Control who can act, approve, and access.
Gvner governs identity changes, sessions, and access policies so execution authority is always traceable and auditable.
Identity topics
Google Workspace setup
OIDC provider registration + directory sync path.
SSO setup
Register providers and issue governed sessions.
SCIM sync
Provision users/groups and reconcile drift.
Role mapping
Map IdP roles to Gvner capabilities.
Session policy
TTL, revocation, and delegated access rules.
Sessions
Active sessions and revocation evidence.
Admin sessions
Dedicated admin-session ledger and review.
Identity ledger
Immutable identity change evidence.
Identity changes
Queue, preview, approvals, receipts.
What identity governance covers
SSO providers
Register and validate SSO providers with explicit policy boundaries.
SCIM directory
Sync users and groups deterministically with audit visibility.
Role mapping
Map identity roles to governance capabilities and approval rules.
Session policy
Define session TTL, revocation rules, and delegated access.
Integration steps
1. Register SSO provider
Bind your identity provider and confirm verified domain ownership.
2. Enable SCIM sync
Sync users and groups into Gvner for deterministic authorization.
3. Map roles to capabilities
Define which roles can approve changes, override, or export evidence.
4. Set session policy
Configure TTL, revocation, and delegated session requirements.
Deep dives
Identity change control
Change queue
All identity changes are staged, reviewed, and approved before activation.
Change receipts
Every approved change produces a receipt and evidence hash.
Operational workflow
Key API endpoints
POST /sso/providers — register SSO provider
POST /sso/session — issue governed SSO session
POST /scim/users — upsert user
POST /scim/groups — upsert group
GET /identity/ledger — identity ledger entries
POST /identity/changes/request — submit identity change
POST /identity/changes/approve — approve/apply identity change