Identity and Access Management in Axiom

Axiom IAM: Users, Groups, Scopes, SSO, and Identity Provider (IdP)

Updated over 3 months ago

Single Sign On (SSO)

Before your users can start using Axiom, you must configure single sign-on (SSO). Learn how

Users

Your first user is created for you by Axiom during your onboarding. This user is an Axiom Admin and can do anything in Axiom.

Other users are created in Axiom ("enrolled") either as a result of signing in using SSO, or by being included in a group that is configured for sync using the IdP sync feature.

All users start as regular users, and can be promoted to or demoted from the Axiom Admin role on the Users page.

Once a user is enrolled, they continue to exist in Axiom until explicitly removed. Currently you cannot remove users yourself; if you need to remove users, open a support ticket. Removing a user does not remove their history from Axiom: all requests previously made by them, requests approved by them, and so on remain in Axiom for future inspection.


IMPORTANT NOTES ABOUT USER REMOVAL:

  • Removing users does not invalidate (revoke) any access granted to them via Axiom. Before requesting removal, open the Requests page, filter the list by the username, and revoke their access for every request with status Approved. You can also use the Access Explorer to identify access they hold that is not managed by Axiom.

  • If the removed user is still active in your IdP and they sign in to Axiom again using SSO, or are synced to Axiom via IdP sync, they will be re-created, which may produce unexpected results. Only request user removal once the user has been permanently removed from your organization.

  • The only side effect of leaving a user enrolled in Axiom is that they still appear as a Principal (an available assignee) in the request form, so in theory a request could be made on their behalf, even if not by them, and approved. But since presumably you have disabled or removed them in your IdP and they can no longer sign in to Axiom via SSO, they have no way to use such a request even if it were made and approved.
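The three notes above amount to an offboarding checklist: revoke approved requests first, make sure the account is already disabled in the IdP so it will not be re-created, and keep an eye on users who remain enrolled in Axiom after leaving the IdP. The script below is an added example, not Axiom's own code or API. It assumes you have exported the Requests list (one record per request with requester, principal, approver and status) and the set of users still active in your IdP; the record shape, the status strings and the sample users are constructed for illustration.

```python
"""Offboarding reconciliation for an Axiom-style just-in-time access tool.

Added example, not Axiom code. Input formats below are assumptions: a list
of request records exported from the Requests page and a set of usernames
that are still active in the IdP.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class AccessRequest:
    request_id: str
    requester: str           # who submitted the request
    principal: str           # who receives the access (may differ from requester)
    approver: Optional[str]  # None while the request is pending
    status: str              # assumed values: "Approved", "Revoked", "Pending", "Denied"


# Constructed sample data, not a real export.
REQUESTS: List[AccessRequest] = [
    AccessRequest("req-1", "alice", "alice", "carol", "Approved"),
    AccessRequest("req-2", "alice", "alice", "carol", "Revoked"),
    AccessRequest("req-3", "bob", "alice", "carol", "Approved"),  # made on alice's behalf by bob
    AccessRequest("req-4", "alice", "bob", "alice", "Approved"),  # alice approved bob's access
    AccessRequest("req-5", "dave", "dave", None, "Pending"),
]
AXIOM_USERS: Set[str] = {"alice", "bob", "carol", "dave"}
IDP_ACTIVE_USERS: Set[str] = {"bob", "carol"}  # alice and dave already disabled in the IdP


def outstanding_grants(requests: Iterable[AccessRequest], user: str) -> List[AccessRequest]:
    """Approved requests where `user` is the principal.

    These survive user removal, so each one must be revoked first.
    Requests the user merely submitted or approved for someone else are history
    and are intentionally not listed.
    """
    return [r for r in requests if r.principal == user and r.status == "Approved"]


def stale_principals(axiom_users: Set[str], idp_active: Set[str]) -> List[str]:
    """Users still enrolled in Axiom but no longer active in the IdP.

    They remain selectable as principals in the request form.
    """
    return sorted(axiom_users - idp_active)


def removal_blockers(requests: Iterable[AccessRequest], idp_active: Set[str], user: str) -> List[str]:
    """Reasons not to file a removal ticket for `user` yet."""
    blockers: List[str] = []
    if user in idp_active:
        # Removal would be undone by the next SSO login or IdP sync.
        blockers.append(f"{user} is still active in the IdP; SSO or IdP sync would re-create the user")
    grants = outstanding_grants(requests, user)
    if grants:
        ids = ", ".join(r.request_id for r in grants)
        blockers.append(f"{user} has {len(grants)} approved request(s) to revoke first: {ids}")
    return blockers


def offboarding_checklist(
    requests: Iterable[AccessRequest], axiom_users: Set[str], idp_active: Set[str]
) -> Dict[str, List[str]]:
    """One entry per stale principal; an empty list means the removal ticket can be filed."""
    requests = list(requests)
    return {u: removal_blockers(requests, idp_active, u) for u in stale_principals(axiom_users, idp_active)}


if __name__ == "__main__":
    for user, blockers in offboarding_checklist(REQUESTS, AXIOM_USERS, IDP_ACTIVE_USERS).items():
        state = "ready for removal ticket" if not blockers else "NOT ready"
        print(f"{user}: {state}")
        for b in blockers:
            print(f"  - {b}")
```

On the sample data this reports alice as not ready (req-1 and req-3 are still Approved, even though req-3 was requested by someone else) and dave as ready, while bob is never listed because he is still active in the IdP. Run the checklist again after revoking the listed requests, and only then open the support ticket.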

Groups

Axiom does not manage groups - you do this in your IdP. Axiom can keep IdP groups synced to Axiom, allowing you to manage Scopes by groups, and providing automatic enrollment. Learn more about IdP sync

Scopes

Scopes control what the users can request access for, and who can approve these requests. Learn more about Scopes

IdP sync

The IdP sync feature allows you to define your authoritative identity provider, select which groups to keep synced to Axiom, and then use these groups for Scopes. Users who are added to, removed from, or disabled in groups on the IdP side are then automatically assigned to or unassigned from these scopes. Users in these groups are also automatically enrolled in Axiom. Learn more about IdP sync
