navan-entity-management
Manage Navan users, departments, cost centers, and approval chains via API and SCIM provisioning. Use when onboarding departments, integrating identity providers, or auditing user access. Trigger with "navan entity management", "navan user management", "navan SCIM setup".
Best use case
navan-entity-management is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Manage Navan users, departments, cost centers, and approval chains via API and SCIM provisioning. Use when onboarding departments, integrating identity providers, or auditing user access. Trigger with "navan entity management", "navan user management", "navan SCIM setup".
Teams using navan-entity-management should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/navan-entity-management/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How navan-entity-management Compares
| Feature / Agent | navan-entity-management | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Manage Navan users, departments, cost centers, and approval chains via API and SCIM provisioning. Use when onboarding departments, integrating identity providers, or auditing user access. Trigger with "navan entity management", "navan user management", "navan SCIM setup".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Navan — Entity Management
## Overview
This skill covers organizational entity management in Navan: users, departments, cost centers, and approval chains. Navan supports two approaches for user lifecycle management — the REST API with GET /get_users for querying and auditing, and SCIM 2.0 provisioning for automated sync with identity providers like Okta, Entra ID (Azure AD), and OneLogin. Travel policies are assigned at the department level, and approval chains support multi-level routing based on expense thresholds and trip types. This skill is essential for organizations managing 100+ travelers.
## Prerequisites
- Navan account with admin-level API credentials (see `navan-install-auth`)
- OAuth 2.0 token with admin scope
- For SCIM: Okta, Entra ID, or OneLogin with SCIM 2.0 support
- For SSO: SAML 2.0 or Google Workspace configured in Navan Admin
- Environment variables: `NAVAN_CLIENT_ID`, `NAVAN_CLIENT_SECRET`, `NAVAN_BASE_URL`
## Instructions
### Step 1: Authenticate and Retrieve Booking Data
```typescript
const tokenRes = await fetch(`${process.env.NAVAN_BASE_URL}/ta-auth/oauth/token`, {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'client_credentials',
client_id: process.env.NAVAN_CLIENT_ID!,
client_secret: process.env.NAVAN_CLIENT_SECRET!,
}),
});
const { access_token } = await tokenRes.json();
const headers = { Authorization: `Bearer ${access_token}` };
// GET /v1/bookings — retrieve bookings (records in .data array)
const bookingsRes = await fetch(
`${process.env.NAVAN_BASE_URL}/v1/bookings?page=0&size=50`,
{ headers }
);
const { data: bookings } = await bookingsRes.json();
// Extract unique users from booking data
const users = [...new Map(bookings.map((b: any) => [b.traveler_email, b])).values()];
users.forEach((user: any) => {
console.log(`${user.email} | Role: ${user.role} | Dept: ${user.department}`);
console.log(` Cost Center: ${user.cost_center} | Manager: ${user.manager_email}`);
console.log(` Travel Policy: ${user.travel_policy_name}`);
});
```
### Step 2: Audit User Access and Roles
```typescript
// Build an access audit report
interface UserAudit {
email: string;
role: string;
department: string;
hasManagerAssigned: boolean;
hasCostCenter: boolean;
hasTravelPolicy: boolean;
}
const audit: UserAudit[] = users.map((u: any) => ({
email: u.email,
role: u.role,
department: u.department ?? 'UNASSIGNED',
hasManagerAssigned: Boolean(u.manager_email),
hasCostCenter: Boolean(u.cost_center),
hasTravelPolicy: Boolean(u.travel_policy_name),
}));
// Flag users missing required configuration
const incomplete = audit.filter(
u => !u.hasManagerAssigned || !u.hasCostCenter || !u.hasTravelPolicy
);
console.log(`\nUsers with incomplete setup: ${incomplete.length}/${audit.length}`);
incomplete.forEach(u => {
const missing = [];
if (!u.hasManagerAssigned) missing.push('manager');
if (!u.hasCostCenter) missing.push('cost_center');
if (!u.hasTravelPolicy) missing.push('travel_policy');
console.log(` ${u.email}: missing ${missing.join(', ')}`);
});
```
### Step 3: Configure SCIM Provisioning (Okta)
SCIM 2.0 enables automated user lifecycle management. Configure in the Navan admin console:
1. Navigate to Admin > Travel admin > Settings > Identity Provider
2. Select "SCIM 2.0" as the provisioning method
3. Copy the SCIM endpoint URL and bearer token
In Okta:
1. Add the Navan application from the OIN catalog
2. Configure provisioning with the SCIM endpoint URL
3. Enable: Create Users, Update User Attributes, Deactivate Users
4. Map attributes: `userName`, `email`, `department`, `costCenter`, `manager`
```bash
# Test SCIM endpoint connectivity (replace with your SCIM URL and token)
curl -s -o /dev/null -w "%{http_code}" \
-H "Authorization: Bearer ${NAVAN_SCIM_TOKEN}" \
"${NAVAN_SCIM_URL}/Users?count=1"
# Expected: 200
```
### Step 4: Configure SCIM Provisioning (Entra ID)
For Microsoft Entra ID (formerly Azure AD):
1. In Entra ID portal, add Navan as an Enterprise Application
2. Under Provisioning, set mode to "Automatic"
3. Enter the Navan SCIM tenant URL and secret token
4. Map attributes: `userPrincipalName` -> `userName`, `department`, `companyName`
5. Enable provisioning and set scope to "Sync only assigned users"
### Step 5: Department and Cost Center Structure
```typescript
// Organize users by department for policy assignment analysis
const byDepartment: Record<string, any[]> = {};
users.forEach((u: any) => {
const dept = u.department ?? 'Unassigned';
if (!byDepartment[dept]) byDepartment[dept] = [];
byDepartment[dept].push(u);
});
console.log('\nDepartment Summary:');
Object.entries(byDepartment)
.sort((a, b) => b[1].length - a[1].length)
.forEach(([dept, members]) => {
const costCenters = [...new Set(members.map((m: any) => m.cost_center))];
console.log(` ${dept}: ${members.length} users, cost centers: ${costCenters.join(', ')}`);
});
```
### Step 6: Approval Chain Configuration
```typescript
// Define multi-level approval routing
// Configure in Navan Admin > Policies > Approval Chains
interface ApprovalChain {
department: string;
levels: {
threshold: number;
approverRole: string;
approverEmail: string;
}[];
}
const approvalChains: ApprovalChain[] = [
{
department: 'Engineering',
levels: [
{ threshold: 500, approverRole: 'manager', approverEmail: 'eng-mgr@company.com' },
{ threshold: 2000, approverRole: 'director', approverEmail: 'eng-dir@company.com' },
{ threshold: Infinity, approverRole: 'vp', approverEmail: 'vp-eng@company.com' },
],
},
{
department: 'Sales',
levels: [
{ threshold: 1000, approverRole: 'manager', approverEmail: 'sales-mgr@company.com' },
{ threshold: 5000, approverRole: 'director', approverEmail: 'sales-dir@company.com' },
{ threshold: Infinity, approverRole: 'cro', approverEmail: 'cro@company.com' },
],
},
];
// Determine required approver for a given expense
function routeForApproval(dept: string, amount: number): string {
const chain = approvalChains.find(c => c.department === dept);
if (!chain) return 'finance@company.com'; // fallback
const level = chain.levels.find(l => amount <= l.threshold);
return level?.approverEmail ?? 'cfo@company.com';
}
```
## Output
Successful execution produces:
- Complete user roster with roles, departments, cost centers, and policy assignments
- Access audit report identifying users with incomplete configuration
- SCIM provisioning configuration for Okta or Entra ID
- Department hierarchy with cost center mappings
- Approval chain definitions with threshold-based routing
## Error Handling
| Error | HTTP Code | Cause | Solution |
|-------|-----------|-------|----------|
| Unauthorized | 401 | Expired or invalid bearer token | Re-authenticate via POST /ta-auth/oauth/token |
| Forbidden | 403 | Non-admin credentials used | Verify admin-level API credentials |
| Rate Limited | 429 | Too many requests | Implement exponential backoff (start at 1s) |
| SCIM Auth Failed | 401 | Invalid SCIM bearer token | Regenerate token in Navan Admin > Identity Provider |
| SCIM Mapping Error | 400 | Missing required attribute | Verify userName and email mappings in IdP |
| Server Error | 500 | Navan platform issue | Retry with backoff; check Navan status page |
## Examples
**Python — User audit with CSV export:**
```python
import requests
import csv
import os
base_url = os.environ.get('NAVAN_BASE_URL', 'https://api.navan.com')
auth = requests.post(f'{base_url}/ta-auth/oauth/token', data={
'grant_type': 'client_credentials',
'client_id': os.environ['NAVAN_CLIENT_ID'],
'client_secret': os.environ['NAVAN_CLIENT_SECRET'],
})
headers = {'Authorization': f'Bearer {auth.json()["access_token"]}'}
# Retrieve bookings and extract user data
resp = requests.get(f'{base_url}/v1/bookings', params={'page': 0, 'size': 50}, headers=headers).json()
bookings = resp['data']
# Deduplicate users from booking records
users = list({b.get('traveler_email'): b for b in bookings}.values())
with open('navan-user-audit.csv', 'w', newline='') as f:
writer = csv.DictWriter(f, fieldnames=[
'email', 'role', 'department', 'cost_center', 'manager', 'policy'
])
writer.writeheader()
for u in users:
writer.writerow({
'email': u.get('email'),
'role': u.get('role'),
'department': u.get('department', ''),
'cost_center': u.get('cost_center', ''),
'manager': u.get('manager_email', ''),
'policy': u.get('travel_policy_name', ''),
})
print(f'Exported {len(users)} users to navan-user-audit.csv')
```
## Resources
- [Navan Help Center](https://app.navan.com/app/helpcenter) — Official documentation and support
- [Navan Integrations](https://navan.com/integrations) — Okta, Entra ID, BambooHR, Workday, ADP connectors
- [Booking Data Integration](https://app.navan.com/app/helpcenter/articles/travel/admin/other-integrations/booking-data-integration) — Data export and user management
## Next Steps
After configuring entities, proceed to `navan-core-workflow-a` for travel booking workflows or `navan-enterprise-rbac` for role-based access control.Related Skills
windsurf-license-management
Manage Windsurf licenses and seat allocation. Activate when users mention "license management", "seat allocation", "billing optimization", "user licenses", or "subscription management". Handles license administration. Use when working with windsurf license management functionality. Trigger with phrases like "windsurf license management", "windsurf management", "windsurf".
windsurf-dependency-management
Analyze and update dependencies with vulnerability scanning. Activate when users mention "update dependencies", "security audit", "npm audit", "vulnerability scan", or "dependency updates". Handles dependency analysis and updates. Use when working with windsurf dependency management functionality. Trigger with phrases like "windsurf dependency management", "windsurf management", "windsurf".
sentry-release-management
Manage Sentry releases with versioning, commit association, and source map uploads. Use when creating releases, linking commits to errors, uploading release artifacts, monitoring release health, or cleaning up old releases. Trigger with phrases like "sentry release", "create sentry version", "sentry source maps", "sentry suspect commits", "release health".
notion-content-management
Create, update, archive, and compose Notion pages and block content. Use when building pages programmatically, appending rich content blocks, updating page properties, or managing page lifecycle (archive/restore). Trigger with phrases like "notion create page", "notion add blocks", "notion update page", "notion archive page", "notion content", "notion block types", "notion rich text".
navan-webhooks-events
Set up webhook listeners for real-time Navan event notifications. Use when you need to receive booking, expense, or travel disruption events from Navan. Trigger with "navan webhooks", "navan events", "navan webhook setup".
navan-upgrade-migration
Use when handling Navan API changes in production — defensive coding patterns, schema validation, deprecation monitoring, and gradual rollout strategies for unversioned APIs. Trigger with "navan upgrade migration" or "navan api change handling".
navan-security-basics
Secure Navan API credentials with OAuth 2.0 best practices, SSO/SAML, and SCIM provisioning. Use when hardening a Navan integration, rotating credentials, or configuring identity provider SSO. Trigger with "navan security", "navan sso", "navan credentials", "navan scim".
navan-sdk-patterns
Build a typed API wrapper around Navan REST endpoints since no official SDK exists. Use when you need production-grade API access with auto token refresh, retry logic, and typed responses. Trigger with "navan sdk patterns", "navan api wrapper", "navan client class", "navan typed client".
navan-reference-architecture
Use when designing a production Navan API integration architecture — API gateway, token management, data sync pipelines, ERP connectors, and monitoring stack. Trigger with "navan reference architecture" or "navan integration architecture".
navan-rate-limits
Implement adaptive rate-limiting for the Navan REST API with exponential backoff and request queuing. Use when building bulk data operations or encountering 429 errors from Navan. Trigger with "navan rate limits", "navan throttling", "navan 429".
navan-prod-checklist
Use when validating production readiness for a Navan API integration — credential rotation, alerting, rate limits, SSO, SCIM, and compliance audit trails. Trigger with "navan prod checklist" or "navan production readiness".
navan-performance-tuning
Use when optimizing Navan API call patterns for high-volume integrations — caching, batching, connection pooling, and pagination strategies. Trigger with "navan performance tuning" or "navan api optimization" or "navan caching".