Definition
SCIM
SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity data between an identity provider and the apps an organization uses. It lets IT provision, update, and deprovision accounts centrally: when someone joins, changes roles, or leaves, those changes propagate automatically to every connected application.
Key takeaways
- SCIM is an open standard that automates exchanging user identity data between an identity provider and the apps an organization uses.
- It centralizes the account lifecycle: provisioning, role updates, and deprovisioning propagate automatically to every connected app.
- Its most critical operation is deprovisioning — closing the security gap left by orphaned accounts when employees depart.
- It complements SSO: SSO governs login, SCIM governs whether the account exists and reflects the user's current role.
Managing user accounts by hand across dozens of SaaS tools is slow and dangerous — a departed employee whose accounts linger is a security liability. SCIM solves this with a standardized REST API and JSON schema for users and groups, so an identity provider (the source of truth for who works here) can push lifecycle changes to every downstream application automatically.
The headline operation is deprovisioning. When an employee leaves, the identity provider deactivates them once, and SCIM ensures every connected app revokes access — closing the window where an orphaned account could be abused. The same flow handles onboarding (auto-creating accounts) and role changes (updating group membership that drives in-app permissions).
SCIM is the natural companion to single sign-on: SSO answers can this person log in right now, while SCIM answers does this person's account exist and reflect their current role. Together they let a central identity system govern the full account lifecycle. Both are typically enterprise-tier capabilities because they presuppose an identity provider.
Planoda offers SCIM provisioning alongside SSO on its enterprise tier, so administrators can automate account lifecycle and role mapping from their identity provider.
Related terms
- SSO (Single Sign-On)Single sign-on (SSO) lets users access many applications with one set of credentials, authenticating through a central identity provider instead of a separate login per app. Sign in once and you're recognized everywhere connected. SSO improves security and user experience at once — fewer passwords to reuse or forget, and centralized control over who can access what.
- OAuthOAuth is an open standard for delegated authorization: it lets a user grant one application limited access to their data in another, without sharing their password. Instead of handing over credentials, the user approves a scoped grant and the app receives a token it presents on the user's behalf. OAuth handles authorization — what an app may do — not who the user is.
- RBAC (Role-Based Access Control)Role-based access control (RBAC) governs what users can do by assigning them roles — such as admin, member, or viewer — that carry defined permissions, rather than granting rights to each person individually. It scales access management: change a role's permissions once and every user with that role updates, and onboarding becomes assigning a role, not wiring up dozens of grants.
- Principle of Least PrivilegeThe principle of least privilege holds that every user, service, or process should be granted only the minimum permissions needed to do its job — and nothing more. By default-denying access and granting narrowly, you shrink the attack surface: a compromised account or buggy component can only reach what it was explicitly allowed, limiting the blast radius of any failure.
- SOC 2SOC 2 is an auditing standard from the AICPA that assesses how a service organization handles customer data against five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report, produced by an independent auditor, is the common way SaaS vendors demonstrate to customers that their controls are designed and operating effectively.