From f0d95e206d315970ce1f471352c69884eb69efbd Mon Sep 17 00:00:00 2001 From: Loren Yeung Date: Mon, 9 Mar 2026 21:37:17 -0700 Subject: [PATCH 1/3] Update SCIM provisioning requirements in documentation Clarified requirements for API key and permissions needed for SCIM provisioning in Harness. --- .../provision-users-and-groups-using-azure-ad-scim.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/platform/role-based-access-control/provision-users-and-groups-using-azure-ad-scim.md b/docs/platform/role-based-access-control/provision-users-and-groups-using-azure-ad-scim.md index e1d82889040..56f4b951c1f 100644 --- a/docs/platform/role-based-access-control/provision-users-and-groups-using-azure-ad-scim.md +++ b/docs/platform/role-based-access-control/provision-users-and-groups-using-azure-ad-scim.md 
@@ -24,9 +24,9 @@ You need an understanding of: * [Harness' key concepts](/docs/platform/get-started/key-concepts.md). * [RBAC in Harness](/docs/platform/role-based-access-control/rbac-in-harness). -You must be an Administrator in your Microsoft Entra ID account, and you must be an **Account Admin** in Harness. +You must be an Administrator in your Microsoft Entra ID account, and you must have atleast the permissions to 'manage' and 'create/edit' account level service accounts and 'create/edit' account roles in Harness in order to perform all the steps necessary to provide an API key to Entra for provisioning. Generally, the steps below are handled by a Harness Admin. -You need a Harness [API key and unexpired token](/docs/platform/automation/api/add-and-manage-api-keys) that has all **Users** and **User Groups** [permissions](/docs/platform/automation/api/api-permissions-reference). API keys inherit permissions from the user they are associated with. If you use an API key for a [service account](./add-and-manage-service-account.md), make sure the service account has all **Users** and **User Groups** permissions. +You need to create a Harness [API key and unexpired token](/docs/platform/automation/api/add-and-manage-api-keys) that has all (view+manage+invite) **Users** and **User Groups** [permissions](/docs/platform/automation/api/api-permissions-reference). API keys inherit permissions from the user they are associated with. It is recommended that a separate service account is created for SCIM. Similar to a user API key, if you create an API key for a [service account](./add-and-manage-service-account.md), make sure the service account is binded with a role containg all (view+manage+invite) **Users** and **User Groups** permissions. ## Add Harness in Microsoft Entra ID From 7973e857073decda89217a7a178be5238c7d7462 Mon Sep 17 00:00:00 2001 
From: Loren Yeung Date: Mon, 9 Mar 2026 21:39:49 -0700 Subject: [PATCH 2/3] Update SCIM provisioning instructions for clarity Clarified requirements for OneLogin and Harness permissions, and recommended creating a separate service account for SCIM. --- .../provision-users-and-groups-with-one-login-scim.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/platform/role-based-access-control/provision-users-and-groups-with-one-login-scim.md b/docs/platform/role-based-access-control/provision-users-and-groups-with-one-login-scim.md index b55bcf799cb..300e5d0921b 100644 --- a/docs/platform/role-based-access-control/provision-users-and-groups-with-one-login-scim.md +++ b/docs/platform/role-based-access-control/provision-users-and-groups-with-one-login-scim.md 
@@ -30,9 +30,9 @@ You need an understanding of: * [Harness' key concepts](/docs/platform/get-started/key-concepts.md). * [RBAC in Harness](/docs/platform/role-based-access-control/rbac-in-harness). -You must be an Administrator in your OneLogin account, and you must be an **Account Admin** in Harness. +You must be an Administrator in your OneLogin account, and you must have atleast the permissions to 'manage' and 'create/edit' account level service accounts and 'create/edit' account roles in Harness in order to perform all the steps necessary to provide an API key to Entra for provisioning. Generally, the steps below are handled by a Harness Admin. -You need a Harness [API key and unexpired token](/docs/platform/automation/api/add-and-manage-api-keys) that has all **Users** and **User Groups** [permissions](/docs/platform/automation/api/api-permissions-reference). API keys inherit permissions from the user they are associated with. If you use an API key for a [service account](./add-and-manage-service-account.md), make sure the service account has all **Users** and **User Groups** permissions. +You need to create a Harness [API key and unexpired token](/docs/platform/automation/api/add-and-manage-api-keys) that has all (view+manage+invite) **Users** and **User Groups** [permissions](/docs/platform/automation/api/api-permissions-reference). API keys inherit permissions from the user they are associated with. It is recommended that a separate service account is created for SCIM. Similar to a user API key, if you create an API key for a [service account](./add-and-manage-service-account.md), make sure the service account is binded with a role containg all (view+manage+invite) **Users** and **User Groups** permissions. ## Add the Harness app to OneLogin From d8cc720647ddddeed66bb9b4f686633ab9abf732 Mon Sep 17 00:00:00 2001 
From: Loren Yeung Date: Mon, 9 Mar 2026 21:40:06 -0700 Subject: [PATCH 3/3] Update provision-users-with-okta-scim.md --- .../provision-users-with-okta-scim.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/platform/role-based-access-control/provision-users-with-okta-scim.md b/docs/platform/role-based-access-control/provision-users-with-okta-scim.md index 1ed41fa5e8b..1688f526cf1 100644 --- a/docs/platform/role-based-access-control/provision-users-with-okta-scim.md +++ b/docs/platform/role-based-access-control/provision-users-with-okta-scim.md 
@@ -24,9 +24,9 @@ You need an understanding of: * [Harness' key concepts](/docs/platform/get-started/key-concepts.md). * [RBAC in Harness](/docs/platform/role-based-access-control/rbac-in-harness). -You must be an Administrator in your Okta account, and you must be an **Account Admin** in Harness. +You must be an Administrator in your Okta account, and you must have atleast the permissions to 'manage' and 'create/edit' account level service accounts and 'create/edit' account roles in Harness in order to perform all the steps necessary to provide an API key to Entra for provisioning. Generally, the steps below are handled by a Harness Admin. -You need a Harness [API key and unexpired token](/docs/platform/automation/api/add-and-manage-api-keys) that has all **Users** and **User Groups** [permissions](/docs/platform/automation/api/api-permissions-reference). API keys inherit permissions from the user they are associated with. If you use an API key for a [service account](./add-and-manage-service-account.md), make sure the service account has all **Users** and **User Groups** permissions. +You need to create a Harness [API key and unexpired token](/docs/platform/automation/api/add-and-manage-api-keys) that has all (view+manage+invite) **Users** and **User Groups** [permissions](/docs/platform/automation/api/api-permissions-reference). API keys inherit permissions from the user they are associated with. It is recommended that a separate service account is created for SCIM. Similar to a user API key, if you create an API key for a [service account](./add-and-manage-service-account.md), make sure the service account is binded with a role containg all (view+manage+invite) **Users** and **User Groups** permissions. ## Create an Okta app integration
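Review bot: In PATCH 1/3 (provision-users-and-groups-using-azure-ad-scim.md), the two added paragraphs contain typos that will ship to the rendered docs: "atleast" should be "at least", "binded with a role containg" should be "bound to a role containing". The first added sentence also closes with "Generally, the steps below are handled by a Harness Admin", while the removed line named the role as **Account Admin**; use the same role name and bold styling so readers can match it to the RBAC UI. The permission names are quoted as 'manage' and 'create/edit' in the first paragraph but written as (view+manage+invite) in the second; pick one notation. Since the text keeps "API keys inherit permissions from the user they are associated with" and now recommends a separate service account for SCIM, consider saying explicitly that the service account's role should hold only the **Users** and **User Groups** permissions listed.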
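Review bot: In PATCH 2/3 (provision-users-and-groups-with-one-login-scim.md), the first added line says the permissions are needed "to provide an API key to Entra for provisioning", but this page is about OneLogin and the same sentence opens with "Administrator in your OneLogin account"; this looks like a copy from the Entra page and should read "to OneLogin". The same typos as in the Entra hunk are repeated here: "atleast" should be "at least", and "binded with a role containg" should be "bound to a role containing". "Harness Admin" replaces the removed **Account Admin** without bold or a matching role name; keep the naming consistent with the removed line.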
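Review bot: In PATCH 3/3 (provision-users-with-okta-scim.md), the first added line says "to provide an API key to Entra for provisioning" on the Okta page; it should name Okta, matching "Administrator in your Okta account" earlier in the same sentence. The typos "atleast", "binded" and "containg" are carried over from the other two files and need the same fixes ("at least", "bound", "containing"). Because the identical two paragraphs are now pasted into three files with only the identity provider name changed, and two of the three copies got the name wrong, consider moving the shared Harness-side prerequisites into one included snippet and leaving only the provider-specific sentence in each page.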