SCIM sync

Sync users and groups into Gvner for deterministic access control and auditability.

How to use

1. Enable SCIM

Configure the Gvner SCIM endpoint URL and credentials in your IdP's provisioning settings.

2. Sync users/groups

Run the initial sync and verify that the directory entries in Gvner match the IdP.

3. Reconcile drift

Review SCIM diffs and approve changes.

4. Lock session policy

Ensure the session policy aligns with the synced roles.

5. Export identity packet

Produce a snapshot for auditors.

SCIM workflow

1. Upsert users

Provision users with stable IDs and role metadata.

2. Upsert groups

Sync group membership for role mapping and approvals.

3. Verify drift

Review drift reports and reconcile mismatches.

SCIM API

POST /scim/users
{
  "tenant_id": "acme",
  "user_id": "u-123",
  "email": "user@acme.com",
  "roles": ["compliance", "approver"]
}

POST /scim/groups
{
  "tenant_id": "acme",
  "group_id": "g-approvers",
  "members": ["u-123", "u-456"]
}

Both calls are upserts (see the workflow above), keyed on user_id and group_id. Use the IdP's stable identifier for user_id rather than the e-mail address, which can change. Note that these request bodies use Gvner-specific field names rather than the SCIM 2.0 core schema attributes (userName, externalId, emails), so check that your IdP's SCIM connector attribute mapping matches.
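The following is an added example, not Gvner's own code, covering workflow steps 1 to 3 (upsert users, upsert groups, verify drift) and the reconciliation step from "How to use". It assumes that both the IdP-side directory and the Gvner directory export are available as lists of records shaped like the POST /scim/users and POST /scim/groups bodies above; the sample directories are constructed for illustration. Drift is computed on stable IDs, and reconciliation is expressed as the upsert requests that would close the gap. Orphan users (present in Gvner but not in the IdP) are reported rather than removed, because this page documents no delete endpoint and removal should go through the approval step.

```python
"""Drift check and reconciliation against Gvner's SCIM payload format.

Added example, not Gvner's own code. Assumptions:
  * IdP directory and Gvner export are lists of records shaped like the
    POST /scim/users and POST /scim/groups bodies on this page;
  * reconciliation is expressed as the upsert requests that close the gap.
The sample directories below are constructed for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

TENANT = "acme"

# Constructed IdP-side view (source of truth).
IDP_USERS = [
    {"tenant_id": TENANT, "user_id": "u-123", "email": "user@acme.com", "roles": ["compliance", "approver"]},
    {"tenant_id": TENANT, "user_id": "u-456", "email": "ops@acme.com", "roles": ["approver"]},
    {"tenant_id": TENANT, "user_id": "u-789", "email": "new@acme.com", "roles": ["viewer"]},
]
IDP_GROUPS = [
    {"tenant_id": TENANT, "group_id": "g-approvers", "members": ["u-123", "u-456"]},
]

# Constructed Gvner-side export: u-789 never arrived, u-456 lost its role,
# and u-999 exists in Gvner but not in the IdP (an orphan).
GVNER_USERS = [
    {"tenant_id": TENANT, "user_id": "u-123", "email": "user@acme.com", "roles": ["compliance", "approver"]},
    {"tenant_id": TENANT, "user_id": "u-456", "email": "ops@acme.com", "roles": []},
    {"tenant_id": TENANT, "user_id": "u-999", "email": "left@acme.com", "roles": ["approver"]},
]
GVNER_GROUPS = [
    {"tenant_id": TENANT, "group_id": "g-approvers", "members": ["u-123", "u-999"]},
]


@dataclass
class Drift:
    missing_users: list[str] = field(default_factory=list)   # in IdP, not in Gvner
    orphan_users: list[str] = field(default_factory=list)    # in Gvner, not in IdP
    role_mismatch: dict[str, tuple[list[str], list[str]]] = field(default_factory=dict)   # uid -> (want, have)
    group_mismatch: dict[str, tuple[list[str], list[str]]] = field(default_factory=dict)  # gid -> (want, have)

    def is_clean(self) -> bool:
        return not (self.missing_users or self.orphan_users or self.role_mismatch or self.group_mismatch)


def compute_drift(idp_users, idp_groups, gvner_users, gvner_groups) -> Drift:
    """Compare the IdP view with the Gvner export, keyed on stable IDs, not e-mail."""
    idp = {u["user_id"]: u for u in idp_users}
    gv = {u["user_id"]: u for u in gvner_users}
    drift = Drift()
    drift.missing_users = sorted(idp.keys() - gv.keys())
    drift.orphan_users = sorted(gv.keys() - idp.keys())
    for uid in sorted(idp.keys() & gv.keys()):
        want, have = sorted(idp[uid]["roles"]), sorted(gv[uid]["roles"])
        if want != have:
            drift.role_mismatch[uid] = (want, have)
    idp_g = {g["group_id"]: sorted(g["members"]) for g in idp_groups}
    gv_g = {g["group_id"]: sorted(g["members"]) for g in gvner_groups}
    for gid in sorted(idp_g.keys() | gv_g.keys()):
        want, have = idp_g.get(gid, []), gv_g.get(gid, [])
        if want != have:
            drift.group_mismatch[gid] = (want, have)
    return drift


def reconcile(drift: Drift, idp_users, idp_groups) -> list[tuple[str, dict]]:
    """Build the upsert requests that would close the drift.

    Returns (endpoint, body) pairs in the page's POST /scim/users and
    POST /scim/groups format. Orphans are left for review: the page documents
    no delete endpoint, and removals belong in the approval step.
    """
    idp = {u["user_id"]: u for u in idp_users}
    requests: list[tuple[str, dict]] = []
    for uid in drift.missing_users + sorted(drift.role_mismatch):
        requests.append(("POST /scim/users", idp[uid]))
    for g in idp_groups:
        if g["group_id"] in drift.group_mismatch:
            requests.append(("POST /scim/groups", g))
    return requests


if __name__ == "__main__":
    d = compute_drift(IDP_USERS, IDP_GROUPS, GVNER_USERS, GVNER_GROUPS)
    print(json.dumps(d.__dict__, indent=2))
    for endpoint, body in reconcile(d, IDP_USERS, IDP_GROUPS):
        print(endpoint, json.dumps(body))
```

Run against a weekly directory export, the drift report is the input to "Reconcile drift" and the request list is what gets submitted once the changes are approved; the orphan list is the part that needs a human decision.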

Operational checks

Export SCIM directory weekly
Validate role mappings
Review drift report
Reconcile missing users
Review approvals coverage
Export identity packet

Key API endpoints

POST /scim/users — upsert users
POST /scim/groups — upsert groups and their membership
GET /identity/ledger — identity ledger

Evidence outputs

SCIM sync receipts
Identity ledger entries