Auto-Provisioning allows your organization to automatically create, activate, and deactivate administrator accounts based on rules defined using employee data from your HRIS or SFTP employee file.

Instead of manually creating admin accounts one at a time, you define conditions (for example, department, job title, or manager status). The system automatically provisions administrator access for employees whose records meet those conditions.

Because access is managed through Single Sign-On (SSO), auto-provisioned admins do not receive invitation emails. Once their account has been provisioned, they can simply sign in through your organization’s SSO portal to access the dashboard.

Prerequisites

Before configuring Auto-Provisioning, ensure the following requirements are met.

How Auto-Provisioning Works

Auto-Provisioning uses a rule-based system that continuously evaluates employee data.

Rule Creation

You define rules using employee fields from your HRIS integration or employee file.

Examples of common rule conditions include:

• Department

• Location

• Job title

• Manager status

Each rule also specifies the admin role that matching employees should receive.

Automatic Account Creation

When an employee record meets all conditions in a rule, the system automatically:

1. Creates an admin account

2. Assigns the defined admin role

3. Marks the account as Active

No invitation email is sent. The user can immediately sign in through SSO.

Automatic Deactivation

If an employee record no longer meets the rule conditions, the system automatically marks their admin account as Inactive.

This can occur if:

• The employee changes roles

• The employee leaves the company

• Their department or manager status changes

If the employee later meets the rule conditions again, their admin account is automatically reactivated.

The IsManager Field

A commonly used rule condition is the IsManager field.

This field is automatically derived from your HRIS data. If an employee appears as the manager of at least one other employee (based on the Manager ID field), the system sets:

• IsManager = True

If the employee manages no one:

• IsManager = False

Because this value is calculated dynamically from your HRIS data, provisioning rules based on manager status automatically reflect changes in your organization’s reporting structure.

Manually Created Admins

Admin accounts that were created manually (not through Auto-Provisioning) are not affected by provisioning rules.

This means:

• They will not be deactivated

• Their roles will not be modified

• Their access will not change, even if their employee record matches a rule

Manual admins must continue to be managed directly by an administrator.

Managing Auto-Provisioned Admins

Viewing the Auto-Provisioned Admin List

In the Auto-Provisioning section, you can view all admins created through provisioning rules.

For each admin, you can see:

• The rule that provisioned the account

• The assigned admin role

• The account status (Active or Inactive)

This view helps identify which rule granted admin access to a specific employee.

Admin Status Lifecycle

Status changes occur automatically during employee data syncs.

If employee data later changes so that the rule conditions are met again, the account is automatically reactivated.

No manual action is required.

Handling Conflicting Rules

If multiple Auto-Provisioning rules exist, an employee may match more than one rule.

When this occurs:

Conflict Detection

When creating or editing a rule, the system checks for overlapping conditions with existing rules. If employees could match multiple rules with different roles, the system will notify you.

Rule Precedence

If an employee matches multiple rules:

• The first rule created takes precedence.

• The employee will be provisioned with the role defined in that rule.

Existing Admin Accounts

If an employee already has an auto-provisioned admin account and a new conflicting rule is later created:

• The system will not overwrite the existing role

• The original rule that provisioned the account continues to control access.

To avoid confusion, we recommend designing rules with non-overlapping conditions whenever possible.

Frequently Asked Questions

Will auto-provisioned admins receive an invitation email?

No. Because authentication is handled through SSO, invitation emails are not sent. Once an admin account is provisioned, the user can sign in through your organization’s SSO portal.

What happens to admins I created manually?

Manual admin accounts are not affected by Auto-Provisioning. Their roles and access remain unchanged unless an administrator updates them manually.

Can I use Auto-Provisioning without an HRIS integration?

Yes. If your organization does not use an HRIS integration, you can use an SFTP employee file as the employee data source. Provisioning rules will evaluate the fields included in the uploaded file.

What if an employee matches multiple rules with different roles?

The first rule created takes precedence. If the employee already has an active auto-provisioned admin account, new rules will not overwrite the existing role.

How quickly are changes reflected?

Auto-Provisioning rules are evaluated each time employee data syncs.

Typical sync timing:

• HRIS integrations: usually daily

• SFTP files: each time a new file is uploaded and processed

Changes to employee data will affect admin access after the next successful sync.

Can I deactivate an auto-provisioned admin manually?

Auto-provisioned admin accounts are managed automatically by the system.

If you need to remove access for a specific employee, you can:

• Update the provisioning rule conditions, or

• Delete the provisioning rule

Manual status changes are not supported because the system would restore the rule-based status during the next data sync.