Automated user provisioning for supply planning using Azure AD integration reduced onboarding time by 60% for new planners

I wanted to share our successful implementation of automated user provisioning for Manhattan Associates logistics management module through HRIS integration using SCIM (System for Cross-domain Identity Management). This project reduced our onboarding time from 3-4 days to under 2 hours.

Background: Our logistics operation has high employee turnover in warehouse coordinator and dispatcher roles. We were manually creating user accounts in Manhattan after receiving new hire paperwork from HR, which created delays and inconsistencies in access provisioning. We also had issues with terminated employees retaining access because deprovisioning wasn’t automated.

Solution: We implemented SCIM 2.0 integration between our HRIS (Workday) and Manhattan Associates, enabling automatic user account creation, updates, and deactivation based on HR events. The integration provisions users into appropriate roles based on job titles and department codes from HRIS.

Key Benefits:

• Onboarding time reduced from 3-4 days to under 2 hours
• Zero manual user creation errors
• Automatic deprovisioning on termination (same day)
• Consistent role assignments based on job function
• Full audit trail of provisioning events

Happy to share technical details if others are considering similar automation.

Great implementation! One question about attribute mapping - how do you handle complex scenarios like temporary role assignments or contractors who need different access levels than full-time employees? SCIM is great for standard provisioning but sometimes the nuances of business requirements don’t map cleanly to HRIS attributes.

Manhattan doesn’t have native SCIM support out of the box, so we built a SCIM gateway service that sits between Workday and Manhattan’s API. The gateway translates SCIM requests into Manhattan API calls. For role mapping, we created a configuration table that maps HR job codes to Manhattan role profiles. For example, job code ‘WH-COORD-01’ maps to the ‘Warehouse Coordinator’ role in Manhattan, which has specific permissions for logistics management functions.

Excellent use case! I’m curious about your SCIM gateway architecture. Are you using an off-the-shelf identity broker or did you build custom middleware? Also, how are you handling SCIM filtering and pagination for large user populations? Manhattan’s API might have rate limits that could impact bulk synchronization operations.

Let me provide a comprehensive overview of our SCIM-based automated provisioning implementation for Manhattan Associates logistics management.

Architecture Overview

We built a custom SCIM 2.0 gateway service rather than using an off-the-shelf broker because we needed tight control over the attribute mapping logic and Manhattan API integration. The architecture has three main components:

1. SCIM Gateway Service: Node.js application that implements SCIM 2.0 server endpoints
2. Attribute Mapping Engine: Configuration-driven mapper between HRIS attributes and Manhattan user profiles
3. Manhattan API Client: Handles authentication and API calls to Manhattan’s user management endpoints

SCIM Endpoint Configuration

Our SCIM gateway implements these core endpoints:

User Operations:

• POST /scim/v2/Users - Create new user in Manhattan
• GET /scim/v2/Users/{id} - Retrieve user details
• PUT /scim/v2/Users/{id} - Update user attributes
• PATCH /scim/v2/Users/{id} - Partial user updates
• DELETE /scim/v2/Users/{id} - Deactivate user (soft delete)

Query Operations:

• GET /scim/v2/Users?filter=… - Search users
• GET /scim/v2/Users?startIndex=1&count=100 - Paginated retrieval

Workday Configuration: In Workday, we configured Manhattan as a provisioning target with these settings:

• SCIM endpoint URL: https://scim-gateway.company.com/scim/v2
• Authentication: OAuth2 client credentials
• Provisioning events: Hire, Termination, Job Change, Department Transfer
• Sync schedule: Real-time for critical events, hourly batch for updates

HRIS Attribute Mapping

We map Workday attributes to Manhattan user fields through a configuration table:

Identity Attributes:

• Workday Employee ID → Manhattan User ID
• Email Address → Manhattan Email (used for notifications)
• First Name + Last Name → Manhattan Display Name
• Department Code → Manhattan Facility Assignment
• Job Title → Manhattan Role Profile (via mapping table)

Role Mapping Logic:

We created a role mapping configuration that translates job codes to Manhattan roles:

Logistics Management Roles:

• Job Code ‘LOG-COORD’ → Role: Logistics Coordinator
  • Permissions: View shipments, update tracking, assign carriers
• Job Code ‘LOG-MGR’ → Role: Logistics Manager
  • Permissions: All coordinator permissions + approve shipments, manage routes
• Job Code ‘DISPATCH’ → Role: Dispatcher
  • Permissions: Assign loads, update driver status, manage schedules

Warehouse Roles (for cross-functional users):

• Job Code ‘WH-SUPER’ → Role: Warehouse Supervisor
  • Permissions: View inventory, manage picks, approve adjustments

Multi-Role Assignment: Users with department code ‘LOG-WH-CROSS’ get both logistics and warehouse roles automatically.

Automated Provisioning Workflow

New Hire Scenario:

1. HR Event: New employee created in Workday
2. SCIM Request: Workday sends POST /scim/v2/Users with employee attributes
3. Gateway Processing:
   • Validates SCIM payload
   • Looks up role mapping based on job code
   • Determines facility assignment from department code
   • Generates unique Manhattan username (firstname.lastname format)
4. Manhattan API Calls:
   • Create user account with mapped attributes
   • Assign role profiles based on job code
   • Set facility access permissions
   • Enable account (active status)
5. Response: SCIM gateway returns user ID and provisioning status
6. Notification: Automated email sent to new hire with login credentials

Typical processing time: 45-90 seconds from Workday event to active Manhattan account

Termination Scenario:

1. HR Event: Employee terminated in Workday
2. SCIM Request: DELETE /scim/v2/Users/{id}
3. Gateway Processing:
   • Validates termination is authorized
   • Checks for active sessions in Manhattan
   • Logs termination event for audit
4. Manhattan API Calls:
   • Disable user account (soft delete, preserves audit history)
   • Revoke active sessions
   • Remove from active user groups
   • Maintain historical data for compliance
5. Response: Confirmation of deactivation
6. Notification: Alert sent to IT security team

Processing time: Under 5 minutes (typically 2-3 minutes)

Job Change/Transfer Scenario:

1. HR Event: Employee job title or department changes in Workday
2. SCIM Request: PATCH /scim/v2/Users/{id} with updated attributes
3. Gateway Processing:
   • Compares new job code to existing role assignments
   • Determines if role change is needed
   • Identifies new facility access requirements
4. Manhattan API Calls:
   • Update user profile attributes
   • Add new role profiles (if job code changed)
   • Remove old role profiles (if no longer applicable)
   • Update facility assignments
5. Response: Confirmation of updates
6. Notification: Email to user and manager about access changes

Exception Handling and Edge Cases

Contractors and Temporary Workers:

• Workday employment type ‘Contractor’ → Manhattan role suffix ‘-Contractor’
• Limited permissions profile (read-only for most operations)
• Automatic expiration date set based on contract end date
• Email reminders sent 30 days before expiration

Manual Access Overrides:

• Self-service portal for managers to request exceptions
• Approval workflow (manager → IT security → auto-approval for standard requests)
• Exceptions stored in separate database table
• SCIM updates check exception table and preserve manual grants
• Quarterly review process for all active exceptions

Cross-Functional Roles:

• Department code determines base role profile
• Additional roles granted based on ‘Secondary Department’ attribute in Workday
• Maximum of 3 role profiles per user (prevents permission creep)
• Annual access certification for multi-role users

Handling SCIM Filtering and Pagination

Pagination Strategy: Manhattan API has rate limit of 100 requests/minute, so we implemented:

• Page size: 50 users per request
• Throttling: 500ms delay between requests
• Batch processing during off-peak hours (2-4 AM)
• Incremental sync: Only users modified since last sync

Filtering Implementation: Support for common SCIM filters:

• filter=userName eq "john.doe" - Exact match lookups
• filter=department eq "Logistics" - Department-based queries
• filter=active eq true - Active user lists
• filter=meta.lastModified gt "2025-06-01T00:00:00Z" - Incremental sync

Technical Implementation Details

SCIM Gateway Stack:

• Runtime: Node.js 18 with Express framework
• SCIM Library: Custom implementation (SCIM 2.0 spec compliant)
• Database: PostgreSQL for mapping tables and audit logs
• Cache: Redis for session management and rate limiting
• Monitoring: Prometheus metrics + Grafana dashboards

Security Measures:

• OAuth2 client credentials for Workday authentication
• Mutual TLS for Manhattan API communication
• Encrypted attribute storage (PII data)
• Audit logging of all provisioning events
• Anomaly detection for unusual provisioning patterns

Key Performance Metrics (After 6 Months)

Efficiency Gains:

• Onboarding time: 3-4 days → 2 hours (95% reduction)
• Manual provisioning errors: 12-15/month → 0
• Deprovisioning lag: 2-5 days → Same day (100% automated)
• IT admin time saved: 40 hours/month

Security Improvements:

• Orphaned accounts eliminated (previously 15-20 per quarter)
• Access certification accuracy: 98% (up from 75%)
• Audit compliance score: 100% (SOC 2 requirement)
• Average time to revoke access on termination: 2.5 minutes

User Satisfaction:

• New hire access readiness: 98% (access ready on day 1)
• Role assignment accuracy: 96% (minimal manual corrections)
• Manager satisfaction with provisioning speed: 9.2/10

Lessons Learned and Recommendations

What Worked Well:

• Configuration-driven role mapping (easy to update without code changes)
• Separate exception handling for edge cases
• Real-time provisioning for critical events (hire/termination)
• Comprehensive audit logging for compliance

Challenges Overcome:

• Manhattan API rate limits required throttling and batch processing
• Complex role mapping logic needed extensive testing
• Exception handling added significant complexity
• Initial data migration from manual accounts took 3 weeks

Future Enhancements:

• Implement SCIM group provisioning for team-based access
• Add self-service access request portal for end users
• Integrate with identity governance platform for periodic access reviews
• Expand to other Manhattan modules (warehouse, transportation)

Implementation Timeline

For organizations considering similar automation:

• Weeks 1-2: Requirements gathering and role mapping design
• Weeks 3-6: SCIM gateway development and testing
• Weeks 7-8: Manhattan API integration and error handling
• Weeks 9-10: Workday configuration and testing
• Weeks 11-12: User acceptance testing and exception handling
• Week 13: Production rollout (pilot group)
• Week 14: Full production deployment

Total project duration: 14 weeks with 2 developers and 1 architect.

This implementation has been transformational for our logistics operations, eliminating manual provisioning bottlenecks and significantly improving our security posture through automated deprovisioning. The investment in building a robust SCIM gateway has paid off through time savings, error reduction, and compliance improvements.

This sounds like exactly what we need! We’re still doing manual provisioning and it’s a nightmare. Can you share more about the SCIM endpoint configuration? Did Manhattan Associates have native SCIM support or did you need to build a custom adapter? Also curious about how you handle role mapping from HR job titles to Manhattan roles.