Adding & Syncing Users¶

End users are the people who interact with the GRC-ITSM self-service portal: submitting tickets, viewing request status, reviewing compliance reports, and responding to approval requests. There are two ways to add users to the platform.

Method 1: Manual Creation¶

Create a user record directly in the platform.

1. Navigate to Configuration > Users
2. Click New

3. Fill in the user's details:

   Field	Purpose
   Name	Display name shown in the portal and on tickets
   Email Address	Used for login (if not using SSO), notifications, and ticket correspondence
   Site	The organizational site or location the user belongs to
   User Role	The user role that determines their function (e.g., Access Approver, Standard User)

4. Save the user record

Approval Participation¶

If the user needs to participate in approval workflows (e.g., they hold an Access Approver, Change Approver, or Deviation Approver role), enable the approval permission on their profile:

1. Open the user's profile
2. Navigate to the Permissions tab
3. Enable This User can partake in approvals
4. Save

Without this permission, the user will not receive approval requests even if they hold an approval role.

Method 2: Microsoft Entra ID Synchronization¶

For organizations using Microsoft 365, users can be imported from Microsoft Entra ID and kept in sync automatically. This is the recommended approach for organizations with an existing identity provider, as it eliminates manual user management and ensures the platform's user directory reflects the current state of the identity provider.

Configuration¶

1. Navigate to Configuration > Integrations > Microsoft Entra ID
2. Select the target tenant
3. Configure Site/Agent Mappings:
   • Select the target site
   • Set Role for Users to the appropriate default role (e.g., Standard User)
   • Specify the Azure group that contains the users to import (e.g., a security group for portal users)
4. Open the Imports tab
5. Click Import Users to perform an initial manual import
6. Review the presented users and import

Automated Synchronization¶

To keep users in sync automatically, enable the Halo Integrator:

1. Within the same Imports tab, locate the Halo Integrator section
2. Enable the Halo Integrator for the Microsoft Entra ID integration
3. Select Users as the entity to import
4. Enable Deactivate Users when they are not found in Entra ID to automatically disable accounts for users removed from the directory
5. Save

Once configured, the Integrator runs on a recurring schedule, importing new users, updating changed records, and deactivating users who no longer appear in the mapped Entra ID groups.

What Entra ID Sync Handles¶

Compliance Benefit¶

Automated user synchronization supports several access control requirements:

• FedRAMP AC-2 (Account Management) - ensures the platform's user directory reflects the current state of the identity provider
• FedRAMP PS-4 (Personnel Termination) - automatic deactivation of users removed from Entra ID supports timely access revocation
• CMMC AC.L2-3.1.1 (Authorized Access Control) - only users present in the identity provider retain access to the platform

Managing Users¶

Deactivating Users¶

When a user departs the organization or no longer needs portal access:

• If using Entra ID sync - remove the user from the mapped Azure group. The Halo Integrator will automatically deactivate their account on the next sync cycle
• If managing manually - open the user's profile and deactivate their account

Deactivated users cannot log in to the portal but their historical ticket data is preserved for audit purposes.

Bulk Operations¶

For organizations not using Entra ID sync, users can be imported in bulk via CSV or other import methods available under Configuration > Users.