# App Provisioning

App Provisioning lets you control which users have access to each registered application and automatically provision or deprovision their accounts as needed.

## How It Works

When you assign a user or group to an application, AccessIQ can:

1. Grant the user access to sign in to that application.
2. Automatically provision a user account in the target application (if the app supports SCIM or a provisioning API).
3. Deprovision the account when access is removed.

## Assigning Users to Applications

### Manual Assignment

1. Go to **Applications** and select an app.
2. Open the **Users** tab.
3. Click **Assign Users** and search for individual users.
4. Select the users and click **Assign**.

### Group-Based Assignment

1. On the app's **Users** tab, click **Assign Group**.
2. Select one or more groups or organizations.
3. All members of those groups are granted access. New members added to the group automatically gain access.

## Provisioning Settings

If the target application supports automated provisioning, configure it under the app's **Provisioning** tab:

| Setting            | Description                                                       |
| ------------------ | ----------------------------------------------------------------- |
| Provisioning mode  | Manual (access only) or Automatic (create/update/delete accounts) |
| SCIM endpoint      | The target app's SCIM base URL                                    |
| Auth method        | Bearer token or OAuth for the target app's SCIM API               |
| Attribute mapping  | Map AccessIQ user fields to the target app's user schema          |
| Deprovision action | Deactivate or delete the account when access is removed           |

## Provisioning Status

Each user's provisioning status is shown on the app's Users tab:

| Status        | Meaning                                                      |
| ------------- | ------------------------------------------------------------ |
| Provisioned   | Account created in the target app                            |
| Pending       | Provisioning in progress or queued                           |
| Failed        | Provisioning encountered an error -- check the error details |
| Deprovisioned | Account removed from the target app                          |

## Troubleshooting

* **Provisioning failed**: Check the error message on the user's row. Common causes include invalid SCIM credentials or a required field that is not mapped.
* **User can sign in but has no account in the target app**: Provisioning mode may be set to Manual. Switch to Automatic and re-sync.
* **Deprovisioned user still has access**: The target app may cache sessions. The user's access will end when their session expires.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://accessiq.gitbook.io/accessiq-docs/applications-and-api/app-provisioning.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.