-
-
Notifications
You must be signed in to change notification settings - Fork 0
Users and Access Backup
Separate from config, Users & Access backup (a paid feature) captures who: users (profiles, status), group memberships, and app assignments, with provenance preserved (group-inherited vs directly-assigned access). It has its own schedule, retention, and storage per tenant. Supported for all three providers; the exact shape follows each provider's model - for Auth0 that means users plus role assignments and organization memberships (Auth0 has no user-to-app assignment concept, so that bucket doesn't apply).
Users & Access exports can be API-heavy on large orgs. IdPVault paces itself with an adaptive rate limiter (learns your Okta org's limits, keeps configurable headroom) and shows a measured duration estimate with a cadence recommendation before you commit to a schedule.
Restore is create-only and additive: it recreates missing users (deactivated state, matched by login/username), re-adds group memberships, and re-links app assignments. It never modifies or deletes existing users. Everything is resolved by natural key, so recreated objects with new internal ids don't break the links. A dry-run preview shows exactly who and what would be recreated, with per-user checkboxes.
-
Recreated users arrive deactivated without passwords/MFA; they re-enroll on activation. IdPs never export credential material.
-
Authentik app access is governed by policy bindings, which live in config restore; run both for full recovery.
-
Auth0: recreated users come back blocked with a random password - send a password reset, then unblock. Only database-connection users can be recreated via the API (social/enterprise users sign in again through their IdP). Tenants over 1,000 users need the bulk export job, which is on the roadmap - the backup fails loudly rather than being silently partial.