Directory Sync (SCIM)
Directory Sync keeps your PromptGuard organization in lockstep with your identity provider. When you add, update, or deactivate a user in your directory (Okta, Microsoft Entra ID, Google Workspace, and more), PromptGuard reflects the change automatically — no manual invites, and no orphaned access when someone leaves.
Directory Sync is an Enterprise feature and works best alongside SSO. Talk to us to enable it.
Why use it
- Automatic onboarding — a new hire in your directory becomes a PromptGuard member without an invite.
- Automatic offboarding — deactivating a user in your directory revokes their PromptGuard access immediately. This is the control most security teams require.
- One source of truth — your directory, not a separate PromptGuard member list.
Prerequisites
- An Enterprise PromptGuard organization.
- The Owner or Admin role.
- A directory that supports SCIM 2.0 (most major IdPs do).
- SSO configured (recommended, so synced users sign in seamlessly).
Set up Directory Sync
Open the SSO settings
In the dashboard, go to Settings → SSO and click Configure Directory Sync. PromptGuard opens the secure, hosted setup portal for your organization.
Connect your directory
In the portal, choose your IdP and follow its guided steps to connect your directory. The portal gives you the SCIM endpoint URL and bearer token to paste into your IdP’s provisioning settings.
Assign users or groups
In your IdP, assign the users (or groups) who should have PromptGuard access to the connected application. Your IdP pushes them to PromptGuard.
What gets synced
| Directory event | Effect in PromptGuard |
|---|---|
| User created / assigned | Account provisioned and added to your organization as a Member |
| User profile updated | Name / email kept in sync |
| User deactivated / unassigned | Removed from your organization — access revoked |
Synced users join as Members. Promote anyone who needs elevated access to Admin or Owner in Settings → Team, or grant project-specific roles in project access settings. Role changes you make in PromptGuard are preserved across syncs.
Security
- Deprovisioning is immediate — when your IdP sends a deactivate event, the member’s PromptGuard sessions and access end right away.
- Directory Sync covers organization membership. It does not delete the user’s historical audit-log entries, which are retained for compliance.
Troubleshooting
Assigned users aren't appearing
Confirm the users (or their group) are assigned to the application in your IdP, and that provisioning/push is enabled there. It can take a minute for the first sync to propagate.
A removed user still has access
Check that your IdP sent a deactivate/unassign event. If the user signs in via a non-SSO method (e.g. a personal password set before SSO), remove them manually in Settings → Team and enforce SSO-only login.
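To check what your IdP actually sent, read its provisioning log against the standard SCIM 2.0 (RFC 7644) request shapes. The sketch below is an added example, not PromptGuard code: it classifies a request as provision, update or deprovision. The `/scim/v2` path, user IDs and sample requests are constructed, and how PromptGuard's endpoint handles each request is not specified on this page.

```python
import json

def _is_false(value):
    # Some IdPs send the boolean as the string "False" instead of JSON false.
    if isinstance(value, bool):
        return not value
    return isinstance(value, str) and value.strip().lower() == "false"

def _sets_active_false(op):
    # Covers {"op":"replace","path":"active","value":false} and the
    # path-less form {"op":"replace","value":{"active":false}}.
    if str(op.get("op", "")).lower() not in ("replace", "add"):
        return False
    path, value = op.get("path"), op.get("value")
    if path is None:
        return isinstance(value, dict) and _is_false(value.get("active", True))
    return str(path).lower() == "active" and _is_false(value)

def classify(method, path, body=""):
    """Map one SCIM 2.0 request to a directory event: provision, update, deprovision."""
    parts = [p for p in path.split("?")[0].split("/") if p]
    if "Users" not in parts:
        return "other"
    has_id = parts[-1] != "Users"
    doc = json.loads(body) if body else {}
    method = method.upper()
    if method == "POST" and not has_id:
        return "provision"
    if method == "DELETE" and has_id:
        return "deprovision"
    if method == "PUT" and has_id:
        return "deprovision" if _is_false(doc.get("active", True)) else "update"
    if method == "PATCH" and has_id:
        ops = doc.get("Operations", [])
        return "deprovision" if any(_sets_active_false(o) for o in ops) else "update"
    return "other"

# Constructed sample requests; the /scim/v2 prefix and user IDs are hypothetical.
SAMPLES = [
    ("POST", "/scim/v2/Users", '{"userName": "ana@example.com", "active": true}'),
    ("PATCH", "/scim/v2/Users/u1", '{"Operations": [{"op": "replace", "value": {"active": false}}]}'),
    ("PATCH", "/scim/v2/Users/u2", '{"Operations": [{"op": "Replace", "path": "active", "value": "False"}]}'),
    ("PATCH", "/scim/v2/Users/u3", '{"Operations": [{"op": "replace", "path": "name.givenName", "value": "Ana"}]}'),
    ("DELETE", "/scim/v2/Users/u4", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, "->", classify(method, path, body))
```

If a removed user's last logged request classifies as `update` or is missing altogether, the IdP never sent a deprovision event and the fix belongs in the IdP's assignment or provisioning settings.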
Next steps
Single Sign-On (SSO)
Let synced users sign in with your identity provider.
Organizations & Teams
Roles, members, and project-level access.