User Management

All users are created just-in-time the first time they authenticate with single sign-on (SSO) using OpenID Connect (OIDC). SCIM provisioning and deprovisioning are not currently supported. In a future release, Authentication Users and Directory Users will be linked, which will allow Auth Users to be created automatically when they are provisioned in the integration (e.g. Okta). With that tighter integration with Directory Users, the Auth User can be deprovisioned along with the many other resources and user accounts that have been provisioned over time.

Single Sign-On (SSO)

Provisionr uses your single sign-on (SSO) provider for all human user authentication. When a user signs in, the SSO provider ID, first and last name, and email address are received in the SSO authentication response, encrypted, and saved in the Provisionr database. You can choose any of the following vendors when installing Provisionr:
  • Google
  • Okta Workforce Identity
Additional vendors may be added in the future. If your SSO provider is not supported, you should sign up for a free Okta Customer Identity (Auth0) account, which supports native integrations with a wider range of vendors.

Password Management

We rely on your SSO provider for authentication. No passwords are managed or stored in Provisionr. You can configure password policies in your SSO provider. You can also configure passkey support in your SSO provider for a streamlined user experience.

Two-Factor Authentication

We rely on your SSO provider for authentication. You can configure two-factor policies and assign them to the Provisionr application configuration in your SSO provider.

API Authentication

The API endpoints are authenticated using access tokens and refresh tokens that are associated with a service account or user account. Each endpoint is associated with a permission that the service or user must be granted to be able to use the endpoint.

Personal Access Tokens (PAT)

When you need to test a GET, POST, PATCH, or DELETE endpoint, you can use a personal access token (PAT) created in the UI at /user/pat. Provisionr PATs are valid for only 4 hours: they are designed for testing, not for perpetual access with the full permissions of your user account. This prevents the bad practice of an engineer embedding a PAT in a script or service that should use a Service Account instead.

Service Accounts

Provisionr takes a secure-by-design approach to non-human (machine-to-machine) API access: Service Accounts with granular permissions. A Service Account is similar to a User Account, but it can only authenticate with API tokens; there is no UI experience or SSO for service accounts. Service Accounts are for inbound requests to the Provisionr API from scripts or vendor services. By default, a service account's permissions only allow it to perform an authentication test and to generate an access token using its own refresh token. Each URL endpoint has a near 1:1 permission mapping, so a service account can be granted access to only the endpoints it actively uses. Each Service Account also has associated users who are permitted to manage it. We refer to these as Service Account Managers; the manager roles support least privilege and separation of duties:
  • admin: Can create/rotate tokens and grant permissions
  • permissions: Can grant permissions but cannot create/rotate/view tokens
  • tokens: Can create/rotate/view tokens but cannot edit permissions
  • audit: Has read-only access to see the metadata about the service account and the permissions, but cannot make any changes or create/rotate/view tokens.
Since API vendors and integrations come in all shapes and sizes, each service account can be configured to use the token strategy that makes the most sense:
  • Refresh token with up to 365-day expiration (configurable), paired with short-lived access tokens that last 60 minutes (configurable)
  • Access token with up to 365-day expiration

Roles and Permissions

Provisionr has fine-grained access control using roles and permissions that are assigned to human users and service accounts.

Permission Schema

{namespace}.{entity}.{action}
Here is an example of the permissions for the DirectoryAttribute actions:
  • directory.attribute.view (applies to list and describe)
  • directory.attribute.export
  • directory.attribute.create
  • directory.attribute.update
  • directory.attribute.activate
  • directory.attribute.deprecate
  • directory.attribute.deactivate
  • directory.attribute.destroy
  • directory.attribute.sync
For models with sensitive data in child relationships (usually many-to-many relationships), we occasionally use an additional level of permissions.
  • directory.attribute.user.view
If the child relationship data is not sensitive, then we either defer to the related model’s permission or use the parent model’s permission, depending on the use case.

Role Schema

We were inspired by Google Cloud Platform (GCP) IAM roles and have created a standardized schema for role-based access control (RBAC) that has pre-defined the permissions that users need. We only assign users to roles that have predefined permissions, not to permissions directly.

Role Personas

  • Admin: Can perform all actions. Intended for change management practitioners or system administrators.
  • Ops: Can perform day-to-day changes and get things up and running. Must use deprecate to deactivate records.
  • Contributor: Can view and create records in a draft state, but cannot update, activate, deactivate, or deprecate them.
  • Auditor: Read-only with export permissions for CSV, JSON, YML, and Google Sheets.
  • Viewer: Read-only for exploring what is configured. Some companies may restrict this to specific users, while others may expose it to all employees for self-service information.

Role and Permission Mapping

Permission | Admin | Ops | Contributor | Auditor | Viewer
{namespace}.{entity}.view
{namespace}.{entity}.export
{namespace}.{entity}.create
{namespace}.{entity}.monitor
{namespace}.{entity}.manage
{namespace}.{entity}.update
{namespace}.{entity}.activate
{namespace}.{entity}.sync
{namespace}.{entity}.deprecate
{namespace}.{entity}.deactivate
{namespace}.{entity}.destroy

Entity Roles

Schema | Example
{namespace}.{entity}.admin | directory.attribute.admin
{namespace}.{entity}.ops | directory.attribute.ops
{namespace}.{entity}.contributor | directory.attribute.contributor
{namespace}.{entity}.auditor | directory.attribute.auditor
{namespace}.{entity}.viewer | directory.attribute.viewer

Global Roles

If your IT or Security team has a secondary admin/elevated account, it is best practice to assign global roles to that account rather than the user’s primary account.
Global Role | Risk Level | Description
global.super.admin | Insane | Unrestricted read-write-destroy. Equivalent to a break-glass root account. Assign to fewer than 5 people.
global.super.ops | Extreme | Unrestricted read-write. Day-to-day operations without permanent destruction or data import/export. Assign to fewer than 25 people.
global.super.auditor | Moderate | Unrestricted read-only with export. For audit, compliance, and security assurance engineers.
global.super.viewer | Moderate | Unrestricted read-only without export. For IAM stakeholders who need visibility into configuration. Can also be assigned to most employees if your organization encourages transparency.
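As an added example (not Provisionr's own code), the following Python models the {namespace}.{entity}.{action} permission schema, the persona roles and the global.super roles described in the sections above, and answers whether a set of roles authorizes an endpoint call. The endpoint paths and the endpoint-to-permission map are constructed, the exact action set for the Ops persona is an assumption, and treating the child-level permission as not implied by the parent entity role is this example's reading of the page; the Admin, Contributor, Auditor and Viewer action sets follow the Role Personas text.

```python
from dataclasses import dataclass
# Actions from the Permission Schema section, in the order listed there.
ACTIONS = ("view", "export", "create", "update", "activate",
           "deprecate", "deactivate", "destroy", "sync")

# Persona -> actions. Admin, Contributor, Auditor and Viewer follow the Role
# Personas text; the Ops set is an ASSUMPTION (day-to-day changes, deprecate
# rather than deactivate, no destroy/export) and is not spelled out on the page.
PERSONA_ACTIONS = {
    "admin": set(ACTIONS),
    "ops": {"view", "create", "update", "activate", "deprecate", "sync"},
    "contributor": {"view", "create"},
    "auditor": {"view", "export"},
    "viewer": {"view"},
}

# Constructed near-1:1 endpoint -> permission map; the paths are hypothetical.
# "view" covers both list and describe, as the page states.
ENDPOINT_PERMISSION = {
    ("GET", "/directory/attributes"): "directory.attribute.view",
    ("GET", "/directory/attributes/{id}"): "directory.attribute.view",
    ("PATCH", "/directory/attributes/{id}"): "directory.attribute.update",
    ("DELETE", "/directory/attributes/{id}"): "directory.attribute.destroy",
    ("GET", "/directory/attributes/{id}/users"): "directory.attribute.user.view",  # child level
}

@dataclass(frozen=True)
class Permission:
    prefix: str  # "{namespace}.{entity}" or "{namespace}.{entity}.{child}"
    action: str

def parse_permission(perm: str) -> Permission:
    prefix, _, action = perm.rpartition(".")
    if not prefix or action not in ACTIONS:
        raise ValueError(f"not a {{namespace}}.{{entity}}.{{action}} permission: {perm!r}")
    return Permission(prefix, action)

def role_grants(role: str, perm: Permission) -> bool:
    """Does one role ({prefix}.{persona}) grant perm? global.super.* spans every prefix;
    any other role must match the prefix exactly, so an entity role does not imply
    the sensitive child-level permission (this example's reading of the page)."""
    prefix, _, persona = role.rpartition(".")
    if persona not in PERSONA_ACTIONS:
        return False  # e.g. access.ui is not an entity role
    in_scope = prefix == "global.super" or prefix == perm.prefix
    return in_scope and perm.action in PERSONA_ACTIONS[persona]

def authorize(roles: set[str], method: str, path: str) -> bool:
    # Near-1:1 mapping: the endpoint's single permission must come from some role.
    required = parse_permission(ENDPOINT_PERMISSION[(method, path)])
    return any(role_grants(r, required) for r in roles)
```

Note that a directory.attribute.admin role passes every attribute endpoint except the child-level user relationship, while global.super.viewer reaches that relationship read-only; that contrast is the least-privilege point of the child permission level.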

Default Roles

When a new user authenticates, they are assigned the following roles by default. You can customize which roles are assigned by default to new users in the workspace settings.
Role | Description
access.ui | Can log in to the UI and view the dashboard. Each page is restricted based on the user's roles and permissions.
access.pat | Can create short-lived personal access tokens (PATs) for API access to the endpoints their roles allow.
access.cli | Can authenticate with the CLI using their user account and access the API endpoints their roles allow.
workspace.abbreviation.viewer | Can view the abbreviations used for short-hand handle calculation.
workspace.role.viewer | Can view Roles & Permissions to see which additional roles they can request access to.

Default Role Catalog

Provisionr has a default catalog of roles and permissions that can be assigned to users. You can also create custom roles with specific permissions as needed.
List of Provisionr Roles
[
    "access.api",
    "access.cli",
    "access.pat",
    "access.svc",
    "access.ui",
    "aws.identity.group.admin",
    "aws.identity.group.auditor",
    "aws.identity.group.contributor",
    "aws.identity.group.ops",
    "aws.identity.group.viewer",
    "directory.attribute.admin",
    "directory.attribute.auditor",
    "directory.attribute.contributor",
    "directory.attribute.ops",
    "directory.attribute.viewer",
    "directory.dimension.admin",
    "directory.dimension.auditor",
    "directory.dimension.contributor",
    "directory.dimension.ops",
    "directory.dimension.viewer",
    "directory.identity.admin",
    "directory.identity.auditor",
    "directory.identity.contributor",
    "directory.identity.ops",
    "directory.identity.viewer",
    "directory.user.admin",
    "directory.user.auditor",
    "directory.user.contributor",
    "directory.user.ops",
    "directory.user.viewer",
    "gitlab.group.admin",
    "gitlab.group.auditor",
    "gitlab.group.contributor",
    "gitlab.group.ops",
    "gitlab.group.viewer",
    "gitlab.project.admin",
    "gitlab.project.auditor",
    "gitlab.project.contributor",
    "gitlab.project.ops",
    "gitlab.project.viewer",
    "global.super.admin",
    "global.super.auditor",
    "global.super.contributor",
    "global.super.ops",
    "global.super.viewer",
    "google.cloud.folder.admin",
    "google.cloud.folder.auditor",
    "google.cloud.folder.contributor",
    "google.cloud.folder.ops",
    "google.cloud.folder.viewer",
    "google.cloud.project.admin",
    "google.cloud.project.auditor",
    "google.cloud.project.contributor",
    "google.cloud.project.ops",
    "google.cloud.project.viewer",
    "google.drive.doc.admin",
    "google.drive.doc.auditor",
    "google.drive.doc.contributor",
    "google.drive.doc.ops",
    "google.drive.doc.viewer",
    "google.drive.file.admin",
    "google.drive.file.auditor",
    "google.drive.file.contributor",
    "google.drive.file.ops",
    "google.drive.file.viewer",
    "google.drive.folder.admin",
    "google.drive.folder.auditor",
    "google.drive.folder.contributor",
    "google.drive.folder.ops",
    "google.drive.folder.viewer",
    "google.drive.sheet.admin",
    "google.drive.sheet.auditor",
    "google.drive.sheet.contributor",
    "google.drive.sheet.ops",
    "google.drive.sheet.viewer",
    "google.drive.slide.admin",
    "google.drive.slide.auditor",
    "google.drive.slide.contributor",
    "google.drive.slide.ops",
    "google.drive.slide.viewer",
    "google.identity.group.admin",
    "google.identity.group.auditor",
    "google.identity.group.contributor",
    "google.identity.group.ops",
    "google.identity.group.viewer",
    "google.workspace.drive.admin",
    "google.workspace.drive.auditor",
    "google.workspace.drive.contributor",
    "google.workspace.drive.ops",
    "google.workspace.drive.viewer",
    "google.workspace.group.admin",
    "google.workspace.group.auditor",
    "google.workspace.group.contributor",
    "google.workspace.group.ops",
    "google.workspace.group.viewer",
    "maintenance.admin",
    "maintenance.auditor",
    "maintenance.ops",
    "maintenance.viewer",
    "okta.app.admin",
    "okta.app.auditor",
    "okta.app.contributor",
    "okta.app.ops",
    "okta.app.viewer",
    "okta.group.admin",
    "okta.group.auditor",
    "okta.group.contributor",
    "okta.group.ops",
    "okta.group.viewer",
    "policy.role.admin",
    "policy.role.auditor",
    "policy.role.contributor",
    "policy.role.ops",
    "policy.role.viewer",
    "policy.rule.admin",
    "policy.rule.admin.admin",
    "policy.rule.admin.contributor",
    "policy.rule.admin.ops",
    "policy.rule.auditor",
    "policy.rule.contributor",
    "policy.rule.ops",
    "policy.rule.viewer",
    "policy.user.admin",
    "policy.user.auditor",
    "policy.user.contributor",
    "policy.user.ops",
    "policy.user.viewer",
    "slack.channel.admin",
    "slack.channel.auditor",
    "slack.channel.contributor",
    "slack.channel.ops",
    "slack.channel.viewer",
    "slack.group.admin",
    "slack.group.auditor",
    "slack.group.contributor",
    "slack.group.ops",
    "slack.group.viewer",
    "workspace.abbreviation.admin",
    "workspace.abbreviation.auditor",
    "workspace.abbreviation.contributor",
    "workspace.abbreviation.ops",
    "workspace.abbreviation.viewer",
    "workspace.device.admin",
    "workspace.device.auditor",
    "workspace.device.contributor",
    "workspace.device.ops",
    "workspace.device.viewer",
    "workspace.global.token.admin",
    "workspace.global.token.auditor",
    "workspace.global.token.contributor",
    "workspace.global.token.ops",
    "workspace.global.token.viewer",
    "workspace.integration.admin",
    "workspace.integration.auditor",
    "workspace.integration.contributor",
    "workspace.integration.ops",
    "workspace.integration.viewer",
    "workspace.role.admin",
    "workspace.role.auditor",
    "workspace.role.contributor",
    "workspace.role.ops",
    "workspace.role.permission.admin",
    "workspace.role.permission.contributor",
    "workspace.role.permission.ops",
    "workspace.role.service.admin",
    "workspace.role.service.auditor",
    "workspace.role.service.contributor",
    "workspace.role.service.ops",
    "workspace.role.service.viewer",
    "workspace.role.user.admin",
    "workspace.role.user.auditor",
    "workspace.role.user.contributor",
    "workspace.role.user.ops",
    "workspace.role.user.viewer",
    "workspace.role.viewer",
    "workspace.service.admin",
    "workspace.service.admin.admin",
    "workspace.service.admin.contributor",
    "workspace.service.admin.ops",
    "workspace.service.auditor",
    "workspace.service.contributor",
    "workspace.service.ops",
    "workspace.service.token.admin",
    "workspace.service.token.contributor",
    "workspace.service.token.ops",
    "workspace.service.viewer",
    "workspace.token.admin",
    "workspace.token.auditor",
    "workspace.token.contributor",
    "workspace.token.ops",
    "workspace.token.viewer",
    "workspace.user.admin",
    "workspace.user.auditor",
    "workspace.user.contributor",
    "workspace.user.ops",
    "workspace.user.token.admin",
    "workspace.user.token.auditor",
    "workspace.user.token.contributor",
    "workspace.user.token.ops",
    "workspace.user.token.viewer",
    "workspace.user.viewer"
]