People and Identity rosters answer the question: “Who is in what state right now?” They carry no privileges and grant no access. They’re membership lists that other groups and automation reference.
People rosters track humans by their organizational lifecycle state.
prv-{scope}-people-{audience}@{domain}
Each Organizational Unit (OU) branch gets a corresponding People roster:
Execs:

| Roster | Who belongs |
| --- | --- |
| prv-org-people-execs-active | Active founders / executive leadership |
| prv-org-people-execs-admins | Execs with admin roles |
| prv-org-people-execs-offboarded | Suspended former executives |

W-2 employees:

| Roster | Who belongs |
| --- | --- |
| prv-org-people-w2-active | Active employees |
| prv-org-people-w2-probation | New/rejoining employees (30-60 day tighter controls) |
| prv-org-people-w2-offboarded | Suspended former employees |

Contractors:

| Roster | Who belongs |
| --- | --- |
| prv-org-people-contractors-eng-active | Active engineering contractors |
| prv-org-people-contractors-biz-active | Active business contractors |
| prv-org-people-contractors-fractional-active | Active fractional/part-time contractors |
| prv-org-people-contractors-*-offboarded | Offboarded variants for each contractor type |

Interns:

| Roster | Who belongs |
| --- | --- |
| prv-org-people-interns-eng-active | Active engineering interns |
| prv-org-people-interns-biz-active | Active business interns |
| prv-org-people-interns-*-offboarded | Offboarded variants for each intern type |

Partners and vendors:

| Roster | Who belongs |
| --- | --- |
| prv-org-people-partners-active | Provisioned partner users |
| prv-org-people-vendors-active | Provisioned vendor users |
| prv-org-people-partners-offboarded | Offboarded partner users |
| prv-org-people-vendors-offboarded | Offboarded vendor users |
Rollup rosters combine multiple branch rosters for broad targeting (e.g., all-hands mail, org-wide policies):
| Roster | What it rolls up |
| --- | --- |
| prv-org-people-all-active | All active humans across all branches |
| prv-org-people-all-internal | W-2 + Execs (no contractors, interns, or externals) |
| prv-org-people-all-offboarded | All offboarded/suspended humans |
Name: PRV – People – W-2 – Active
Desc: PRV – People – W-2 – Active: Dynamic roster for active employees
Purpose: Feeds Role eligibility
Type: Non-security group (communication-only, no privileges)
Security label: OFF (rosters don’t grant access)
Membership: Managed dynamically (CEL rules or SCIM sync)
External members: OFF
Posting: Members only (or disabled — rosters aren’t for mail)
Identity rosters track non-human accounts — service accounts, bots, and automation identities.
prv-{scope}-ident-{audience}@{domain}
| Roster | Who belongs |
| --- | --- |
| prv-org-ident-auto-active | Active automation accounts |
| prv-org-ident-auto-disabled | Disabled/retired automation accounts |
Name: PRV – Identity – Automation – Active
Desc: PRV – Identity – Automation – Active: Active automation/service accounts
Purpose: Lifecycle tracking
Type: Non-security group (roster-only, no privileges)
OUs describe who the account is and its lifecycle state. Groups control what it can access. Never put content ACLs on OUs. The OU paths below mirror the roster names; the trailing segment is the lifecycle state, so moving an account between sibling OUs is what changes its roster membership:
/contractors-engineering-active
/contractors-engineering-offboarded
/contractors-business-active
/contractors-business-offboarded
/contractors-fractional-active
/contractors-fractional-offboarded
/interns-engineering-active
/interns-engineering-offboarded
/interns-business-active
/interns-business-offboarded
/automation-accounts-active
/automation-accounts-disabled
Never put people-* or ident-* groups directly on content ACLs (drive permissions, system roles).
People rosters feed Role eligibility — they don’t grant access themselves.
Offboarded rosters exist for audit trails and retention, not for access.
Every active roster should have a corresponding offboarded roster.
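The four rules above are easy to state and easy to drift from: an offboarded account that lingers in an active roster, an active roster provisioned without its offboarded twin, or a people-* group dropped straight onto a Drive folder. The following is an added example of a reconciliation check that derives the expected roster membership from a directory export using the OU-to-roster mapping on this page and compares it with what is actually provisioned. It is not the page's own tooling; the directory export shape (email, orgUnitPath, suspended), the domain example.com, the group list and the ACL entries are constructed sample data, and the "role" group name in the ACL sample is an assumption about a non-roster group.

```python
"""Reconcile People/Identity rosters against the directory (added example).

Assumptions (not from the page): the directory export is a list of dicts with
'email', 'orgUnitPath' and 'suspended'; the domain is example.com; the group
list and ACL entries at the bottom are constructed sample data.
"""
import re
from collections import defaultdict

DOMAIN = "example.com"  # assumed

# prv-{scope}-{people|ident}-{audience}-{state}@{domain}; state is the last segment.
ROSTER_RE = re.compile(
    r"^prv-(?P<scope>[a-z0-9]+)-(?P<kind>people|ident)-(?P<audience>[a-z0-9-]+)"
    r"-(?P<state>active|probation|admins|internal|offboarded|disabled)@"
    + re.escape(DOMAIN) + "$"
)

# OU path prefix -> (roster kind, roster audience). The OU's trailing segment is the
# lifecycle state and becomes the roster's state segment (mirrors the OU list above).
OU_BRANCHES = {
    "/contractors-engineering": ("people", "contractors-eng"),
    "/contractors-business": ("people", "contractors-biz"),
    "/contractors-fractional": ("people", "contractors-fractional"),
    "/interns-engineering": ("people", "interns-eng"),
    "/interns-business": ("people", "interns-biz"),
    "/automation-accounts": ("ident", "auto"),
}
KNOWN_STATES = {"active", "probation", "offboarded", "disabled"}
INACTIVE_STATES = {"offboarded", "disabled"}


def roster_for(ou_path, suspended):
    """Return (roster_email, problem) for one account; exactly one of the two is None.

    Offboarded/disabled OUs hold suspended accounts and active OUs hold live ones;
    a mismatch is reported rather than silently assigned to either roster.
    """
    for prefix, (kind, audience) in OU_BRANCHES.items():
        if ou_path.startswith(prefix + "-"):
            state = ou_path[len(prefix) + 1:]
            break
    else:
        return None, f"{ou_path}: no roster mapping for this OU"
    if state not in KNOWN_STATES:
        return None, f"{ou_path}: unknown lifecycle state '{state}'"
    if (state in INACTIVE_STATES) != bool(suspended):
        return None, f"{ou_path}: suspended={suspended} disagrees with OU state '{state}'"
    return f"prv-org-{kind}-{audience}-{state}@{DOMAIN}", None


def expected_memberships(directory):
    """Derive roster -> set(emails) from the export, plus rollups and a problem list."""
    rosters, problems = defaultdict(set), []
    for acct in directory:
        roster, problem = roster_for(acct["orgUnitPath"], acct["suspended"])
        if problem:
            problems.append(problem)
        else:
            rosters[roster].add(acct["email"])
    # Rollups are unions over the people branch rosters; identities never roll up.
    people = {ROSTER_RE.match(r)["state"]: m for r, m in rosters.items()
              if ROSTER_RE.match(r)["kind"] == "people"} if False else \
             [(ROSTER_RE.match(r)["state"], m) for r, m in rosters.items()
              if ROSTER_RE.match(r)["kind"] == "people"]
    rosters[f"prv-org-people-all-active@{DOMAIN}"] = set().union(
        *(m for s, m in people if s not in INACTIVE_STATES))
    rosters[f"prv-org-people-all-offboarded@{DOMAIN}"] = set().union(
        *(m for s, m in people if s == "offboarded"))
    return dict(rosters), problems


def drift(expected, actual):
    """Return {roster: (missing_members, extra_members)} where the two sides differ."""
    out = {}
    for roster in set(expected) | set(actual):
        exp, act = expected.get(roster, set()), actual.get(roster, set())
        if exp != act:
            out[roster] = (exp - act, act - exp)
    return out


def check_pairing(group_emails):
    """Every active roster needs its offboarded (people) or disabled (ident) twin."""
    missing = []
    for g in group_emails:
        m = ROSTER_RE.match(g)
        if not m or m["state"] != "active":
            continue
        twin_state = "offboarded" if m["kind"] == "people" else "disabled"
        twin = f"prv-{m['scope']}-{m['kind']}-{m['audience']}-{twin_state}@{DOMAIN}"
        if twin not in group_emails:
            missing.append(twin)
    return sorted(missing)


def check_acls(acl_entries):
    """Flag people-*/ident-* rosters used directly as principals on content ACLs."""
    return [(res, p) for res, p in acl_entries if ROSTER_RE.match(p)]


# Constructed sample data (not from the page).
DIRECTORY = [
    {"email": "ana@example.com", "orgUnitPath": "/contractors-engineering-active", "suspended": False},
    {"email": "bo@example.com", "orgUnitPath": "/contractors-engineering-offboarded", "suspended": True},
    {"email": "cy@example.com", "orgUnitPath": "/interns-business-active", "suspended": False},
    {"email": "dee@example.com", "orgUnitPath": "/interns-engineering-offboarded", "suspended": False},
    {"email": "ci-bot@example.com", "orgUnitPath": "/automation-accounts-active", "suspended": False},
]
ACTUAL_GROUPS = {  # what is provisioned; bo lingers in the active roster
    "prv-org-people-contractors-eng-active@example.com": {"ana@example.com", "bo@example.com"},
    "prv-org-people-contractors-eng-offboarded@example.com": {"bo@example.com"},
    "prv-org-people-interns-biz-active@example.com": {"cy@example.com"},
    "prv-org-ident-auto-active@example.com": {"ci-bot@example.com"},
    "prv-org-people-all-active@example.com": {"ana@example.com", "cy@example.com"},
    "prv-org-people-all-offboarded@example.com": {"bo@example.com"},
}
ACLS = [  # (resource, principal); the first principal is an assumed non-roster Role group
    ("drive:folder/eng-designs", "prv-org-role-eng-drive-edit@example.com"),
    ("drive:folder/eng-designs", "prv-org-people-contractors-eng-active@example.com"),
]


def run_checks(directory=DIRECTORY, actual=ACTUAL_GROUPS, acls=ACLS):
    expected, problems = expected_memberships(directory)
    return {
        "problems": problems,
        "drift": drift(expected, actual),
        "missing_twins": check_pairing(set(actual)),
        "acl_violations": check_acls(acls),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(name, finding)
```

Run it as a scheduled job against a real export and treat every non-empty finding as a ticket: a suspended account flagged in `problems` or `drift` is an offboarding that did not complete, and an `acl_violations` hit is a roster being used as a permission group.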