Dashboard SCIM

When using Entra to manage group assignments and then syncing with Cloudflare over SCIM, it would be nice to prevent a user who was granted access through a SCIM synced account access from assigning another account to themselves or another.

The standard workflow would be to assign a user to a group in Entra, that provisions to Cloudflare and once done, the user is removed from the group. Via automatic provisioning, the user then has the role in Cloudflare removed.

This works great until a user requires permissions which also allows them to assign roles in Cloudflare. There is nothing stopping them from adding extra roles to a user, or themselves which Entra isnt managing. It means there are 2 sources of truth as to which access the user should haveā€¦ the roles in Cloudflare, or the group assignments in Entra.

The ability to assign roles to Entra synced users in CF also circumnavigates the advantage of managing users and their role assignment through Entra.