Implementing Multi-Division User Provisioning for BPO Multitenancy with SCIM 2.0
What This Guide Covers
- Architecting a scalable user provisioning pipeline for Business Process Outsourcing (BPO) environments that automatically assigns agents to specific Genesys Cloud Divisions based on their external Identity Provider (IdP) attributes.
- Using the SCIM 2.0 protocol to manage thousands of users across multiple “tenants” (Divisions) within a single Genesys Cloud organization, ensuring data isolation and administrative segregation.
- The end result is a zero-touch provisioning workflow where adding a user to an “Account-A” group in Azure AD or Okta automatically creates them in Genesys Cloud, assigns the correct “Account-A” Division, and grants the appropriate roles.
Prerequisites, Roles & Licensing
- Licensing: Genesys Cloud CX 1, 2, or 3.
- Identity Provider: Microsoft Entra ID (Azure AD), Okta, or any SCIM 2.0 compliant IdP.
- Permissions:
General > Division > View,General > Organization > Edit,Integrations > SCIM > Edit. - Infrastructure: Divisions must be pre-configured in Genesys Cloud to match your BPO tenants.
The Implementation Deep-Dive
1. The Multi-Tenant Division Strategy
In a BPO environment, you must prevent agents from “Tenant A” from seeing interactions or resources from “Tenant B.” Divisions are the only way to achieve this at scale.
Architectural Reasoning:
Do not use a single “BPO-Agents” division. Create a unique division for every customer account: Tenant_A_Retail, Tenant_B_Healthcare, etc. This allows you to scope roles so that a supervisor only sees the reports and recordings for their specific team.
2. Configuring SCIM Attribute Mapping for Divisions
The standard SCIM protocol manages users, but Genesys Cloud’s Division assignment requires a specific extension attribute.
Implementation Steps:
- The Extension Attribute: Genesys Cloud supports the
urn:ietf:params:scim:schemas:extension:genesys:purecloud:2.0:User:divisionIdattribute. - IdP Mapping: In your IdP (e.g., Azure AD), map a source attribute (like
extensionAttribute1ordepartment) to the Genesys ClouddivisionId. - The ID Lookup: You cannot pass the name of the division (e.g., “Tenant A”). You must pass the Division GUID. You can find these IDs in the Genesys Cloud Admin UI or via the
GET /api/v2/authorization/divisionsAPI.
The Trap:
Hard-coding the Division ID for all users in the SCIM integration settings. This defeats the purpose of multi-tenancy. You must use an Expression or Mapping logic in your IdP to dynamically select the Division ID based on the user’s group membership.
3. Automating Role Assignment via SCIM Groups
Provisioning a user into a division is only half the battle; they also need the correct permissions.
Architectural Reasoning:
Use Group-Based Role Mapping within Genesys Cloud.
- Create a Genesys Cloud Group (e.g.,
Tenant_A_Agents). - Assign the necessary Roles to this group, scoped to the
Tenant_A_Retaildivision. - Configure your IdP to push group memberships via SCIM. When the agent is added to the “Tenant A” group in the IdP, they are added to the corresponding group in Genesys Cloud, inheriting the division-scoped roles automatically.
The Trap:
Using “All Divisions” (the asterisk scope) for BPO agents. This is a critical security risk. If an agent is granted a role with the “All Divisions” scope, they will be able to see across tenant boundaries, violating your BPO contracts.
Validation, Edge Cases & Troubleshooting
Edge Case 1: The “Division Change” Conflict
- The Failure Condition: An agent moves from “Tenant A” to “Tenant B.” Their division is updated in the IdP, but they still have access to “Tenant A” resources in Genesys Cloud.
- The Root Cause: SCIM successfully updated the
divisionId, but the agent’s group membership was not updated, or the group-based roles were not removed. - The Solution: Ensure your IdP logic removes the user from the “Tenant A” group when they are moved to “Tenant B.” Genesys Cloud will automatically revoke the “Tenant A” division-scoped roles.
Edge Case 2: SCIM Sync Latency
- The Failure Condition: A new hire starts, but they cannot log in for several hours.
- The Root Cause: IdPs often have a “Sync Interval” (e.g., 40 minutes for Azure AD).
- The Solution: For urgent additions, use the “Provision on Demand” feature (in Azure AD) or “Push Now” (in Okta) to force an immediate synchronization of the specific user object.