Reqflo Docs
Permissions

Groups and SCIM

Manage Reqflo access at scale with groups and identity-provider provisioning.

Groups and SCIM

Groups are the recommended way to manage access at scale.

Instead of assigning many individual user exceptions, map operational responsibilities to groups. Then give those groups the roles and grants they need.

Group types

Reqflo supports two group sources:

  • Local groups created in Reqflo.
  • SCIM-managed groups provisioned by an identity provider.

What groups can receive

Groups can be mapped to:

  • Organization roles
  • Service teams
  • Service-level roles
  • Resource grants
  • Integration administration access
  • Security administration access

Group-based access is preferred over individual user exceptions because it is easier to audit and maintain.

SCIM model

SCIM connects Reqflo to an identity provider.

The identity provider can:

  • Provision users.
  • Provision groups.
  • Manage group membership.

Reqflo uses those users and groups to calculate application permissions.

SCIM does not decide what a user can do inside Reqflo by itself. Reqflo maps SCIM users and groups to roles, service teams, and grants.

Support group example

An identity-provider group called support-tier-2 maps to a Reqflo group called Support Tier 2.

That group can receive:

  • Run access to diagnostic journeys.
  • Use access to read-only production auth configs.
  • View access to relevant services.

This lets support users run approved troubleshooting workflows without giving them service ownership or broad production administration.

Security group example

An identity-provider group called security-admins maps to the Reqflo Security Admin role.

That group can receive:

  • SSO management.
  • SCIM management.
  • OAuth scope management.
  • Secret and config administration.

This keeps security-sensitive privileges tied to the identity provider group that already represents the security team.

Service group example

An identity-provider group called checkout-team maps to the Checkout service team.

That group can receive:

  • Service maintainer access.
  • Edit access to Checkout resources.
  • Run access to Checkout journeys.

When the identity provider changes membership in checkout-team, Reqflo access updates through SCIM.

  • Prefer groups over individual user grants.
  • Use SCIM-managed groups for stable teams and operational functions.
  • Keep group names aligned with real responsibilities.
  • Use groups for cross-functional access, such as support, QA, security, or release management.
  • Use service teams for service ownership.
  • Review high-risk group grants regularly.

Roles

Understand organization, service, and resource-level roles in Reqflo.

Service teams

Use service teams to model service ownership and service-scoped access.

On this page

Groups and SCIMGroup typesWhat groups can receiveSCIM modelSupport group exampleSecurity group exampleService group exampleRecommended practices