Automations
User sync
Automatic provisioning, deprovisioning and role updates from your identity provider — Entra ID, Google Workspace or Okta. Joiner-mover-leaver without manual IT tickets.
Updated May 18, 2026
Configuration · Automation · 9.3
The User sync keeps the user base in Gfacility automatically aligned with your identity provider — usually Entra ID, sometimes Google Workspace or Okta. New hires get the right role instantly; leavers are blocked immediately; role changes follow HR mutations without IT having to step in.
Why this matters to the business
"New hire, day-one, no access"
SCIM provisioning on creation in Entra → account ready for sign-in.
"Ex-colleague still active a month later"
Deprovisioning within 5 min of deactivation in the IdP — no leaver gap.
"Promotion without role update"
Group-membership mapping → IdP group "FM-managers" = Gfacility role "FM coordinator".
"Permissions creep"
Sync overrides manual tweaks → single source of truth, no invisible exceptions.
Which provisioning modes
SCIM (push)
IdP pushes changes directly to Gfacility. Real-time, cleanest option for Entra and Okta.
Just-in-time
Account created on first login. No pre-provisioning; role derived from SAML/OIDC claims. Note that just-in-time on its own never removes access (a leaver who simply stops logging in leaves no signal), so it still needs blocking at the IdP or a SCIM/scheduled deprovisioning path.
Scheduled sync
Gfacility reads the IdP every X minutes/hours. Works without SCIM support; some lag.
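To make the SCIM push mode concrete, here is an added Python example of what the receiving side of a SCIM 2.0 push looks like: a create (POST /Users) and a deactivation (PATCH /Users/{id} setting active to false) applied to an in-memory store. This is illustration code written for this page, not Gfacility's own SCIM endpoint, and it handles only the attributes mentioned on this page (userName/email, displayName, department, active); the store, audit log, sample user and the specific request shapes accepted are assumptions.

```python
import json
from datetime import datetime, timezone

SCHEMA_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCHEMA_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCHEMA_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimError(ValueError):
    """A request the receiver must reject (maps to a 4xx SCIM response)."""


class Directory:
    """In-memory stand-in for the Gfacility user store (constructed for this example)."""

    def __init__(self):
        self.users = {}   # SCIM id -> record
        self.audit = []   # (utc timestamp, SCIM id, event): feeds the sync status/error log

    def _log(self, user_id, event):
        self.audit.append((datetime.now(timezone.utc).isoformat(), user_id, event))

    def create_user(self, body):
        """POST /Users: validate the core schema, reject duplicates, create the account."""
        if SCHEMA_USER not in body.get("schemas", []):
            raise ScimError("unsupported schema")
        user_name = (body.get("userName") or "").strip().lower()
        if not user_name:
            raise ScimError("userName is required")
        if any(u["userName"] == user_name for u in self.users.values()):
            raise ScimError("uniqueness: userName already exists")   # a real receiver answers 409
        primary = next((e["value"] for e in body.get("emails") or [] if e.get("primary")), user_name)
        user_id = f"u{len(self.users) + 1}"
        record = {
            "id": user_id, "userName": user_name, "email": primary.lower(),
            "name": body.get("displayName", ""),
            "department": body.get(SCHEMA_ENTERPRISE, {}).get("department", ""),
            "active": bool(body.get("active", True)), "deactivated_at": None,
        }
        self.users[user_id] = record
        self._log(user_id, "created")
        return record

    def patch_user(self, user_id, body):
        """PATCH /Users/{id}: apply PatchOp operations; only the 'active' attribute is handled."""
        if SCHEMA_PATCH not in body.get("schemas", []):
            raise ScimError("unsupported schema")
        record = self.users.get(user_id)
        if record is None:
            raise ScimError("user not found")   # a real receiver answers 404
        for op in body.get("Operations", []):
            if str(op.get("op", "")).lower() != "replace":
                raise ScimError(f"unsupported op: {op.get('op')}")
            path, value = op.get("path"), op.get("value")
            # Some IdPs send path "active" with a string value, others omit the path and
            # send {"active": false} as the value; accept both, reject everything else.
            if path is None and isinstance(value, dict) and "active" in value:
                self._set_active(record, value["active"])
            elif path == "active":
                self._set_active(record, value)
            else:
                raise ScimError(f"unsupported path: {path}")
        return record

    def _set_active(self, record, value):
        active = value if isinstance(value, bool) else str(value).lower() == "true"
        if record["active"] == active:
            return   # idempotent: a replayed PATCH must not re-log the event
        record["active"] = active
        record["deactivated_at"] = None if active else datetime.now(timezone.utc).isoformat()
        self._log(record["id"], "activated" if active else "deactivated")


def handle_request(directory, method, path, raw_body):
    """Route one SCIM request; returns (http status, record or None)."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        body = None
    if not isinstance(body, dict):
        return 400, None   # malformed or non-object body
    try:
        if method == "POST" and path == "/Users":
            return 201, directory.create_user(body)
        if method == "PATCH" and path.startswith("/Users/"):
            return 200, directory.patch_user(path.split("/")[2], body)
        return 404, None
    except ScimError:
        return 400, None


# Constructed exchange: the IdP pushes a joiner, then deactivates the same account.
CREATE = json.dumps({
    "schemas": [SCHEMA_USER, SCHEMA_ENTERPRISE], "userName": "j.doe@example.com",
    "displayName": "Jane Doe", "emails": [{"value": "J.Doe@example.com", "primary": True}],
    "active": True, SCHEMA_ENTERPRISE: {"department": "Facilities"},
})
DEACTIVATE = json.dumps({"schemas": [SCHEMA_PATCH],
                         "Operations": [{"op": "Replace", "path": "active", "value": "False"}]})

if __name__ == "__main__":
    d = Directory()
    print(handle_request(d, "POST", "/Users", CREATE))
    print(handle_request(d, "PATCH", "/Users/u1", DEACTIVATE))
```

The two points worth noticing for the leaver gap: the deactivation is applied the moment the PATCH arrives (no polling interval), and it is recorded in an audit list so the status dashboard and error log described below have something to show. Anything the receiver does not understand is rejected rather than silently ignored, which is what you want from a write path into your user base.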
What you configure
| Field | What it drives |
|---|---|
| Source system | Entra · Google Workspace · Okta · AFAS · Workday. One leading, optionally a second for specific fields. |
| Scope | Which OUs, which security groups, which licences? Limit to who really needs Gfacility. |
| Field mapping | UPN → email, displayName → name, department → department. One-to-one or via transformation. |
| Group-to-role mapping | Which IdP group becomes which Gfacility role? One-to-one or multiple groups → one role. |
| Leaver behaviour | Deactivate · anonymise · grey out for 30 days · delete after X days. |
| Conflict policy | What happens when a manual change in Gfacility conflicts with what the sync would write? Usually "IdP wins". |
| Frequency | Real-time (SCIM) or scheduled (15 min / 1 h / daily). A shorter interval means less lag but uses more API quota. |
| Monitoring | Status dashboard, error log, alert on > X failed records. |
Which decisions will you make?
Which IdP leads?
Entra is standard. AFAS may be a better source for department and cost centre, with Entra for auth.
External users
Contractors via guest accounts or separate tenant? Just-in-time on first login is often practical.
Leaver strategy
Deactivate immediately (security) vs grey out for 30 days (reporting continuity). Agree the choice with the DPO.
Periodic review
Quarterly: do active Gfacility users match HR-active? Discrepancy = sync issue.