# HRIS & IdP

### 👤 Import & Sync Users

**Goal**\
Keep your User Directory in Cakewalk automatically in sync with your source of truth.

**How it works**

* Imports user data (name, email, manager).
* Syncs automatically every 2 hours.
* Lifecycle events (joiners, movers, leavers) trigger workflows in real time.
* **Manager Sync**: Automatically syncs manager relationships to streamline approval workflows and reporting.
* Default assignees for onboarding and offboarding tasks can be set based on your company's requirements.

**Supported systems**

* Cakewalk integrates with 100+ HRIS and IdP systems. Popular examples include:
  * **HRIS**: Personio, HiBob, BambooHR, Rippling, Gusto, CharlieHR, Workday (and many more).
  * **IdPs**: Okta, Entra ID, Google Workspace.

**How to set it up**

* Go to Settings → Data Sources → *Users*.
* Select your HRIS or IdP.
* Authenticate with an **admin account** (must have rights to read user profiles, reporting lines and groups). No sensitive information such as payroll, health data, or details about sexual orientation or religion is needed.
* Approve requested scopes/permissions → Save → sync starts immediately.

**Why it matters**

* Eliminates manual user creation.
* Ensures accuracy for access decisions.
* Powers reliable JML automation.

📘 Learn more: [User management](https://docs.getcakewalk.io/how-to-guides/users-and-groups/user-management) and [Joiner, Mover, Leaver (JML)](https://docs.getcakewalk.io/how-to-guides/users-and-groups/joiner-mover-leaver-jml)

***

### 🚀 No-Touch Onboarding

**Goal**\
Onboard synced users automatically without a manual review step.

**How it works**

* By default, every user synced from your HRIS/IdP triggers a *Review onboarding* task that must be confirmed before onboarding starts.
* With No-Touch Onboarding enabled, users who belong to the designated IdP group skip the review task entirely. All default apps from their assigned groups are provisioned immediately.

**Requirements**

* Manager Sync must be enabled on your Users integration.
* The designated group must be a synced IdP group (not a Cakewalk-managed group).
* One group can be designated per Users integration.

**How to set it up**

1. Go to Settings → Data Sources → *Users*.
2. Open *Manage integration settings* for your Users integration.
3. Enable **Sync managers** (required).
4. Toggle on **No-Touch Onboarding**.
5. Select the IdP group you want to auto-onboard (e.g., "Engineering").
6. Click **Confirm**.

New users synced into that group will now be onboarded automatically. All default apps assigned to the user's groups at the time of onboarding are provisioned without any manual confirmation.

**Why it matters**

* Removes the onboarding bottleneck for high-growth teams doing many hires per month.
* Reduces time-to-productivity: new employees get access from their first day without waiting for manual approval.
* Works alongside auto-provisioning (Agent Cake or IdP-based) for fully hands-off onboarding.

📘 Learn more: [Joiner, Mover, Leaver (JML)](https://docs.getcakewalk.io/how-to-guides/users-and-groups/joiner-mover-leaver-jml) and [Introduction to auto-provisioning](https://docs.getcakewalk.io/how-to-guides/auto-provisioning/introduction/introduction-to-auto-provisioning)

***

### 👥 Import & Sync User Groups

**Goal**\
Leverage your IdP groups to drive Role-Based Access Control (RBAC) in Cakewalk.

**How it works**

* Sync groups directly from IdPs like Okta, Entra or Google Workspace.
* **Assigned Groups**: static memberships synced into Cakewalk.
* **Dynamic Groups**: rule-based memberships remain read-only in Cakewalk.
* Groups can assign default apps, hidden apps or policies.
* Membership changes in IdP flow into Cakewalk automatically.
* Optional **bidirectional sync** for assigned groups.

**Supported systems**

* IdPs: Okta, Entra ID, Google Workspace.

**How to set it up**

* Go to Settings → Data Sources → *User groups*.
* Select your IdP.
* Authenticate with an **admin account** (requires rights to read groups and memberships; bidirectional sync requires write permissions for group memberships in the IdP).
* Approve requested scopes → Save → sync starts.

**Why it matters**

* Mirrors your real org structure.
* Automates access assignment & reviews.
* Keeps RBAC aligned with organizational changes.

📘 Learn more: [Groups and Role-Based Access Control (RBAC)](https://docs.getcakewalk.io/how-to-guides/users-and-groups/groups-and-role-based-access-control-rbac)

***

### 📦 Import Apps

**Goal**\
Automatically pull the apps your users connect to via IdP into Cakewalk’s app governance.

**How it works**

* **Google Workspace**: Cakewalk reads OAuth tokens employees have granted to third-party apps.
* **Microsoft Entra ID**: Cakewalk pulls enterprise app assignments and sign-in logs.
* Imported apps appear in *App Governance → Discovered Apps*.
* Admins can change app status (Managed, Tracked, Restricted, Ignored).
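
What an OAuth-grant-based import has to work from, as an added example (not Cakewalk's code): the records are constructed and use the field names of Google Admin SDK Directory API token resources (`clientId`, `displayText`, `scopes`, `userKey`), while `BROAD_SCOPES` and `build_inventory` are names assumed for illustration. It rolls per-user grants up into one entry per app and puts apps holding broad mail or Drive scopes at the top for review.

```python
from collections import defaultdict

# Constructed sample records, shaped like Google Admin SDK Directory API
# token resources. All users, client IDs and app names are made up.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "111.apps.example",
     "displayText": "NoteTaker AI",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
    {"userKey": "bob@example.com", "clientId": "111.apps.example",
     "displayText": "NoteTaker AI",
     "scopes": ["openid", "https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "bob@example.com", "clientId": "222.apps.example",
     "displayText": "Mail Merge Helper",
     "scopes": ["https://mail.google.com/"]},
    {"userKey": "carol@example.com", "clientId": "333.apps.example",
     "displayText": "Team Polls", "scopes": ["openid", "email"]},
]

# Assumption: scopes treated as "broad" for triage. Adjust to your own policy.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
}

def build_inventory(tokens):
    """Group per-user grants by OAuth client and summarise each app."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for tok in tokens:
        client_id = tok.get("clientId")
        if not client_id:  # skip malformed records rather than guess
            continue
        app = apps[client_id]
        app["name"] = tok.get("displayText") or client_id
        app["users"].add(tok.get("userKey", "unknown"))
        app["scopes"].update(tok.get("scopes", []))
    inventory = []
    for client_id, app in apps.items():
        broad = sorted(app["scopes"] & BROAD_SCOPES)
        inventory.append({"client_id": client_id, "name": app["name"],
                          "user_count": len(app["users"]),
                          "broad_scopes": broad,
                          "needs_review": bool(broad)})
    # Apps with broad scopes first, then by number of users.
    inventory.sort(key=lambda a: (not a["needs_review"], -a["user_count"]))
    return inventory

if __name__ == "__main__":
    for app in build_inventory(SAMPLE_TOKENS):
        print(app)
```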

**Supported systems**

* Google Workspace
* Microsoft Entra ID

**How to set it up**

* Import your apps into Cakewalk right after the initial user import is completed.
* Select Google Workspace or Entra ID.
* Authenticate with an **admin account** (requires rights to read enterprise apps, OAuth grants and sign-in logs).

**Why it matters**

* Surfaces Shadow IT apps discovered through SSO/OAuth.
* Expands your catalog instantly without manual entry.
* Ensures visibility for audits and security reviews.

📘 Learn more: [App discovery](https://docs.getcakewalk.io/how-to-guides/apps/app-discovery) and [App governance](https://docs.getcakewalk.io/how-to-guides/apps/app-governance)
