# HRIS and IdP

Cakewalk imports Users and their attributes from your company's HRIS or IdP during admin setup. Those attributes feed the policy engine: a Policy can match by department, job title or location, so Agents inherit the right defaults without manual user-by-user configuration.

### 📖 Key Concepts

* **HRIS**: Human Resources Information System (Personio, HiBob, BambooHR, Rippling, Workday and others).
* **IdP**: Identity Provider (Okta, Entra ID, Google Workspace).
* **User attributes**: Fields synced from HRIS/IdP (department, job title, location) that Policies evaluate at Agent runtime.

💡 *Why this matters*: For every Agent tool call, Policies produce one of three outcomes: Auto-approve, Require approval or Deny. Those decisions depend on who the User is. HRIS/IdP sync makes "who" a structured fact, not a manual lookup.

***

### 👤 Import & Sync Users

#### How it works

* Cakewalk connects to your company's HRIS or IdP through a single integration layer that supports 200+ systems.
* User records flow into Cakewalk with name, email, department, job title and location.
* Lifecycle changes (joiners, movers, leavers) flow in on each sync, so User records stay current.
* Properties on the User record feed into every Policy evaluation.

#### Supported systems

Cakewalk integrates with 200+ HRIS and IdP systems. Common examples:

* **HRIS**: Personio, HiBob, BambooHR, Rippling, Gusto, CharlieHR, Workday.
* **IdPs**: Okta, Entra ID, Google Workspace.

#### How to set it up

Sync runs during admin setup. See [Admin Setup](/docs/ai-agent-access/introduction/get-going-with-agent-access/admin-setup.md) for the step-by-step.

1. Choose HRIS/IdP sync or manual entry.
2. Authenticate with an admin account that can read user profiles, reporting lines and groups.
3. Approve scopes → Save → sync starts immediately.
4. Pick which users to invite. The rest stay imported but un-invited until you're ready.

{% hint style="info" %}
Sync is ongoing after setup. Joiners, role changes and departures flow into Cakewalk on the next sync, so Policies always evaluate current User properties. Offboarded Users lose Agent access automatically.
{% endhint %}

#### Why this matters

* No manual user creation.
* User properties are accurate when Policies evaluate them.
* Lifecycle changes flow into governance without admin re-entry.

***

### 🛂 User Attributes Feed Policies

Synced User attributes become inputs the policy engine can match on.

#### What Policies can match on

* **Department**: Engineering, Sales, Finance, etc.
* **Job title**: for seniority- or role-based rules.
* **Location**: for region-scoped Policies (data residency, working hours).

#### What that looks like in practice

A Policy might Auto-approve `read` actions for anyone in Engineering, Require approval for `write` actions and Deny `destructive` actions for Users outside the EU, all without naming individual Users. When the HRIS adds a new engineer, the Policy applies to them on the next sync.

For the policy model, see [Policies](/docs/ai-agent-access/concepts/policies.md).
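
The Policy described above, sketched as an added Python example; it is not Cakewalk's code or API. The field names, the fail-closed default for unmatched calls, the most-restrictive-wins tie-break, the EU country set and the sample Users are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Callable, Optional

AUTO, APPROVAL, DENY = "Auto-approve", "Require approval", "Deny"
SEVERITY = {AUTO: 0, APPROVAL: 1, DENY: 2}
EU = {"DE", "FR", "NL", "IE"}  # constructed subset, for illustration only

@dataclass(frozen=True)
class User:  # hypothetical shape of a synced User record
    email: str
    department: Optional[str] = None
    job_title: Optional[str] = None
    location: Optional[str] = None
    active: bool = True

@dataclass(frozen=True)
class Rule:
    action: str
    matches: Callable[[User], bool]
    outcome: str

# The three rules from the paragraph above; no individual User is named.
RULES = [
    Rule("read", lambda u: u.department == "Engineering", AUTO),
    Rule("write", lambda u: u.department == "Engineering", APPROVAL),
    # A missing location counts as "outside the EU", so the rule fails closed.
    Rule("destructive", lambda u: u.location not in EU, DENY),
]

def evaluate(user: Optional[User], action: str, rules=RULES) -> str:
    """Return the outcome for one tool call (assumed: default Deny, strictest wins)."""
    if user is None or not user.active:
        return DENY  # unknown or offboarded Users get nothing
    hits = [r.outcome for r in rules if r.action == action and r.matches(user)]
    return max(hits, key=SEVERITY.__getitem__) if hits else DENY

def apply_sync(directory: dict, snapshot: list) -> dict:
    """Apply one sync: snapshot records replace old ones, absent Users are deactivated."""
    synced = {u.email: u for u in snapshot}
    for email, old in directory.items():
        if email not in synced:  # leaver: keep the record, revoke access
            synced[email] = replace(old, active=False)
    return synced

if __name__ == "__main__":
    d = apply_sync({}, [User("ana@example.com", "Engineering", "Engineer", "DE")])
    print(evaluate(d["ana@example.com"], "read"))
    d = apply_sync(d, [User("ana@example.com", "Sales", "AE", "DE")])  # mover
    print(evaluate(d["ana@example.com"], "read"))
```

The same `read` call changes outcome after the second sync because the department attribute changed, not because anyone edited the Policy.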

***

### 🪪 HRIS/IdP Sync Is for Users Only

The HRIS/IdP integration layer has a bounded role. It is the source for **Users and identity**, not for apps or Agents.

#### What HRIS/IdP sync is used for

* HRIS User import.
* IdP User import.
* User property sync.

#### What HRIS/IdP sync is **not** used for

* App import.
* Agent import.
* MCP server discovery.

App and Agent imports use a different path: a direct OAuth connection to Google Workspace during admin setup. See [Admin Setup](/docs/ai-agent-access/introduction/get-going-with-agent-access/admin-setup.md) for the flow.

***

### 📚 Related

* [Admin Setup](/docs/ai-agent-access/introduction/get-going-with-agent-access/admin-setup.md): the setup flow that runs HRIS/IdP sync
* [Policies](/docs/ai-agent-access/concepts/policies.md): how user properties drive runtime decisions
* [Roles and Permissions](/docs/ai-agent-access/concepts/roles-and-permissions.md): Admin vs employee roles
* [Agent Connections](https://github.com/this-thing-about-cakes/agent-access-docs/blob/main/connections-and-integrations/agent-connections.md): the catalog of downstream MCPs (imported via a different path)

