
Provisioning

Provisioning enables automated account lifecycle management by connecting Hydden.Control to external identity and ticketing systems. When access review decisions are made or data changes occur, provisioning rules can automatically create tickets, provision accounts, modify group memberships, or disable access in connected systems.

Overview

Provisioning consists of three components:

| Component | Purpose |
| --- | --- |
| External Systems | Connections to identity providers (Entra ID) or ticketing systems (Jira, Zendesk) |
| Provisioning Rules | Define what data changes trigger what actions |
| Provisioning Actions | Individual operations queued for execution |

Supported External Systems

| System | Category | Supported Actions |
| --- | --- | --- |
| Microsoft Entra ID | Identity Management | Create account, modify account, disable/enable account, add/remove group membership |
| Jira | Ticketing | Create ticket, update ticket, transition ticket, add comment |
| Zendesk | Ticketing | Create ticket, update ticket, add comment |
| Salesforce | Identity Management | Create account, modify account, disable account |

Configuring External Systems

External systems define connections to target platforms where provisioning actions are executed.

Prerequisites

Before configuring an external system:

  1. Identity Management systems (Entra ID, Salesforce):

    • Register an application with appropriate API permissions
    • Obtain client credentials (client ID and secret)
    • Configure SCIM endpoint access if applicable
  2. Ticketing systems (Jira, Zendesk):

    • Create an API token or service account
    • Identify project keys or ticket categories

Adding an External System

  1. Navigate to Settings > Provisioning.

  2. Click + Add External System.

  3. Select the System Type (Entra, Jira, Zendesk, or Salesforce).

  4. Select the Category:

    • Identity Management: For account lifecycle operations
    • Ticketing: For creating and managing tickets
  5. Enter the required configuration:

    | Field | Description |
    | --- | --- |
    | Name | Descriptive name for this connection |
    | Description | Optional notes about the system's purpose |
    | Base URL | API endpoint URL for the external system |
    | Credentials | Reference to stored credentials in the secure vault |
  6. Configure Connector Settings specific to the system type.

  7. Click Test Connection to verify the configuration.

  8. Click Save to create the external system.

Entra ID Configuration

For Microsoft Entra ID connections:

| Setting | Description |
| --- | --- |
| Tenant ID | Your Azure AD tenant identifier |
| SCIM Endpoint | Optional custom SCIM endpoint (defaults to Microsoft Graph) |

Required Azure AD API permissions:

User.ReadWrite.All          Create and modify users
Group.ReadWrite.All         Modify group memberships
Directory.ReadWrite.All     Full directory access

Jira Configuration

For Jira connections:

| Setting | Description |
| --- | --- |
| Project Key | Default Jira project for new tickets |
| Issue Type | Default issue type (Task, Story, Bug, etc.) |
| Custom Fields | Map Hydden data to Jira custom fields |

Zendesk Configuration

For Zendesk connections:

| Setting | Description |
| --- | --- |
| Subdomain | Your Zendesk subdomain |
| Group ID | Default ticket group assignment |
| Priority | Default ticket priority |

Provisioning Rules

Provisioning rules define automated responses to data changes. When a trigger event occurs and matches the rule's filter, the specified action is queued for execution.

Trigger Events

Rules can respond to these data change events:

| Category | Event | Description |
| --- | --- | --- |
| Account Lifecycle | account_created | New account discovered in sync |
| | account_updated | Account attributes changed |
| | account_deleted | Account removed from source |
| Group Membership | group_member_added | User added to a group |
| | group_member_removed | User removed from a group |
| Role Assignment | role_assigned | Role granted to an account |
| | role_revoked | Role removed from an account |
| Ticket Lifecycle | ticket_resolved | Linked ticket marked resolved |
| | ticket_approved | Linked ticket approved |
| | ticket_rejected | Linked ticket rejected |

Creating a Provisioning Rule

  1. Navigate to Settings > Provisioning > Rules.

  2. Click + Add Rule.

  3. Enter rule details:

    | Field | Description |
    | --- | --- |
    | Name | Descriptive rule name |
    | Description | Explain the rule's purpose |
    | External System | Target system for actions |
    | Trigger Event | Data change that activates this rule |
    | Active | Enable or disable the rule |
  4. Configure Trigger Filter (optional) to limit which entities match:

    ```json
    {
      "account_type": "human",
      "department": "Engineering"
    }
    ```
  5. Select the Action Type to execute when triggered.

  6. Configure Action Parameters specific to the action type.

  7. For account creation actions, configure Credential Delivery:

    | Method | Description |
    | --- | --- |
    | Email | Send temporary password via email |
    | In-App | Display in Hydden.Control notification |
    | Both | Send via email and in-app |
    | SSPR | Self-Service Password Reset link |
  8. Set Credential TTL (time-to-live) for temporary passwords.

  9. Click Save to create the rule.

Rule Examples

Auto-create Entra account when role assigned:

Trigger Event: role_assigned
Filter: { "role_name": "employee" }
Action: create_account
System: Entra ID Production
Credential Delivery: Email
Credential TTL: 24 hours

Create Jira ticket for access review rejection:

Trigger Event: ticket_rejected
Filter: { "campaign_type": "application_review" }
Action: create_ticket
System: Jira IT Service Desk
Action Params: {
  "project": "ITSD",
  "issue_type": "Task",
  "summary": "Access removal required: {{account.display_name}}",
  "description": "Access rejected in campaign {{campaign.name}}"
}
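To make the trigger-filter and placeholder mechanics concrete, here is an added, illustrative rule evaluator (not Hydden.Control's own code). It takes the two Rule Examples above as constructed sample rules, applies the JSON filter as equality on the event's fields, and fills `{{account.display_name}}`-style placeholders in the action parameters. The event shape, the `evaluate_rules` function and the sample events are assumptions made for the example.

```python
"""Illustrative trigger-filter matching and action-parameter templating.
Added example: not Hydden.Control's own code; the event shape, function names
and the sample rules/events below are assumptions or constructed data."""
import re
from typing import Any, Dict, List, Optional

# Matches {{ dotted.path }} placeholders such as {{account.display_name}}
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def lookup(data: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path ('campaign.name') through nested dicts; None if absent."""
    cur: Any = data
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_filter(context: Dict[str, Any], rule_filter: Optional[Dict[str, Any]]) -> bool:
    """Every filter key must be present in the event context with an equal value.
    An empty or missing filter matches every event of the rule's trigger type."""
    if not rule_filter:
        return True
    return all(lookup(context, key) == value for key, value in rule_filter.items())


def render(template: Any, context: Dict[str, Any]) -> Any:
    """Substitute {{path}} placeholders in strings, recursing into dicts and lists.
    Unresolved placeholders stay verbatim so a bad mapping is visible in the queued action."""
    if isinstance(template, str):
        def substitute(match: "re.Match[str]") -> str:
            value = lookup(context, match.group(1))
            return match.group(0) if value is None else str(value)
        return PLACEHOLDER.sub(substitute, template)
    if isinstance(template, dict):
        return {k: render(v, context) for k, v in template.items()}
    if isinstance(template, list):
        return [render(v, context) for v in template]
    return template


def evaluate_rules(event: Dict[str, Any], rules: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the provisioning actions the given rules would queue for one event."""
    queued = []
    for rule in rules:
        if not rule.get("active", True):
            continue  # inactive rules are previewed with Test Rule, never queued
        if rule["trigger_event"] != event["type"]:
            continue
        if not matches_filter(event["context"], rule.get("filter")):
            continue
        queued.append({
            "rule": rule["name"],
            "external_system": rule["external_system"],
            "action_type": rule["action_type"],
            "params": render(rule.get("action_params", {}), event["context"]),
            "status": "Pending",
        })
    return queued


# Constructed sample rules mirroring the two Rule Examples on this page.
SAMPLE_RULES = [
    {"name": "Auto-create Entra account for employees", "trigger_event": "role_assigned",
     "filter": {"role_name": "employee"}, "action_type": "create_account",
     "external_system": "Entra ID Production",
     "action_params": {"credential_delivery": "Email", "credential_ttl_hours": 24}, "active": True},
    {"name": "Jira ticket for access review rejection", "trigger_event": "ticket_rejected",
     "filter": {"campaign_type": "application_review"}, "action_type": "create_ticket",
     "external_system": "Jira IT Service Desk",
     "action_params": {"project": "ITSD", "issue_type": "Task",
                       "summary": "Access removal required: {{account.display_name}}",
                       "description": "Access rejected in campaign {{campaign.name}}"},
     "active": True},
]

# Constructed sample events (the shape is an assumption of this example).
ROLE_EVENT = {"type": "role_assigned",
              "context": {"role_name": "employee", "account": {"display_name": "Ada Lovelace"}}}
REJECT_EVENT = {"type": "ticket_rejected",
                "context": {"campaign_type": "application_review",
                            "account": {"display_name": "Ada Lovelace"},
                            "campaign": {"name": "Q3 App Review"}}}

if __name__ == "__main__":
    for ev in (ROLE_EVENT, REJECT_EVENT):
        print(evaluate_rules(ev, SAMPLE_RULES))
```

Leaving unresolved placeholders in place rather than silently blanking them is deliberate: a ticket summary that still reads `{{account.display_name}}` is an immediate signal that the field mapping is wrong, which is the kind of problem Test Rule is meant to surface before a rule goes live.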

Provisioning Actions

Provisioning actions are individual operations created by rules or triggered manually. Each action progresses through a defined status workflow.

Action Status Workflow

Diagram: a left-to-right flow showing the provisioning action status workflow. An action starts as Pending, transitions to Running, and from Running can reach Completed, Failed, or return to Pending for retry. Both Pending and Running states can transition to Cancelled.

| Status | Description |
| --- | --- |
| Pending | Queued for execution |
| Running | Currently being processed |
| Completed | Successfully executed |
| Failed | Execution failed (may retry) |
| Cancelled | Manually cancelled |

Monitoring Actions

  1. Navigate to Settings > Provisioning > Actions.

  2. Use filters to find specific actions:

    • Status: Pending, Running, Completed, Failed, Cancelled
    • External System: Filter by target system
    • Action Type: Filter by operation type
    • Target Entity: Search by account or entity ID
  3. Click an action to view details:

    • Target entity information
    • Action parameters
    • Execution attempts and timestamps
    • Error messages (for failed actions)
    • Result data (for completed actions)

Retrying Failed Actions

Failed actions can be retried:

  1. Select the failed action.
  2. Review the error message.
  3. Click Retry to re-queue the action.
  4. The action returns to Pending status with incremented attempt count.
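The status workflow above and the manual Retry procedure can be expressed as a small state machine. The following is an added example, not Hydden.Control's own code: the allowed transitions are taken from the diagram and the Retry section, while the `TransientError` class, the `run()` loop and the automatic re-queue limit are assumptions used to show how an action moves between states.

```python
"""Illustrative status workflow for a provisioning action.
Added example: not Hydden.Control's own code. Allowed transitions follow the
diagram on this page; TransientError and the run() loop are assumptions."""
from dataclasses import dataclass, field
from typing import Any, Callable, List, Optional, Tuple

# Allowed transitions. Running -> Pending is the automatic re-queue shown in the
# diagram; Failed -> Pending is the manual Retry described in "Retrying Failed Actions".
ALLOWED = {
    "Pending": {"Running", "Cancelled"},
    "Running": {"Completed", "Failed", "Pending", "Cancelled"},
    "Failed": {"Pending"},
    "Completed": set(),
    "Cancelled": set(),
}


class InvalidTransition(Exception):
    pass


class TransientError(Exception):
    """Assumed marker for errors worth an automatic re-queue (e.g. throttling)."""


@dataclass
class ProvisioningAction:
    action_type: str
    target_entity: str
    status: str = "Pending"
    attempts: int = 0            # grows each time execution starts
    error: Optional[str] = None
    result: Any = None
    history: List[Tuple[str, str]] = field(default_factory=list)

    def transition(self, new_status: str) -> None:
        if new_status not in ALLOWED[self.status]:
            raise InvalidTransition(f"{self.status} -> {new_status} is not allowed")
        self.history.append((self.status, new_status))
        self.status = new_status

    def retry(self) -> None:
        """Manual Retry: only a Failed action can be re-queued."""
        if self.status != "Failed":
            raise InvalidTransition("only Failed actions can be retried")
        self.error = None
        self.transition("Pending")

    def cancel(self) -> None:
        self.transition("Cancelled")


def run(action: ProvisioningAction, execute: Callable[[ProvisioningAction], Any],
        max_auto_retries: int = 2) -> ProvisioningAction:
    """Process an action until it is Completed or Failed (or was Cancelled)."""
    while action.status == "Pending":
        action.transition("Running")
        action.attempts += 1
        try:
            action.result = execute(action)
            action.transition("Completed")
        except TransientError as exc:
            if action.attempts <= max_auto_retries:
                action.transition("Pending")       # automatic re-queue
            else:
                action.error = str(exc)
                action.transition("Failed")
        except Exception as exc:                   # permanent failure: needs manual Retry
            action.error = str(exc)
            action.transition("Failed")
    return action


if __name__ == "__main__":
    calls = {"n": 0}

    def flaky(_: ProvisioningAction) -> dict:
        calls["n"] += 1
        if calls["n"] == 1:
            raise TransientError("throttled by connector")
        return {"ticket": "constructed-1"}

    done = run(ProvisioningAction("create_ticket", "acct-1"), flaky)
    print(done.status, done.attempts, done.history)
```

Keeping the transition table explicit is what makes the audit trail trustworthy: every status change is appended to `history`, and an operator cannot, for example, cancel an action that has already completed in the target system.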

Temporary Credentials

When provisioning creates new accounts with temporary passwords, credentials are securely stored and delivered according to the rule configuration.

Credential Delivery Methods

| Method | How It Works |
| --- | --- |
| Email | Encrypted email sent to the account owner or designated recipient |
| In-App | Notification appears in Hydden.Control with secure reveal |
| Both | Email and in-app notification |
| SSPR | Self-service password reset link (no temporary password) |

Credential Lifecycle

  1. Created: Credential generated during account provisioning
  2. Delivered: Sent via configured delivery method
  3. Retrieved: User accesses the credential (in-app only)
  4. Expired: TTL elapsed, credential no longer accessible

Viewing Temporary Credentials

For in-app delivery:

  1. Navigate to Notifications (bell icon).
  2. Find the credential notification.
  3. Click Reveal Credential to view.
  4. Credential is marked as retrieved.

WARNING

Temporary credentials are encrypted at rest and only decrypted during delivery or retrieval. After TTL expiration, credentials cannot be recovered.
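The credential lifecycle (Created, Delivered, Retrieved, Expired) and the TTL rule above can be modelled as follows. This is an added example and not Hydden.Control's own code: the `CredentialStore` class, its method names, the injectable clock and the audit lines are assumptions. It shows the properties a practitioner cares about: the secret never appears in `repr()` or audit output, in-app reveal only works for In-App or Both delivery, and once the TTL elapses the secret is discarded rather than merely hidden.

```python
"""Illustrative temporary-credential lifecycle: Created -> Delivered -> Retrieved -> Expired.
Added example: not Hydden.Control's own code; the store, its method names and the
injectable clock are assumptions. Encryption at rest is out of scope here."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class CredentialUnavailable(Exception):
    pass


@dataclass
class TemporaryCredential:
    credential_id: str
    account_id: str
    delivery: str                 # Email, In-App, Both or SSPR
    created_at: float
    expires_at: float
    state: str = "Created"
    _secret: Optional[str] = field(default=None, repr=False)   # kept out of repr()/logs
    audit: List[str] = field(default_factory=list)

    def fingerprint(self) -> str:
        """Short hash that can go into audit logs without exposing the password."""
        return hashlib.sha256((self._secret or "").encode()).hexdigest()[:16]


class CredentialStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now                      # injectable clock makes TTL testable
        self._items: Dict[str, TemporaryCredential] = {}

    def create(self, account_id: str, delivery: str, ttl_seconds: int) -> TemporaryCredential:
        created = self.now()
        cred = TemporaryCredential(
            credential_id=secrets.token_hex(8), account_id=account_id, delivery=delivery,
            created_at=created, expires_at=created + ttl_seconds,
            _secret=None if delivery == "SSPR" else secrets.token_urlsafe(16))
        cred.audit.append(f"created fp={cred.fingerprint()} ttl={ttl_seconds}s")
        self._items[cred.credential_id] = cred
        return cred

    def deliver(self, credential_id: str) -> TemporaryCredential:
        cred = self._items[credential_id]
        self._expire_if_due(cred)
        if cred.state != "Created":
            raise CredentialUnavailable(f"cannot deliver in state {cred.state}")
        cred.state = "Delivered"
        cred.audit.append(f"delivered via {cred.delivery}")
        return cred

    def reveal(self, credential_id: str) -> str:
        """In-app 'Reveal Credential': returns the secret and marks it Retrieved."""
        cred = self._items[credential_id]
        self._expire_if_due(cred)
        if cred.state not in ("Delivered", "Retrieved") or cred.delivery not in ("In-App", "Both"):
            raise CredentialUnavailable(
                f"reveal not allowed (state={cred.state}, delivery={cred.delivery})")
        cred.state = "Retrieved"
        cred.audit.append("retrieved in-app")
        return cred._secret

    def _expire_if_due(self, cred: TemporaryCredential) -> None:
        if self.now() >= cred.expires_at and cred.state != "Expired":
            cred.state = "Expired"
            cred._secret = None             # unrecoverable after TTL
            cred.audit.append("expired")


if __name__ == "__main__":
    store = CredentialStore()
    c = store.deliver(store.create("acct-1", "In-App", ttl_seconds=86400).credential_id)
    print(c)                                # repr omits the secret
    print(store.reveal(c.credential_id) is not None, c.audit)
```

The `fingerprint()` hash is what belongs in the audit trail: it lets an investigator correlate a generation event with a retrieval event without the log ever holding the password itself.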


Security Considerations

Credential Storage

  • External system credentials are stored in Azure Key Vault or configured secret store
  • Credentials are never logged or exposed in API responses
  • Access to provisioning settings requires Administrator role

Audit Trail

All provisioning operations are logged:

  • Rule creation, modification, and deletion
  • Action execution attempts and results
  • Credential generation and retrieval events

View provisioning audit events in Settings > Audit Log with filter category:provisioning.

Rate Limiting

Connectors implement rate limiting to respect external system quotas:

  • HTTP 429 responses trigger automatic backoff
  • Retry intervals are configurable per external system
  • Bulk operations are batched to prevent throttling
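An added example of the connector-side behaviour described in these three bullets (not Hydden.Control's own connector code): retry on HTTP 429 honouring a numeric `Retry-After` header, exponential backoff with jitter when the header is absent, and a `batched()` helper for bulk operations. The `Response` shape, the fake throttling transport and the default tuning values are assumptions made for the example.

```python
"""Illustrative connector-side rate limiting: HTTP 429 backoff and batched bulk operations.
Added example: not Hydden.Control's own code; the Response shape, the fake transport
and the tuning parameters are assumptions."""
import random
import time
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Iterable, Iterator, List


class RateLimited(Exception):
    pass


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Any = None


def call_with_backoff(send: Callable[[], Response], *, max_attempts: int = 5,
                      base_delay: float = 0.5, max_delay: float = 30.0,
                      sleep: Callable[[float], None] = time.sleep,
                      rng: Callable[[], float] = random.random) -> Response:
    """Retry while the external system answers 429. A numeric Retry-After header is
    honoured; otherwise wait base_delay * 2**(attempt-1), capped at max_delay, plus
    jitter of up to one base_delay so parallel workers do not retry in lockstep."""
    for attempt in range(1, max_attempts + 1):
        resp = send()
        if resp.status != 429:
            return resp
        if attempt == max_attempts:
            raise RateLimited(f"still throttled after {attempt} attempts")
        retry_after = resp.headers.get("Retry-After", "").strip()
        if retry_after.isdigit():
            wait = float(retry_after)
        else:
            wait = min(max_delay, base_delay * 2 ** (attempt - 1)) + rng() * base_delay
        sleep(wait)
    raise RateLimited("unreachable")


def batched(items: Iterable[Any], size: int) -> Iterator[List[Any]]:
    """Split a bulk operation into fixed-size batches so one burst does not trip the quota."""
    batch: List[Any] = []
    for item in items:
        batch.append(item)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


def make_throttling_transport(throttle_first: int) -> Callable[[], Response]:
    """Constructed fake transport: the first `throttle_first` calls answer 429 (the very
    first with Retry-After: 2), after which the system answers 200."""
    calls = {"n": 0}

    def send() -> Response:
        calls["n"] += 1
        if calls["n"] <= throttle_first:
            headers = {"Retry-After": "2"} if calls["n"] == 1 else {}
            return Response(429, headers)
        return Response(200, {}, {"ok": True, "call": calls["n"]})

    return send


if __name__ == "__main__":
    waits: List[float] = []
    resp = call_with_backoff(make_throttling_transport(2), sleep=waits.append)
    print(resp.body, "waited", waits)
    for chunk in batched(range(10), 4):
        print("batch", chunk)
```

Note that `Retry-After` may also be sent as an HTTP date rather than a number of seconds; the example falls back to computed backoff in that case, which is safe but conservative.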

Troubleshooting

Common Issues

| Issue | Cause | Resolution |
| --- | --- | --- |
| Actions stuck in Pending | Worker not processing | Check job history for worker status |
| Authentication failures | Expired or invalid credentials | Update credentials in external system config |
| SCIM errors | Permission or schema mismatch | Verify API permissions and attribute mappings |
| Missing trigger events | Rule filter too restrictive | Review filter conditions |

Testing Rules

Before enabling rules in production:

  1. Create the rule with Active set to false.
  2. Use Test Rule to preview which entities would match.
  3. Review the action that would be generated.
  4. Enable the rule when satisfied with the preview.
