SCIM
Configuring SCIM integrations for Veza Lifecycle Management.
Overview
The Veza SCIM integration enables automated user lifecycle management for any application that supports the System for Cross-domain Identity Management (SCIM) protocol. SCIM provides a standardized approach for provisioning, updating, and de-provisioning users and groups across diverse applications including Atlassian products, Egnyte, Sigma Computing, and many others.
SYNC_IDENTITIES: Synchronizes identity attributes between systems, with options to create new identities and update existing ones ✅
MANAGE_RELATIONSHIPS: Controls entitlements such as group memberships and role assignments for identities ✅
DEPROVISION_IDENTITY: Safely removes or disables access for identities ✅
CREATE_ENTITLEMENT: Creates entitlements such as groups ✅
This document includes steps to enable SCIM integrations for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.
Enabling Lifecycle Management for SCIM
Prerequisites
You will need administrative access in Veza to configure the integration and appropriate permissions in the target SCIM application.
Ensure you have an existing SCIM integration in Veza or add a new one for use with Lifecycle Management.
Verify your SCIM integration has completed at least one successful extraction.
The SCIM integration will need the required API permissions:
Read permissions: scim:read or equivalent for user and group discovery
Write permissions: scim:write or equivalent for provisioning operations
Specific endpoints: Access to /Users and /Groups endpoints
Important: SCIM applications have varying permission models. Consult your specific application's documentation for the exact scopes or permissions required for SCIM operations.
Configuration Steps
To enable the integration:
In Veza, go to the Integrations overview
Search for or create a SCIM integration
Check the box to Enable usage for Lifecycle Management
Configure the extraction schedule to ensure your SCIM data remains current:
Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for your SCIM integration in the Active Overrides section
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled
Supported Actions
SCIM integrations can be targets for identity management actions, receiving provisioning commands from Veza based on changes in external sources of truth or as part of automated workflows.
The integration supports the following lifecycle management Actions:
Sync Identities
Primary action for user management (creating or updating users):
Username (user_name) is required and serves as the unique identifier
Email addresses are managed through the SCIM emails array
User activation/deactivation is controlled via the active attribute
Custom attributes are mapped according to SCIM schema extensions
The following attributes can be synchronized:
Manage Relationships
Group membership management with full add/remove capabilities:
Add users to groups for role-based access control
Remove users from groups during role changes or de-provisioning
Support for nested group structures where the SCIM provider allows
Relationship changes are immediate and reflected in the target application
Deprovision Identity
When a user is deprovisioned:
User account is deactivated (sets active: false)
Group memberships are automatically removed
Account can be reactivated if needed
User data is preserved for audit purposes
Note: Some SCIM implementations support hard deletion while others only support deactivation. The SCIM integration uses deactivation by default for data preservation.
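The request bodies behind Sync Identities and Deprovision Identity, plus a check for group membership left behind after deprovisioning, as an added example (not Veza's code). It uses the standard SCIM 2.0 messages from RFC 7643/7644 and assumes the page's user_name corresponds to the SCIM userName attribute; the sample user, groups and ids are constructed.

```python
import json

# Schema URNs defined by SCIM 2.0 (RFC 7643 core schema, RFC 7644 protocol).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def build_user(user_name, email, active=True):
    """Body for POST /Users: userName is the unique key, emails is an array."""
    if not user_name:
        raise ValueError("userName is required")
    return {"schemas": [USER_SCHEMA], "userName": user_name, "active": active,
            "emails": [{"value": email, "type": "work", "primary": True}]}


def deactivate_patch():
    """Body for PATCH /Users/{id}: soft deprovisioning via active=false."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def remove_member_patch(user_id):
    """Body for PATCH /Groups/{id}: drop one member, leave the rest intact."""
    # SCIM filter values follow JSON string rules, so json.dumps quotes and
    # escapes the id and it cannot change the meaning of the filter.
    path = f"members[value eq {json.dumps(user_id)}]"
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "remove", "path": path}]}


def residual_access(user, groups):
    """Findings for a user that should be deactivated and in no group."""
    findings = []
    if user.get("active", True):
        findings.append("user still active")
    for group in groups:
        if any(m.get("value") == user["id"] for m in group.get("members", [])):
            findings.append(f"still member of {group['displayName']}")
    return findings


# Constructed sample data: a deactivated user left behind in one group.
user = dict(build_user("jdoe@example.com", "jdoe@example.com", active=False), id="u-1001")
groups = [{"id": "g-1", "displayName": "jira-admins", "members": [{"value": "u-1001"}]},
          {"id": "g-2", "displayName": "finance", "members": [{"value": "u-2002"}]}]
print(residual_access(user, groups))
```

Running `residual_access` over the User and Group resources read back from the target after a deprovisioning run shows whether deactivation and membership removal both took effect in that SCIM implementation.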
Create Entitlement
Entity Types: SCIM Groups
Assignee Types: SCIM Users
Supports Relationship Removal: Yes
Within SCIM applications, groups can be associated with:
Application-specific permissions and roles
Resource access controls
Team or organizational structures
Custom entitlements defined by the SCIM provider
Supported SCIM Applications
The following applications are validated to work with Veza's SCIM Lifecycle Management:
Enterprise Applications
Atlassian Products (Jira Cloud, Confluence Cloud, Bitbucket Cloud)
SCIM Endpoint: https://{domain}.atlassian.net/scim/directory/{directory-id}
Full user and group provisioning support
Egnyte
SCIM Endpoint: https://{domain}.egnyte.com/pubapi/scim/v2
User provisioning and group management
Sigma Computing
SCIM Endpoint: https://aws-api.sigmacomputing.com/scim/v2
User lifecycle and team assignment
Development & Collaboration Tools
Fivetran
SCIM Endpoint: https://api.fivetran.com/scim/v2
User and group provisioning
Harness
SCIM Endpoint: https://app.harness.io/gateway/ng/api/scim/account/{accountid}
User management and role assignment
Zapier
SCIM Endpoint: https://zapier.com/scim/v2
User provisioning and team management
Security & Infrastructure
Twingate
SCIM Endpoint: https://{domain}.twingate.com/api/scim/v2
User provisioning and group assignment
ThousandEyes
SCIM Endpoint: https://api.thousandeyes.com/scim
User management (groups via custom implementation)
Workflow Examples
New Employee Onboarding
When a new employee joins (triggered by HR system changes):
Identity Sync: Create user account in SCIM application with basic attributes
Email Setup: Configure primary email and secondary contacts
Group Assignment: Add user to department and role-based groups automatically
Access Verification: Confirm user can access application and assigned resources
Role Change Management
When an employee changes roles or departments:
Attribute Update: Sync new job title, department, and manager information
Group Reassignment: Remove old role groups, add new role groups
Access Review: Verify appropriate access levels for new position
Notification: Alert managers and IT of completed changes
Employee Offboarding
When an employee leaves the organization:
Account Deactivation: Set user status to inactive in SCIM application
Group Removal: Remove all group memberships and access rights
Data Preservation: Maintain account record for audit and compliance
Manager Notification: Alert appropriate stakeholders of access removal
Bulk User Management
For large-scale provisioning operations:
Batch Processing: Create multiple users efficiently through SCIM bulk operations
Group Pre-creation: Establish organizational groups before user assignment
Validation: Verify all users are created with correct attributes and memberships
Rollback Capability: Support for reversing bulk operations if needed