Skip to main content

SCIM Auto-Provisioning

Alteryx supports the ability to provision, update and deprovision Analytics Cloud users through the System for Cross-domain Identity Management (SCIM) protocol. By enabling SCIM, your organization can use security groups within your own identity provider (IdP) to set user access to individual workspaces, products and features.

Prerequisites

  • Your IdP supports the SCIM 2.0 protocol.

  • You have direct access to your identity provider and have sufficient administrative privileges.

  • You have direct access to your Analytics Cloud workspace and have been assigned the Workspace Admin role.

Overview

Dica

Auto-provisioning is most effective when user access is managed through groups. Within your IdP, consider managing application access using security groups instead of assigning users to the application, one-by-one.

Provisioning Users and User Groups

When SCIM is enabled and a security group is assigned to the Alteryx application for the first time, a user group will be created within the corresponding workspace. Users who are assigned to that security group within the IdP will be invited to the workspace (if applicable), and be made members of the corresponding user group within that workspace. If one or more roles have already been assigned to that user group within Analytics Cloud, those users will also inherit those roles and related permissions.

Importante

When SCIM is enabled, workspace administrators can still manually manage users and user groups, however SCIM will override manual changes.

Profile Updates

When SCIM is enabled, and a user’s name has been updated in the Idp or source directory, that user’s name will also be updated in Analytics Cloud. This change will be reflected across Analytics Cloud, despite which other or additional workspaces that user may be a member of.

Deprovisioning Users and User Groups

When SCIM is enabled, and a security group is removed from the IdP application, the corresponding user group will be deleted from that workspace. Users who are members of that user group may lose access to certain products and features if their access was granted exclusively through roles assigned to that user group. If a user was provided workspace access exclusively through that security group, that user will also be disabled and have their roles removed, preventing access to and within that workspace.

Audit Log Events

System updates caused by SCIM auto-provisioning will contain CUSTOMER_SCIM as the originating_service value in all audit event payloads. This makes it easier to distinguish automated updates caused by changes within your IdP from manual changes made by workspace administrators.

Configuration

Dica

While you can integrate any IdP that supports the SCIM 2.0 protocol, Alteryx supports setup guides for the most popular SCIM-supporting IdPs:

Configure SCIM for Entra

Configure SCIM for OKTA

Enable SCIM

  1. Within Analytics Cloud, navigate to your workspace’s Admin Console.

  2. Select User Provisioning in the left navigation menu.

  3. Select Automatic User Provisioning.

  4. Select Enable.

  5. In the the Authentication Type dropdown, select “Alteryx Token Authentication”.

  6. Select Next.

  7. Note and copy the Tenant URL. You will need this later.

  8. Select Generate Token.

  9. In the Lifetime (Days) field, enter “365”.

  10. Select Generate.

  11. Note and copy the SCIM Token. You will need this later.

  12. Select Close.

  13. Reference your IdP’s documentation on how to enable SCIM using the Tenant URL and SCIM Token copied from your workspace.

Assign Groups

Within your IdP, assign one or more security groups to workspace’s corresponding application.

Permission Groups

  1. Within Analytics Cloud, navigate to your workspace’s Admin Console.

  2. Select User Groups in the left navigation menu.

  3. Hover over a user group, and use the 3-dot menu to select Assign Roles.

  4. Select one or more roles.

  5. Select Save.

To learn more about assigning roles to user groups, see User Groups.