Prerequisites
Before starting this tutorial, ensure you have:
- The Provisionr CLI installed and authenticated
- Directory users imported from your identity provider (with manager relationships)
- A title dimension with attributes for job titles
What You’ll Build
By the end of this tutorial, you’ll have:
- A Team dimension for organizing team membership
- Three team attributes: IT Helpdesk, IT Applications, and IT Security
- Policy rules that automatically assign users to teams based on their job title or manager
Create the Team Dimension
First, create a new Directory Dimension to organize your teams. We’ll set a 30-day expiration period for deprecated attributes.
```bash
prv directory-dimension:create --name="Team" --expires_after_days=30 --activate
```
The CLI will display the created dimension with its ID. Make note of the dimension ID (e.g., `drdim_01abc123...`) as you’ll need it for creating attributes.
Use `prv directory-dimension:list` to view all dimensions and find the ID later if needed.
Create the IT Helpdesk Attribute
Create the first team attribute for the IT Helpdesk team. Replace `DIMENSION_ID` with the ID from the previous step.
```bash
prv directory-attribute:create \
  --dimension_id=DIMENSION_ID \
  --name="IT Helpdesk" \
  --no_predecessor \
  --inherit_expiration \
  --activate
```
The attribute is now created and activated with an empty policy. The CLI will display the attribute details including its policy ruleset ID.
Create the IT Applications Attribute
Create the second team attribute for the IT Applications team.
```bash
prv directory-attribute:create \
  --dimension_id=DIMENSION_ID \
  --name="IT Applications" \
  --no_predecessor \
  --inherit_expiration \
  --activate
```
Create the IT Security Attribute
Create the third team attribute for the IT Security team.
```bash
prv directory-attribute:create \
  --dimension_id=DIMENSION_ID \
  --name="IT Security" \
  --no_predecessor \
  --inherit_expiration \
  --activate
```
You now have three team attributes, each with an empty policy ruleset ready for rules.
View Your Team Attributes
List all attributes in the Team dimension to see what you’ve created.
```bash
prv directory-attribute:list --dimension_id=DIMENSION_ID
```
You should see your three team attributes with their IDs and policy ruleset IDs. Each attribute’s policy currently has no rules, so no users are assigned yet.
Create a Rule for IT Helpdesk (Title-Based)
Now let’s add rules to automatically assign users to teams. First, we’ll create a rule that assigns users with the “IT Helpdesk Manager” title to the IT Helpdesk team.
Start by finding the attribute ID for the “IT Helpdesk Manager” title in your title dimension.
```bash
prv directory-attribute:list --search="IT Helpdesk Manager"
```
Note the attribute ID (e.g., `dratr_01helpdesk...`).
Now create a rule for the IT Helpdesk team. Use the IT Helpdesk team’s attribute ID as the resource.
```bash
prv policy-rule:create \
  --resource_type=directory-attribute \
  --resource_id=IT_HELPDESK_ATTRIBUTE_ID \
  --description="IT Helpdesk Managers by title"
```
When prompted to create a condition, select `attribute` as the type and enter the attribute ID for “IT Helpdesk Manager”.
Alternatively, you can create the rule without prompts using `--no_conditions`, then add conditions separately.
Create a Rule for IT Helpdesk (Manager-Based)
Create a second rule that includes all direct reports of a specific manager. First, find the user ID for Carlo Dach.
```bash
prv directory-user:list --search="Carlo Dach"
```
Note the user ID (e.g., `drusr_01carlo...`).
Create a new rule with a manager condition.
```bash
prv policy-rule:create \
  --resource_type=directory-attribute \
  --resource_id=IT_HELPDESK_ATTRIBUTE_ID \
  --description="Direct reports of Carlo Dach"
```
When prompted for the condition type, select `manager` and enter Carlo Dach’s user ID. This will include all users who report directly to Carlo Dach in the IT Helpdesk team.
Activate the IT Helpdesk Rules
Rules are created in a staged state. Activate them to start assigning users.
```bash
prv policy-rule:list --resource_id=IT_HELPDESK_ATTRIBUTE_ID --state=staged
```
For each rule ID shown, activate it:
```bash
prv policy-rule:activate --id=RULE_ID --force
```
Create Rules for IT Applications Team
Repeat the process for the IT Applications team. First, find the required IDs.
```bash
# Find the IT Applications Manager title attribute
prv directory-attribute:list --search="IT Applications Manager"
# Find Stanford Harris user ID
prv directory-user:list --search="Stanford Harris"
```
Create the title-based rule:
```bash
prv policy-rule:create \
  --resource_type=directory-attribute \
  --resource_id=IT_APPLICATIONS_ATTRIBUTE_ID \
  --description="IT Applications Managers by title"
```
Select `attribute` as the condition type and enter the “IT Applications Manager” attribute ID.
Create the manager-based rule:
```bash
prv policy-rule:create \
  --resource_type=directory-attribute \
  --resource_id=IT_APPLICATIONS_ATTRIBUTE_ID \
  --description="Direct reports of Stanford Harris"
```
Select `manager` as the condition type and enter Stanford Harris’s user ID.
Activate both rules:
```bash
prv policy-rule:list --resource_id=IT_APPLICATIONS_ATTRIBUTE_ID --state=staged
prv policy-rule:activate --id=RULE_ID --force
```
Create Rules for IT Security Team (Multiple Conditions)
The IT Security team has a more complex structure. Senior managers must have both a specific title AND report to a specific person. Let’s create a rule with multiple conditions.
First, find the required IDs:
```bash
# Find the Senior IT Security Manager title attribute
prv directory-attribute:list --search="Senior IT Security Manager"
# Find Adele Swaniawski user ID (the executive they report to)
prv directory-user:list --search="Adele Swaniawski"
```
Create a rule for the senior managers:
```bash
prv policy-rule:create \
  --resource_type=directory-attribute \
  --resource_id=IT_SECURITY_ATTRIBUTE_ID \
  --description="Senior IT Security Managers reporting to Adele Swaniawski"
```
When prompted, add the first condition:
- Type: attribute
- Attribute ID: The “Senior IT Security Manager” attribute ID
After the first condition is created, you’ll be prompted to add another condition. Add the second condition:
- Type: manager
- Manager ID: Adele Swaniawski’s user ID
When a rule has multiple conditions, ALL conditions must be met for a user to match. This means users must have BOTH the “Senior IT Security Manager” title AND report to Adele Swaniawski.
Create Rules for IT Security Individual Contributors
Individual contributors on the IT Security team report to either Damian DuBuque or Houston Johnston. Since this is an OR condition (report to either manager), we need two separate rules.
Find the manager user IDs:
```bash
prv directory-user:list --search="Damian DuBuque"
prv directory-user:list --search="Houston Johnston"
```
Create a rule for Damian DuBuque’s direct reports:
```bash
prv policy-rule:create \
  --resource_type=directory-attribute \
  --resource_id=IT_SECURITY_ATTRIBUTE_ID \
  --description="Direct reports of Damian DuBuque"
```
Select `manager` as the condition type and enter Damian DuBuque’s user ID.
Create a second rule for Houston Johnston’s direct reports:
```bash
prv policy-rule:create \
  --resource_type=directory-attribute \
  --resource_id=IT_SECURITY_ATTRIBUTE_ID \
  --description="Direct reports of Houston Johnston"
```
Select `manager` as the condition type and enter Houston Johnston’s user ID.
Multiple rules on the same attribute work as an OR condition. A user matching ANY rule will be assigned to the team.
Activate All IT Security Rules
List and activate all staged rules for the IT Security team:
```bash
prv policy-rule:list --resource_id=IT_SECURITY_ATTRIBUTE_ID --state=staged
```
Activate each rule:
```bash
prv policy-rule:activate --id=RULE_ID_1 --force
prv policy-rule:activate --id=RULE_ID_2 --force
prv policy-rule:activate --id=RULE_ID_3 --force
```
Verify Team Membership
After activating all rules, verify that users are being assigned correctly by syncing the policy rulesets:
You can view users assigned to each team by examining the policy users:
```bash
prv policy-user:list --resource_id=IT_HELPDESK_ATTRIBUTE_ID
prv policy-user:list --resource_id=IT_APPLICATIONS_ATTRIBUTE_ID
prv policy-user:list --resource_id=IT_SECURITY_ATTRIBUTE_ID
```
Summary
You’ve successfully created a Team dimension with three IT team attributes. Each team uses policy rules with conditions to automatically assign membership:
| Team | Rule Type | Condition Logic |
|---|---|---|
| IT Helpdesk | Title + Manager | Users with “IT Helpdesk Manager” title OR direct reports of Carlo Dach |
| IT Applications | Title + Manager | Users with “IT Applications Manager” title OR direct reports of Stanford Harris |
| IT Security | Multi-condition + Manager | Senior managers with specific title AND reporting to Adele Swaniawski, OR direct reports of either Damian DuBuque or Houston Johnston |
Key Concepts
- Multiple rules = OR: Users matching ANY rule are included in the attribute
- Multiple conditions in a rule = AND: Users must match ALL conditions in a single rule
- Staged vs Active: Rules are created staged and must be activated to take effect
- Manager conditions: Include all direct reports of a specified manager
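The evaluation logic summarized above, modelled as an added Python example (not Provisionr's own code): rules on one attribute are OR-ed, conditions inside a rule are AND-ed, only active rules assign users, and a manager condition covers direct reports only. All IDs are constructed placeholders, and treating a rule with no conditions as matching nobody is an assumption of this model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    id: str
    attributes: frozenset        # attribute IDs held, e.g. a title attribute
    manager_id: Optional[str]    # direct manager only

@dataclass
class Rule:
    description: str
    conditions: list             # ("attribute", ATTR_ID) or ("manager", USER_ID)
    state: str = "staged"        # rules are created staged

def condition_matches(user, condition):
    kind, value = condition
    if kind == "attribute":
        return value in user.attributes
    if kind == "manager":
        return user.manager_id == value      # direct reports, not the whole subtree
    raise ValueError(f"unknown condition type: {kind}")

def rule_matches(user, rule):
    # AND across conditions. Assumption of this model: a rule with no
    # conditions matches nobody (the page does not say how such rules behave).
    return bool(rule.conditions) and all(condition_matches(user, c) for c in rule.conditions)

def members(users, rules):
    # OR across rules; only active rules assign anyone.
    active = [r for r in rules if r.state == "active"]
    return sorted(u.id for u in users if any(rule_matches(u, r) for r in active))

# Constructed sample data: every ID below is a placeholder, not real CLI output.
SENIOR = "dratr_senior_sec_mgr"
USERS = [
    User("u_senior_adele", frozenset({SENIOR}), "u_adele"),
    User("u_senior_other", frozenset({SENIOR}), "u_someone_else"),
    User("u_ic_damian", frozenset(), "u_damian"),
    User("u_ic_houston", frozenset(), "u_houston"),
    User("u_skip_level", frozenset(), "u_ic_damian"),   # reports to a report of Damian
]
RULES = [
    Rule("Senior IT Security Managers reporting to Adele Swaniawski",
         [("attribute", SENIOR), ("manager", "u_adele")], "active"),
    Rule("Direct reports of Damian DuBuque", [("manager", "u_damian")], "active"),
    Rule("Direct reports of Houston Johnston", [("manager", "u_houston")]),  # still staged
]

if __name__ == "__main__":
    print("before activating the third rule:", members(USERS, RULES))
    RULES[2].state = "active"
    print("after activating it:", members(USERS, RULES))
```

Comparing the two membership lists is a quick way to review who a staged rule would add to a team such as IT Security before it is activated.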