start deprovisioning workflow

Next to “Choose a deprovisioning workflow,” click +
3

Enter deprovisioning steps

Enter your steps below the template line:
    Create a custom deprovisioning workflow with the following steps.
Do not delete or modify the template line.
4

Write instructions

Write the deprovisioning steps in natural language
Example: Create a custom deprovisioning workflow with the following steps.
  1. Remove Slack admin access via API
  2. Downgrade to Slack member access
For applications where users likely have base access, only remove elevated access, not overall access.
5

Test and publish

Test and publish the workflow
1

Select the role

In Access Manager, select the role
2

Link provisioning workflow

Under “Custom workflow,” select your published provisioning workflow
3

Link deprovisioning workflow

Under “Deprovisioning workflow,” select your published deprovisioning workflow
The workflows are now active and will run automatically based on your access policy.
Custom provisioning workflows execute only through access requests managed by the access policy. They cannot be triggered manually.
View all provisioning and deprovisioning workflows in the Workflow Builder. Provisioning workflows are marked with a green key icon, deprovisioning with red.
Workflow Builder showing provisioning and deprovisioning workflows with key icons

Workflows marked with key icons

Verify the Configuration

Test the complete flow:
  1. Submit an access request for the role
  2. Verify the provisioning workflow executes correctly
  3. Wait for the access period to expire or manually revoke access
  4. Verify the deprovisioning workflow executes correctly