Summary
Use SCIM 2.0 to automatically provision, update, and deactivate users in Planhat directly from your identity provider (IdP), such as Okta or Microsoft Entra ID
Manage Planhat Roles and permissions through group assignments in your IdP — group membership automatically defines User Roles in Planhat
Centralize access control, reduce manual work, and ensure consistent, secure onboarding and offboarding across your organization
Who is this article for?
Admins managing user access and permissions in Planhat through an enterprise IdP
Series
This article is part of a series on SCIM:
Setting up SCIM Provisioning into Planhat ⬅️ You are here
How to set up the SCIM integration in Okta
How to set up the SCIM integration in Microsoft Entra ID
Introduction
The Planhat SCIM (System for Cross-domain Identity Management) integration enables automated User Provisioning and Role management from your organization’s identity provider (such as Okta or Microsoft Entra ID) into Planhat. This means you can:
Automatically create, update, or deactivate users in Planhat when changes are made in your IdP
Control user Roles and Permissions in Planhat by assigning users to specific groups in your IdP
In simple terms, user provisioning ensures that when someone joins, changes roles, or leaves your company, their Planhat access updates automatically.
This integration makes access management simpler, more secure, and fully aligned with your company’s centralized identity processes.
This is part 1 of the SCIM integration setup, where we go over the steps in Planhat. For a step-by-step guide in your chosen IdP, please see the Okta and Microsoft Entra ID articles in this series.
What is the SCIM integration?
The Planhat SCIM integration provides a SCIM 2.0-compatible API for provisioning and managing Planhat users from your IdP. Once configured:
User provisioning and deprovisioning are fully automated.
Role assignments in Planhat are managed by group membership in your IdP
Admins can easily view and manage mappings between IdP groups and Planhat roles from the Planhat UI
Why use the SCIM integration?
Using SCIM for user provisioning and access management provides several key benefits:
Automated user lifecycle management: New employees get instant access to Planhat; departing users lose access automatically
Centralized control: Manage all User Permissions and Roles from your IdP - no manual edits in Planhat required
Improved security: Reduces risk of unauthorized access or outdated User Roles.
Standardized process: SCIM is an industry-standard protocol supported by leading identity providers
Time savings: Simplifies onboarding/offboarding for enterprise-scale teams
📌 Important to note
You can also add/manage Users manually in Planhat
How the sync works
Your IdP connects to Planhat’s SCIM 2.0 API
When a user is created, updated, or deleted in the IdP:
Planhat automatically provisions, updates, or deactivates the corresponding user record
When a user is added to or removed from a mapped group in the IdP:
Their Planhat Role updates automatically
Group names in the IdP are matched exactly to Planhat Roles defined in the SCIM configuration
Supported SCIM endpoints:
/Users: for create, update, deactivate
/Groups: for group-based Role mapping
How to set up the SCIM integration in Planhat
Start by setting SCIM up in Planhat. To enable User Provisioning in Planhat, go to Settings in the Global Setting Tool:
Roles → Workflow Permission → SCIM User Provisioning → Enable it
Data Model Permission → Find ServiceAccount and enable all actions
📌 Important to note
If you cannot see SCIM User Provisioning in the Permissions, please speak to your CSM/TDS
You should now be able to see "User Provisioning" under "Security" in your Settings (you might need to refresh the page for it to appear).
Go to Security → User Provisioning
Enable "SCIM User Provisioning"
Configure the Default User Role
This Role is used if a user is assigned directly (not via a group)
Configure Group Mappings
📌 Important to note
If a User is assigned via a Group in Planhat, the mapped User Role takes precedence over the Default Role: the Default Role is removed if the User has it
Group Name → User Role mappings need to be an exact match (e.g., ph-admin should represent an Admin Role)
If a User is no longer part of a Group, i.e., they are removed from it, the User Role from that Group will be removed
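The Role rules above, modelled as an added example (not Planhat's code): it shows how an IdP group name that differs from a mapping only by case or whitespace fails the exact match and leaves the User on the Default Role. The class and function names, the Viewer and CSM roles, the ph-csm group, and the assumption that the Default Role is not restored after a group removal are illustrative and not taken from Planhat.

```python
# Added example: models the Role rules described in this article.
# Not Planhat's code; group names, Roles and events below are constructed.
DEFAULT_ROLE = "Viewer"                             # hypothetical Default User Role
MAPPINGS = {"ph-admin": "Admin", "ph-csm": "CSM"}   # IdP group name -> Planhat Role


class User:
    def __init__(self):
        self.groups = set()       # IdP groups the user is currently in
        self.has_default = False  # whether the Default Role is held

    def assign_directly(self):
        # The Default Role applies only when no group-mapped Role is held.
        self.has_default = not self.mapped_roles()

    def add_to_group(self, group):
        self.groups.add(group)
        if self.mapped_roles():
            self.has_default = False  # a mapped Role replaces the Default Role

    def remove_from_group(self, group):
        # The Role from that group goes away. Assumption: the Default Role
        # is not restored (the article does not say either way).
        self.groups.discard(group)

    def mapped_roles(self):
        # Exact, case-sensitive match on the group name.
        return {MAPPINGS[g] for g in self.groups if g in MAPPINGS}

    def roles(self):
        return self.mapped_roles() | ({DEFAULT_ROLE} if self.has_default else set())


def near_misses(idp_groups, mappings=MAPPINGS):
    """IdP group names that differ from a mapped name only by case/whitespace."""
    by_norm = {name.strip().casefold(): name for name in mappings}
    return {g: by_norm[g.strip().casefold()] for g in idp_groups
            if g not in mappings and g.strip().casefold() in by_norm}


if __name__ == "__main__":
    u = User()
    u.assign_directly()
    u.add_to_group("PH-Admin")        # wrong case: no Role change
    print(u.roles(), near_misses(u.groups))
    u.add_to_group("ph-admin")        # exact match: Admin replaces the default
    print(u.roles())
    u.remove_from_group("ph-admin")   # group Role removed
    print(u.roles())
```

Running `near_misses` over the group names pushed from the IdP before go-live flags mappings that would silently never apply.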
Next steps
Next, you need to configure the setup on your designated enterprise IdP side. See the Okta and Microsoft Entra ID articles in this series for the next instructions.