
# SCIM provisioning

[SCIM](https://scim.cloud) is an HTTP REST API and protocol used by identity providers to manage users across a variety of software products, including Elimity Insights. This SCIM implementation targets version 2.0 of the protocol.

{% hint style="warning" %}
Be aware that the SCIM API allows creating and deleting users at will. Hence, thoroughly protect your API keys to prevent unauthorized people from making themselves admin and accessing your data. Similarly, thoroughly test your scripts before executing them to avoid deprovisioning all users in your tenant. Of course, our support team is available should you run into any trouble.
{% endhint %}

## Authentication

The SCIM API of Elimity Insights requires authentication using a bearer token (HTTP Bearer Authentication). As such, the client must send this token in the `Authorization` header when making requests to protected resources:

```
Authorization: Bearer {token}
```

Use the 'SCIM API' tab on the 'Advanced settings' page to generate this token:

<figure><img src="/files/hg9vPgaNP0Qg33KgXy2R" alt=""><figcaption></figcaption></figure>

## Roles and access profiles

Elimity Insights works with two authorization concepts:

1. Roles like `member`, `editor`, `connectorAdmin` and `admin` determine the functionality that a user can access.
2. Access profiles determine which data sources a user is permitted to see.

A user in Elimity Insights is always assigned to exactly 1 role, to the default access profile and to 0 or more custom access profiles. SCIM, on the other hand, works with the concept of groups, so Elimity Insights models roles and access profiles as groups in the following way:

* We model roles as groups with an `id` in the format `role:{roleId}`. This list of roles currently exists:
  * `role:member`
  * `role:editor`
  * `role:changeRequestManager`
  * `role:accessReviewManager`
  * `role:connectorAdmin`
  * `role:admin`
* We model access profiles as groups with an `id` in the format of `profile:{profileId}`; `{profileId}` represents the access profile's numeric identifier. You can find this value in the URL of the access profile's details page.
* The default access profile is not available in the SCIM API and cannot be assigned or revoked explicitly.

## Supported endpoints

The table below lists the endpoints supported by the SCIM API of Elimity Insights. We intentionally don't support other related actions, such as deleting or creating access profiles, via the SCIM API; for those you'll have to use the UI.

<table data-full-width="true"><thead><tr><th>Endpoint</th><th>Description</th></tr></thead><tbody><tr><td><code>GET /scim/v2/ServiceProviderConfig</code></td><td>Retrieve the configuration details for the Elimity Insights SCIM API</td></tr><tr><td><code>GET /scim/v2/ResourceTypes</code></td><td>Retrieve the available resource types (users and groups)</td></tr><tr><td><code>GET /scim/v2/Schemas</code></td><td>Retrieve the schemas for users and groups</td></tr><tr><td><code>GET /scim/v2/Users</code></td><td>Retrieve the list of all users in Elimity Insights</td></tr><tr><td><code>GET /scim/v2/Users/{id}</code></td><td>Retrieve the user with the given identifier (email address)</td></tr><tr><td><code>POST /scim/v2/Users</code></td><td>Create a new user</td></tr><tr><td><code>PUT /scim/v2/Users/{id}</code></td><td>Change the name or status of the user with the given identifier (email address)</td></tr><tr><td><code>GET /scim/v2/Groups</code></td><td>Retrieve the list of all groups (roles and access profiles) in Elimity Insights</td></tr><tr><td><code>GET /scim/v2/Groups/{id}</code></td><td>Retrieve the group with the given identifier</td></tr><tr><td><code>PUT /scim/v2/Groups/{id}</code></td><td>Update the members of the group with the given identifier</td></tr></tbody></table>
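As an added example (not part of the Elimity documentation or product code), the following pre-flight check applies the group model above and the warning about untested scripts to a planned `PUT /scim/v2/Groups/{id}` body. It assumes that the PUT replaces the member list, as in SCIM 2.0, and that each member's `value` is the user's email address; the function names, the approved-admins allowlist and the 20% removal threshold are hypothetical.

```python
import re

# Role groups listed on this page; any other role id is rejected.
KNOWN_ROLES = {"member", "editor", "changeRequestManager",
               "accessReviewManager", "connectorAdmin", "admin"}
GROUP_ID = re.compile(r"role:(?P<role>[A-Za-z]+)|profile:(?P<profile>\d+)")


def classify_group(group_id):
    """Return ('role', name) or ('profile', number) for a valid group id."""
    m = GROUP_ID.fullmatch(group_id)
    if not m:
        raise ValueError(f"not a role/profile group id: {group_id!r}")
    if m["role"] is not None:
        if m["role"] not in KNOWN_ROLES:
            raise ValueError(f"unknown role: {m['role']!r}")
        return "role", m["role"]
    return "profile", int(m["profile"])


def review_group_put(group_id, current, desired, approved_admins, max_removed=0.2):
    """Diff a planned member list against the current one and list blockers."""
    kind, name = classify_group(group_id)
    cur = {m["value"].lower() for m in current.get("members", [])}
    new = {m["value"].lower() for m in desired.get("members", [])}
    added, removed = sorted(new - cur), sorted(cur - new)
    problems = []
    # Guard against a script that would strip most of a group in one request.
    if cur and len(removed) / len(cur) > max_removed:
        problems.append(f"removes {len(removed)} of {len(cur)} members")
    # Any new admin must be on the (hypothetical) approved list.
    if (kind, name) == ("role", "admin"):
        extra = [u for u in added if u not in approved_admins]
        if extra:
            problems.append(f"unapproved admin grant: {', '.join(extra)}")
    return {"added": added, "removed": removed, "problems": problems}


# Constructed sample data: the group as returned by GET, and the body a
# script intends to PUT. Member "value" is assumed to hold the user's email.
CURRENT = {"id": "role:admin", "members": [{"value": "alice@example.com"},
                                           {"value": "bob@example.com"}]}
DESIRED = {"id": "role:admin", "members": [{"value": "mallory@example.com"}]}

if __name__ == "__main__":
    print(review_group_put("role:admin", CURRENT, DESIRED, {"alice@example.com"}))
```

Send the request only when `problems` is empty; otherwise route the change to a human reviewer.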


