Identity & Access Management overview
The Identity & Access Management (IAM) section is the single place where IT administrators and Data Protection Officers control who can log in to DPMS, how user accounts are created and removed, and which external systems are allowed to talk to the DPMS API. Every other module in DPMS — from Records of Processing Activities to Data Subject Request workflows — depends on IAM being correctly configured. If SSO is broken, staff cannot log in. If SCIM is not running, new employees do not appear. If API tokens are missing or expired, integrations go silent. Getting IAM right is a prerequisite for everything else.
How to open it
Navigate to the left-hand sidebar and click IT Settings, then click Identity & Access Management. The menu expands automatically to show eight child items: Local, SAML / OAuth, SCIM2, Roles Mapping, Tokens, Logs, Active Directory, and Notifications.
You need the IT Settings – IAM read permission to see this section at all. Without it, the menu item is hidden. To make any changes you also need the IT Settings – IAM edit permission; without it you can read every sub-screen but all edit buttons are disabled and show a tooltip explaining why.
What you see
The IAM section uses the same two-level sidebar layout that runs throughout DPMS. The outer bar is the main application navigation; the inner bar is the IT Settings sub-navigation, with the IAM group expanded to show each topic as a clickable child item. The currently active item is highlighted.
Across the top of every sub-screen you will find a breadcrumb trail: IT Settings → Identity & Access Management → the name of the current topic. To the right of the topic name there are two small chevron arrows that let you jump to the previous or next IAM sub-screen without going back to the sidebar — handy when you are working through the settings in sequence.
Each sub-screen shows a blue bold section heading, a horizontal divider, and then a data card with a two-column layout: labels on the left in semibold blue, values on the right. A small green dot appears next to any value that represents something active or connected. Action buttons (like Sync, Activate, Deactivate, and Delete All Users) appear in the top-right corner of the card, alongside the Edit button.
Working with this screen
Setting up Single Sign-On for the first time
Your company wants staff to log in with their Microsoft, Google, or other corporate accounts instead of a separate DPMS password. Navigate to SAML / OAuth in the left sidebar.
If no SSO has been configured, the card is empty. Click Edit in the top-right corner. On the edit form, choose the protocol using the toggle at the top: SAML2 for a certificate-based federation, or OAuth2 for a login flow in which DPMS authenticates users at your IdP using a client ID and secret (the default for Microsoft and Google). Then pick a Configuration Template — Microsoft, Google, or Custom. Choosing a template pre-fills the attribute mapping fields with sensible defaults so you do not have to look up every field name yourself.
For Microsoft OAuth2: enter your Azure Tenant ID, then copy the Redirect URL shown in the SP fields and paste it into your Microsoft Entra application registration. Return to DPMS and fill in the Client ID and Client Secret from Entra. Set an Expiration Date (a year from today is common). In the Allowed Domains field enter the email domains that should be allowed to use SSO, separated by commas (e.g. yourcompany.com).
For SAML2: DPMS auto-generates four SP URLs (Entity ID, Login URL, Logout URL, and ACS URL). Each one has a small clipboard icon next to it — click it to copy the URL to your clipboard, then paste it into your IdP's application settings. To import IdP metadata automatically, paste your IdP's metadata URL into the IdP Metadata URL field and click the link icon beside it; DPMS fetches and fills in the Entity ID, Login URL, Logout URL, and x.509 certificate for you.
Once everything is filled in, click Save. DPMS stores the configuration and returns you to the SAML/OAuth read view, which now shows the status as active (green dot). Users who log in with an email address matching one of the allowed domains will now be redirected to your IdP.
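The metadata import and certificate handling described above, as an added example that is not DPMS code: it pulls the Entity ID, Login URL, Logout URL and signing certificate out of SAML IdP metadata and normalises a pasted certificate the way the x.509 field does (PEM armour and whitespace stripped). The sample metadata, the host idp.example.test and the certificate body are constructed placeholders; preferring the HTTP-Redirect binding and refusing plain-http endpoints are this example's own choices, and the standard library parser is used only because it runs offline (for metadata fetched from a URL you do not fully trust, defusedxml is the safer drop-in).

```python
import base64
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces and the HTTP-Redirect binding URI.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder certificate body: valid base64, not a real DER certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed sample IdP metadata (idp.example.test is a placeholder host).
# The certificate is split across lines on purpose to exercise whitespace stripping.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64[:20]}
        {FAKE_CERT_B64[20:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.test/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso-post"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def normalize_certificate(text):
    """Strip PEM armour lines and all whitespace, then prove the rest is base64.

    Mirrors what the certificate field does to a pasted or uploaded .pem; the
    same normalisation is applied to certificates found in metadata.
    """
    lines = [line.strip() for line in text.splitlines()]
    body = "".join(line for line in lines if not line.startswith("-----"))
    body = "".join(body.split())
    if not body:
        raise ValueError("certificate is empty")
    try:
        base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate is not valid base64") from exc
    return body


def _endpoint(idp, tag):
    """Pick the HTTP-Redirect endpoint when offered, else the first one listed.

    Refuses plain-http locations: a login or logout URL over http would let an
    on-path attacker read or forge the SAML exchange.
    """
    nodes = idp.findall(tag, NS)
    if not nodes:
        return None
    chosen = next((n for n in nodes if n.get("Binding") == HTTP_REDIRECT), nodes[0])
    location = chosen.get("Location", "")
    if not location.startswith("https://"):
        raise ValueError(f"{tag} endpoint is not https: {location!r}")
    return location


def parse_idp_metadata(xml_text):
    """Extract the values the SAML edit form needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP (no IDPSSODescriptor)")

    certificates = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # skip encryption-only keys
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certificates.append(normalize_certificate(cert.text or ""))
    if not certificates:
        raise ValueError("metadata carries no signing certificate")

    return {
        "entity_id": entity_id,
        "login_url": _endpoint(idp, "md:SingleSignOnService"),
        "logout_url": _endpoint(idp, "md:SingleLogoutService"),
        "certificate": certificates[0],
        # More than one signing certificate usually means a key rollover is in progress.
        "signing_certificates": certificates,
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

When the import fills the form for you, compare the fetched Entity ID and URLs against what your IdP administrator expects before saving; a metadata document that lists several signing certificates is a sign the IdP is rotating keys, and the one you paste must be the one currently used to sign assertions.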
Heads up: If you switch the SSO type from SAML2 to OAuth2 (or the other way around) on an already-saved configuration, the form will ask you to confirm before saving. Changing the type can affect active sessions and existing SCIM tokens.
Synchronising users from Microsoft Entra ID on demand
Your company uses Entra ID as its authoritative source for users and groups, and you want DPMS to reflect a new batch of employees without waiting for the next scheduled sync.
First confirm that Entra ID has been enabled: go to SAML / OAuth, open the edit form, and check that the Enable Entra ID toggle is on (note that enabling it automatically disables SCIM2, since the two are mutually exclusive). Save if you have made changes.
Now go to Active Directory in the sidebar. The screen shows the current AD Status (Connected or Disconnected), the number of groups and members already synced, and the timestamps of the last sync attempt and last successful sync. Click the Sync Active Directory button. A confirmation toast appears, the button's icon becomes a spinning loader, and the button is disabled so you cannot trigger a duplicate. Behind the scenes, DPMS polls the job-status endpoint every five seconds. When the sync completes, the Groups Synced, Members Synced, Last Sync Attempt, and Last Sync fields all update automatically — no page reload needed.
If the connection is showing as Disconnected, use the Activate button (blue) to reconnect it. When it is Connected and you need to temporarily pause the integration without deleting the configuration, use the Deactivate button (red).
Tip: You do not need to stay on the Active Directory screen while a sync runs. The polling happens in the background, and the screen checks the current status every time you arrive.
Configuring the password policy for local accounts
Your security policy has been updated and you need to enforce stronger passwords for users who log in with a DPMS username and password (as opposed to SSO).
Go to Local in the sidebar. The read view shows the current state of all password rules at a glance. Click Edit. On the edit form:
- Make sure the Local Users toggle is on — if it is off, username/password login is disabled entirely.
- Turn on Enforce Two-FA if every local user must complete a second factor on login. Note: this toggle is only editable on the root/parent company account. Sub-accounts inherit the setting and cannot change it.
- Under Password Requirements, enable whichever complexity rules apply: Uppercase, Lowercase, One Digit, and Special Characters. When you enable Special Characters, an extra text field appears — type in every character you want to allow (e.g. !@#$%).
- Set Min Length and Max Length (both must be between 4 and 50).
- Set the Reset Timer — the number of minutes before a password-reset link expires (between 5 and 60 minutes).
Click Save. A success toast confirms the update. The new rules apply immediately to all local user accounts across the entire company, including the password-change and registration flows.
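The password rules described above, as an added example that is not DPMS code: a policy object with the fields of the Local edit form, the range checks the form applies before saving, and a checker that reports which rules a candidate password breaks. Two points are this example's own assumptions rather than documented behaviour: that with Special Characters on, any non-alphanumeric character outside the allowed list is rejected (the field asks for "every character you want to allow"), and that at least one allowed special character is required. The ranges follow the field reference below.

```python
from dataclasses import dataclass

DIGITS = "0123456789"


@dataclass
class LocalPasswordPolicy:
    # Field names follow the Local edit form; defaults follow the field reference.
    local_users: bool = True
    enforce_two_fa: bool = False
    uppercase: bool = False
    lowercase: bool = False
    one_digit: bool = False
    special_characters: bool = False
    allowed_characters: str = ""  # only consulted when special_characters is on
    min_length: int = 5
    max_length: int = 50
    reset_timer_minutes: int = 60

    def __post_init__(self):
        # The form removes duplicate allowed characters; do the same, keeping order.
        self.allowed_characters = "".join(dict.fromkeys(self.allowed_characters))


def validate_policy(p):
    """Return the range violations the edit form would refuse to save."""
    errors = []
    if not 4 <= p.min_length <= 50:
        errors.append("min_length must be 4-50")
    if not 5 <= p.max_length <= 50:
        errors.append("max_length must be 5-50")
    if p.min_length > p.max_length:
        errors.append("min_length exceeds max_length")
    if not 5 <= p.reset_timer_minutes <= 60:
        errors.append("reset_timer must be 5-60 minutes")
    if p.special_characters and not 1 <= len(p.allowed_characters) <= 255:
        errors.append("allowed_characters must be 1-255 characters")
    return errors


def check_password(p, password):
    """Return the rules a candidate password breaks (empty list means acceptable).

    Assumption (not stated on the page): with Special Characters on, a
    non-alphanumeric character that is not in the allowed list is rejected,
    and at least one allowed special character is required.
    """
    if not p.local_users:
        return ["local-login-disabled"]
    violations = []
    if len(password) < p.min_length:
        violations.append("too-short")
    if len(password) > p.max_length:
        violations.append("too-long")
    if p.uppercase and not any(c.isupper() for c in password):
        violations.append("uppercase")
    if p.lowercase and not any(c.islower() for c in password):
        violations.append("lowercase")
    if p.one_digit and not any(c in DIGITS for c in password):
        violations.append("digit")
    if p.special_characters:
        specials = [c for c in password if not c.isalnum()]
        if not specials:
            violations.append("special")
        disallowed = sorted({c for c in specials if c not in p.allowed_characters})
        if disallowed:
            violations.append("disallowed:" + "".join(disallowed))
    return violations


if __name__ == "__main__":
    policy = LocalPasswordPolicy(uppercase=True, lowercase=True, one_digit=True,
                                 special_characters=True, allowed_characters="!@#$%",
                                 min_length=12)
    for candidate in ("CorrectHorse1!", "correcthorse1!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(policy, candidate) or "ok")
```

Run your intended policy through a checker like this against a handful of passwords your staff actually use before clicking Save: the rules apply immediately to every local account, so an allowed-character list that omits a common symbol will break password changes company-wide the moment it is stored.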
Creating an API token for an external integration
A third-party system needs to connect to DPMS — for example, an HR platform that provisions accounts via SCIM, or the DPMS AI assistant (MCP) that needs to authenticate against the AI backend.
Go to Tokens in the sidebar. The table shows all existing tokens, with filter tabs for Active and Expired. Click Create Token in the top-right corner.
On the creation form:
- Enter a descriptive Name so you can identify this token later (e.g. HR System SCIM Token).
- Select a Type: SCIM for a SCIM provisioning connection, MCP for the AI assistant, or another available type. The type cannot be changed after the token is saved.
- Choose a Validity period: 182, 365, 548, or 731 days, or select Custom and enter the exact number of days (maximum 3,652 days / 10 years). The Expiration Date field updates automatically.
- Optionally add a Comment to remind yourself what this token is for.
- If the type is MCP, a read-only URL field appears showing the MCP endpoint — copy it for use in your integration.
Click Save. A confirmation toast appears for 15 seconds. Click the confirm button inside it. DPMS generates the token and immediately navigates you to the Token Generation screen, which shows the full token value — this is the only time the complete token is visible. Copy it now and store it securely in a password manager or your integration's secret configuration.
Heads up: Once you leave the Token Generation screen there is no way to retrieve the full token value again. If you lose it you must delete the token and create a new one.
Mapping external directory groups to DPMS roles
When users log in via SSO or are provisioned via SCIM, DPMS needs to know what permissions they should have. Roles Mapping is what connects membership in an Entra ID or SCIM group to a specific DPMS role.
Go to Roles Mapping in the sidebar. The read view shows one row per DPMS role (except Superadmin, which cannot be mapped externally), and for each role it lists the external groups currently mapped to it, including the group name and number of members.
Click Edit. The edit form opens with two tabs:
- General: For each DPMS role, an async dropdown lets you search for and select external groups. Start typing a group name to search. You can also type a brand-new group name and press Enter to create it on the fly — DPMS saves the new group immediately. Select as many groups as needed for each role.
- Groups: A table of all external groups in DPMS, with options to create new groups using the Create button or delete existing ones via the three-dot menu on each row.
Click Save on the General tab. After saving, DPMS redirects you to the Roles Mapping read view with the Groups tab active so you can review the full group list.
Tip: Roles Mapping applies regardless of whether users come in via SAML, OAuth2, or SCIM2. If a user's external group is not mapped to any DPMS role, they may receive no permissions at all. Always review the mapping after restructuring your directory groups.
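The role resolution the tip describes, as an added example that is not DPMS code: it resolves the roles a user obtains from the group names their IdP or SCIM source delivers, and runs the review the tip asks for after a directory restructure, listing users who would arrive with no role and groups that no role refers to. The mapping, the user list and the group names are constructed; exact, case-sensitive group-name matching is this example's assumption.

```python
SUPERADMIN = "Superadmin"  # the one DPMS role that cannot be mapped externally

# Constructed mapping: DPMS role -> external group names, as saved on the General tab.
ROLE_MAPPING = {
    "DPO": {"dpms-dpo"},
    "Editor": {"dpms-editors", "privacy-champions"},
    "Reader": {"all-staff"},
}

# Constructed users with the group names their IdP or SCIM source delivers
# (for SAML/OAuth this is the attribute named in the Groups mapping field).
USERS = {
    "alice@yourcompany.com": ["all-staff", "dpms-dpo"],
    "bob@yourcompany.com": ["all-staff", "dpms-editors"],
    "carol@yourcompany.com": ["contractors"],  # real group, mapped to nothing
    "dave@yourcompany.com": [],                # no group claim at all
}


def validate_mapping(mapping):
    """Problems the Roles Mapping screen refuses, plus roles nobody can obtain."""
    errors = []
    if SUPERADMIN in mapping:
        errors.append("Superadmin cannot be mapped to external groups")
    for role, groups in mapping.items():
        if not groups:
            errors.append(f"role {role!r} has no external group; nobody can obtain it via SSO/SCIM")
    return errors


def resolve_roles(mapping, groups):
    """Roles a user receives from the groups in their login or provisioning payload.

    Assumption: group names match exactly (case-sensitive), as a saved mapping would.
    """
    member_of = set(groups)
    return sorted(role for role, mapped in mapping.items() if mapped & member_of)


def users_without_roles(mapping, users):
    """Accounts that would land in DPMS with no permissions at all."""
    return sorted(user for user, groups in users.items() if not resolve_roles(mapping, groups))


def unmapped_groups(mapping, users):
    """Groups seen on real users that no role refers to; the usual cause of the above."""
    mapped = set().union(*mapping.values()) if mapping else set()
    seen = {g for groups in users.values() for g in groups}
    return sorted(seen - mapped)


def groups_granting(mapping, role):
    """Reverse lookup for privilege review: which external groups confer a role."""
    return sorted(mapping.get(role, set()))


if __name__ == "__main__":
    print("mapping problems:", validate_mapping(ROLE_MAPPING) or "none")
    for user, groups in USERS.items():
        print(user, "->", resolve_roles(ROLE_MAPPING, groups) or "NO ROLE")
    print("users without roles:", users_without_roles(ROLE_MAPPING, USERS))
    print("unmapped groups:", unmapped_groups(ROLE_MAPPING, USERS))
    print("groups granting DPO:", groups_granting(ROLE_MAPPING, "DPO"))
```

The reverse lookup is the check to run in the other direction: a broad group such as all-staff mapped to a privileged role grants that role to everyone the directory puts in the group, which is the "too much access" case the mapping can silently create.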
Setting up token expiration notifications
DPMS can warn you by email before an API or SCIM token expires, giving you time to rotate it before integrations break.
Go to Notifications in the sidebar. Click Edit. Enter the Token Notification Email address that should receive the warnings. In the Token Notification Days field, enter a comma-separated list of positive integers representing how many days before expiry each reminder should be sent — for example, 30, 14, 7, 1 sends four warnings.
Check the Maximum value (days) label shown below the field: any number you enter that exceeds your company's maximum token lifetime will be rejected. Click Save. DPMS returns you to the Notifications read view.
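The notification schedule described above, as an added example that is not DPMS code: it parses the Token Notification Days field with the same validation the form applies (positive integers, duplicates dropped, nothing above the Maximum value) and then works out, for a token inventory on a given day, which tokens hit a reminder day and which have already expired. The token names, expiry dates and the maximum of 365 days are constructed for the example.

```python
from datetime import date


def parse_notification_days(raw, maximum_days):
    """Parse the Token Notification Days field the way the form validates it.

    Accepts a comma-separated list of positive integers, drops duplicates,
    rejects anything above the company's Maximum value (days), and returns the
    reminder days in descending order (earliest warning first).
    """
    days = set()
    for part in raw.split(","):
        part = part.strip()
        if not part:
            continue
        if not part.isdigit() or int(part) <= 0:
            raise ValueError(f"not a positive integer: {part!r}")
        value = int(part)
        if value > maximum_days:
            raise ValueError(f"{value} exceeds Maximum value (days) of {maximum_days}")
        days.add(value)
    if not days:
        raise ValueError("at least one reminder day is required")
    return sorted(days, reverse=True)


# Constructed token inventory; names echo the page's examples, dates are made up.
TOKENS = [
    {"name": "HR System SCIM Token", "expires": "2025-07-01"},
    {"name": "AI assistant MCP token", "expires": "2025-06-10"},
    {"name": "Archive export token", "expires": "2025-12-31"},
]


def reminders_due(tokens, reminder_days, today):
    """Tokens needing attention on `today` (ISO date string).

    Returns (name, days_left, status) tuples: 'reminder' when days_left is one of
    the configured notification days, 'expired' when the token is already past
    its expiry date (its integration has gone silent; rotate it now).
    """
    today = date.fromisoformat(today)
    wanted = set(reminder_days)
    due = []
    for token in tokens:
        days_left = (date.fromisoformat(token["expires"]) - today).days
        if days_left < 0:
            due.append((token["name"], days_left, "expired"))
        elif days_left in wanted:
            due.append((token["name"], days_left, "reminder"))
    return due


if __name__ == "__main__":
    schedule = parse_notification_days("30, 14, 7, 1", maximum_days=365)
    print("reminder days:", schedule)
    for name, days_left, status in reminders_due(TOKENS, schedule, "2025-06-17"):
        print(f"{status:8} {name} ({days_left} days left)")
```

A reminder only helps if someone reads the mailbox it goes to; pair the notification email with a shared, monitored address rather than an individual's, and keep an inventory like TOKENS so an expired MCP or SCIM token is recognised as the cause when an integration goes quiet.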
Reviewing SCIM synchronisation logs
If you suspect a SCIM sync is failing or behaving unexpectedly, go to Logs in the sidebar. This screen is read-only. It shows a chronological list of every SCIM2 synchronisation and authentication event, including the date and time (to millisecond precision), the event type, protocol, operation performed, HTTP status code, and the raw log message. Scroll down to load older entries automatically. There are no edit or delete options — the log is an audit trail.
Field reference
Local sub-screen – edit form
- Local Users — Toggle. Enables or disables username/password login for the company. Required.
- Enforce Two-FA — Toggle. Forces all local users to complete a second factor. Only editable on the root company account.
- Uppercase / Lowercase / One Digit / Special Characters — Toggles. Password complexity rules. When Special Characters is on, the Allowed Characters text field appears; enter every permitted character (1–255 characters, duplicates removed automatically).
- Min Length — Number, 4–50. Minimum password length. Default: 5.
- Max Length — Number, 5–50. Maximum password length. Default: 60.
- Reset Timer — Number, 5–60. Minutes before a password-reset link expires. Default: 60.
SAML/OAuth edit form – key fields
- SSO Type — Toggle between SAML2 and OAuth2. Switching swaps the field set; previously entered values are preserved for each type independently.
- Configuration Template — Dropdown: Microsoft, Google, or Custom. Pre-fills attribute mapping.
- Allowed Domains — Comma-separated email domains permitted to use this SSO. Each entry is validated against a domain-name format.
- IdP Metadata URL (SAML only) — Optional. Paste the IdP's metadata URL and click the link icon; DPMS fetches and fills in the IdP fields automatically.
- Identity Provider x.509 Certificate (SAML only) — Paste the base64 certificate, paste a certificate URL, or upload a .cer, .crt, .der, .pem, or .cert file. PEM headers are stripped automatically.
- Name ID Format (SAML only) — Dropdown. Options include persistent, emailAddress, transient, and others. Default: persistent.
- Enable SCIM2 — Toggle. Activates SCIM2 provisioning. Mutually exclusive with Enable Entra ID.
- Enable Entra ID (OAuth2/Microsoft only) — Toggle. Activates Entra ID sync. Disables SCIM2 automatically.
- Attribute Mapping — Five text inputs: Source ID (the unique, immutable user identifier from the IdP), Name, Email, Groups, Telephone. The first four are required; Telephone is optional. Pre-filled by the chosen template.
- Expiration Date — Date picker. When the configuration is considered expired. Default: one year from today.
- Client ID / Client Secret (OAuth2 only) — Credentials from your IdP app registration. Clicking the Client Secret field when a secret is already saved clears it and puts it into edit mode.
Token creation form
- Name — Text. A descriptive label. Required.
- Type — Dropdown (SCIM, MCP, and others). Cannot be changed after creation.
- Validity — Dropdown: 182, 365, 548, or 731 days, or Custom. Selecting a preset automatically sets the Expiration Date.
- Custom Validity — Number (shown only when Custom is selected). Days until expiry. Maximum: 3,652 days.
- Expiration Date — Read-only. Calculated from today plus the chosen validity. Cannot be edited directly.
- Comment — Optional free-text note.
Notifications edit form
- Token Notification Email — Email address for expiry warnings. Validated as a proper email format. Optional.
- Token Notification Days — Comma-separated positive integers (e.g. 30, 14, 7). Each value must not exceed the company's Maximum value (days) shown below the field.
How this connects to the rest of DPMS
The IAM section is the foundation layer for every other part of the platform:
- User Management: The SCIM2 and Entra ID configurations here directly determine which users appear in the User Management screen and what source type they carry. Deleting all SCIM or Entra ID users from IAM removes them from User Management immediately.
- AI assistant (MCP): The MCP token type on the Tokens sub-screen generates the bearer credential used by the DPMS AI helper. Without a valid, non-expired MCP token, the AI assistant button that appears on data-entry forms across DPMS will not be able to authenticate, and AI features will stop working.
- All DPMS modules: Roles Mapping determines what permissions a user receives when they log in via SSO or are provisioned via SCIM. Incorrect mappings can give users too much or too little access across every module — from ROPA to vendor management to incident tracking.
- Company-wide login: The Enforce Two-FA toggle and password policy settings on the Local sub-screen apply to every local user in the company and immediately affect the registration and password-change flows throughout DPMS.
After finishing the initial IAM configuration, the recommended sequence is: configure Local or SSO → set up SCIM2 or Entra ID → configure Roles Mapping → create tokens → set notification email → verify everything in the Logs screen.
Tips & common pitfalls
Heads up: SCIM2 and Entra ID are mutually exclusive. Turning on Enable Entra ID in the SAML/OAuth edit form automatically turns off SCIM2, and vice versa. If Entra ID is active, the SCIM2 Overview screen shows a warning and the SCIM endpoints are not accessible. Decide which provisioning method you want before configuring either.
Heads up: The generated token is shown only once. After you create a token and confirm the creation, the full token string is displayed one time on the Token Generation screen. Once you navigate away, it is gone. Copy it immediately to a secure location — a password manager or your integration's secret configuration field.
- The "Enforce Two-FA" toggle is only editable on the root company account. Sub-accounts in a multi-company DPMS instance inherit the setting and cannot override it.
- Changing the SSO type triggers a confirmation step. If you switch from SAML2 to OAuth2 (or back) on an existing configuration, the form will prompt you to confirm. This is because the change can invalidate existing active SCIM tokens. The confirmation dialog gives you the option to deactivate those tokens at the same time.
- Sync status updates automatically. When a sync is running on the Active Directory screen, you do not need to refresh the page. The screen polls the job-status endpoint every five seconds and updates the group counts, member counts, and timestamps when the sync finishes. If you navigate away and come back, the current status is checked on arrival.
- Notification Days must not exceed your company's maximum token lifetime. The Token Notification Days field rejects any value larger than the company's configured maximum — check the Maximum value (days) label shown directly below the input before entering values.
- Roles Mapping applies to all provisioning methods. Whether users arrive via SAML2, OAuth2, or SCIM2, it is the Roles Mapping configuration that assigns their DPMS permissions. A user whose external group is not mapped to any role may end up with no permissions at all. Review the mapping whenever you restructure your directory group hierarchy.