> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/identity-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/identity-support/user-guide/organization-admin-app/scim-automated-user-and-workspace-provisioning/user-lifecycle-management.md).

# User Lifecycle management

### I am new. Where should I start? <a href="#i-am-new.-where-should-i-start" id="i-am-new.-where-should-i-start"></a>

#### Purpose <a href="#purpose" id="purpose"></a>

This section explains how user accounts are created, managed, and removed throughout their lifecycle within the platform.

User Lifecycle Management ensures that:

* Users have the right access at the right time
* Access is removed promptly when no longer needed
* Identity data remains accurate and secure

***

#### Scope <a href="#scope" id="scope"></a>

This guide applies to:

* Personal accounts
* Business and enterprise accounts
* Users managed manually or via automated provisioning (SCIM)

It covers:

* User onboarding
* Account updates
* Access changes
* User offboarding

***

#### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Before managing user lifecycles, ensure that:

* You have administrative permissions (for business accounts)
* Your organization’s identity model is defined
* Security policies are configured (roles, MFA, access rules)

***

#### Overview <a href="#overview" id="overview"></a>

User Lifecycle Management spans the entire journey of a user account, from creation to deactivation.

The platform supports:

* Manual user management
* Automated lifecycle management through SCIM
* Centralized enforcement of security policies

***

#### Lifecycle stages <a href="#lifecycle-stages" id="lifecycle-stages"></a>

1. User creation
2. Profile and role updates
3. Ongoing access management
4. User deactivation or removal

***

### I already understand. How do I proceed step by step? <a href="#i-already-understand.-how-do-i-proceed-step-by-step" id="i-already-understand.-how-do-i-proceed-step-by-step"></a>

#### Step 1: User creation (Onboarding) <a href="#step-1-user-creation-onboarding" id="step-1-user-creation-onboarding"></a>

Users can be created through:

* Email-based sign-up
* Google sign-up (with password creation)
* Administrative invitation
* SCIM-based automated provisioning

During creation:

* Email verification is required
* Default roles and policies are applied
* Security settings inherit organization rules

***

#### Step 2: Profile and attribute management <a href="#step-2-profile-and-attribute-management" id="step-2-profile-and-attribute-management"></a>

Administrators can manage:

* User profile information
* Role assignments
* Group membership
* Organization-level access

When SCIM is enabled:

* The Identity Provider acts as the source of truth
* Attribute changes are synced automatically

***

#### Step 3: Access and Permission Updates <a href="#step-3-access-and-permission-updates" id="step-3-access-and-permission-updates"></a>

Access can be adjusted by:

* Updating roles
* Modifying group membership
* Applying security policies

Changes take effect immediately and are logged for audit purposes.

***

#### Step 4: Security enforcement <a href="#step-4-security-enforcement" id="step-4-security-enforcement"></a>

Throughout the user lifecycle:

* MFA policies are enforced
* Risk-based authentication may be applied
* Device, IP, or geo-based rules can restrict access

Security controls remain consistent across platforms.

***

#### Step 5: User deactivation or offboarding <a href="#step-5-user-deactivation-or-offboarding" id="step-5-user-deactivation-or-offboarding"></a>

When access is no longer required:

* Users can be deactivated manually
* SCIM can automatically disable users from the IdP
* Active sessions are revoked

Deactivated users:

* Cannot sign in
* Retain historical audit data

***

#### Additional notes <a href="#additional-notes" id="additional-notes"></a>

* Deleted users cannot be recovered
* Deactivation preserves audit history
* Manual changes may be overridden when SCIM is enabled
* All lifecycle events are recorded for compliance

***

#### Summary <a href="#summary" id="summary"></a>

* User Lifecycle Management controls access from onboarding to offboarding
* Automation reduces errors and administrative overhead
* Security policies are enforced consistently
* SCIM enables scalable enterprise user management
