Group‑Based Access Control & Pre‑Provisioned Team Memberships
Salama Alnuaimi
Current SCIM support in Port only handles user lifecycle (create, update, delete) and profile fields. It does not support SCIM group CRUD or “push groups” from the IdP.
The SCIM token is scoped only for user operations (no get:groups), so Entra/Okta group provisioning fails with 403 “Insufficient scope (get:groups)”.
Group/team memberships are only synced:
- When a SCIM user is created/updated, and
- When the user logs in to Port.
This means customers cannot fully pre‑provision team memberships or enforce group‑based roles/automations before first login.
Features requested here:
- SCIM group support: Support SCIM group CRUD (including secure get:groups) from IdPs like Entra ID and Okta.
- Pre‑provisioned team memberships: When a user is provisioned/updated via SCIM, Port should apply their IdP groups to Port teams without requiring login.
- Group‑based RBAC and automations: Allow Port roles and workflows to be driven directly from IdP groups as soon as SCIM provisioning runs.
- Config controls: Let admins choose which IdP groups SCIM manages and whether SCIM may create teams or only map to existing ones.