Reference: Provisioning States
This reference covers all provisioning-related statuses and transitions in AccessHive. Use it to understand what each status means and how the system determines overall identity health.
For a conceptual overview of provisioning, see Provisioning.
Identity-level status
The overall identity status is determined by combining the statuses of all its providers (for example, Google Workspace and the identity provider):
| Status | Rule |
|---|---|
| Pending | At least one provider is still Pending. |
| Provisioned | All providers have completed successfully (or were skipped). |
| Error | Any provider is in an Error state. |
Provider-level status
Each provider (Google Workspace, identity provider) tracks its own status independently:
| Status | Meaning |
|---|---|
| Pending | A job has been sent to the worker and is awaiting completion. |
| Provisioned | The provider completed successfully. |
| Skipped | This provider is not required for the identity type and platform combination. |
| Error | The provider job failed. Check the job details for the error message. |
Provider status details
Each provider entry includes the following information:
| Field | Description |
|---|---|
| Status | Pending, Provisioned, Skipped, or Error. |
| Last updated | When the status was last changed. |
| External ID | The ID assigned by the provider (for example, the Google Workspace user ID). May be empty if not yet created. |
| Job ID | The background job that processed this provider. See Background Jobs. |
| Error message | The error details, if the status is Error. |
| Skip reason | An explanation of why the provider was skipped, if applicable. |
Skip reasons
The system skips providers that are not needed for a given identity type:
| Reason | When it applies |
|---|---|
| Platform uses credentials only – no provisioning required | External Shared Credential, or any credentials-only platform |
| Shared Credential does not require identity provider | Shared Credential on any platform |
| Service Account carries its own credentials | Service Account on any platform |
| API Key carries its own credentials | API Key on any platform |
| OAuth Client carries its own credentials | OAuth Client on any platform |
For details on which identity types trigger which jobs, see Background Jobs.
Identity health states
After initial provisioning, AccessHive monitors ongoing identity health. The system groups identities into these categories:
| Health state | Label in the UI | Color | Meaning |
|---|---|---|---|
| In Sync | Healthy | Green | All providers are up to date. |
| Out of Sync | Needs provisioning | Yellow | A mismatch was detected between the directory and AccessHive. |
| Error | Error | Red | A provisioning or sync failure occurred. |
| Orphan | Orphaned | Gray | A directory entry exists with no matching identity in AccessHive. |
| Not Managed | Not managed | Gray | No directory provider is configured (credentials-only identity). |
Google Workspace drift states
When AccessHive syncs with Google Workspace (GWS), it detects drift between the two systems. Each drift state maps to a health category:
| Drift state | Health category | Description |
|---|---|---|
| Linked OK | In Sync | The identity matches the GWS directory. |
| Linked Suspended | Out of Sync | The user is suspended in Google Workspace. |
| Missing in Google | Out of Sync | The identity exists in AccessHive but has not been created in GWS yet. |
| Wrong organizational unit | Out of Sync | The user is in the wrong organizational unit in GWS. |
| Orphan in Google | Orphan | A GWS user exists with no matching identity in AccessHive. |
| Provision error | Error | An error occurred during GWS provisioning. |
| Web login required | Error | The GWS user requires a manual web login to complete setup. |
For setup and troubleshooting of your GWS connection, see Google Workspace Guide.
Platform connection status
Each connected platform reports its own connection status:
| Status | Meaning |
|---|---|
| Connected | The connection is active and operations work normally. |
| Not connected | No connection has been established for this platform. |
| Needs reauthorization | The authentication token has expired. Reconnect the platform to restore access. |
| Error | Connection verification failed. |
| Not required | This platform uses credentials only and does not need a connection. |
Platform readiness
Platform readiness determines whether you can create identities on a given platform:
| State | Label in the UI | Meaning |
|---|---|---|
| Operational | Operational | The platform is ready for identity creation. |
| Not connected | Not Connected | The platform needs an OAuth connection before identities can be created. |
| Action required | Action Required | The platform needs reauthorization. |
| Disabled | Disabled | The platform has been manually disabled. |
For connecting and configuring platforms, see Platform Connections.
Related pages
- Provisioning – conceptual overview of the provisioning lifecycle
- Background Jobs – job types and monitoring
- Identity Field Requirements – required fields per identity type
- Google Workspace Guide – GWS setup and sync
- Troubleshooting – common issues and fixes