SCIM

Configuring SCIM integrations for Veza Lifecycle Management.

Overview

The Veza SCIM integration enables automated user lifecycle management for any application that supports the System for Cross-domain Identity Management (SCIM) protocol. SCIM provides a standardized approach for provisioning, updating, and de-provisioning users and groups across diverse applications including Atlassian products, Egnyte, Sigma Computing, and many others.

Action Type

Description

Supported

SYNC_IDENTITIES

Synchronizes identity attributes between systems, with options to create new identities and update existing ones

✅

MANAGE_RELATIONSHIPS

Controls entitlements such as group memberships and role assignments for identities

✅

DEPROVISION_IDENTITY

Safely removes or disables access for identities

✅

CREATE_ENTITLEMENT

Creates entitlements such as groups

✅

This document includes steps to enable SCIM integrations for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for SCIM

Prerequisites

You will need administrative access in Veza to configure the integration and appropriate permissions in the target SCIM application.
Ensure you have an existing SCIM integration in Veza or add a new one for use with Lifecycle Management.
Verify your SCIM integration has completed at least one successful extraction
The SCIM integration will need the required API permissions:
- Read permissions: scim:read or equivalent for user and group discovery
- Write permissions: scim:write or equivalent for provisioning operations
- Specific endpoints: Access to /Users and /Groups endpoints

Important: SCIM applications have varying permission models. Consult your specific application's documentation for the exact scopes or permissions required for SCIM operations.

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create a SCIM integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your SCIM data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for your SCIM integration in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

SCIM integrations can be targets for identity management actions, receiving provisioning commands from Veza based on changes in external sources of truth or as part of automated workflows.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

Username (user_name) is required and serves as the unique identifier
Email addresses are managed through the SCIM emails array
User activation/deactivation is controlled via the active attribute
Custom attributes are mapped according to SCIM schema extensions

The following attributes can be synchronized:

SCIM User Attributes

Property

Required

Type

Description

Notes

user_name

Yes

String

Primary login identifier

Unique identifier, often email

emails

String

User's primary email address

Comma-separated for multiple emails

display_name

String

User's display name

Full name for UI presentation

title

String

Job title

Professional title/role

nick_name

String

User's nickname

Informal name or alias

active

Boolean

User account status

Controls account activation

external_id

String

External system identifier

For cross-system identity mapping

String

SCIM system identifier

Auto-generated by SCIM provider

Manage Relationships

Group membership management with full add/remove capabilities:

Add users to groups for role-based access control
Remove users from groups during role changes or de-provisioning
Support for nested group structures where the SCIM provider allows
Relationship changes are immediate and reflected in target application

Deprovision Identity

When a user is deprovisioned:

User account is deactivated (sets active: false)
Group memberships are automatically removed
Account can be reactivated if needed
User data is preserved for audit purposes

Note: Some SCIM implementations support hard deletion while others only support deactivation. The SCIM integration uses deactivation by default for data preservation.

Create Entitlement

Entity Types: SCIM Groups
Assignee Types: SCIM Users
Supports Relationship Removal: Yes

Within SCIM applications, groups can be associated with:

Application-specific permissions and roles
Resource access controls
Team or organizational structures
Custom entitlements defined by the SCIM provider

SCIM Group Attributes

Property

Required

Type

Description

display_name

Yes

String

Group display name

String

SCIM system identifier

external_id

String

External system identifier

group_type

String

Group classification

description

String

Group purpose description

Supported SCIM Applications

The following applications are validated to work with Veza's SCIM Lifecycle Management:

Enterprise Applications

Atlassian Products (Jira Cloud, Confluence Cloud, Bitbucket Cloud)
- SCIM Endpoint: https://{domain}.atlassian.net/scim/directory/{directory-id}
- Full user and group provisioning support
Egnyte
- SCIM Endpoint: https://{domain}.egnyte.com/pubapi/scim/v2
- User provisioning and group management
Sigma Computing
- SCIM Endpoint: https://aws-api.sigmacomputing.com/scim/v2
- User lifecycle and team assignment

Development & Collaboration Tools

Fivetran
- SCIM Endpoint: https://api.fivetran.com/scim/v2
- User and group provisioning
Harness
- SCIM Endpoint: https://app.harness.io/gateway/ng/api/scim/account/{accountid}
- User management and role assignment
Zapier
- SCIM Endpoint: https://zapier.com/scim/v2
- User provisioning and team management

Security & Infrastructure

Twingate
- SCIM Endpoint: https://{domain}.twingate.com/api/scim/v2
- User provisioning and group assignment
ThousandEyes
- SCIM Endpoint: https://api.thousandeyes.com/scim
- User management (groups via custom implementation)

Workflow Examples

New Employee Onboarding

When a new employee joins (triggered by HR system changes):

Identity Sync: Create user account in SCIM application with basic attributes
Email Setup: Configure primary email and secondary contacts
Group Assignment: Add user to department and role-based groups automatically
Access Verification: Confirm user can access application and assigned resources

Role Change Management

When an employee changes roles or departments:

Attribute Update: Sync new job title, department, and manager information
Group Reassignment: Remove old role groups, add new role groups
Access Review: Verify appropriate access levels for new position
Notification: Alert managers and IT of completed changes

Employee Offboarding

When an employee leaves the organization:

Account Deactivation: Set user status to inactive in SCIM application
Group Removal: Remove all group memberships and access rights
Data Preservation: Maintain account record for audit and compliance
Manager Notification: Alert appropriate stakeholders of access removal

Bulk User Management

For large-scale provisioning operations:

Batch Processing: Create multiple users efficiently through SCIM bulk operations
Group Pre-creation: Establish organizational groups before user assignment
Validation: Verify all users are created with correct attributes and memberships
Rollback Capability: Support for reversing bulk operations if needed

PreviousSalesforce NextSnowflake

Last updated 3 days ago

Was this helpful?