This topic describes System for Cross-domain Identity Management (SCIM) 2.0 operations that are supported by Employee Identity and Access Management (EIAM). This topic also describes the scope and limits of SCIM 2.0 operations. The operations described in this topic are required only if you want to synchronize data from your self-managed application to EIAM by using SCIM.
Usage notes
SCIM 2.0 operations are implemented based on RFC 7642, RFC 7643, and RFC 7644. For more information about the supported schemas, see the /Schemas section of this topic.
List of SCIM 2.0 operations
You can use one of the following methods to obtain the bearer token:
Static bearer token: You can specify a static bearer token on the Synchronize Application to IDaaS tab of the Account Synchronization tab of the application management page in the Identity as a Service (IDaaS) console.
Access token generated by using Client_Credentials: You can dynamically obtain an access token by using the OAuth 2.0 Client Credentials authorization method provided by EIAM. In this case, you can use your client ID and client secret to request an access token. For more information, see GenerateToken.
The following table describes the SCIM 2.0 operations.
When you call an SCIM 2.0 operation, replace {BaseUrl} with the value of SCIM Base URL in the application of an EIAM instance and replace <BearerToken> with a valid SCIM bearer token.
Category | SCIM 2.0 operation | Supported | Description |
Discovery Endpoint | /ServiceProviderConfig | Yes | Obtains the features that are supported by EIAM. |
Discovery Endpoint | /ResourceTypes | Yes | Obtains the resource types that are supported by EIAM. The details of users and user groups are returned. |
Discovery Endpoint | /Schemas | Yes | Obtains the schemas that are supported by EIAM. The schemas of users, enterprise users, and user groups are returned. |
/Users | POST /Users | Yes | Synchronizes users. |
/Users | GET /Users/{id} | Yes | Queries a user. |
/Users | GET /Users | Yes | Queries the information about specific users or queries all users. If you do not specify the filter parameter, all users are queried. A maximum of 100 entries can be returned. Pagination is supported. |
/Users | PUT /Users/{id} | Yes | Replaces the information about a user. |
/Users | PATCH /Users/{id} | Yes | Updates the information about a specified user. |
/Users | DELETE /Users/{id} | Yes | Deletes a user. |
/Groups | POST /Groups | Yes | Synchronizes a user group. |
/Groups | GET /Groups/{id} | Yes | Queries a user group and the user information about the user group. |
/Groups | GET /Groups | Yes | Queries the information about specific user groups or queries all user groups. If you do not specify the filter parameter, all user groups are queried. The user information about the user groups is not returned. A maximum of 100 entries can be returned. Pagination is supported. |
/Groups | PUT /Groups/{id} | Yes | Replaces the information about a user group. |
/Groups | PATCH /Groups/{id} | Yes | Updates the information about a user group. |
/Groups | DELETE /Groups/{id} | Yes | Deletes a user group. |
/Me | N/A | No | N/A |
/Bulk | N/A | No | N/A |
/.Search | N/A | No | N/A |
Operations and examples
Discovery Endpoint
/ServiceProviderConfig
Description
Obtains the features that are supported by EIAM.
Limits
No authentication is required.
Sample request
curl {BaseUrl}/ServiceProviderConfig --header "Content-type:application/scim+json"
Sample response
{
"documentationUri": "",
"patch": {
"supported": true
},
"bulk": {
"supported": false,
"maxOperations": 0,
"maxPayloadSize": 0
},
"filter": {
"supported": true,
"maxResults": 100
},
"changePassword": {
"supported": true
},
"sort": {
"supported": false
},
"etag": {
"supported": false
},
"authenticationSchemes": [
{
"name": "OAuth Bearer Token",
"description": "Authentication scheme using the OAuth Bearer Token Standard",
"specUri": "https://www.rfc-editor.org/info/rfc6750",
"type": "oauthbearertoken",
"primary": true
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
]
}
/ResourceTypes
Description
Obtains the resource types that are supported by EIAM. The details of users and user groups are returned.
Limits
No authentication is required.
Sample request
curl {BaseUrl}/ResourceTypes --header "content-type:application/scim+json"
Sample response
{
"startIndex": 1,
"totalResults": 2,
"itemsPerPage": 2,
"Resources": [
{
"name": "Group",
"description": "Group",
"endpoint": "/Groups",
"schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
"id": "Group",
"meta": {
"resourceType": "Group",
"location": "{BaseUrl}/ResourceTypes/Group"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
]
},
{
"name": "User",
"description": "User Account",
"endpoint": "/Users",
"schema": "urn:ietf:params:scim:schemas:core:2.0:User",
"schemaExtensions": [
{
"schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"required": false
}
],
"id": "User",
"meta": {
"resourceType": "User",
"location": "{BaseUrl}/ResourceTypes/User"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
/Schemas
Description
Obtains the schemas that are supported by EIAM. The schemas of users and user groups are returned.
Limits
Query by resource type is supported.
Only the fields described in the following sample response are supported.
No authentication is required.
Sample request
# Request all schemas.
curl {BaseUrl}/Schemas --header "content-type:application/scim+json"
# Request the user schema.
curl {BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:User --header "content-type:application/scim+json"
# Request the user group schema.
curl {BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group --header "content-type:application/scim+json"
# Request the enterprise user schema.
curl {BaseUrl}/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User --header "content-type:application/scim+json"
Sample response
Response to the request for all schemas
{
"startIndex": 1,
"totalResults": 3,
"itemsPerPage": 3,
"Resources": [
{
"name": "User",
"description": "User Account",
"attributes": [
{
"name": "userName",
"type": "string",
"multiValued": false,
"description": "Unique identifier for the User typically used by the user to directly authenticate to the service provider.",
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "server"
},
{
"name": "displayName",
"type": "string",
"multiValued": false,
"description": "The name of the User, suitable for display to end-users. The name SHOULD be the full name of the User being described if known.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "password",
"type": "string",
"multiValued": false,
"description": "The User's clear text password. This attribute is intended to be used as a means to specify an initial password when creating a new User or to reset an existing User's password.",
"required": false,
"caseExact": false,
"mutability": "writeOnly",
"returned": "never",
"uniqueness": "none"
},
{
"name": "emails",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "E-mail addresses for the user. The value\nSHOULD be canonicalized by the Service Provider, e.g.\nbjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type\nvalues of work, home, and other.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "A label indicating the attribute's function; e.g., 'work' or 'home'.",
"required": false,
"canonicalValues": [
"work",
"home",
"other"
],
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "primary",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred mailing address or primary e-mail address. The primary attribute value 'true' MUST appear no more than once.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "E-mail addresses for the user. The value SHOULD be canonicalized by the Service Provider, e.g., bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and other.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "server"
},
{
"name": "phoneNumbers",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "Phone number of the User",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "A label indicating the attribute's function; e.g., 'work' or 'home' or 'mobile' etc.",
"required": false,
"canonicalValues": [
"work",
"home",
"mobile",
"fax",
"pager",
"other"
],
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "primary",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred phone number or primary phone number. The primary attribute value 'true' MUST appear no more than once.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "Phone numbers for the User. The value SHOULD be canonicalized by the Service Provider according to format in RFC3966 e.g., 'tel:555xxxx5555'. Canonical Type values of work, home, mobile, fax, pager and other.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "server"
},
{
"name": "phoneRegion",
"type": "string",
"multiValued": false,
"description": "PhoneRegion for the User. eg.86.If not filled, the default value is 86",
"required": false,
"caseExact": false,
"mutability": "writeOnly",
"returned": "never",
"uniqueness": "none"
},
{
"name": "id",
"type": "string",
"multiValued": false,
"description": "A unique identifier for a SCIM resource as defined by the service provider.",
"required": true,
"caseExact": false,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "server"
},
{
"name": "externalId",
"type": "string",
"multiValued": false,
"description": "A String that is an identifier for the resource as defined by the provisioning client.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "meta",
"type": "complex",
"subAttributes": [
{
"name": "resourceType",
"type": "string",
"multiValued": false,
"description": "The resource Type",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
},
{
"name": "location",
"type": "reference",
"multiValued": false,
"description": "The location (URI) of the resource",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"multiValued": false,
"description": ".",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "schemas",
"type": "string",
"multiValued": true,
"description": ".",
"required": true,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"id": "urn:ietf:params:scim:schemas:core:2.0:User",
"meta": {
"resourceType": "Schema",
"location": "{BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
}
},
{
"name": "Group",
"description": "Group",
"attributes": [
{
"name": "displayName",
"type": "string",
"multiValued": false,
"description": "A human-readable name for the Group.",
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "members",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "The identifier of a group member.",
"required": true,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness": "none"
},
{
"name": "ref",
"type": "reference",
"multiValued": false,
"description": "The URI of the member resource.",
"required": true,
"caseExact": true,
"mutability": "immutable",
"returned": "default",
"uniqueness": "none",
"referenceTypes": [
"User"
]
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes.",
"required": false,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "A list of members of the Group.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "id",
"type": "string",
"multiValued": false,
"description": "A unique identifier for a SCIM resource as defined by the service provider.",
"required": true,
"caseExact": false,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "server"
},
{
"name": "externalId",
"type": "string",
"multiValued": false,
"description": "A String that is an identifier for the resource as defined by the provisioning client.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "meta",
"type": "complex",
"subAttributes": [
{
"name": "resourceType",
"type": "string",
"multiValued": false,
"description": "The resource Type",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
},
{
"name": "location",
"type": "reference",
"multiValued": false,
"description": "The location (URI) of the resource",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"multiValued": false,
"description": ".",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "schemas",
"type": "string",
"multiValued": true,
"description": ".",
"required": true,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"id": "urn:ietf:params:scim:schemas:core:2.0:Group",
"meta": {
"resourceType": "Schema",
"location": "{BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group"
}
},
{
"name": "EnterpriseUser",
"description": "Enterprise User",
"attributes": [
{
"name": "organization",
"type": "string",
"multiValued": false,
"description": "Identifies the name of an organization.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"id": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"meta": {
"resourceType": "Schema",
"location": "{BaseUrl}/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
}
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
/Users
POST /Users
Description
Synchronizes users.
Limits
You can use only the fields that are defined in the "/Schemas" section of this topic.
If you specify the organization to which the account belongs, the account is automatically assigned to that organization. If you do not specify the organization to which the account belongs, the account is assigned to the organization that is used as the synchronization target. For more information, see Sample request.
Sample request
curl {BaseUrl}/Users --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X POST -d '<data>'
The following sample code provides an example of the data field:
Example 1: Do not specify the organizational unit to which the account belongs
{
"userName": "<user username>",
"externalId": "<external Id>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"primary": true,
"type": "work",
"value": "<user email>"
}
],
"phoneRegion":"86",
"phoneNumbers": [
{
"primary": true,
"type": "work",
"value": "<user phoneNumber>"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
]
}
Example 2: Specify the organizational unit to which the account belongs
{
"userName": "<user username>",
"externalId": "<external Id>",
"displayName": "<user display name>",
"emails": [
{
"primary": true,
"type": "work",
"value": "<user email>"
}
],
"phoneRegion":"86",
"phoneNumbers": [
{
"primary": true,
"type": "work",
"value": "<user phoneNumber>"
}
],
"active":true,
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
Sample response
HTTP/1.1 201
{
"id": "<userId>",
"userName": "<user username>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"value": "<user email>",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "<user phoneNumber>",
"type": "work",
"primary": true
}
],
"externalId": "<external Id>",
"meta": {
"resourceType": "User",
"created": "2025-02-25T09:56:48.622Z",
"lastModified": "2025-02-25T09:56:48.622Z",
"location": "{BaseUrl}/Users/<userId>"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
GET /Users/{id}
Description
Queries a user.
Limits
If you specify the id parameter in the request, the user with the specified ID is returned. If the value of the id parameter is not the ID of an existing user, the request is rejected.
You can query only users who are synchronized to EIAM by using SCIM.
Sample request
curl {BaseUrl}/Users/<userId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X GET
Sample response
HTTP/1.1 200
{
"id": "<userId>",
"userName": "<user username>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"value": "<user email>",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "<user phoneNumber>",
"type": "work",
"primary": true
}
],
"externalId": "<external Id>",
"meta": {
"resourceType": "User",
"created": "2025-02-25T09:56:48.622Z",
"lastModified": "2025-02-25T09:56:48.622Z",
"location": "{BaseUrl}/Users/<userId>"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
GET /Users
Description
Queries the information about specific users or queries all users.
Limits
If you specify the filter parameter, the user that meets the conditions in the filter parameter is returned. The filter parameter supports only the EQ and AND operators. The filter parameter must be URL-encoded.
If you do not specify the filter parameter, you can query only users who are synchronized to EIAM by using SCIM.
If you specify the filter parameter, you can query all users within the synchronization scope.
Sample request
curl {BaseUrl}/Users<?parameters> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X GET
The following table describes the supported parameters.
Parameter | Value description | Example |
filter | The eq expressions of externalId, id, userName, emails[type eq "work"].value, and phoneNumbers[type eq "work"].value are supported. The filter parameter must be URL-encoded. | |
startIndex | The page number. This parameter is optional. Default value: 1. | startIndex=1 |
count | The number of users per page. This parameter is optional. Default value: 20. A maximum of 100 entries can be returned per page. If the number of entries exceeds 100, only 100 entries are returned. | count=20 |
Sample response
HTTP/1.1 200
{
"startIndex": 1,
"totalResults": 2,
"itemsPerPage": 20,
"Resources": [
{
"userName": "username1",
"displayName": "displayName1",
"active": true,
"emails": [
{
"value": "test1@example.com",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "333*****333",
"type": "work",
"primary": true
}
],
"id": "user_addxxxxxxxxxxxxxxx1",
"externalId": "externalId1",
"meta": {
"resourceType": "User",
"created": "2025-03-06T03:16:40.201Z",
"lastModified": "2025-03-06T03:16:40.201Z",
"location": "{BaseUrl}/Users/user_addxxxxxxxxxxxxxxx1"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
]
},
{
"userName": "username2",
"displayName": "displayName2",
"active": true,
"emails": [
{
"value": "test2@example.com",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "333*****334",
"type": "work",
"primary": true
}
],
"id": "user_g3od4xxxxxxxxxxxxxxx2",
"externalId": "externalId2",
"meta": {
"resourceType": "User",
"created": "2025-03-06T06:58:35.997Z",
"lastModified": "2025-03-06T06:58:35.997Z",
"location": "{BaseUrl}/Users/user_g3od4xxxxxxxxxxxxxxx2"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
PUT /Users/{id}
Description
Replaces the information about a user.
Limits
The id parameter is required. You can modify only the fields that are defined in the "/Schemas" section of this topic.
A PUT request is used to overwrite the original attributes. If you do not specify the id parameter, the original settings are retained.
You can modify only users who are synchronized to EIAM by using SCIM and self-managed users. After you modify information about a self-managed user, the system automatically changes the user to one who is synchronized to EIAM by using SCIM.
Sample request
curl {BaseUrl}/Users/<userId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X PUT -d '<data>'
The following sample code provides an example of the data field:
{
"id":"<userId>",
"userName": "<user username>",
"externalId": "<external Id>",
"displayName": "<user display name>",
"emails": [
{
"primary": true,
"type": "work",
"value": "<user email>"
}
],
"phoneRegion":"86",
"phoneNumbers": [
{
"primary": true,
"type": "work",
"value": "<user phoneNumber>"
}
],
"active":true,
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
Sample response
HTTP/1.1 200
{
"id": "<userId>",
"userName": "<user username>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"value": "<user email>",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "<user phoneNumber>",
"type": "work",
"primary": true
}
],
"externalId": "<external Id>",
"meta": {
"resourceType": "User",
"created": "2025-02-25T09:56:48.622Z",
"lastModified": "2025-02-25T09:56:48.622Z",
"location": "{BaseUrl}/Users/<userId>"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
PATCH /Users/{id}
Description
Updates the information about a user.
Limits
The id parameter is required. You can modify only the fields that are defined in the "/Schemas" section of this topic.
You can use a PATCH request for the Add and Replace operations but not for the Remove operation. If you specify the Remove operation, it is ignored.
The path parameter is optional. For more information, see the data field in Sample request.
You can modify only users who are synchronized to EIAM by using SCIM and self-managed users. After you modify information about a self-managed user, the system automatically changes the user to one who is synchronized to EIAM by using SCIM.
Sample request
curl {BaseUrl}/Users/<userId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X PATCH -d '<data>'
The following sample code provides an example of the data field:
Example 1: Add the displayName field and do not specify the path parameter
{
"Operations": [
{
"op": "add",
"value": {
"displayName": "updateDisplayName"
}
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Example 2: Modify the displayName field and specify the path parameter
{
"Operations": [
{
"op": "Replace",
"path": "displayName",
"value": "updateDisplayName"
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Example 3: Modify the emails field and do not specify the path parameter
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [{
"op": "Replace",
"value": {
"emails": [{
"value": "test@example.com",
"type": "work",
"primary": true
}]
}
}]
}
Example 4: Modify the emails field and specify the path parameter
{
"Operations": [
{
"op": "Replace",
"path": "emails[type eq \"work\"].value",
"value": "test@example.com"
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Example 5: Disable the account and specify the path parameter
{
"Operations": [
{
"op": "Replace",
"path": "active",
"value": "false"
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Example 6: Disable the account and do not specify the path parameter
{
"Operations": [
{
"op": "Replace",
"value": {
"active": false
}
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Sample response
HTTP/1.1 204
DELETE /Users/{id}
Description
Deletes a user.
Limits
The id parameter is required.
You can delete only synchronized users.
Sample request
curl {BaseUrl}/Users/<userId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X DELETE
Sample response
HTTP/1.1 204
/Groups
POST /Groups
Description
Synchronizes a user group.
Limits
For more information about the limits on fields, see the "/Schemas" section of this topic.
You can specify up to 1,000 users. If the number of users exceeds 1,000, an error occurs.
If a specified user does not exist or is not synchronized, the user is ignored.
If you create a user group, the information about the user group is returned.
Sample request
{
"externalId": "<external Id>",
"displayName": "<group name>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"type": "User"
},
{
"value": "user_d3rmo3xxxxxxxxxbo6vhcfq",
"$ref": "{BaseUrl}/Users/user_d3rmo3xxxxxxxxxbo6vhcfq",
"type": "User"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
Sample response
HTTP/1.1 201
{
"id": "group_bz7xxxxxxxxxx3hhxdha",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
GET /Groups/{id}
Description
Queries a user group.
Limits
The user group specified by the ID is returned. By default, the members value is returned.
You can specify excludedAttributes=members in the request. In this case, the members field is not returned.
If the value of the id parameter is not the ID of an existing user group, the request is rejected.
You can query only the user groups that are synchronized to EIAM by using SCIM.
Sample request
curl {BaseUrl}/Groups/<groupId><?parameters> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X GET
The following table describes the supported parameters.
Parameter | Value description | Example |
excludedAttributes | Specifies which field is not returned. Set the value to members, which means that the members field is not returned. | members |
Sample response
HTTP/1.1 200
{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
GET /Groups
Description
Queries the information about specific user groups or queries all user groups.
Limits
If you specify the filter parameter, the user group that meets the conditions in the filter parameter is returned. The filter parameter supports only the EQ and AND operators.
If you do not specify the filter parameter, all user groups are returned. The users in the user groups are not returned.
The standard pagination method of SCIM 2.0 is supported. By default, 20 entries are returned per page. A maximum of 100 entries can be returned per page. If the number of entries exceeds 100, only 100 entries are returned.
You can query only synchronized user groups.
Sample request
curl {BaseUrl}/Groups<?parameters> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X GET
The following table describes the supported parameters.
Parameter | Value description | Example |
filter | Only the eq expressions of displayName, externalId, and id are supported. The filter parameter must be URL-encoded. | |
startIndex | The page number. This parameter is optional. Default value: 1. | startIndex=1 |
count | The number of users per page. This parameter is optional. Default value: 20. A maximum of 100 entries can be returned per page. If the number of entries exceeds 100, only 100 entries are returned. | count=20 |
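Building the filter parameter for the GET /Users and GET /Groups requests described above, as an added example that is not EIAM's own code: it accepts only the attributes listed in the two parameter tables, writes each value as a JSON-escaped string literal (the SCIM filter grammar in RFC 7644 takes its string values from JSON) so that a quote inside a user-supplied value cannot end the literal, percent-encodes the result, and caps count at 100. The function names and the base URL are hypothetical.

```python
"""Build URL-encoded filter queries for GET /Users and GET /Groups."""
import json
from urllib.parse import quote, urlencode

# Filterable attributes, copied from the parameter tables on this page.
FILTERABLE = {
    "Users": {
        "externalId", "id", "userName",
        'emails[type eq "work"].value',
        'phoneNumbers[type eq "work"].value',
    },
    "Groups": {"displayName", "externalId", "id"},
}
DEFAULT_COUNT = 20   # documented default page size
MAX_COUNT = 100      # documented per-page ceiling


def build_filter(resource, conditions):
    """Join (attribute, value) pairs with 'and'; only eq and and are supported."""
    allowed = FILTERABLE[resource]
    clauses = []
    for attribute, value in conditions:
        if attribute not in allowed:
            raise ValueError(f"{attribute!r} is not filterable on /{resource}")
        if not isinstance(value, str) or any(ord(c) < 0x20 for c in value):
            raise ValueError("filter values must be strings without control characters")
        # json.dumps escapes embedded quotes and backslashes, so the value
        # stays one string literal whatever characters it contains.
        clauses.append(f"{attribute} eq {json.dumps(value, ensure_ascii=False)}")
    if not clauses:
        raise ValueError("at least one condition is required")
    return " and ".join(clauses)


def list_url(base_url, resource, conditions=(), start_index=1, count=DEFAULT_COUNT):
    """Return the request URL for a list query with an optional filter."""
    if start_index < 1 or count < 1:
        raise ValueError("startIndex and count must be positive")
    params = {}
    if conditions:
        params["filter"] = build_filter(resource, conditions)
    params["startIndex"] = start_index
    params["count"] = min(count, MAX_COUNT)  # more than 100 is never returned
    # quote_via=quote encodes spaces as %20 and leaves no reserved character raw.
    query = urlencode(params, quote_via=quote)
    return f"{base_url.rstrip('/')}/{resource}?{query}"


if __name__ == "__main__":
    BASE = "https://scim.example.invalid/base"  # placeholder for {BaseUrl}
    print(list_url(BASE, "Users",
                   [('emails[type eq "work"].value', "test1@example.com")]))
    # Constructed value containing quotes: it is escaped, not interpreted.
    print(list_url(BASE, "Users", [("userName", 'alice" and id eq "user_x')]))
    print(list_url(BASE, "Groups", [("displayName", "GroupName1")], count=500))
```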
Sample response
HTTP/1.1 200
{
"startIndex": 1,
"totalResults": 2,
"itemsPerPage": 20,
"Resources": [
{
"displayName": "GroupName1",
"id": "group_7xh7xxxxxxxxxxgvajbbowpe",
"externalId": "externalId1",
"meta": {
"resourceType": "Group",
"created": "2025-03-07T10:03:21.784Z",
"lastModified": "2025-03-07T10:03:21.784Z",
"location": "{BaseUrl}/Groups/group_7xh7xxxxxxxxxxgvajbbowpe"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
},
{
"displayName": "GroupName2",
"id": "group_bz7qhxxxxxxxxxle3hhxdha",
"externalId": "externalId2",
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T10:46:36.549Z",
"location": "{BaseUrl}/Groups/group_bz7qhxxxxxxxxxle3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
PUT /Groups/{id}
Description
Replaces the information about a user group.
Limits
The id parameter is required. You can modify only the fields that are defined in the "/Schemas" section of this topic.
A PUT request is used to overwrite the original attributes. You can replace the users in the user groups. You can specify up to 1,000 users. If the number of users exceeds 1,000, an error is reported.
You can modify only the user groups that are synchronized to EIAM by using SCIM. You can replace only users that are synchronized to EIAM by using SCIM in the user groups.
The information about the user group and all of its users is returned.
Sample request
curl {BaseUrl}/Groups/<groupId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X PUT -d '<data>'
The following sample code provides an example of the data field:
{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
Sample response
HTTP/1.1 200
{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
PATCH /Groups/{id}
Description
Updates the information about a user group.
Limits
The id parameter is required. You can modify only the fields that are defined in the "/Schemas" section of this topic.
You can use a PATCH request for the Add, Replace, and Remove operations.
You can replace up to 1,000 users. If the number of users exceeds 1,000, an error is reported.
You can add up to 100 users. If the number of users exceeds 100, an error is reported.
You can remove up to 100 users. If the number of users exceeds 100, an error is reported.
You can modify only the user groups that are synchronized to EIAM by using SCIM. You can update only users that are synchronized to EIAM by using SCIM in the user groups.
The information about the user group and all of its users is returned.
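A pre-flight check for PatchOp bodies against the PATCH /Users/{id} and PATCH /Groups/{id} limits listed on this page, as an added example that is not EIAM's own code: it reports a remove operation on a user (which the service ignores, so a deprovisioning job that relies on it changes nothing), reports member counts over the documented ceilings, and splits a large member add or remove into bodies that fit. The function names and sample IDs are hypothetical, and summing member counts across the operations of one request is an assumption.

```python
"""Pre-flight checks for SCIM PatchOp bodies against the documented PATCH limits."""

PATCH_OP_URN = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Member ceilings documented for PATCH /Groups/{id}.
GROUP_MEMBER_LIMITS = {"add": 100, "remove": 100, "replace": 1000}


def _member_count(op):
    """Count member entries in an operation, with or without a path."""
    value = op.get("value")
    if str(op.get("path", "")).lower() == "members" and isinstance(value, list):
        return len(value)
    if isinstance(value, dict) and isinstance(value.get("members"), list):
        return len(value["members"])
    return 0


def check_patch(resource, body):
    """Return a list of problems; an empty list means the body fits the limits.

    resource is "Users" or "Groups". Assumption: the member ceilings apply to
    the whole request, so counts are summed across operations of one type.
    """
    findings = []
    if PATCH_OP_URN not in body.get("schemas", []):
        findings.append(f"schemas must include {PATCH_OP_URN}")
    totals = dict.fromkeys(GROUP_MEMBER_LIMITS, 0)
    operations = body.get("Operations", [])
    if not operations:
        findings.append("Operations is empty")
    for index, op in enumerate(operations):
        name = str(op.get("op", "")).lower()  # the samples use "add" and "Replace"
        if name not in totals:
            findings.append(f"Operations[{index}]: unsupported op {op.get('op')!r}")
        elif resource == "Users" and name == "remove":
            findings.append(f"Operations[{index}]: remove is ignored on /Users; "
                            "to disable an account, replace active with false")
        elif resource == "Groups":
            totals[name] += _member_count(op)
    for name, limit in GROUP_MEMBER_LIMITS.items():
        if totals[name] > limit:
            findings.append(f"{name}: {totals[name]} members exceeds the limit of {limit}")
    return findings


def chunked_member_patches(op, user_ids):
    """Split a member add or remove into PatchOp bodies within the ceiling.

    An empty user_ids list yields no bodies at all, so this never emits a
    remove on "members" without a value, which would clear the whole group.
    """
    if op not in ("add", "remove"):
        raise ValueError("only add and remove can be split; "
                         "replace overwrites the whole member list")
    size = GROUP_MEMBER_LIMITS[op]
    return [
        {
            "schemas": [PATCH_OP_URN],
            "Operations": [{
                "op": op,
                "path": "members",
                "value": [{"value": uid} for uid in user_ids[start:start + size]],
            }],
        }
        for start in range(0, len(user_ids), size)
    ]


# Constructed sample bodies; the IDs are placeholders, not real EIAM IDs.
USER_REMOVE = {"schemas": [PATCH_OP_URN],
               "Operations": [{"op": "remove", "path": "emails"}]}
USER_DISABLE = {"schemas": [PATCH_OP_URN],
                "Operations": [{"op": "Replace", "value": {"active": False}}]}
SAMPLE_IDS = [f"user_example{n:03d}" for n in range(250)]
GROUP_ADD_250 = {"schemas": [PATCH_OP_URN],
                 "Operations": [{"op": "add", "path": "members",
                                 "value": [{"value": uid} for uid in SAMPLE_IDS]}]}

if __name__ == "__main__":
    print(check_patch("Users", USER_REMOVE))
    print(check_patch("Users", USER_DISABLE))
    print(check_patch("Groups", GROUP_ADD_250))
    for body in chunked_member_patches("add", SAMPLE_IDS):
        print(len(body["Operations"][0]["value"]), check_patch("Groups", body))
```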
Sample request
curl {BaseUrl}/Groups/<groupId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X PATCH -d '<data>'
The following sample code provides an example of the data field:
Example 1: Remove all users who are synchronized to EIAM by using SCIM from the user group
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "remove",
"path": "members"
}
]
}
Example 2: Add users to or remove users from the user group
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "remove",
"path": "members",
"value": [{
"value": "user_dm57xxxxxxxxxxx5wzecz"
}]
},
{
"op": "add",
"path": "members",
"value": [{
"value": "user_sdfqxxxxxxxxxxkzhw5wz"
}]
}
]
}
Example 3: Replace users
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "replace",
"path": "members",
"value": [{
"value": "user_dm57xxxxxxxxxxx5wzecz"
}]
}
]
}
Sample response
HTTP/1.1 200
{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
DELETE /Groups/{id}
Description
Deletes a user group.
Limits
The id parameter is required.
If a user is added to the user group, the user is removed from the user group when you delete the user group.
You can delete only the user groups that are synchronized to EIAM by using SCIM.
Sample request
curl {BaseUrl}/Groups/<groupId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X DELETE
Sample response
HTTP/1.1 204