Question
Design the user-lifecycle (SCIM) provisioning and DEPROVISIONING pipeline for a B2B SaaS that syncs identities from thousands of customer IdPs/HR systems. The critical requirement is the offboarding SLA: when a customer fires an employee, that account must be disabled across your product (sessions killed, API keys disabled, access removed) within a contractual window — even if the customer's SCIM push is flaky, batched nightly, or arrives out of order. Discuss the provisioning data model, how you reconcile push vs pull, how out-of-order or missed deprovision events are caught, and how 'disable' propagates fast enough to meet the SLA.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.