User and Group Provisioning

The purpose of User Provisioning at Unique is to let clients manage their users and groups centrally, for example in Azure Entra ID, and to provision those entities into Unique and keep them in sync. This enforces the need-to-know principle and regulatory requirements by limiting data access to the relevant users only, which upholds AI Governance. It also lets clients determine and assign data ownership according to their own preferences.

Background

In Unique, clients can manage users and groups, which is essential for controlling access to knowledge and to specific spaces in the chat. Traditionally, creating groups and managing memberships has been a manual and time-consuming process. Because manual synchronization does not scale and is error-prone, an automated solution is needed to provision users and keep group setups in sync with clients' organizational structures.

There are two approaches to syncing user groups in Unique:

  1. Group claims on ID Token: This approach embeds the user's group information directly in the ID token issued by the Identity Provider (IdP). When a user authenticates, their group memberships are therefore immediately available within Unique. New users are provisioned just-in-time on first login from the profile information carried in the ID token sent by the IdP.

  2. SCIM (System for Cross-domain Identity Management): SCIM is an open standard for automating the exchange of user identity information between identity domains or IT systems. By supporting SCIM, Unique can synchronize user and group information from clients' user management systems. In this scenario the client's IdP provisions users and groups, so synchronization happens independently of a user's first (or next) login.
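The following added example (written for this page, not code from Unique or any IdP) models both approaches against one in-memory user/group store and shows the practical difference between them: with group claims, a membership revoked in the IdP stays in effect until the user's next login, whereas a SCIM PATCH revokes it at once. Everything in it is constructed: the issuer, audience, user ids and group names are assumptions, and the ID token is HS256-signed with a shared key so the example runs offline with the standard library only (real OIDC ID tokens are RS256-signed and verified against the IdP's published JWKS). The SCIM payload shapes follow RFC 7643 (core User) and RFC 7644 (PatchOp).

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed values for this example only (not Unique's or any IdP's real config).
ISSUER = "https://idp.example.test"
AUDIENCE = "unique-client-app"
SIGNING_KEY = b"example-shared-secret"  # stand-in for the IdP's signing key
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict) -> str:
    """Mint an HS256 JWT the way a test IdP would (constructed helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, now: int) -> dict:
    """Check alg, signature, issuer, audience and expiry before trusting any claim."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


class Directory:
    """In-memory stand-in for the user/group store (constructed)."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}        # user id -> profile
        self.groups: dict[str, set[str]] = {}   # group name -> member user ids

    def memberships(self, user_id: str) -> list[str]:
        return sorted(g for g, members in self.groups.items() if user_id in members)

    def replace_memberships(self, user_id: str, groups: list[str]) -> None:
        # Full replace: a group absent from the claim is dropped, so access
        # revoked in the IdP is revoked here too (need-to-know).
        for members in self.groups.values():
            members.discard(user_id)
        for name in groups:
            self.groups.setdefault(name, set()).add(user_id)


def jit_provision_from_id_token(directory: Directory, token: str, now: int) -> str:
    """Approach 1: create/update the user and sync their groups, but only at login."""
    claims = verify_id_token(token, now)
    user_id = claims["sub"]
    directory.users[user_id] = {"email": claims["email"], "active": True}
    directory.replace_memberships(user_id, claims.get("groups", []))
    return user_id


def scim_create_user(directory: Directory, body: dict) -> str:
    """Approach 2: handle a SCIM POST /Users body (RFC 7643 core User)."""
    if USER_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM User resource")
    user_id = body["externalId"]  # keyed by the IdP id, same value as the token 'sub'
    directory.users[user_id] = {"email": body["userName"], "active": body.get("active", True)}
    return user_id


def scim_patch_group(directory: Directory, group: str, body: dict) -> list[str]:
    """Approach 2: apply a SCIM PatchOp (RFC 7644 3.5.2) to a group's members."""
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp")
    members = directory.groups.setdefault(group, set())
    for op in body["Operations"]:
        action, path = op["op"].lower(), op.get("path", "")
        if action == "add" and path == "members":
            members.update(m["value"] for m in op["value"])
        elif action == "remove" and path == "members":
            members.difference_update(m["value"] for m in op["value"])
        elif action == "remove" and (m := re.fullmatch(r'members\[value eq "([^"]+)"\]', path)):
            members.discard(m.group(1))  # filter form of remove (RFC 7644 3.5.2.2)
        else:
            raise ValueError(f"unsupported operation: {op}")
    return sorted(members)


def demo(now: int = 1_700_000_000) -> dict:
    """Revoke 'finance' for one user in the IdP and compare what each approach sees."""
    jit, scim = Directory(), Directory()
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "u-42", "email": "alice@example.test"}
    jit_provision_from_id_token(jit, issue_id_token({**base, "exp": now + 300,
                                                      "groups": ["finance", "all-staff"]}), now)
    scim_create_user(scim, {"schemas": [USER_SCHEMA], "externalId": "u-42",
                            "userName": "alice@example.test", "active": True})
    scim_patch_group(scim, "finance", {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "Add", "path": "members", "value": [{"value": "u-42"}]}]})
    # The IdP removes alice from 'finance': SCIM pushes the change immediately,
    # while the JIT copy keeps the stale membership until her next login.
    scim_patch_group(scim, "finance", {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "Remove", "path": 'members[value eq "u-42"]'}]})
    stale = jit.memberships("u-42")
    jit_provision_from_id_token(jit, issue_id_token({**base, "exp": now + 360,
                                                      "groups": ["all-staff"]}), now + 60)
    return {"scim_after_revoke": scim.memberships("u-42"),
            "jit_before_relogin": stale, "jit_after_relogin": jit.memberships("u-42")}
```

`demo()` returns `{'scim_after_revoke': [], 'jit_before_relogin': ['all-staff', 'finance'], 'jit_after_relogin': ['all-staff']}`. The full-replace semantics in `replace_memberships` are the important design choice for the token approach: merging claims into existing memberships would never remove access, so a user moved out of a group in the IdP would keep their old knowledge access indefinitely. Even with full replace, the gap until the next login remains, which is what SCIM closes.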

These two approaches are described in more detail in the following sections.