Skip to main content
Provision and deprovision the reviewers who complete your access review campaigns automatically from your identity provider (IdP), instead of adding them by hand. Oleria exposes a dedicated governance SCIM 2.0 endpoint, separate from the workspace SCIM endpoint, so your IdP can create and remove reviewers as your directory changes. Reviewers are the people who receive and act on access review assignments in the reviewer portal. They are a separate population from the administrators, operators, and analysts who operate your Oleria workspace.

How governance SCIM differs from workspace SCIM

Oleria has two independent SCIM endpoints. Use the one that matches who you are provisioning: The authentication flow, request and response formats, and endpoint paths are otherwise identical to the workspace endpoint. This page documents only what is specific to reviewer provisioning. See SCIM user provisioning for the full request and response reference.

Prerequisites

  • Administrator access to your Oleria workspace.
  • Access reviews enabled for your workspace. The Governance App SCIM credentials are available only when governance is deployed for your tenant.
  • The governance SCIM client credentials, found on the Governance App tab in Settings → SCIM Configuration.
  • A SCIM 2.0 client, such as your IdP’s outbound provisioning feature, that can send a bearer token on every request.

Authenticate to the governance SCIM API

Authenticate exactly as described in Authenticate to the SCIM API, with two differences:
  • Use the Client ID, Client Secret, and OAuth Token URL from the Governance App tab in Settings → SCIM Configuration, not the Main Workspace tab.
  • Send SCIM requests to the governance SCIM Base URL, which ends in /governance/scim/v2 (for example, https://devx.YOUR_TENANT.oleria.io/governance/scim/v2).
The Main Workspace and Governance App tabs issue separate credentials. A token minted with workspace credentials is not valid against the governance endpoint, and vice versa.

The reviewer role

Every user you provision through the governance endpoint is assigned the single reviewer role automatically. There is no role selection: unlike the workspace endpoint, you do not assign roles through groups, and you do not need to send a roles attribute. Any roles value you include in a create, replace, or patch request is ignored.

Provision a reviewer

Send a POST to /governance/scim/v2/Users with the reviewer’s userName, name, and emails:
Returns 201 Created. The reviewer role is applied automatically:

Manage reviewers

The remaining endpoints behave the same as the workspace endpoints, under the /governance/scim/v2 base path. See the linked sections for request and response details:

SCIM specification reference

Contact us

For questions about SCIM provisioning, contact us at support@oleria.com.