SCIM
Configuring SCIM integrations for Veza Lifecycle Management.
Overview
The Veza SCIM integration enables automated user lifecycle management for any application that supports the System for Cross-domain Identity Management (SCIM) protocol. SCIM provides a standardized approach for provisioning, updating, and deprovisioning users and groups across diverse applications including Atlassian products, Egnyte, Sigma Computing, and many others.
Direct SCIM vs. OAA SCIM Integration
This guide covers direct SCIM integrations where Veza connects directly to an application's SCIM endpoints. For custom applications built with the Open Authorization API (OAA) that expose SCIM endpoints, see Custom Application with SCIM (OAA).
Use direct SCIM when connecting to standard SaaS applications with native SCIM support, and you only need user and group provisioning without complex entity modeling.
Use OAA SCIM when integrating custom or home-grown applications via OAA and you need comprehensive visibility beyond users and groups (permissions, resources, etc.).
Action | Description | Supported
SYNC_IDENTITIES | Synchronizes identity attributes between systems, with options to create new identities and update existing ones | ✅
MANAGE_RELATIONSHIPS | Controls entitlements such as group memberships and role assignments for identities | ✅
DEPROVISION_IDENTITY | Safely removes or disables access for identities | ✅
CREATE_ENTITLEMENT | Creates entitlements such as groups | ✅
This document includes steps to enable SCIM integrations for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.
Enabling Lifecycle Management for SCIM
Prerequisites
You will need administrative access in Veza to configure the integration and appropriate permissions in the target SCIM application.
Ensure you have an existing SCIM integration in Veza or add a new one for use with Lifecycle Management.
Verify your SCIM integration has completed at least one successful extraction.
The SCIM integration will need the required API permissions:
Read permissions: scim:read or equivalent for user and group discovery
Write permissions: scim:write or equivalent for provisioning operations
Specific endpoints: Access to the /Users and /Groups endpoints
Schema endpoint (optional): Access to /Schemas for extension attribute discovery
For Enterprise Extension attributes: Enable SCIM Extension Schemas in your SCIM integration configuration to extract and synchronize attributes like department, division, employeeNumber, and manager.
Important: SCIM applications have varying permission models. Consult your specific application's documentation for the exact scopes or permissions required for SCIM operations.
Configuration Steps
To enable the integration:
In Veza, go to the Integrations overview
Search for or create a SCIM integration
Check the box to Enable usage for Lifecycle Management
Configure the extraction schedule to ensure your SCIM data remains current:
Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for your SCIM integration in the Active Overrides section
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled
Supported Actions
SCIM integrations can be targets for identity management actions, receiving provisioning commands from Veza based on changes in external sources of truth or as part of automated workflows.
The integration supports the following lifecycle management Actions:
Sync Identities
Primary action for user management (creating or updating users):
Username (user_name) is required and serves as the unique identifier
Email addresses are managed through the SCIM emails array
User activation/deactivation is controlled via the active attribute
Custom attributes are mapped according to SCIM schema extensions
Veza supports comprehensive SCIM 2.0 user attributes for both read-only data extraction (Access Graph) and bidirectional synchronization (Lifecycle Management). The tables below indicate which attributes support LCM synchronization (✅) versus read-only extraction (📖).
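Added example (not Veza code) of the user-management rules in the Sync Identities bullets above: building a SCIM 2.0 User body with a required userName, a typed emails array and a boolean active flag, and flattening a fetched User back to the simplified names (user_name, email, display_name, title) that this page uses for LCM transformers. The validation rules and function names are this example's assumptions.

```python
import re

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse sanity check only


def build_scim_user(user_name, emails, active=True, given_name=None,
                    family_name=None, display_name=None, title=None):
    """Return the JSON body for POST /Users. user_name is the required unique
    identifier; emails is a list of (address, type, primary) tuples that become
    the SCIM 'emails' array."""
    if not user_name or not user_name.strip():
        raise ValueError("userName is required and must be non-empty")
    if not isinstance(active, bool):
        # A string such as "false" would serialise as text, not as a JSON flag.
        raise ValueError("active must be a real boolean")
    email_objs = []
    for address, etype, primary in emails:
        if not _EMAIL_RE.match(address):
            raise ValueError(f"malformed email address: {address!r}")
        email_objs.append({"value": address, "type": etype, "primary": bool(primary)})
    if sum(e["primary"] for e in email_objs) > 1:
        raise ValueError("at most one email may be marked primary")
    user = {"schemas": [CORE_USER], "userName": user_name,
            "active": active, "emails": email_objs}
    name = {k: v for k, v in (("givenName", given_name),
                              ("familyName", family_name)) if v}
    if name:
        user["name"] = name
    for key, value in (("displayName", display_name), ("title", title)):
        if value:
            user[key] = value
    return user


def to_lcm_view(scim_user):
    """Flatten a SCIM User (e.g. a GET /Users/{id} response) into the simplified
    names this page lists for LCM transformers (user_name, email, ...)."""
    emails = scim_user.get("emails", [])
    primary = next((e["value"] for e in emails if e.get("primary")), None)
    return {
        "user_name": scim_user["userName"],
        "email": primary or (emails[0]["value"] if emails else None),
        "display_name": scim_user.get("displayName"),
        "title": scim_user.get("title"),
        "active": scim_user.get("active", True),
    }
```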
Core User Attributes
Veza supports all standard SCIM 2.0 core user attributes, organized by functional category:
Attribute | Required | Type | LCM Support | Description
Identity & Authentication
userName | Yes | String | ✅ | Primary login identifier, unique across the system
id | No | String | ✅ | SCIM system identifier (auto-generated, read-only after creation)
externalId | No | String | ✅ | External system identifier for cross-system identity mapping
active | No | Boolean | ✅ | User account status (controls activation/deactivation)
Contact Information
emails | No | Array | ✅ | Email addresses (can include multiple with type indicators)
phoneNumbers | No | Array | ✅ | Phone numbers (supports multiple with type indicators)
addresses | No | Array | ✅ | Physical addresses (supports multiple with type indicators)
ims | No | Array | ✅ | Instant messaging addresses
photos | No | Array | ✅ | Photo URLs
Personal Information
displayName | No | String | ✅ | User's display name (full name for UI presentation)
name.givenName | No | String | ✅ | First name
name.familyName | No | String | ✅ | Last name
name.middleName | No | String | ✅ | Middle name
name.formatted | No | String | ✅ | Formatted full name
nickName | No | String | ✅ | User's nickname or informal name
Professional Information
title | No | String | ✅ | Job title or professional role
userType | No | String | ✅ | User classification (e.g., Employee, Contractor)
locale | No | String | ✅ | User's locale preference (e.g., en-US)
timezone | No | String | ✅ | User's timezone (e.g., America/New_York)
preferredLanguage | No | String | ✅ | Preferred language code (e.g., en, es)
profileUrl | No | String | ✅ | URL to user's profile
System Metadata
meta.created | No | DateTime | 📖 | Account creation timestamp (read-only)
meta.lastModified | No | DateTime | 📖 | Last modification timestamp (read-only)
Multi-valued Attributes: Attributes like emails, phoneNumbers, and addresses support multiple values with type indicators (e.g., work, home, other). Veza supports full create, update, and delete operations for these multi-valued fields.
Enterprise Extension Attributes
Veza supports the SCIM Enterprise User Extension schema (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User) for both extraction and LCM synchronization:
Attribute | Type | LCM Support | Description
employeeNumber | String | ✅ | Organization's employee identifier
costCenter | String | ✅ | Cost center assignment
organization | String | ✅ | Organization name
division | String | ✅ | Division within the organization
department | String | ✅ | Department assignment
manager | Complex | ✅ | Manager reference (contains value, $ref, displayName)
To extract and synchronize Enterprise Extension attributes, you must enable SCIM Extension Schemas in your SCIM integration configuration. This option enables Veza to call the /Schemas endpoint and discover extension attributes.
Custom Extension Attributes
Veza automatically discovers and extracts all custom vendor-specific SCIM extension attributes for read-only purposes:
Extraction Capabilities:
Veza calls the SCIM /Schemas endpoint to discover all available schemas (requires SCIM Extension Schemas enabled in integration configuration)
Custom extension schemas are automatically identified and extracted
Extension attributes appear in the Veza Access Graph for search and analysis
All data types are supported (string, boolean, number, dateTime, complex)
LCM Synchronization:
Custom vendor extensions can be synchronized through LCM workflows when SCIM Extension Schemas is enabled by referencing the normalized attribute name (visible as a custom property in Access Graph).
Veza automatically maps the normalized name back to the proper SCIM extension structure using the reverse index
For example, targeting scim_extension_vendor_customfield in an attribute transformer will transmit the corresponding SCIM extension via the API.
Example Custom Extensions:
Vendor-specific user attributes (e.g., Atlassian organization roles)
Custom application properties
Industry-specific fields (e.g., healthcare credentials, financial certifications)
Custom extension synchronization requires SCIM Extension Schemas to be enabled. This builds an index that maps normalized attribute names to their original SCIM schema structure.
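Added example (not Veza code) of the index described above: discovering extension attributes from a /Schemas response, deriving flat normalized names, and mapping a name such as scim_extension_vendor_customfield back to its schema URN and attribute when building a SCIM payload. The normalization rule, the vendor schema URN and the /Schemas sample are this example's constructed assumptions; Veza's actual naming scheme is not documented on this page.

```python
import re

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
VENDOR = "urn:scim:schemas:extension:vendor:1.0:User"  # hypothetical vendor schema

# Constructed stand-in for a GET /Schemas response (only the fields used here).
SCHEMAS_RESPONSE = {"Resources": [
    {"id": CORE_USER, "attributes": [{"name": "userName"}, {"name": "active"}]},
    {"id": ENTERPRISE, "attributes": [{"name": "employeeNumber"}, {"name": "department"},
                                      {"name": "manager"}]},
    {"id": VENDOR, "attributes": [{"name": "customField"}, {"name": "orgRole"}]},
]}

def normalize(schema_urn, attr_name):
    """Flat name for an extension attribute. The rule (scim_extension_ + the URN
    token after 'extension' + the attribute, lower-cased) is this example's
    assumption, chosen so VENDOR/customField becomes scim_extension_vendor_customfield."""
    parts = schema_urn.split(":")
    vendor = parts[parts.index("extension") + 1]
    clean = lambda s: re.sub(r"[^a-z0-9]+", "_", s.lower())
    return f"scim_extension_{clean(vendor)}_{clean(attr_name)}"

def build_reverse_index(schemas_response):
    """normalized name -> (schema URN, attribute name), extension schemas only."""
    index = {}
    for schema in schemas_response["Resources"]:
        urn = schema["id"]
        if "extension" not in urn.split(":"):
            continue  # core attributes keep their plain names
        for attr in schema["attributes"]:
            index[normalize(urn, attr["name"])] = (urn, attr["name"])
    return index

def expand(flat_attrs, index):
    """Rebuild the nested SCIM structure from flat attribute values; unknown
    scim_extension_* names raise instead of being silently dropped."""
    payload = {"schemas": [CORE_USER]}
    for key, value in flat_attrs.items():
        if not key.startswith("scim_extension_"):
            payload[key] = value  # core attribute, passed through unchanged
            continue
        if key not in index:
            raise KeyError(f"{key} not in /Schemas index; is Extension Schemas enabled?")
        urn, attr = index[key]
        if urn not in payload["schemas"]:
            payload["schemas"].append(urn)
        payload.setdefault(urn, {})[attr] = value
    return payload
```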
Using Extension Attributes in LCM Workflows
Extension attributes must be referenced by their normalized names in LCM attribute transformers.
Core SCIM attributes use simplified names:
user_name, display_name, email, title, department, division, etc.
Extension attributes require full normalized names:
Example: Enterprise Extension Attributes
Example: Custom Vendor Extensions
Manage Relationships
Group membership management with full add/remove capabilities:
Add users to groups for role-based access control
Remove users from groups during role changes or de-provisioning
Support for nested group structures where the SCIM provider allows
Relationship changes are immediate and reflected in target application
Deprovision Identity
When a user is deprovisioned:
User account is deactivated (sets active: false)
Group memberships are automatically removed
Account can be reactivated if needed
User data is preserved for audit purposes
Note: Some SCIM implementations support hard deletion while others only support deactivation. The SCIM integration uses deactivation by default for data preservation.
Create Entitlement
Entity Types: SCIM Groups
Assignee Types: SCIM Users
Supports Relationship Removal: Yes
Within SCIM applications, groups can be associated with:
Application-specific permissions and roles
Resource access controls
Team or organizational structures
Custom entitlements defined by the SCIM provider
SCIM Group Attributes
Veza supports all standard SCIM 2.0 group attributes for both extraction and LCM operations:
Attribute | Required | Type | LCM Support | Description
displayName | Yes | String | ✅ | Group display name (unique identifier)
id | No | String | ✅ | SCIM system identifier (auto-generated, read-only after creation)
externalId | No | String | ✅ | External system identifier for cross-system group mapping
groupType | No | String | ✅ | Group classification or category
description | No | String | ✅ | Group purpose or description
members | No | Array | ✅ | Group members (contains user references with value and display properties)
Group Membership Management: Veza supports both adding and removing members from groups through the Manage Relationships action. The members attribute contains an array of user references, each with a value (user ID) and optional display (user's display name) property.
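Added example (not Veza code) of the SCIM PATCH bodies behind the Deprovision Identity and Manage Relationships actions described above: deactivating a user, adding members to a group, and removing a member by a value filter, all in the RFC 7644 PatchOp format. The deprovision_plan helper, its request ordering and the sample group data are this example's assumptions.

```python
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _envelope(operations):
    return {"schemas": [PATCH_OP], "Operations": operations}


def deactivate_user():
    """Body for PATCH /Users/{id}: the soft deprovision the page defaults to."""
    return _envelope([{"op": "replace", "value": {"active": False}}])


def reactivate_user():
    """Body for PATCH /Users/{id}: reverse of deactivate_user()."""
    return _envelope([{"op": "replace", "value": {"active": True}}])


def remove_member(user_id):
    """Body for PATCH /Groups/{id} removing one member via a value filter.
    Ids containing quotes or backslashes are rejected rather than spliced
    into the filter expression."""
    if '"' in user_id or "\\" in user_id:
        raise ValueError("user id is not safe to embed in a SCIM filter")
    return _envelope([{"op": "remove", "path": f'members[value eq "{user_id}"]'}])


def add_members(members):
    """Body for PATCH /Groups/{id}; members is a list of (user_id, display)."""
    return _envelope([{"op": "add", "path": "members",
                       "value": [{"value": uid, "display": name} for uid, name in members]}])


def deprovision_plan(user_id, groups):
    """Ordered (method, path, body) requests that deprovision user_id.
    groups: group resources (e.g. from GET /Groups) whose members may include
    the user. Deactivation goes first so access is cut even if a later
    group PATCH fails; the membership removals then strip the disabled
    account's remaining entitlements."""
    plan = [("PATCH", f"/Users/{user_id}", deactivate_user())]
    for group in groups:
        if any(m.get("value") == user_id for m in group.get("members", [])):
            plan.append(("PATCH", f"/Groups/{group['id']}", remove_member(user_id)))
    return plan
```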
Supported SCIM Applications
The following applications are validated to work with Veza's SCIM Lifecycle Management:
Enterprise Applications
Atlassian Products (Jira Cloud, Confluence Cloud, Bitbucket Cloud)
SCIM Endpoint: https://{domain}.atlassian.net/scim/directory/{directory-id}
Full user and group provisioning support
Egnyte
SCIM Endpoint: https://{domain}.egnyte.com/pubapi/scim/v2
User provisioning and group management
Sigma Computing
SCIM Endpoint: https://aws-api.sigmacomputing.com/scim/v2
User lifecycle and team assignment
Development & Collaboration Tools
Fivetran
SCIM Endpoint: https://api.fivetran.com/scim/v2
User and group provisioning
Harness
SCIM Endpoint: https://app.harness.io/gateway/ng/api/scim/account/{accountid}
User management and role assignment
Zapier
SCIM Endpoint: https://zapier.com/scim/v2
User provisioning and team management
Security & Infrastructure
Twingate
SCIM Endpoint: https://{domain}.twingate.com/api/scim/v2
User provisioning and group assignment
ThousandEyes
SCIM Endpoint: https://api.thousandeyes.com/scim
User management (groups via custom implementation)
Workflow Examples
New Employee Onboarding
When a new employee joins (triggered by HR system changes):
Identity Sync: Create user account in SCIM application with basic attributes
Email Setup: Configure primary email and secondary contacts
Group Assignment: Add user to department and role-based groups automatically
Access Verification: Confirm user can access application and assigned resources
Role Change Management
When an employee changes roles or departments:
Attribute Update: Sync new job title, department, and manager information
Group Reassignment: Remove old role groups, add new role groups
Access Review: Verify appropriate access levels for new position
Notification: Alert managers and IT of completed changes
Employee Offboarding
When an employee leaves the organization:
Account Deactivation: Set user status to inactive in SCIM application
Group Removal: Remove all group memberships and access rights
Data Preservation: Maintain account record for audit and compliance
Manager Notification: Alert appropriate stakeholders of access removal
Bulk User Management
For large-scale provisioning operations:
Batch Processing: Create multiple users efficiently through SCIM bulk operations
Group Pre-creation: Establish organizational groups before user assignment
Validation: Verify all users are created with correct attributes and memberships
Rollback Capability: Support for reversing bulk operations if needed