Who can use this feature?
IT admins with a tenant in an identity provider
Business hub Owners
Only supported using the Cerby web app
As an IT admin collaborating with a business hub Owner, you can deprovision users from your external seat-based and paid social apps via your identity provider (IdP), such as Okta or Entra ID, and a business hub.
For this identity lifecycle management functionality to work, Cerby leverages user and group deprovisioning from the IdP to update Cerby teams. These teams must have shared access to a business hub integration with specific roles or permissions both in Cerby and the external app, including assets if supported, as shown in Figure 1.
Figure 1. User deprovisioning in external apps from IdP events
With this approach, any user who is removed from a group, or who is deactivated or deleted while assigned to a group, is automatically deprovisioned from the corresponding Cerby team. Given that the team already has access to the business hub, Cerby detects the IdP event and takes action as follows:
Cerby triggers automated tasks to remove these users from the external app.
For users removed from an IdP group, Cerby identifies whether they have shared access to the business hub integration, either individually or through another team, and determines their role. Users get the highest role across all their existing access grants, so, if needed, Cerby triggers an automated task to update their role in the external app.
Requirements
The following are the requirements to deprovision users from your external apps via your IdP and business hub:
A user account in your IdP with privileges to manage an app integration
A Cerby workspace integrated with your IdP for single sign-on (SSO) and automatic user provisioning using the SCIM protocol. Refer to the Creating and setting up your workspace collection for instructions according to your IdP.
Groups created and configured in your IdP to be used for user deprovisioning. For instructions, read the articles according to your IdP:
A business hub connected to Cerby to which you have the Owner role
The IdP-based teams must have shared access to the business hub integration. For instructions on how to do it, read the article Add users and teams to your app via a business hub; you must follow the process to add a team
Deprovision users from your apps via your IdP and business hub
To deprovision users from your external apps via your IdP and business hub, you must complete the following steps:
Log in to the IdP admin console or center of your organization.
Perform any of the following actions. For instructions, read the official documentation of your IdP:
Remove the users from a group
Entra ID: Remove members or owners of a group
Deactivate or delete the users
Entra ID: Delete a user
Given that IdP users and groups are automatically deprovisioned from your Cerby workspace, any of the following actions happens, depending on whether the users have shared access to the business hub integration individually or through another team with the same or lower role:
Cerby triggers the automated tasks to remove the users from the external app.
Cerby keeps access for the users with the same role.
Cerby triggers the automated tasks to update the user roles in the external app, including assets if supported.
TIP: You can view the progress of the automated tasks on the Automation page.
Now you are done.
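The three outcomes above (remove, keep, update) follow from the highest-role rule, which can be modeled to predict the result of a group removal before you make it. This is an added example, not Cerby's code: the role names and ranking, team names, user ids and function names are assumptions, and the SCIM PatchOp body is a constructed sample using two shapes IdPs commonly send for a group member removal.

```python
import re

# Assumed role names and ranking; real roles depend on the external app.
ROLE_RANK = {"viewer": 1, "editor": 2, "admin": 3}
MEMBER_FILTER = re.compile(r'members\[value eq "([^"]+)"\]')

def removed_member_ids(patch):
    """User ids removed from a group by a SCIM 2.0 PatchOp body."""
    ids = []
    for op in patch.get("Operations", []):
        if op.get("op", "").lower() != "remove":
            continue
        path = op.get("path", "")
        match = MEMBER_FILTER.fullmatch(path)
        if match:                  # filter form: members[value eq "id"]
            ids.append(match.group(1))
        elif path == "members":    # list form: ids carried in "value"
            ids.extend(m["value"] for m in op.get("value", []))
    return ids

def effective_role(user, members, roles, direct):
    """Highest role across the user's individual and team grants, or None."""
    held = [roles[t] for t, users in members.items() if user in users]
    if user in direct:
        held.append(direct[user])
    return max(held, key=ROLE_RANK.__getitem__, default=None)

def plan_after_removal(patch, team, members, roles, direct):
    """Map each removed user to (action, resulting role) for the external app."""
    plan = {}
    for user in removed_member_ids(patch):
        before = effective_role(user, members, roles, direct)
        rest = {t: u - {user} if t == team else u for t, u in members.items()}
        after = effective_role(user, rest, roles, direct)
        action = "remove" if after is None else "keep" if after == before else "update"
        plan[user] = (action, after)
    return plan

# Constructed sample data: three users removed from the "social-admins" group.
PATCH = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
         "Operations": [
             {"op": "remove", "path": 'members[value eq "u1"]'},
             {"op": "Remove", "path": "members",
              "value": [{"value": "u2"}, {"value": "u3"}]}]}
MEMBERS = {"social-admins": {"u1", "u2", "u3"}, "social-editors": {"u2"}}
ROLES = {"social-admins": "admin", "social-editors": "editor"}
DIRECT = {"u3": "admin"}  # individual (non-team) grants
PLAN = plan_after_removal(PATCH, "social-admins", MEMBERS, ROLES, DIRECT)
print(PLAN)
```

A "keep" result for a user you expected to lose access points to an individual grant or another team that still needs review.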