SCIM

Configuring SCIM integrations for Veza Lifecycle Management.

Overview

The Veza SCIM integration enables automated user lifecycle management for any application that supports the System for Cross-domain Identity Management (SCIM) protocol. SCIM provides a standardized approach for provisioning, updating, and de-provisioning users and groups across diverse applications including Atlassian products, Egnyte, Sigma Computing, and many others.

Action Type | Description | Supported
--- | --- | ---
SYNC_IDENTITIES | Synchronizes identity attributes between systems, with options to create new identities and update existing ones |
MANAGE_RELATIONSHIPS | Controls entitlements such as group memberships and role assignments for identities |
DEPROVISION_IDENTITY | Safely removes or disables access for identities |
CREATE_ENTITLEMENT | Creates entitlements such as groups |

This document includes steps to enable SCIM integrations for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for SCIM

Prerequisites

  1. You will need administrative access in Veza to configure the integration and appropriate permissions in the target SCIM application.

  2. Ensure you have an existing SCIM integration in Veza or add a new one for use with Lifecycle Management.

  3. Verify that your SCIM integration has completed at least one successful extraction.

  4. The SCIM integration needs the following API permissions:

    • Read permissions: scim:read or equivalent, for user and group discovery

    • Write permissions: scim:write or equivalent, for provisioning operations

    • Endpoints: access to the /Users and /Groups endpoints

Important: SCIM applications have varying permission models. Consult your specific application's documentation for the exact scopes or permissions required for SCIM operations.

Configuration Steps

To enable the integration:

  1. In Veza, go to the Integrations overview

  2. Search for or create a SCIM integration

  3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your SCIM data remains current:

  1. Go to Veza Administration > System Settings

  2. In Pipeline > Extraction Interval, set your preferred interval

  3. Optionally, set a custom override for your SCIM integration in the Active Overrides section

To verify the health of the Lifecycle Management data source:

  1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

  2. Search for the integration and click the name to view details

  3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

SCIM integrations can be targets for identity management actions, receiving provisioning commands from Veza based on changes in external sources of truth or as part of automated workflows.

The integration supports the following Lifecycle Management actions:

Sync Identities

Primary action for user management (creating or updating users):

  • Username (user_name) is required and serves as the unique identifier

  • Email addresses are managed through the SCIM emails array

  • User activation/deactivation is controlled via the active attribute

  • Custom attributes are mapped according to SCIM schema extensions

The following attributes can be synchronized:

SCIM User Attributes

Property | Required | Type | Description | Notes
--- | --- | --- | --- | ---
user_name | Yes | String | Primary login identifier | Unique identifier, often email
emails | No | String | User's primary email address | Comma-separated for multiple emails
display_name | No | String | User's display name | Full name for UI presentation
title | No | String | Job title | Professional title/role
nick_name | No | String | User's nickname | Informal name or alias
active | No | Boolean | User account status | Controls account activation
external_id | No | String | External system identifier | For cross-system identity mapping
id | No | String | SCIM system identifier | Auto-generated by SCIM provider

Manage Relationships

Group membership management with full add/remove capabilities:

  • Add users to groups for role-based access control

  • Remove users from groups during role changes or de-provisioning

  • Support for nested group structures where the SCIM provider allows

  • Relationship changes are immediate and are reflected in the target application

Deprovision Identity

When a user is deprovisioned:

  • The user account is deactivated (active is set to false)

  • Group memberships are automatically removed

  • The account can be reactivated if needed

  • User data is preserved for audit purposes

Note: Some SCIM implementations support hard deletion while others only support deactivation. The SCIM integration uses deactivation by default for data preservation.
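The following is an added example, not Veza's code or part of this page: it maps the property names from the SCIM User Attributes table onto a SCIM 2.0 User resource (the comma-separated emails value becomes the SCIM emails array) and builds the PATCH bodies that correspond to the Deprovision Identity behaviour above (set active to false, then remove a group membership). The JSON shapes follow RFC 7643/7644; the sample input is constructed.

```python
# Added example (not Veza's code): map the property names in the table above
# onto a SCIM 2.0 User resource (RFC 7643) and build the PATCH bodies used
# when deprovisioning (deactivate, then drop group memberships).
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Veza property -> SCIM attribute, for the single-valued attributes in the table
SIMPLE_MAP = {
    "user_name": "userName", "display_name": "displayName", "title": "title",
    "nick_name": "nickName", "external_id": "externalId", "active": "active",
}

def build_user_resource(attrs: dict) -> dict:
    """Build a SCIM User body; user_name is required, 'emails' is the
    comma-separated string from the table and becomes the emails array."""
    if not attrs.get("user_name"):
        raise ValueError("user_name is required (unique identifier)")
    resource = {"schemas": [USER_SCHEMA]}
    for veza_name, scim_name in SIMPLE_MAP.items():
        if attrs.get(veza_name) is not None:
            resource[scim_name] = attrs[veza_name]
    if attrs.get("emails"):
        addresses = [a.strip() for a in attrs["emails"].split(",") if a.strip()]
        # first address is the primary; SCIM allows at most one primary=true
        resource["emails"] = [{"value": a, "type": "work", "primary": i == 0}
                              for i, a in enumerate(addresses)]
    return resource

def build_deprovision_patch() -> dict:
    """Deactivate instead of DELETE: the default behaviour described above."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def build_group_removal_patch(user_id: str) -> dict:
    """Remove one member from a SCIM Group by the user's SCIM id (RFC 7644 filter path)."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "remove",
                            "path": f'members[value eq "{user_id}"]'}]}

if __name__ == "__main__":  # constructed sample input
    sample = {"user_name": "jdoe@example.com", "display_name": "Jane Doe",
              "emails": "jdoe@example.com, jane@example.com", "active": True}
    print(json.dumps(build_user_resource(sample), indent=2))
    print(json.dumps(build_deprovision_patch()))
```

Whether the provider honours a PATCH on active, or requires a full PUT, varies by application; confirm it against the provider's /ServiceProviderConfig before relying on deactivation.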

Create Entitlement

  • Entity Types: SCIM Groups

  • Assignee Types: SCIM Users

  • Supports Relationship Removal: Yes

Within SCIM applications, groups can be associated with:

  • Application-specific permissions and roles

  • Resource access controls

  • Team or organizational structures

  • Custom entitlements defined by the SCIM provider

SCIM Group Attributes

Property | Required | Type | Description
--- | --- | --- | ---
display_name | Yes | String | Group display name
id | No | String | SCIM system identifier
external_id | No | String | External system identifier
group_type | No | String | Group classification
description | No | String | Group purpose description

Supported SCIM Applications

The following applications are validated to work with Veza's SCIM Lifecycle Management:

Enterprise Applications

  • Atlassian Products (Jira Cloud, Confluence Cloud, Bitbucket Cloud)

    • SCIM Endpoint: https://{domain}.atlassian.net/scim/directory/{directory-id}

    • Full user and group provisioning support

  • Egnyte

    • SCIM Endpoint: https://{domain}.egnyte.com/pubapi/scim/v2

    • User provisioning and group management

  • Sigma Computing

    • SCIM Endpoint: https://aws-api.sigmacomputing.com/scim/v2

    • User lifecycle and team assignment

Development & Collaboration Tools

  • Fivetran

    • SCIM Endpoint: https://api.fivetran.com/scim/v2

    • User and group provisioning

  • Harness

    • SCIM Endpoint: https://app.harness.io/gateway/ng/api/scim/account/{accountid}

    • User management and role assignment

  • Zapier

    • SCIM Endpoint: https://zapier.com/scim/v2

    • User provisioning and team management

Security & Infrastructure

  • Twingate

    • SCIM Endpoint: https://{domain}.twingate.com/api/scim/v2

    • User provisioning and group assignment

  • ThousandEyes

    • SCIM Endpoint: https://api.thousandeyes.com/scim

    • User management (groups via custom implementation)

Workflow Examples

New Employee Onboarding

When a new employee joins (triggered by HR system changes):

  1. Identity Sync: Create user account in SCIM application with basic attributes

  2. Email Setup: Configure primary email and secondary contacts

  3. Group Assignment: Add user to department and role-based groups automatically

  4. Access Verification: Confirm user can access application and assigned resources

Role Change Management

When an employee changes roles or departments:

  1. Attribute Update: Sync new job title, department, and manager information

  2. Group Reassignment: Remove old role groups, add new role groups

  3. Access Review: Verify appropriate access levels for new position

  4. Notification: Alert managers and IT of completed changes

Employee Offboarding

When an employee leaves the organization:

  1. Account Deactivation: Set user status to inactive in SCIM application

  2. Group Removal: Remove all group memberships and access rights

  3. Data Preservation: Maintain account record for audit and compliance

  4. Manager Notification: Alert appropriate stakeholders of access removal

Bulk User Management

For large-scale provisioning operations:

  1. Batch Processing: Create multiple users efficiently through SCIM bulk operations

  2. Group Pre-creation: Establish organizational groups before user assignment

  3. Validation: Verify all users are created with correct attributes and memberships

  4. Rollback Capability: Support for reversing bulk operations if needed
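An added example, not Veza's code or part of this page, for the Batch Processing and Rollback Capability steps above: it reads what the SCIM provider advertises in /ServiceProviderConfig (RFC 7643 section 5), splits user creations into BulkRequest bodies no larger than bulk.maxOperations, sets failOnErrors so a failing batch stops early, and falls back to one POST /Users per user when the provider does not support /Bulk. The ServiceProviderConfig document and user names are constructed.

```python
# Added example (not Veza's code): plan the "Batch Processing" step against
# what the provider advertises in /ServiceProviderConfig (RFC 7643 section 5),
# so a bulk run never exceeds bulk.maxOperations and falls back to one
# POST /Users per user when /Bulk is not supported.
import json

BULK_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed ServiceProviderConfig; a real provider may report "supported": false
SAMPLE_CONFIG = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
  "patch": {"supported": true},
  "bulk": {"supported": true, "maxOperations": 2, "maxPayloadSize": 1048576}
}""")

def bulk_limits(config: dict) -> tuple:
    """Return (bulk_supported, max_operations) from a ServiceProviderConfig."""
    bulk = config.get("bulk", {})
    if not bulk.get("supported", False):
        return False, 0
    return True, int(bulk.get("maxOperations", 0))

def plan_user_creation(user_names: list, config: dict) -> list:
    """Return the request bodies to send: BulkRequest chunks sized to
    maxOperations, or plain POST /Users bodies when bulk is unsupported."""
    supported, max_ops = bulk_limits(config)
    if not supported or max_ops < 1:
        return [{"method": "POST", "path": "/Users",
                 "data": {"schemas": [USER_SCHEMA], "userName": n}} for n in user_names]
    bodies = []
    for start in range(0, len(user_names), max_ops):
        chunk = user_names[start:start + max_ops]
        bodies.append({
            "schemas": [BULK_SCHEMA],
            # stop the batch at the first error so partial results are easy to reverse
            "failOnErrors": 1,
            "Operations": [{"method": "POST", "path": "/Users", "bulkId": f"user{start + i}",
                            "data": {"schemas": [USER_SCHEMA], "userName": n}}
                           for i, n in enumerate(chunk)],
        })
    return bodies

if __name__ == "__main__":  # constructed sample input
    names = ["a@example.com", "b@example.com", "c@example.com"]
    for body in plan_user_creation(names, SAMPLE_CONFIG):
        print(json.dumps(body))
```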
