# Provisioning for SCIM

### Overview

The Veza SCIM integration enables user provisioning and deprovisioning for any application that supports the System for Cross-domain Identity Management (SCIM) protocol. SCIM provides a standardized approach for provisioning, updating, and deprovisioning users and groups across diverse applications including Atlassian products, Egnyte, Sigma Computing, and many others.

{% hint style="info" %}
**Direct SCIM vs. OAA SCIM Integration**

This guide covers **direct SCIM integrations** where Veza connects directly to an application's SCIM endpoints. For **custom applications built with the Open Authorization API (OAA)** that expose SCIM endpoints, see [Custom Application with SCIM (OAA)](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/lifecycle-management/integrations/oaa-scim).

Use direct SCIM when connecting to standard SaaS applications with native SCIM support, and you only need user and group provisioning without complex entity modeling.

Use OAA SCIM when integrating custom or home-grown applications via OAA and you need comprehensive visibility beyond users and groups (permissions, resources, etc.).
{% endhint %}

| Action Type           | Description                                                                                                      | Supported |
| --------------------- | ---------------------------------------------------------------------------------------------------------------- | --------- |
| SYNC\_IDENTITIES      | Synchronizes identity attributes between systems, with options to create new identities and update existing ones | ✅         |
| MANAGE\_RELATIONSHIPS | Controls entitlements such as group memberships and role assignments for identities                              | ✅         |
| DEPROVISION\_IDENTITY | Safely removes or disables access for identities                                                                 | ✅         |
| DELETE\_IDENTITY      | Permanently removes the user account from the SCIM application                                                   | ✅         |
| CREATE\_ENTITLEMENT   | Creates entitlements such as groups                                                                              | ✅         |

This document includes steps to enable SCIM integrations for provisioning, along with supported actions and notes. See [Supported Actions](#supported-actions) for more details.

### Enabling provisioning

#### Prerequisites

1. You will need administrative access in Veza to configure the integration and appropriate permissions in the target SCIM application.
2. Ensure you have an existing [SCIM integration](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/scim) in Veza or add a new one for use with provisioning.
3. Verify your SCIM integration has completed at least one successful extraction.
4. The SCIM integration will need the required API permissions:
   * **Read permissions**: `scim:read` or equivalent for user and group discovery
   * **Write permissions**: `scim:write` or equivalent for provisioning operations
   * **Specific endpoints**: Access to `/Users` and `/Groups` endpoints
   * **Schema endpoint** (optional): Access to `/Schemas` for extension attribute discovery
5. **For Enterprise Extension attributes**: Enable [SCIM Extension Schemas](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/scim/..#scim-extension-schemas) in your SCIM integration configuration to extract and synchronize attributes like `department`, `division`, `employeeNumber`, and `manager`.

**Important**: SCIM applications have varying permission models. Consult your specific application's documentation for the exact scopes or permissions required for SCIM operations.
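Because permission models differ between applications, it is worth checking what the target actually advertises before ticking the provisioning checkbox. The following is an added example, not Veza code and not part of the original page: it reads a constructed `GET /ServiceProviderConfig` response (the capability document every SCIM 2.0 service must publish) and reports, per action type, anything the target does not advertise. The mapping from action type to SCIM capability is this example's own assumption (membership changes and deactivation are modelled as `PATCH`, and finding an existing account by `userName` needs filtering), and `DELETE` support is not advertised anywhere in SCIM, so it still has to be probed separately.

```python
"""Preflight a SCIM 2.0 target's advertised capabilities before enabling it
for provisioning.

Added example, not Veza code. SERVICE_PROVIDER_CONFIG is a constructed
sample of a GET /ServiceProviderConfig response (RFC 7643 section 5); in
practice you would fetch it with the integration's credentials. The mapping
of action types to SCIM capabilities is this example's assumption.
"""
import json

SERVICE_PROVIDER_CONFIG = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
  "patch":  {"supported": true},
  "bulk":   {"supported": false, "maxOperations": 0, "maxPayloadSize": 0},
  "filter": {"supported": true, "maxResults": 200},
  "changePassword": {"supported": false},
  "sort":   {"supported": false},
  "etag":   {"supported": false},
  "authenticationSchemes": [
    {"type": "oauthbearertoken", "name": "OAuth Bearer Token",
     "description": "Authentication scheme using the OAuth Bearer Token Standard"}
  ]
}
""")

# action type -> [(capability, why the action needs it)]  (assumed mapping)
ACTION_REQUIREMENTS = {
    "SYNC_IDENTITIES":      [("filter", "find an existing user by userName before choosing create vs update")],
    "MANAGE_RELATIONSHIPS": [("patch", "add/remove group members without replacing the whole group")],
    "DEPROVISION_IDENTITY": [("patch", "set active=false without replacing the whole user")],
    "CREATE_ENTITLEMENT":   [],
    # DELETE support is not advertised in ServiceProviderConfig; probe it
    # against a throwaway user before enabling DELETE_IDENTITY.
    "DELETE_IDENTITY":      [],
}


def supports(config: dict, capability: str) -> bool:
    """True if the ServiceProviderConfig advertises the capability."""
    entry = config.get(capability)
    return isinstance(entry, dict) and bool(entry.get("supported", False))


def preflight(config: dict, wanted_actions) -> dict:
    """Return {action: [blocking problems]}; an empty list means the target
    advertises everything the action needs."""
    report = {}
    for action in wanted_actions:
        if action not in ACTION_REQUIREMENTS:
            report[action] = [f"unknown action type {action!r}"]
            continue
        report[action] = [
            f"target does not advertise {cap!r} support ({why})"
            for cap, why in ACTION_REQUIREMENTS[action]
            if not supports(config, cap)
        ]
    return report


if __name__ == "__main__":
    for action, problems in preflight(SERVICE_PROVIDER_CONFIG, ACTION_REQUIREMENTS).items():
        print(action, "OK" if not problems else "; ".join(problems))
```

Run it against the real document by replacing `SERVICE_PROVIDER_CONFIG` with the JSON returned by the target; a target that reports `"patch": {"supported": false}` will flag both Manage Relationships and Deprovision Identity, which is the case to raise with the vendor before relying on those actions.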

#### Configuration Steps

To enable the integration:

1. In Veza, go to the **Integrations** overview
2. Search for or create a SCIM integration
3. Check the box to **Enable usage for Provisioning**

Configure the extraction schedule to ensure your SCIM data remains current:

1. Go to Veza **Administration** > **System Settings**
2. In **Pipeline** > **Extraction Interval**, set your preferred interval
3. Optionally, set a custom override for your SCIM integration in the *Active Overrides* section

To verify the health of the provisioning data source:

1. Open **Lifecycle Management** > **Integrations** (in the Products section of the navigation sidebar), or the main **Integrations** page (in the Featured section)
2. Search for the integration and click the name to view details
3. In the **Properties** panel, click the magnifying glass icon under **Lifecycle Management Enabled**

### Supported Actions

SCIM integrations can be *targets* for identity management actions, receiving provisioning commands from Veza based on changes in external sources of truth or as part of automated workflows.

The integration supports the following [Actions](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/lifecycle-management/policies-workflows/actions):

#### Sync Identities

Primary action for user management (creating or updating users):

* Username (`user_name`) is required and serves as the unique identifier
* Email addresses are managed through the SCIM `emails` array
* User activation/deactivation is controlled via the `active` attribute
* Custom attributes are mapped according to SCIM schema extensions

Veza supports comprehensive SCIM 2.0 user attributes for both read-only data extraction (Access Graph) and bidirectional synchronization (provisioning). The tables below indicate which attributes support provisioning synchronization (✅) versus read-only extraction (📖).

<details>

<summary>Core User Attributes</summary>

Veza supports all standard SCIM 2.0 core user attributes, organized by functional category:

**Identity & Authentication**

| Attribute    | Required for provisioning | Type    | Provisioning Sync | Description                                                       |
| ------------ | ------------------------- | ------- | ----------------- | ----------------------------------------------------------------- |
| `userName`   | **Yes**                   | String  | ✅                 | Primary login identifier, unique across the system                |
| `id`         | No                        | String  | ✅                 | SCIM system identifier (auto-generated, read-only after creation) |
| `externalId` | No                        | String  | ✅                 | External system identifier for cross-system identity mapping      |
| `active`     | No                        | Boolean | ✅                 | User account status (controls activation/deactivation)            |

**Contact Information**

| Attribute      | Required for provisioning | Type  | Provisioning Sync | Description                                                 |
| -------------- | ------------------------- | ----- | ----------------- | ----------------------------------------------------------- |
| `emails`       | No                        | Array | ✅                 | Email addresses (can include multiple with type indicators) |
| `phoneNumbers` | No                        | Array | ✅                 | Phone numbers (supports multiple with type indicators)      |
| `addresses`    | No                        | Array | ✅                 | Physical addresses (supports multiple with type indicators) |
| `ims`          | No                        | Array | ✅                 | Instant messaging addresses                                 |
| `photos`       | No                        | Array | ✅                 | Photo URLs                                                  |

**Personal Information**

| Attribute         | Required for provisioning | Type   | Provisioning Sync | Description                                         |
| ----------------- | ------------------------- | ------ | ----------------- | --------------------------------------------------- |
| `displayName`     | No                        | String | ✅                 | User's display name (full name for UI presentation) |
| `name.givenName`  | No                        | String | ✅                 | First name                                          |
| `name.familyName` | No                        | String | ✅                 | Last name                                           |
| `name.middleName` | No                        | String | ✅                 | Middle name                                         |
| `name.formatted`  | No                        | String | ✅                 | Formatted full name                                 |
| `nickName`        | No                        | String | ✅                 | User's nickname or informal name                    |

**Professional Information**

| Attribute           | Required for provisioning | Type   | Provisioning Sync | Description                                      |
| ------------------- | ------------------------- | ------ | ----------------- | ------------------------------------------------ |
| `title`             | No                        | String | ✅                 | Job title or professional role                   |
| `userType`          | No                        | String | ✅                 | User classification (e.g., Employee, Contractor) |
| `locale`            | No                        | String | ✅                 | User's locale preference (e.g., en-US)           |
| `timezone`          | No                        | String | ✅                 | User's timezone (e.g., America/New\_York)        |
| `preferredLanguage` | No                        | String | ✅                 | Preferred language code (e.g., en, es)           |
| `profileUrl`        | No                        | String | ✅                 | URL to user's profile                            |

**System Metadata**

| Attribute           | Required for provisioning | Type     | Provisioning Sync | Description                             |
| ------------------- | ------------------------- | -------- | ----------------- | --------------------------------------- |
| `meta.created`      | No                        | DateTime | 📖                | Account creation timestamp (read-only)  |
| `meta.lastModified` | No                        | DateTime | 📖                | Last modification timestamp (read-only) |

{% hint style="info" %}
**Multi-valued Attributes**: Attributes like `emails`, `phoneNumbers`, and `addresses` support multiple values with type indicators (e.g., work, home, other). Veza supports full create, update, and delete operations for these multi-valued fields.
{% endhint %}

</details>

<details>

<summary>Enterprise Extension Attributes</summary>

Veza supports the SCIM Enterprise User Extension schema (`urn:ietf:params:scim:schemas:extension:enterprise:2.0:User`) for both extraction and provisioning synchronization:

| Attribute        | Type    | Provisioning Sync | Description                                           |
| ---------------- | ------- | ----------------- | ----------------------------------------------------- |
| `employeeNumber` | String  | ✅                 | Organization's employee identifier                    |
| `costCenter`     | String  | ✅                 | Cost center assignment                                |
| `organization`   | String  | ✅                 | Organization name                                     |
| `division`       | String  | ✅                 | Division within the organization                      |
| `department`     | String  | ✅                 | Department assignment                                 |
| `manager`        | Complex | ✅                 | Manager reference (contains value, $ref, displayName) |

{% hint style="warning" %}
To extract and synchronize Enterprise Extension attributes, you must enable **SCIM Extension Schemas** in your [SCIM integration configuration](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/scim/..#extension-schema-discovery). This option enables Veza to call the `/Schemas` endpoint and discover extension attributes.
{% endhint %}

</details>

<details>

<summary>Custom Extension Attributes</summary>

Veza automatically discovers and extracts all custom vendor-specific SCIM extension attributes for read-only purposes:

**Extraction Capabilities:**

* Veza calls the SCIM `/Schemas` endpoint to discover all available schemas (requires **SCIM Extension Schemas** enabled in integration configuration)
* Custom extension schemas are automatically identified and extracted
* Extension attributes appear in the Veza Access Graph for search and analysis
* All data types are supported (string, boolean, number, dateTime, complex)

**Provisioning Synchronization:**

* When SCIM Extension Schemas is enabled, custom vendor extensions can be synchronized through provisioning workflows by referencing the normalized attribute name (visible as a custom property in Access Graph).
* Veza maps the normalized name back to the proper SCIM extension structure using the reverse index built during schema discovery.
* For example, targeting `scim_extension_vendor_customfield` in an attribute transformer transmits the corresponding SCIM extension attribute via the API.

**Example Custom Extensions:**

* Vendor-specific user attributes (e.g., Atlassian organization roles)
* Custom application properties
* Industry-specific fields (e.g., healthcare credentials, financial certifications)

{% hint style="info" %}
Custom extension synchronization requires SCIM Extension Schemas to be enabled. This builds an index that maps normalized attribute names to their original SCIM schema structure.
{% endhint %}

</details>

#### Using Extension Attributes in Workflows

Extension attributes must be referenced by their **normalized names** in attribute transformers.

**Core SCIM attributes** use simplified names:

* `user_name`, `display_name`, `email`, `title`, `department`, `division`, etc.

**Extension attributes** require full normalized names:

**Example: Enterprise Extension Attributes**

```json
{
  "attribute_name": "urn_ietf_params_scim_schemas_extension_enterprise_2_0_user_department",
  "source": "identity_attribute",
  "value": "department"
}
```

**Example: Custom Vendor Extensions**

```json
{
  "attribute_name": "urn_scim_schemas_extension_myvendor_1_0_customfield",
  "source": "static_value",
  "value": "Engineering"
}
```
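The two transformer entries above only do something useful once the normalized names can be turned back into the SCIM document the target expects. The following added example (not Veza code, and not part of the original page) shows that round trip end to end: it builds the reverse index from a constructed `/Schemas` excerpt, resolves transformer entries against a constructed identity record, and assembles the `POST /Users` body, failing loudly when `userName` is missing or when a name is in neither the core aliases nor the index. The normalization rule (lower-case the schema URN, replace every character outside `[a-z0-9]` with `_`, append `_` and the lower-cased attribute name) is inferred from the two normalized names shown on this page and is an assumption, as is the small set of simplified core names it handles.

```python
"""Resolve attribute-transformer entries into a SCIM 2.0 user document,
de-normalizing extension attribute names through a schema index.

Added example, not Veza code. The normalization rule, the subset of
simplified core names, SCHEMAS_RESPONSE (an excerpt of a GET /Schemas
response), IDENTITY and TRANSFORMERS are all constructed assumptions.
"""
import json
import re

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
VENDOR = "urn:scim:schemas:extension:myvendor:1.0"

SCHEMAS_RESPONSE = {
    "Resources": [
        {"id": CORE_USER, "attributes": [{"name": "userName"}, {"name": "displayName"},
                                         {"name": "title"}, {"name": "emails"}]},
        {"id": ENTERPRISE, "attributes": [{"name": "employeeNumber"}, {"name": "department"},
                                          {"name": "division"}, {"name": "manager"}]},
        {"id": VENDOR, "attributes": [{"name": "customField"}]},
    ]
}

# simplified core names -> SCIM attribute (assumed subset)
CORE_ALIASES = {"user_name": "userName", "display_name": "displayName",
                "title": "title", "email": "emails"}

IDENTITY = {"user_name": "asmith", "email": "asmith@example.com",
            "department": "Engineering", "division": None}

TRANSFORMERS = [
    {"attribute_name": "user_name", "source": "identity_attribute", "value": "user_name"},
    {"attribute_name": "email", "source": "identity_attribute", "value": "email"},
    {"attribute_name": "urn_ietf_params_scim_schemas_extension_enterprise_2_0_user_department",
     "source": "identity_attribute", "value": "department"},
    {"attribute_name": "urn_ietf_params_scim_schemas_extension_enterprise_2_0_user_division",
     "source": "identity_attribute", "value": "division"},
    {"attribute_name": "urn_scim_schemas_extension_myvendor_1_0_customfield",
     "source": "static_value", "value": "Engineering"},
]


def normalize(urn: str, attr: str) -> str:
    """Schema URN + attribute name -> normalized transformer attribute name."""
    return re.sub(r"[^a-z0-9]", "_", urn.lower()) + "_" + attr.lower()


def build_reverse_index(schemas_response: dict) -> dict:
    """normalized name -> (schema URN, original attribute name) for every
    extension schema, so a normalized name can be placed back into the
    SCIM document under the right URN."""
    index = {}
    for schema in schemas_response["Resources"]:
        if schema["id"] == CORE_USER:
            continue
        for attr in schema["attributes"]:
            index[normalize(schema["id"], attr["name"])] = (schema["id"], attr["name"])
    return index


def resolve_value(entry: dict, identity: dict):
    if entry["source"] == "static_value":
        return entry["value"]
    if entry["source"] == "identity_attribute":
        return identity.get(entry["value"])
    raise ValueError(f"unsupported transformer source {entry['source']!r}")


def build_scim_user(transformers, identity: dict, reverse_index: dict) -> dict:
    """Assemble the POST /Users body. Unset identity attributes are omitted
    rather than sent as null, and an unknown attribute name is an error
    instead of being silently dropped."""
    user = {"schemas": [CORE_USER]}
    for entry in transformers:
        name, value = entry["attribute_name"], resolve_value(entry, identity)
        if value is None:
            continue
        if name in CORE_ALIASES:
            attr = CORE_ALIASES[name]
            if attr == "emails":
                user["emails"] = [{"value": value, "type": "work", "primary": True}]
            else:
                user[attr] = value
        elif name in reverse_index:
            urn, attr = reverse_index[name]
            if urn not in user["schemas"]:
                user["schemas"].append(urn)
            user.setdefault(urn, {})[attr] = value
        else:
            raise KeyError(f"{name}: not a core alias and not in the schema index "
                           "(is SCIM Extension Schemas enabled on the integration?)")
    if "userName" not in user:
        raise ValueError("userName is required to create a SCIM user")
    return user


if __name__ == "__main__":
    index = build_reverse_index(SCHEMAS_RESPONSE)
    print(json.dumps(build_scim_user(TRANSFORMERS, IDENTITY, index), indent=2))
```

Note what the output does not contain: `division` is absent because the identity has no value for it, and the enterprise and vendor extensions appear both as nested objects under their URN and in the `schemas` list, which is what a compliant target checks before accepting extension data.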

#### Manage Relationships

Group membership management with full add/remove capabilities:

* Add users to groups for role-based access control
* Remove users from groups during role changes or de-provisioning
* Support for nested group structures where the SCIM provider allows
* Relationship changes are applied immediately and reflected in the target application

#### Deprovision Identity

When a user is deprovisioned:

* User account is deactivated (sets `active: false`)
* Group memberships are automatically removed
* Account can be reactivated if needed
* User data is preserved for audit purposes

**Note**: Some SCIM implementations support hard deletion while others only support deactivation. The SCIM integration uses deactivation by default for data preservation.

#### Delete Identity

Permanently removes a user from the SCIM application:

* **Entity Type:** SCIM User
* **Action:** Hard deletion via SCIM `DELETE /Users/{id}`

**Note:** Not all SCIM applications support hard deletion. Verify your application supports `DELETE` on the `/Users` endpoint before using this action. When supported, this operation is irreversible — use `DEPROVISION_IDENTITY` for reversible offboarding.
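What the three preceding actions put on the wire, as an added example that is not Veza's implementation and not part of the original page: it produces the method, path and body of each SCIM call (RFC 7644 `PatchOp` for membership changes and deactivation, `DELETE` for hard deletion) and sends nothing. Identifiers such as `g-eng` and `u-42` are constructed. Two details matter for a practitioner: ids are URL-encoded in paths and escaped inside filter expressions, so an id that arrives from an upstream system cannot change which resource a request touches, and the hard delete cannot be reached without an explicit opt-in.

```python
"""SCIM 2.0 PatchOp and DELETE messages (RFC 7644 sections 3.5.2 and 3.6)
behind the Manage Relationships, Deprovision Identity and Delete Identity
actions.

Added example, not Veza's implementation: it builds the method, path and
body of each call and transmits nothing. All ids are constructed samples.
"""
from urllib.parse import quote

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _path(resource: str, rid: str) -> str:
    # safe="" also encodes "/", so an id like "../Groups" cannot escape /Users/
    return f"/{resource}/{quote(rid, safe='')}"


def _filter_literal(value: str) -> str:
    # SCIM filter string literals use JSON-style escaping (RFC 7644 section 3.4.2.2)
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def add_members(group_id: str, user_ids) -> dict:
    """PATCH /Groups/{id}: append users to the members array."""
    body = {"schemas": [PATCH_OP],
            "Operations": [{"op": "add", "path": "members",
                            "value": [{"value": uid} for uid in user_ids]}]}
    return {"method": "PATCH", "path": _path("Groups", group_id), "body": body}


def remove_members(group_id: str, user_ids) -> dict:
    """PATCH /Groups/{id}: remove specific members with a value filter rather
    than replacing the whole members list, which would also drop members the
    target manages outside this integration."""
    ops = [{"op": "remove", "path": f"members[value eq {_filter_literal(uid)}]"}
           for uid in user_ids]
    return {"method": "PATCH", "path": _path("Groups", group_id),
            "body": {"schemas": [PATCH_OP], "Operations": ops}}


def deprovision(user_id: str, group_ids) -> list:
    """Deprovision Identity: drop group memberships, then set active=false.
    Reversible; the account and its attributes stay on the target."""
    plan = [remove_members(g, [user_id]) for g in group_ids]
    plan.append({"method": "PATCH", "path": _path("Users", user_id),
                 "body": {"schemas": [PATCH_OP],
                          "Operations": [{"op": "replace", "path": "active", "value": False}]}})
    return plan


def delete_identity(user_id: str, *, confirm_irreversible: bool = False) -> dict:
    """Delete Identity: DELETE /Users/{id}. Irreversible, so the caller has
    to opt in explicitly instead of reaching it by accident."""
    if not confirm_irreversible:
        raise PermissionError("hard delete needs confirm_irreversible=True; "
                              "use deprovision() for reversible offboarding")
    return {"method": "DELETE", "path": _path("Users", user_id), "body": None}


if __name__ == "__main__":
    import json
    print(json.dumps(deprovision("u-42", ["g-eng", "g-oncall"]), indent=2))
```

Targets that do not advertise `patch.supported` cannot take the `remove` and `replace` operations above; on such a target the only way to deactivate a user is a full `PUT` of the resource with `active: false`, and a full `PUT` of the group to change membership.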

#### Create Entitlement

* **Entity Types:** SCIM Groups
* **Assignee Types:** SCIM Users
* **Supports Relationship Removal:** Yes

Within SCIM applications, groups can be associated with:

* Application-specific permissions and roles
* Resource access controls
* Team or organizational structures
* Custom entitlements defined by the SCIM provider

<details>

<summary>SCIM Group Attributes</summary>

Veza supports all standard SCIM 2.0 group attributes for both extraction and provisioning operations:

| Attribute     | Required for provisioning | Type   | Provisioning Sync | Description                                                                |
| ------------- | ------------------------- | ------ | ----------------- | -------------------------------------------------------------------------- |
| `displayName` | **Yes**                   | String | ✅                 | Group display name (unique identifier)                                     |
| `id`          | No                        | String | ✅                 | SCIM system identifier (auto-generated, read-only after creation)          |
| `externalId`  | No                        | String | ✅                 | External system identifier for cross-system group mapping                  |
| `groupType`   | No                        | String | ✅                 | Group classification or category                                           |
| `description` | No                        | String | ✅                 | Group purpose or description                                               |
| `members`     | No                        | Array  | ✅                 | Group members (contains user references with value and display properties) |

{% hint style="info" %}
**Group Membership Management**: Veza supports both adding and removing members from groups through the Manage Relationships action. The `members` attribute contains an array of user references, each with a `value` (user ID) and optional `display` (user's display name) property.
{% endhint %}

</details>

### Supported SCIM Applications

The following applications are validated to work with Veza's SCIM provisioning:

#### Enterprise Applications

* **Atlassian Products** (Jira Cloud, Confluence Cloud, Bitbucket Cloud)
  * SCIM Endpoint: `https://{domain}.atlassian.net/scim/directory/{directory-id}`
  * Full user and group provisioning support
* **Egnyte**
  * SCIM Endpoint: `https://{domain}.egnyte.com/pubapi/scim/v2`
  * User provisioning and group management
* **Sigma Computing**
  * SCIM Endpoint: `https://aws-api.sigmacomputing.com/scim/v2`
  * User lifecycle and team assignment

#### Development & Collaboration Tools

* **Fivetran**
  * SCIM Endpoint: `https://api.fivetran.com/scim/v2`
  * User and group provisioning
* **Harness**
  * SCIM Endpoint: `https://app.harness.io/gateway/ng/api/scim/account/{accountid}`
  * User management and role assignment
* **Zapier**
  * SCIM Endpoint: `https://zapier.com/scim/v2`
  * User provisioning and team management

#### Security & Infrastructure

* **Twingate**
  * SCIM Endpoint: `https://{domain}.twingate.com/api/scim/v2`
  * User provisioning and group assignment
* **ThousandEyes**
  * SCIM Endpoint: `https://api.thousandeyes.com/scim`
  * User management (groups via custom implementation)

### Workflow Examples

#### New Employee Onboarding

When a new employee joins (triggered by HR system changes):

1. **Identity Sync**: Create user account in SCIM application with basic attributes
2. **Email Setup**: Configure primary email and secondary contacts
3. **Group Assignment**: Add user to department and role-based groups automatically
4. **Access Verification**: Confirm user can access application and assigned resources

#### Role Change Management

When an employee changes roles or departments:

1. **Attribute Update**: Sync new job title, department, and manager information
2. **Group Reassignment**: Remove old role groups, add new role groups
3. **Access Review**: Verify appropriate access levels for new position
4. **Notification**: Alert managers and IT of completed changes

#### Employee Offboarding

When an employee leaves the organization:

1. **Account Deactivation**: Set user status to inactive in SCIM application
2. **Group Removal**: Remove all group memberships and access rights
3. **Data Preservation**: Maintain account record for audit and compliance
4. **Manager Notification**: Alert appropriate stakeholders of access removal

#### Bulk User Management

For large-scale provisioning operations:

1. **Batch Processing**: Create multiple users efficiently through SCIM bulk operations where the target supports them (the `/Bulk` endpoint is optional in SCIM 2.0 and is advertised under `bulk.supported` in the target's `/ServiceProviderConfig`)
2. **Group Pre-creation**: Establish organizational groups before user assignment
3. **Validation**: Verify all users are created with correct attributes and memberships, checking the per-operation status in the bulk response rather than only the HTTP status of the request
4. **Rollback Capability**: Support for reversing bulk operations if needed (SCIM bulk requests are not transactional: `failOnErrors` only stops processing after the given number of failures, so reversal means issuing compensating operations for the resources that were created)
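The four steps above, carried through as an added example (not Veza code, and not part of the original page) in the SCIM 2.0 bulk format: users and their groups are created in one `BulkRequest`, with group members pointing at users by `bulkId` so the target substitutes the ids it assigns; the request is refused when the target does not advertise `/Bulk` or when it exceeds `maxOperations`; and the `BulkResponse` is split into created, failed and never-attempted operations, because with `failOnErrors` a response can legitimately be shorter than the request. `BULK_LIMITS`, `NEW_USERS`, `GROUPS` and `SAMPLE_BULK_RESPONSE` are constructed, and nothing is sent.

```python
"""SCIM 2.0 bulk requests and responses (RFC 7644 section 3.7) for bulk
user management.

Added example, not Veza code. /Bulk is optional in SCIM: a target advertises
it in /ServiceProviderConfig under "bulk" together with maxOperations. All
sample data below is constructed; the example transmits nothing.
"""
BULK_REQUEST = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
CORE_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"

BULK_LIMITS = {"supported": True, "maxOperations": 10, "maxPayloadSize": 1048576}

NEW_USERS = [
    {"userName": "asmith", "emails": [{"value": "asmith@example.com", "primary": True}]},
    {"userName": "bjones", "emails": [{"value": "bjones@example.com", "primary": True}]},
]
GROUPS = {"engineering": ["asmith", "bjones"], "oncall": ["asmith"]}

# What a target returns after stopping at the first failure (failOnErrors=1):
# the groups were never attempted, so they are absent from the response.
SAMPLE_BULK_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],
    "Operations": [
        {"method": "POST", "bulkId": "asmith", "status": "201",
         "location": "https://scim.example.com/v2/Users/92b7"},
        {"method": "POST", "bulkId": "bjones", "status": "409",
         "response": {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                      "scimType": "uniqueness", "detail": "userName already exists",
                      "status": "409"}},
    ],
}


def bulk_operations(users, groups) -> list:
    """One POST per user, then one POST per group. Group members refer to
    users by bulkId, which the target replaces with the id it assigned, so
    groups can be created in the same request as their members."""
    ops = [{"method": "POST", "path": "/Users", "bulkId": u["userName"],
            "data": {"schemas": [CORE_USER], **u}} for u in users]
    for name, members in groups.items():
        ops.append({"method": "POST", "path": "/Groups", "bulkId": f"group-{name}",
                    "data": {"schemas": [CORE_GROUP], "displayName": name,
                             "members": [{"value": f"bulkId:{m}"} for m in members]}})
    return ops


def build_bulk_request(ops, limits: dict, fail_on_errors: int = 1) -> dict:
    """Wrap operations in a BulkRequest, refusing when the target cannot take
    them. bulkId references only resolve inside a single request, so a plan
    that exceeds maxOperations has to be split into a users request followed
    by a groups request that uses real ids from the first response."""
    if not limits.get("supported"):
        raise RuntimeError("target does not advertise /Bulk; create resources one request at a time")
    max_ops = limits.get("maxOperations") or 0
    if max_ops and len(ops) > max_ops:
        raise ValueError(f"{len(ops)} operations exceed maxOperations={max_ops}")
    return {"schemas": [BULK_REQUEST], "failOnErrors": fail_on_errors, "Operations": ops}


def summarize_bulk_response(request: dict, response: dict):
    """Split the outcome into {bulkId: created id}, {bulkId: error detail}
    and the bulkIds the target never processed."""
    created, failed = {}, {}
    for op in response.get("Operations", []):
        status = int(op.get("status", 0))
        bulk_id = op.get("bulkId")
        if 200 <= status < 300:
            created[bulk_id] = op.get("location", "").rsplit("/", 1)[-1]
        else:
            failed[bulk_id] = op.get("response", {}).get("detail", f"HTTP {status}")
    seen = set(created) | set(failed)
    not_attempted = [op["bulkId"] for op in request["Operations"] if op["bulkId"] not in seen]
    return created, failed, not_attempted


if __name__ == "__main__":
    request = build_bulk_request(bulk_operations(NEW_USERS, GROUPS), BULK_LIMITS)
    print(f"{len(request['Operations'])} operations, failOnErrors={request['failOnErrors']}")
    print(summarize_bulk_response(request, SAMPLE_BULK_RESPONSE))
```

The `not_attempted` list is the part most validation scripts miss: after a `409` on the second user the target stopped, so both groups were never created, yet the request itself came back `200`. Rollback here means deleting or deactivating `Users/92b7`, not undoing a transaction the protocol never had.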

