Skip to main content

Overview

Custom provisioning workflows automate access grant and revocation for resources that don’t support SCIM provisioning. Instead of manual provisioning, you can define automated workflows using natural language instructions.
Note: Use SCIM provisioning when available. Custom workflows are designed for resources without SCIM support, where you do not want to do manual provisioning.

When to use custom provisioning

  • The resource doesn’t support SCIM
  • You have API or CLI access to the resource
  • Manual provisioning would otherwise be required

How it works

Custom provisioning requires two workflows:
  • Provisioning workflow: Grants access
  • Deprovisioning workflow: Revokes access
Workflows cannot reverse themselves, so both must be explicitly defined.

Creating a Custom Provisioning Workflow

  1. In Access Manager, open the role you want to configure.
  2. Next to “Choose a provisioning workflow,” click +.
  3. In the workflow builder, enter your provisioning steps below the template line:
   Create a custom provisioning workflow with the following steps.
Required: Do not delete or modify the template line. It identifies the workflow type.
  1. Write the provisioning instructions in natural language.
Screenshot2025 10 30at8 21 11PM Pn
**Example: **Create a custom provisioning workflow with the following steps.
  1. Check if the user has Slack user access.
  2. If the user lacks Slack user access, provision it first.
  3. Grant Slack admin access via API.
  1. Click Test workflow to verify the workflow logic.
  2. Click Publish when ready.

Creating the Deprovisioning Workflow

Create a deprovisioning workflow

  1. In Access Manager, return to the same role.
  2. Next to “Choose a deprovisioning workflow,” click +.
  3. Enter your deprovisioning steps below the template line:
   Create a custom deprovisioning workflow with the following steps.
Required: Do not delete or modify the template line.
  1. Write the deprovisioning instructions.

Example: Slack admin deprovisioning

Create a custom deprovisioning workflow with the following steps.
1. Remove Slack admin access via API.
2. Downgrade to Slack member access.
Note: If this is an application where a user likely has base access, only remove elevated access, not overall access.
  1. Test and publish the workflow.
Custom Deprovisioning Workflo
  1. In Access Manager, select the role.
  2. Under custom workflow, select your published provisioning workflow
  3. Under deprovisioning workflow, select your published deprovisioning workflow
The workflows are now active and will run automatically based on your access policy.
Note: Custom provisioning workflows cannot be triggered manually. They execute only through access requests managed by the access policy.
Link Custom Provisioning Wo
Note: You can view all provisioning and deprovisioning workflows in the Workflow Builder. Provisioning workflows are marked with a green key icon, deprovisioning with red.
Screenshot2025 10 30at8 26 46PM Pn

Verify the configuration

Test the complete flow:
  1. Submit an access request for the role
  2. Verify the provisioning workflow executes correctly
  3. Wait for the access period to expire or manually revoke access
  4. Verify the deprovisioning workflow executes correctly