SCIM configuration

Configure SCIM 2.0 provisioning with your identity provider.

The SCIM Configuration screen is the central place where your IT administrator retrieves the credentials that your organisation's identity provider (IdP) — such as Microsoft Entra ID, Okta, or Google Workspace — needs to connect to Priverion automatically. Once configured correctly, every time an employee joins or leaves your organisation, their Priverion account is created or deactivated without anyone having to log in and do it manually. This screen lives inside the Identity & Access Management section of IT Settings and is one of two complementary IAM screens; the other handles SSO (single sign-on). SCIM handles who has an account; SSO handles how they log in.

How to open it

Navigate to this screen as follows:

  • In the left-hand sidebar, click IT Settings — the section dedicated to technical platform configuration.
  • Inside IT Settings, locate and expand the Identity & Access Management group.
  • Under that group, click SCIM.
  • The page that opens is the Configuration view.

Access requirement: This screen is available to users whose role includes the IT Settings — Identity & Access Management permission. If you do not have this permission, the page will show a "403 Forbidden" message instead of any content. Ask your system administrator to review your role if you believe you should have access.

What you see

When you arrive at the SCIM Configuration screen, the overall layout follows the same two-level structure you see throughout IT Settings. The top navigation bar runs across the entire top of the page and gives you access to your profile, notifications, and any organisation-switching controls. Down the left side, a secondary sidebar lists all IT Settings sections. The Identity & Access Management group is expanded, and SCIM is highlighted as the currently active item — so you always know where you are.

The main content area sits to the right of the secondary sidebar. This is where the SCIM-specific controls — the endpoint URL, the bearer token display, and any regenerate or copy buttons — will appear. At the time of writing, the main content area is being prepared for release; you may arrive at this screen and find the central panel blank. This is a known, expected state during rollout and is not an error in your browser or your account. See Tips & common pitfalls below for more detail.

One small but intentional difference from most DPMS screens: there is no breadcrumb trail at the top of the page. Navigation here relies on the secondary sidebar, which shows every IT Settings sub-section just one click away.

Working with this screen

Setting up your SCIM connection for the first time

If your organisation has never connected its identity provider to Priverion, this is where the process starts. Once the SCIM controls are visible in the main content area, you will find a SCIM Base URL — this is the web address that your IdP needs to send all provisioning requests to. You will also find a Bearer Token — a long, randomly generated secret that proves to Priverion that the incoming requests are genuine.

Here is how a typical first-time setup flows:

  • Open the SCIM Configuration screen. Copy the SCIM Base URL displayed in the main content area. This address is unique to your organisation in Priverion.
  • Copy the Bearer Token as well. If a token has not yet been generated for your organisation, look for a Generate Token or Create Token button and click it. The token will appear once and should be copied immediately.
  • Open your identity provider's administration console — for example, the Priverion application tile in Okta, or the Enterprise Application provisioning settings in Microsoft Entra ID — in a separate browser tab.
  • Paste the SCIM Base URL into the appropriate provisioning URL field in your IdP, and paste the Bearer Token into the secret token or API token field.
  • Save the settings in your IdP and use the IdP's built-in Test Connection button to confirm it can reach Priverion successfully.
  • Return to Priverion. No further action is needed on this screen unless you later need to rotate the token.

From this point on, whenever someone is added to or removed from the relevant group in your directory, Priverion will reflect that change automatically — typically within minutes.

Rotating your bearer token after a security concern

If a security review suggests that your existing SCIM token may have been exposed — for example, it appeared in a log file, was shared accidentally, or a team member with access to it has left — you should rotate it immediately. A rotated token is a new token; the old one stops working the instant you confirm the rotation.

  • Navigate to IT Settings → Identity & Access Management → SCIM → Configuration.
  • In the main content area, locate the Regenerate Token or Rotate Token button. Click it.
  • A confirmation prompt will warn you that the existing token will be invalidated immediately. Read this carefully: your IdP will be unable to sync with Priverion until you update it with the new token. If possible, schedule the rotation during a quiet period when your IdP is unlikely to attempt a sync.
  • Confirm the action. A new bearer token is displayed. Copy it straight away — you may not be able to see it again after you navigate away.
  • Open your IdP's administration console and replace the old token with the new one in the provisioning settings.
  • Save the IdP settings. SCIM provisioning will resume immediately using the new token.

No user accounts are deleted or deactivated during a token rotation. The token only governs how the IdP authenticates to Priverion's SCIM endpoint — it has no effect on users' own Priverion sessions or data.

Verifying SCIM configuration status for an audit

Compliance auditors and Data Protection Officers sometimes need to confirm, for an audit log, that automated user provisioning is in place. This does not require any changes to be made — read access is sufficient.

  • Ask your IT administrator to grant your user account temporary access to the IT Settings — Identity & Access Management section.
  • Navigate to IT Settings → Identity & Access Management → SCIM → Configuration.
  • Confirm that a SCIM Base URL is displayed (confirming that an endpoint is configured for your organisation) and that a token has been issued (confirming the connection has been set up at least once).
  • Note the status in your audit log and navigate away. You do not need to copy or change anything.

Reviewing your SCIM setup before migrating to a new identity provider

If your organisation is switching from one IdP to another — for example, moving from an on-premises Active Directory to Microsoft Entra ID in the cloud — you will want to understand the current SCIM configuration before making changes.

  • Open IT Settings → Identity & Access Management → SCIM → Configuration.
  • Review the current SCIM Base URL. This address does not change when you switch IdPs; only the IdP side needs to be reconfigured.
  • Decide whether to reuse the existing bearer token or generate a new one for the incoming IdP. Generating a new token is the safer choice because it prevents the old IdP from making any further sync attempts after you cut over.
  • Set up the new IdP using the SCIM Base URL and either the existing or newly generated token.
  • Test the connection from the new IdP. Once confirmed, remove the SCIM provisioning integration from the old IdP. Priverion's endpoint remains unchanged throughout.
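
An added example, not Priverion's or any IdP's own code: after a token rotation, or a migration cut-over that uses a newly generated token, this check confirms that the new token is accepted and the old one is rejected. It assumes the endpoint serves the standard SCIM 2.0 /ServiceProviderConfig resource (RFC 7644) and answers a rejected token with 401, neither of which this page confirms for Priverion; the tokens, the URL and the local stub server are constructed so the script runs offline.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

OLD_TOKEN = "constructed-old-token"  # constructed sample, not a real secret
NEW_TOKEN = "constructed-new-token"  # constructed sample, not a real secret

# Ignore proxy environment variables so the token goes straight to the endpoint.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def scim_status(base_url, token, timeout=5):
    """GET <base>/ServiceProviderConfig with a bearer token; return the HTTP status."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/ServiceProviderConfig",
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/scim+json"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # assumed: 401 for a rejected token, per RFC 7644

def rotation_verified(base_url, old_token, new_token):
    """True only if the new token is accepted AND the old one is rejected."""
    return (scim_status(base_url, new_token) == 200
            and scim_status(base_url, old_token) == 401)

class StubScim(BaseHTTPRequestHandler):
    """Constructed stand-in for a just-rotated endpoint: accepts only NEW_TOKEN."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == "Bearer " + NEW_TOKEN
        self.send_response(200 if ok else 401)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def start_stub():
    """Start the stub on a free local port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), StubScim)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/scim/v2" % server.server_port

if __name__ == "__main__":
    srv, url = start_stub()
    print("rotation verified:", rotation_verified(url, OLD_TOKEN, NEW_TOKEN))
    srv.shutdown()
```

Against a real endpoint, pass the SCIM Base URL from the Configuration screen to rotation_verified and read both tokens from your secret store rather than from the command line or source code.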

How this connects to the rest of DPMS

The SCIM Configuration screen is one of two screens under Identity & Access Management in IT Settings — the other being the SSO / SAML Configuration screen. It is worth thinking of them as a pair:

  • SCIM (this screen) determines who has an account in Priverion. When your IdP syncs a new employee, Priverion creates their account automatically. When the IdP removes them, Priverion deactivates their access.
  • SSO (the adjacent screen) determines how users authenticate. A correctly configured SSO setup means employees log in with their existing corporate credentials instead of a separate Priverion password.

Both screens need to be configured for a fully automated, corporate-credential-based user experience. Configuring SCIM without SSO means accounts are created automatically but users still log in separately. Configuring SSO without SCIM means users can log in with corporate credentials but accounts must be created and removed manually.

Beyond user lifecycle management, SCIM configuration directly affects several other areas of DPMS:

  • Group synchronisation. If your IdP pushes group membership via SCIM, the groups that appear in Priverion's audience and access management features will reflect your directory's groups. A broken SCIM connection means group membership in Priverion drifts out of sync with your actual directory.
  • Offboarding compliance. Data protection law — including GDPR — requires timely removal of access when a person leaves your organisation. SCIM automates this. If SCIM is misconfigured or disabled, former employees may retain access longer than permitted, which is a compliance risk.
  • User Management screen. After completing your SCIM setup, you can verify that users provisioned by your IdP have arrived correctly by checking the User Management or People screen elsewhere in DPMS.

Once SCIM is configured, the most natural next step is to visit the SSO Configuration screen (immediately adjacent in the secondary sidebar) to complete the authentication side of the integration.

Tips & common pitfalls

Heads up: If you arrive at this screen and the main content area is blank, this is not a bug — it means the SCIM form controls are still being released. Check with your Priverion administrator or support contact for the current rollout status for your organisation.

Heads up: Token rotation is irreversible and immediate. The moment you confirm a token rotation, the old token stops working. Your IdP will fail its next sync attempt until you update it with the new token. Have your IdP's provisioning settings open and ready to receive the new token before clicking confirm, and plan the rotation during a low-traffic period.

  • Access is all-or-nothing. If a colleague reports that they cannot see the SCIM Configuration screen at all — they see a "403 Forbidden" page instead — the first thing to check is whether their role includes the IT Settings IAM permission. There is no partial view of this screen; either you have access or you see the 403 page.
  • SCIM and SSO are separate configurations. Setting up SCIM does not automatically configure SSO, and vice versa. Both must be configured independently under the Identity & Access Management section. Do not assume that a successful SCIM connection means your users can log in with corporate credentials — that requires the SSO screen.
  • Breadcrumbs are absent by design. Unlike most detail screens in DPMS, the SCIM Configuration screen does not show a breadcrumb trail at the top. Use the secondary sidebar on the left to navigate between IT Settings sections.
  • The secondary sidebar requires the IAM group to be expanded. If you land on IT Settings and cannot find the SCIM item, look for the Identity & Access Management group and expand it — SCIM appears as a sub-item within that group.
  • Treat the bearer token like a password. Store it securely in your IdP's secret management system, not in a shared document or email. Rotate it if anyone with access to it leaves your team, if it appears in a log file, or if you have any reason to believe it may have been seen by an unintended party.
  • SCIM creates accounts; it does not grant permissions. When SCIM provisions a new user in Priverion, the account is created, but the user's role and permissions within DPMS are governed separately. Confirm with your IT administrator how roles are assigned after provisioning — either via group-to-role mapping or manually.
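
An added example, not part of Priverion: a scanner for the "appears in a log file" rotation trigger named above. It finds bearer tokens in log lines, compares each against a SHA-256 fingerprint of the current SCIM token so the raw secret need not be stored with the scanner, and returns redacted lines. The log format, token values and function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Matches "Bearer <token>" anywhere in a line (header dumps, proxy or debug logs).
BEARER_RE = re.compile(r"\bBearer\s+([A-Za-z0-9._~+/=-]{16,})")

def fingerprint(token):
    """SHA-256 hex digest of a token; safe to keep in scanner configuration."""
    return hashlib.sha256(token.encode()).hexdigest()

def scan_lines(lines, current_fp):
    """Return (findings, redacted_lines).

    findings holds one (line_number, is_current_token) pair per bearer token seen.
    """
    findings, redacted = [], []
    for number, line in enumerate(lines, 1):
        for match in BEARER_RE.finditer(line):
            is_current = hmac.compare_digest(fingerprint(match.group(1)), current_fp)
            findings.append((number, is_current))
        # Never pass the secret on: downstream consumers get the redacted line.
        redacted.append(BEARER_RE.sub("Bearer [REDACTED]", line))
    return findings, redacted

def must_rotate(findings):
    """True if the token currently in use was found in the scanned lines."""
    return any(is_current for _, is_current in findings)

# Constructed sample data, not real tokens or real log output.
SAMPLE_TOKEN = "c0nstructedSampleToken0123456789abcdef"
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z INFO  sync started tenant=example",
    "2024-01-01T10:00:01Z DEBUG headers: Authorization: Bearer " + SAMPLE_TOKEN,
    "2024-01-01T10:00:02Z DEBUG retry Authorization: Bearer someOtherConstructedToken9876543210",
    "2024-01-01T10:00:03Z INFO  sync finished users=12",
]

if __name__ == "__main__":
    found, clean = scan_lines(SAMPLE_LOG, fingerprint(SAMPLE_TOKEN))
    for number, is_current in found:
        print("line %d: bearer token found, current=%s" % (number, is_current))
    print("rotate now:", must_rotate(found))
    print("\n".join(clean))
```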

