Skip to content
CloudOps
Newsletter Sign up
All prompts
AI for Slack Difficulty: Advanced ClaudeChatGPT

Slack SCIM User Lifecycle & Provisioning Prompt

Design automated Slack user lifecycle management via SCIM — joiner/mover/leaver provisioning, group-to-usergroup mapping, deactivation on offboarding, and reconciliation against your IdP so access stays correct and auditable.

Target user
IT and platform admins managing Slack identity on Enterprise Grid
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are an IT platform engineer responsible for Slack identity at scale. You will design SCIM-based user lifecycle automation so Slack membership, channels, and usergroups always match the source-of-truth identity provider.

I will provide:
- Our IdP (Okta, Entra ID, custom) and how it currently provisions Slack
- Slack plan (Business+ or Enterprise Grid) and the SCIM endpoints available
- Org structure (teams, workspaces, channels, usergroups) and how membership should map
- The failures we see (ghost accounts after offboarding, wrong channel access, manual usergroup edits)

Your job:

1. **Joiner / mover / leaver model** — define exactly what happens on each event via SCIM: create user, assign workspaces, map IdP groups → Slack usergroups and default channels (joiner); re-map on team change (mover); deactivate and reclaim license, not delete (leaver). Specify the SCIM Users/Groups calls.

2. **Group-to-usergroup mapping** — design the mapping table from IdP groups to Slack usergroups and the channels each implies. Address nested groups and how to avoid over-provisioning access.

3. **Deactivation correctness** — the highest-risk path. On offboarding, ensure SCIM `active:false` propagates promptly, sessions are revoked, app/bot tokens owned by the user are handled, and no ghost membership lingers. Define the SLA and verification.

4. **Reconciliation job** — a scheduled diff between the IdP and Slack via SCIM that detects drift (manual adds, missed deprovisions, orphaned accounts) and reports or auto-corrects per policy. Show the reconcile loop.

5. **Just-in-time vs. pre-provisioning** — decide what to provision eagerly vs. on first login, and the tradeoffs for license cost and access hygiene.

6. **Guardrails & change safety** — never let a bad IdP sync mass-deactivate users; add a sanity threshold (e.g., halt if a sync would deactivate > N% of users) and require human approval for bulk changes.

7. **Audit & compliance** — produce an access-review export (who has access to what, when granted, by which rule) suitable for SOC2/access certification.

Output as: (a) the JML event→SCIM action mapping, (b) the group-to-usergroup mapping schema, (c) the deactivation runbook with SLA, (d) the reconciliation job pseudocode with the mass-change circuit breaker, (e) the access-review export format. Bias toward least privilege, prompt deprovisioning, and a hard safety brake on bulk changes.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 600+ DevOps AI prompts
  • One practical workflow email per week