Employee Identity and Access Management (EIAM) supports a subset of SCIM 2.0 operations, allowing you to synchronize users and user groups from your self-managed application into EIAM. This reference covers the supported endpoints, constraints per operation, and request/response examples.
Usage notes
EIAM implements SCIM 2.0 based on RFC 7642, RFC 7643, and RFC 7644. For supported schemas, see /Schemas.
Authentication
All /Users and /Groups requests require a bearer token. Discovery endpoint requests (/ServiceProviderConfig, /ResourceTypes, /Schemas) do not require authentication.
Two methods are available to obtain a bearer token:
Static bearer token: Set a static token on the Synchronize Application to IDaaS tab of the Account Synchronization tab in the IDaaS console application management page.
OAuth 2.0 Client Credentials: Dynamically obtain an access token using the OAuth 2.0 Client Credentials grant. Provide your client ID and client secret to request a token. See GenerateToken.
In all examples below, replace {BaseUrl} with the SCIM Base URL value from your EIAM instance application, and replace <BearerToken> with a valid bearer token.
Supported operations
| Category | Operation | Supported |
|---|---|---|
| Discovery endpoint | /ServiceProviderConfig | Yes |
| Discovery endpoint | /ResourceTypes | Yes |
| Discovery endpoint | /Schemas | Yes |
| /Users | POST /Users | Yes |
| /Users | GET /Users/{id} | Yes |
| /Users | GET /Users | Yes |
| /Users | PUT /Users/{id} | Yes |
| /Users | PATCH /Users/{id} | Yes |
| /Users | DELETE /Users/{id} | Yes |
| /Groups | POST /Groups | Yes |
| /Groups | GET /Groups/{id} | Yes |
| /Groups | GET /Groups | Yes |
| /Groups | PUT /Groups/{id} | Yes |
| /Groups | PATCH /Groups/{id} | Yes |
| /Groups | DELETE /Groups/{id} | Yes |
| /Me | N/A | No |
| /Bulk | N/A | No |
| /.Search | N/A | No |
Discovery endpoint
/ServiceProviderConfig
Returns the features supported by EIAM.
No authentication required.
Request
curl {BaseUrl}/ServiceProviderConfig --header "Content-type:application/scim+json"Response
{
"documentationUri": "",
"patch": {
"supported": true
},
"bulk": {
"supported": false,
"maxOperations": 0,
"maxPayloadSize": 0
},
"filter": {
"supported": true,
"maxResults": 100
},
"changePassword": {
"supported": true
},
"sort": {
"supported": false
},
"etag": {
"supported": false
},
"authenticationSchemes": [
{
"name": "OAuth Bearer Token",
"description": "Authentication scheme using the OAuth Bearer Token Standard",
"specUri": "https://www.rfc-editor.org/info/rfc6750",
"type": "oauthbearertoken",
"primary": true
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
]
}/ResourceTypes
Returns the resource types supported by EIAM (users and user groups).
No authentication required.
Request
curl {BaseUrl}/ResourceTypes --header "content-type:application/scim+json"Response
{
"startIndex": 1,
"totalResults": 2,
"itemsPerPage": 2,
"Resources": [
{
"name": "Group",
"description": "Group",
"endpoint": "/Groups",
"schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
"id": "Group",
"meta": {
"resourceType": "Group",
"location": "{BaseUrl}/ResourceTypes/Group"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
]
},
{
"name": "User",
"description": "User Account",
"endpoint": "/Users",
"schema": "urn:ietf:params:scim:schemas:core:2.0:User",
"schemaExtensions": [
{
"schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"required": false
}
],
"id": "User",
"meta": {
"resourceType": "User",
"location": "{BaseUrl}/ResourceTypes/User"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}/Schemas
Returns the schemas supported by EIAM: users, enterprise users, and user groups.
No authentication required. Query by resource type is supported. Only the fields in the sample response below are supported.
Requests
# All schemas
curl {BaseUrl}/Schemas --header "content-type:application/scim+json"
# User schema
curl {BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:User --header "content-type:application/scim+json"
# Group schema
curl {BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group --header "content-type:application/scim+json"
# Enterprise user schema
curl {BaseUrl}/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User --header "content-type:application/scim+json"Response
{
"startIndex": 1,
"totalResults": 3,
"itemsPerPage": 3,
"Resources": [
{
"name": "User",
"description": "User Account",
"attributes": [
{
"name": "userName",
"type": "string",
"multiValued": false,
"description": "Unique identifier for the User typically used by the user to directly authenticate to the service provider.",
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "server"
},
{
"name": "displayName",
"type": "string",
"multiValued": false,
"description": "The name of the User, suitable for display to end-users. The name SHOULD be the full name of the User being described if known.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "password",
"type": "string",
"multiValued": false,
"description": "The User's clear text password. This attribute is intended to be used as a means to specify an initial password when creating a new User or to reset an existing User's password.",
"required": false,
"caseExact": false,
"mutability": "writeOnly",
"returned": "never",
"uniqueness": "none"
},
{
"name": "emails",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "E-mail addresses for the user. The value SHOULD be canonicalized by the Service Provider, e.g. bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and other.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "A label indicating the attribute's function; e.g., 'work' or 'home'.",
"required": false,
"canonicalValues": [
"work",
"home",
"other"
],
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "primary",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred mailing address or primary e-mail address. The primary attribute value 'true' MUST appear no more than once.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "E-mail addresses for the user. The value SHOULD be canonicalized by the Service Provider, e.g., bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and other.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "server"
},
{
"name": "phoneNumbers",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "Phone number of the User",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "A label indicating the attribute's function; e.g., 'work' or 'home' or 'mobile' etc.",
"required": false,
"canonicalValues": [
"work",
"home",
"mobile",
"fax",
"pager",
"other"
],
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "primary",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred phone number or primary phone number. The primary attribute value 'true' MUST appear no more than once.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "Phone numbers for the User. The value SHOULD be canonicalized by the Service Provider according to format in RFC3966 e.g., 'tel:555xxxx5555'. Canonical Type values of work, home, mobile, fax, pager and other.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "server"
},
{
"name": "phoneRegion",
"type": "string",
"multiValued": false,
"description": "PhoneRegion for the User. eg.86.If not filled, the default value is 86",
"required": false,
"caseExact": false,
"mutability": "writeOnly",
"returned": "never",
"uniqueness": "none"
},
{
"name": "id",
"type": "string",
"multiValued": false,
"description": "A unique identifier for a SCIM resource as defined by the service provider.",
"required": true,
"caseExact": false,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "server"
},
{
"name": "externalId",
"type": "string",
"multiValued": false,
"description": "A String that is an identifier for the resource as defined by the provisioning client.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "meta",
"type": "complex",
"subAttributes": [
{
"name": "resourceType",
"type": "string",
"multiValued": false,
"description": "The resource Type",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
},
{
"name": "location",
"type": "reference",
"multiValued": false,
"description": "The location (URI) of the resource",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"multiValued": false,
"description": ".",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "schemas",
"type": "string",
"multiValued": true,
"description": ".",
"required": true,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"id": "urn:ietf:params:scim:schemas:core:2.0:User",
"meta": {
"resourceType": "Schema",
"location": "{BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
}
},
{
"name": "Group",
"description": "Group",
"attributes": [
{
"name": "displayName",
"type": "string",
"multiValued": false,
"description": "A human-readable name for the Group.",
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "members",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "The identifier of a group member.",
"required": true,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness": "none"
},
{
"name": "ref",
"type": "reference",
"multiValued": false,
"description": "The URI of the member resource.",
"required": true,
"caseExact": true,
"mutability": "immutable",
"returned": "default",
"uniqueness": "none",
"referenceTypes": [
"User"
]
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes.",
"required": false,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "A list of members of the Group.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "id",
"type": "string",
"multiValued": false,
"description": "A unique identifier for a SCIM resource as defined by the service provider.",
"required": true,
"caseExact": false,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "server"
},
{
"name": "externalId",
"type": "string",
"multiValued": false,
"description": "A String that is an identifier for the resource as defined by the provisioning client.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "meta",
"type": "complex",
"subAttributes": [
{
"name": "resourceType",
"type": "string",
"multiValued": false,
"description": "The resource Type",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
},
{
"name": "location",
"type": "reference",
"multiValued": false,
"description": "The location (URI) of the resource",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"multiValued": false,
"description": ".",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "schemas",
"type": "string",
"multiValued": true,
"description": ".",
"required": true,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"id": "urn:ietf:params:scim:schemas:core:2.0:Group",
"meta": {
"resourceType": "Schema",
"location": "{BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group"
}
},
{
"name": "EnterpriseUser",
"description": "Enterprise User",
"attributes": [
{
"name": "organization",
"type": "string",
"multiValued": false,
"description": "Identifies the name of an organization.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"id": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"meta": {
"resourceType": "Schema",
"location": "{BaseUrl}/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
}
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}Users
POST /Users
Creates (synchronizes) a user in EIAM.
Constraints
Only fields defined in /Schemas are supported.
To assign a user to a specific organizational unit, include the enterprise user extension (
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User) and set theorganizationfield to the organizational unit ID. If omitted, the user is assigned to the synchronization target organizational unit.
Request
curl {BaseUrl}/Users \
--header 'Authorization: Bearer <BearerToken>' \
--header "content-type:application/scim+json" \
-X POST \
-d '<data>'Without organizational unit assignment
{
"userName": "<user username>",
"externalId": "<external Id>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"primary": true,
"type": "work",
"value": "<user email>"
}
],
"phoneRegion": "86",
"phoneNumbers": [
{
"primary": true,
"type": "work",
"value": "<user phoneNumber>"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
]
}With organizational unit assignment
{
"userName": "<user username>",
"externalId": "<external Id>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"primary": true,
"type": "work",
"value": "<user email>"
}
],
"phoneRegion": "86",
"phoneNumbers": [
{
"primary": true,
"type": "work",
"value": "<user phoneNumber>"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}Response
HTTP/1.1 201{
"id": "<userId>",
"userName": "<user username>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"value": "<user email>",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "<user phoneNumber>",
"type": "work",
"primary": true
}
],
"externalId": "<external Id>",
"meta": {
"resourceType": "User",
"created": "2025-02-25T09:56:48.622Z",
"lastModified": "2025-02-25T09:56:48.622Z",
"location": "{BaseUrl}/Users/<userId>"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}GET /Users/{id}
Returns a single user by ID.
Constraints
If the specified ID does not match an existing user, the request is rejected.
Only users synchronized to EIAM via SCIM can be queried.
Request
curl {BaseUrl}/Users/<userId> \
--header 'Authorization: Bearer <BearerToken>' \
--header "content-type:application/scim+json" \
-X GETResponse
HTTP/1.1 200{
"id": "<userId>",
"userName": "<user username>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"value": "<user email>",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "<user phoneNumber>",
"type": "work",
"primary": true
}
],
"externalId": "<external Id>",
"meta": {
"resourceType": "User",
"created": "2025-02-25T09:56:48.622Z",
"lastModified": "2025-02-25T09:56:48.622Z",
"location": "{BaseUrl}/Users/<userId>"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}GET /Users
Returns a list of users. Supports filtering and pagination.
Constraints
Without a
filterparameter: returns only users synchronized to EIAM via SCIM.With a
filterparameter: returns users within the synchronization scope that match the filter. Supports only theeqandandoperators. Thefiltervalue must be URL-encoded.Default page size: 20. Maximum page size: 100. If
countexceeds 100, only 100 entries are returned.
Request
curl {BaseUrl}/Users?<parameters> \
--header 'Authorization: Bearer <BearerToken>' \
--header "content-type:application/scim+json" \
-X GETParameters
| Parameter | Description | Example |
|---|---|---|
filter | Filter expression. Supports eq expressions on externalId, id, userName, emails[type eq "work"].value, and phoneNumbers[type eq "work"].value. Must be URL-encoded. | filter=userName eq "alice" |
startIndex | Page number. Default: 1. | startIndex=1 |
count | Number of entries per page. Default: 20. Maximum: 100. | count=20 |
Filter expression examples:
filter=externalId eq "<external Id>"
filter=id eq "user_xxxxxxxx"
filter=userName eq "<user username>"
filter=emails[type eq "work"].value eq "<user email>"
filter=emails[type eq "work" and value eq "<user email>"]
filter=phoneNumbers[type eq "work"].value eq "<user phoneNumber>"
filter=phoneNumbers[type eq "work" and value eq "<user phoneNumber>"]Response
HTTP/1.1 200{
"startIndex": 1,
"totalResults": 2,
"itemsPerPage": 20,
"Resources": [
{
"userName": "username1",
"displayName": "displayName1",
"active": true,
"emails": [
{
"value": "test1@example.com",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "333*****333",
"type": "work",
"primary": true
}
],
"id": "user_addxxxxxxxxxxxxxxx1",
"externalId": "externalId1",
"meta": {
"resourceType": "User",
"created": "2025-03-06T03:16:40.201Z",
"lastModified": "2025-03-06T03:16:40.201Z",
"location": "{BaseUrl}/Users/user_addxxxxxxxxxxxxxxx1"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
]
},
{
"userName": "username2",
"displayName": "displayName2",
"active": true,
"emails": [
{
"value": "test2@example.com",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "333*****334",
"type": "work",
"primary": true
}
],
"id": "user_g3od4xxxxxxxxxxxxxxx2",
"externalId": "externalId2",
"meta": {
"resourceType": "User",
"created": "2025-03-06T06:58:35.997Z",
"lastModified": "2025-03-06T06:58:35.997Z",
"location": "{BaseUrl}/Users/user_g3od4xxxxxxxxxxxxxxx2"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}To iterate through all pages, incrementstartIndexbycountafter each request and repeat untilstartIndexexceedstotalResults. TheitemsPerPage,startIndex, andtotalResultsvalues in the response are integers, not strings.
PUT /Users/{id}
Replaces all attributes of a user.
Constraints
The
idparameter is required.PUT overwrites all user attributes. Fields not included in the request body are reset to empty.
Only fields defined in /Schemas are supported.
Applies to users synchronized to EIAM via SCIM and to self-managed users. After a PUT on a self-managed user, EIAM automatically converts the user to a SCIM-synchronized user.
Request
curl {BaseUrl}/Users/<userId> \
--header 'Authorization: Bearer <BearerToken>' \
--header "content-type:application/scim+json" \
-X PUT \
-d '<data>'{
"id": "<userId>",
"userName": "<user username>",
"externalId": "<external Id>",
"displayName": "<user display name>",
"emails": [
{
"primary": true,
"type": "work",
"value": "<user email>"
}
],
"phoneRegion": "86",
"phoneNumbers": [
{
"primary": true,
"type": "work",
"value": "<user phoneNumber>"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}Response
HTTP/1.1 200{
"id": "<userId>",
"userName": "<user username>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"value": "<user email>",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "<user phoneNumber>",
"type": "work",
"primary": true
}
],
"externalId": "<external Id>",
"meta": {
"resourceType": "User",
"created": "2025-02-25T09:56:48.622Z",
"lastModified": "2025-02-25T09:56:48.622Z",
"location": "{BaseUrl}/Users/<userId>"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}PATCH /Users/{id}
Updates specific attributes of a user.
Constraints
The
idparameter is required.Supports the
addandreplaceoperations. Theremoveoperation is ignored.Only fields defined in /Schemas are supported.
Applies to users synchronized to EIAM via SCIM and to self-managed users. After a PATCH on a self-managed user, EIAM automatically converts the user to a SCIM-synchronized user.
Request
curl {BaseUrl}/Users/<userId> \
--header 'Authorization: Bearer <BearerToken>' \
--header "content-type:application/scim+json" \
-X PATCH \
-d '<data>'All PATCH examples use the PatchOp schema: urn:ietf:params:scim:api:messages:2.0:PatchOp.
Add a field without specifying `path`
{
"Operations": [
{
"op": "add",
"value": {
"displayName": "updateDisplayName"
}
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}Update a field with `path`
{
"Operations": [
{
"op": "Replace",
"path": "displayName",
"value": "updateDisplayName"
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}Update email without specifying `path`
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "Replace",
"value": {
"emails": [
{
"value": "test@example.com",
"type": "work",
"primary": true
}
]
}
}
]
}Update email with `path`
{
"Operations": [
{
"op": "Replace",
"path": "emails[type eq \"work\"].value",
"value": "test@example.com"
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}Deactivate a user account with `path`
{
"Operations": [
{
"op": "Replace",
"path": "active",
"value": "false"
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}Deactivate a user account without `path`
{
"Operations": [
{
"op": "Replace",
"value": {
"active": false
}
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}Response
HTTP/1.1 204Theremoveoperation is not supported for user attributes. If you include aremoveoperation in the request, it is silently ignored.
DELETE /Users/{id}
Deletes a user.
Constraints
The
idparameter is required.Only users synchronized to EIAM via SCIM can be deleted.
Request
curl {BaseUrl}/Users/<userId> \
--header 'Authorization: Bearer <BearerToken>' \
--header "content-type:application/scim+json" \
-X DELETEResponse
HTTP/1.1 204Groups
POST /Groups
Creates (synchronizes) a user group in EIAM.
Constraints
Only fields defined in /Schemas are supported.
A maximum of 1,000 members can be specified. Exceeding this limit returns an error.
Members that do not exist in EIAM or have not been synchronized are silently ignored.
Request
curl {BaseUrl}/Groups \
--header 'Authorization: Bearer <BearerToken>' \
--header "content-type:application/scim+json" \
-X POST \
-d '<data>'{
"externalId": "<external Id>",
"displayName": "<group name>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"type": "User"
},
{
"value": "user_d3rmo3xxxxxxxxxbo6vhcfq",
"$ref": "{BaseUrl}/Users/user_d3rmo3xxxxxxxxxbo6vhcfq",
"type": "User"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}Response
HTTP/1.1 201{
"id": "group_bz7xxxxxxxxxx3hhxdha",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}GET /Groups/{id}
Returns a user group by ID, including its members.
Constraints
If the specified ID does not match an existing user group, the request is rejected.
Only user groups synchronized to EIAM via SCIM can be queried.
To exclude the
membersfield from the response, passexcludedAttributes=members.
Request
curl {BaseUrl}/Groups/<groupId>?<parameters> \
--header 'Authorization: Bearer <BearerToken>' \
--header "content-type:application/scim+json" \
-X GETParameters
| Parameter | Description | Example |
|---|---|---|
excludedAttributes | Fields to exclude from the response. Set to members to omit member details. | members |
Response
HTTP/1.1 200{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}GET /Groups
Returns a list of user groups. Supports filtering and pagination.
Constraints
Without a
filterparameter: returns all synchronized user groups. Member details are not included in list responses.With a
filterparameter: returns user groups matching the filter. Supports only theeqandandoperators. Thefiltervalue must be URL-encoded.Default page size: 20. Maximum page size: 100. If
countexceeds 100, only 100 entries are returned.
Request
curl {BaseUrl}/Groups?<parameters> \
--header 'Authorization: Bearer <BearerToken>' \
--header "content-type:application/scim+json" \
-X GETParameters
| Parameter | Description | Example |
|---|---|---|
filter | Filter expression. Supports eq expressions on displayName, externalId, and id. Must be URL-encoded. | filter=displayName eq "demoDisplayName" |
startIndex | Page number. Default: 1. | startIndex=1 |
count | Number of entries per page. Default: 20. Maximum: 100. | count=20 |
Filter expression examples:
filter=displayName eq "demoDisplayName"
filter=externalId eq "demoExternalId"
filter=id eq "demoGroupId"Response
HTTP/1.1 200{
"startIndex": 1,
"totalResults": 2,
"itemsPerPage": 20,
"Resources": [
{
"displayName": "GroupName1",
"id": "group_7xh7xxxxxxxxxxgvajbbowpe",
"externalId": "externalId1",
"meta": {
"resourceType": "Group",
"created": "2025-03-07T10:03:21.784Z",
"lastModified": "2025-03-07T10:03:21.784Z",
"location": "{BaseUrl}/Groups/group_7xh7xxxxxxxxxxgvajbbowpe"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
},
{
"displayName": "GroupName2",
"id": "group_bz7qhxxxxxxxxxle3hhxdha",
"externalId": "externalId2",
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T10:46:36.549Z",
"location": "{BaseUrl}/Groups/group_bz7qhxxxxxxxxxle3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}Member details (members field) are not returned in list responses. Use GET /Groups/{id} to retrieve member information for a specific group.PUT /Groups/{id}
Replaces all attributes of a user group, including its member list.
Constraints
The
idparameter is required.PUT overwrites the original attributes. You can replace the member list with up to 1,000 members. Exceeding this limit returns an error.
Only fields defined in /Schemas are supported.
Only user groups synchronized to EIAM via SCIM can be modified. Only SCIM-synchronized users can be added as members.
The response includes the updated user group and all its members.
Request
curl {BaseUrl}/Groups/<groupId> \
--header 'Authorization: Bearer <BearerToken>' \
--header "content-type:application/scim+json" \
-X PUT \
-d '<data>'{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}Response
HTTP/1.1 200{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}PATCH /Groups/{id}
Updates specific attributes of a user group.
Constraints
The
idparameter is required.Supports the
add,replace, andremoveoperations.Member limits per operation:
replace: up to 1,000 membersadd: up to 100 membersremove: up to 100 members
Only user groups synchronized to EIAM via SCIM can be modified. Only SCIM-synchronized users can be added or removed as members.
The response includes the updated user group and all its members.
Request
curl {BaseUrl}/Groups/<groupId> \
--header 'Authorization: Bearer <BearerToken>' \
--header "content-type:application/scim+json" \
-X PATCH \
-d '<data>'Remove all SCIM-synchronized members from the group
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "remove",
"path": "members"
}
]
}Add and remove specific members
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "remove",
"path": "members",
"value": [
{
"value": "user_dm57xxxxxxxxxxx5wzecz"
}
]
},
{
"op": "add",
"path": "members",
"value": [
{
"value": "user_sdfqxxxxxxxxxxkzhw5wz"
}
]
}
]
}Replace the member list
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "replace",
"path": "members",
"value": [
{
"value": "user_dm57xxxxxxxxxxx5wzecz"
}
]
}
]
}Response
HTTP/1.1 200{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}DELETE /Groups/{id}
Deletes a user group.
Constraints
The
idparameter is required.Only user groups synchronized to EIAM via SCIM can be deleted.
If a user is added to the user group, the user is removed from the user group when you delete the user group.
Request
curl {BaseUrl}/Groups/<groupId> \
--header 'Authorization: Bearer <BearerToken>' \
--header "content-type:application/scim+json" \
-X DELETEResponse
HTTP/1.1 204