**Provisioning** is how [users](/docs/users) and their access get created, updated, and removed _automatically_ from a customer's own systems — their identity provider or HR platform — instead of by hand. For enterprise customers this is table stakes: when someone joins or leaves the company, their access to your app should follow without a support ticket.

## The problem it solves

Without provisioning, every new hire at a customer signs up manually and every departure leaves a dangling account. Provisioning closes that loop by making the customer's directory the **source of truth**: their IdP or HRIS pushes changes to Authdog, and Authdog reflects them in your environment's [user store](/docs/users) and [roles](/docs/concepts/authorization).

Authdog supports two inbound channels, both exposed as token-authenticated REST endpoints scoped to one environment.

## SCIM 2.0 — identity provider sync

**SCIM** (System for Cross-domain Identity Management) is the standard that IdPs like Okta, Entra ID, and JumpCloud speak to provision users and groups. Authdog exposes a SCIM 2.0 service:

- **Endpoint:** `/v1/scim/v2`
- **Auth:** a bearer token prefixed `adscim_`, issued per environment in the console
- **Resources:** Users and Groups — create, update, deactivate, delete; group membership changes

The IdP is configured once with the endpoint and token; from then on it pushes user and group lifecycle events. Deactivating a user in the IdP suspends them in Authdog, which invalidates their [sessions](/docs/concepts/sessions-tokens).

## HRIS — HR-driven provisioning

Some organizations treat their **HR system** as the origin of truth rather than the IdP. Authdog's HRIS connector mirrors the SCIM slice for that world:

- **Endpoint:** `/v1/hris/v1`
- **Auth:** a bearer token prefixed `adhris_`
- **Resources:** Employees (users, with employment attributes like job title, manager, department, employment type, cost center, start/end dates) and Departments (groups)

This lets employment status — not just directory membership — drive access.

## Group-to-role mapping

Provisioning users is only half the story; they also need the right **access**. Authdog maps directory **groups** (SCIM groups or HRIS departments) to [roles](/docs/permissions) automatically:

```
IdP group "Engineering"      -> role "developer"
IdP group "Billing Admins"   -> role "billing-admin"
HRIS department "Support"    -> role "agent"
```

When a user's group membership changes upstream, their roles are recomputed — additively and case-insensitively — so RBAC [authorization](/docs/concepts/authorization) stays in sync with the customer's org chart. Mappings are matched by group display name or external id.

## Deprovisioning

The security payoff. When someone is removed or deactivated upstream:

- their Authdog user is **suspended or deleted**,
- outstanding [sessions](/docs/concepts/sessions-tokens) stop validating on the next check,
- and group-derived roles fall away.

Access ends when employment ends — no manual cleanup.

## How it fits together

<div class="mmodel pflow">
  <div class="pflow__pipeline">
    <div class="pflow__stage pflow__stage--source">
      <div class="pflow__stage-header">
        <span class="pflow__icon">
          <svg viewBox="0 0 24 24" fill="none" aria-hidden="true"><path d="M4 5h16v14H4V5zM8 9h2M14 9h2M8 13h2M14 13h2M8 17h8" stroke="currentColor" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round"/></svg>
        </span>
        <div>
          <span class="mmodel__eyebrow">Customer directory</span>
          <span class="mmodel__title">Source systems</span>
        </div>
      </div>
      <div class="pflow__sources">
        <span>IdP</span>
        <span>HRIS</span>
      </div>
    </div>
    <div class="pflow__connector" aria-hidden="true">
      <span>SCIM / HRIS push</span>
      <svg viewBox="0 0 20 38" fill="none"><path d="M10 2v26" stroke="currentColor" stroke-width="1.75" stroke-linecap="round"/><path d="M4 23l6 8 6-8" stroke="currentColor" stroke-width="1.75" stroke-linecap="round" stroke-linejoin="round"/></svg>
    </div>
    <div class="pflow__stage pflow__stage--core">
      <div class="pflow__stage-header">
        <span class="pflow__icon pflow__icon--brand">
          <img class="mmodel__brand-logo mmodel__brand-logo--light" src="/logo-color.svg" alt="" width="22" height="22" />
          <img class="mmodel__brand-logo mmodel__brand-logo--dark" src="/logo-dark-square.svg" alt="" width="22" height="22" />
        </span>
        <div>
          <span class="mmodel__eyebrow">Authdog environment</span>
          <span class="mmodel__title">Synchronizes identity and access</span>
        </div>
      </div>
      <div class="pflow__steps">
        <span><b>1</b> Create or update user</span>
        <span><b>2</b> Sync group membership</span>
        <span><b>3</b> Apply role mappings</span>
      </div>
    </div>
    <div class="pflow__connector" aria-hidden="true">
      <span>Current user and roles</span>
      <svg viewBox="0 0 20 38" fill="none"><path d="M10 2v26" stroke="currentColor" stroke-width="1.75" stroke-linecap="round"/><path d="M4 23l6 8 6-8" stroke="currentColor" stroke-width="1.75" stroke-linecap="round" stroke-linejoin="round"/></svg>
    </div>
    <div class="pflow__stage pflow__stage--app">
      <div class="pflow__stage-header">
        <span class="pflow__icon">
          <svg viewBox="0 0 24 24" fill="none" aria-hidden="true"><rect x="3" y="5" width="18" height="14" rx="2" stroke="currentColor" stroke-width="1.6"/><path d="M3 9h18M7 7h.01M10 7h.01" stroke="currentColor" stroke-width="1.6" stroke-linecap="round"/></svg>
        </span>
        <div>
          <span class="mmodel__eyebrow">Your app</span>
          <span class="mmodel__title">Authorizes with current roles</span>
        </div>
      </div>
      <div class="pflow__status">
        <svg viewBox="0 0 24 24" fill="none" aria-hidden="true"><path d="M12 3l7 3v5c0 4.5-3 7.5-7 9-4-1.5-7-4.5-7-9V6l7-3z" stroke="currentColor" stroke-width="1.75" stroke-linejoin="round"/><path d="M9 12l2 2 4-4" stroke="currentColor" stroke-width="1.75" stroke-linecap="round" stroke-linejoin="round"/></svg>
        <span>Access reflects latest directory state</span>
      </div>
    </div>
  </div>
</div>

Provisioning is configured **per [organization](/docs/concepts/organizations)** for enterprise customers, alongside their [enterprise SSO](/docs/concepts/authentication) connection — the same customers who bring their own login also bring their own directory.

## Related

- [Users](/docs/users) — the records provisioning creates and manages
- [Roles & permissions](/docs/permissions) — where group-to-role mappings land
- [Authentication](/docs/concepts/authentication) — enterprise SSO, provisioning's companion
- [Integrations](/docs/integrations) — the full connector catalog
