Skip to main content

SCIM Auto-Provisioning

Alteryx supports the ability to provision, update and deprovision Analytics Cloud users through the System for Cross-domain Identity Management (SCIM) protocol. By enabling SCIM, your organization can use security groups within your own identity provider (IdP) to set user access to individual workspaces, as well as individual applications within those workspaces.

Prerequisites

  • Your IdP supports the SCIM 2.0 protocol.

  • You have direct access to your identity provider and have sufficient administrative privileges.

  • You have direct access to your Analytics Cloud workspace and have been assigned the Workspace Admin role.

Overview

提示

Auto-provisioning is most effective when user access is managed through groups. Within your IdP, consider managing application access using security groups instead of assigning users to the application, one-by-one.

Provisioning Users and User Groups

When SCIM is enabled, and a security group is assigned to the IdP application for the first time, a user group will be created within the corresponding workspace. Users who are assigned to that security group within the IdP will be invited to the workspace (if applicable), and be made members of the corresponding user group within that workspace. If one or more roles have already been assigned to that user group within Analytics Cloud, those users will also inherit those roles and related permissions.

To learn more about assigning roles to user groups, see User Groups.

重要

When SCIM is enabled, workspace administrators can still manually manage users and user groups. SCIM can override manual changes.

Deprovisioning Users and User Groups

When SCIM is enabled, and a security group is removed from the IdP application, the corresponding user group will be deleted from that workspace. Users who are members of that user group may lose access to certain products and features if their access was granted exclusively through roles assigned to that user group. If a user was provided workspace access exclusively through that security group, that user will also be disabled and have their roles removed, preventing access to and within that workspace.

Configuration

Enable SCIM

  1. Within Analytics Cloud, navigate to your workspace’s Admin Console.

  2. Select User Provisioning in the left navigation menu.

  3. Select Automatic.

  4. Select Confirm.

  5. Note and copy the Tenant URL. You will need this later.

  6. Select Generate Token.

  7. Populate the Lifetime (Days) field or Expiration Date field.

  8. Select Generate.

  9. Note and copy the SCIM Token. You will need this later.

  10. Select Close.

  11. Reference your IdP’s documentation on how to enable SCIM using the Tenant URL and SCIM Token copied from your workspace.

Within your IdP, assign one or more security groups to workspace’s corresponding application.

Manage Group Access

  1. Within Analytics Cloud, navigate to your workspace’s Admin Console.

  2. Select User Groups in the left navigation menu.

  3. Hover over a user group, and use the 3-dot menu to select Assign Roles.

  4. Select one or more roles.

  5. Select Save.

Limitations

  • SCIM is not supported in the account. You can only enable SCIM Auto-Provisioning in individual workspaces, one at a time.

本节内容如下: