SCIM overview

View SCIM provisioning status, endpoints and recent activity.

The SCIM Overview screen is your control centre for automated user provisioning in Priverion. It shows you whether SCIM is active, how many users and groups have been synchronised from your external identity provider, and gives you the exact endpoint URLs you need to paste into that identity provider's configuration. IT administrators and Data Protection Officers come here most often during initial setup, when troubleshooting a sync problem, or when migrating from one identity provider to another. Without the information on this screen, your identity provider has no addresses to send provisioning requests to, and automatic account lifecycle management simply cannot happen.

How to open it

Navigate to IT Settings in the main left-hand sidebar. Inside IT Settings, select IAM Settings, then expand the menu and click SCIM2. The SCIM Overview screen loads immediately.

You need the IT Settings IAM permission to access this area. If your role does not include this permission, the SCIM2 menu entry will not appear in the sidebar at all, and navigating directly to the URL will show a full access-denied page instead of any partial content.

What you see

When you arrive, a breadcrumb trail at the top of the content area shows your location — something like IT Settings › IAM Settings › SCIM2 — with two small arrow buttons on either side of the SCIM2 label so you can jump to the previous or next IAM screen without going back to the menu.

Below the breadcrumb, the main content is divided into two parts. The upper part is a Configuration card that displays three read-only facts: the current SCIM status (Active or Inactive), the number of SCIM-provisioned users, and the number of SCIM-provisioned groups. Any action buttons appear inline to the right of the Configuration heading. Below the card, three rows show the SCIM endpoint URLs — the Base URL, the Users endpoint, and the Groups endpoint — each with a small copy icon to its right.

The screen has three different states depending on your deployment. If SCIM has not been enabled in your Priverion deployment at all, you will see a warning panel with an explanatory message and no endpoint URLs. If you have already set up the Microsoft Entra ID native integration, you will see a different warning explaining that SCIM and Entra ID cannot run at the same time. In both warning states, no action buttons or endpoint URLs appear. The step-by-step guidance below describes the normal operational state, where SCIM is available and the full Configuration card and all three endpoint rows are visible.

Working with this screen

Verifying that SCIM is live after initial setup

Once you have finished configuring SCIM in your identity provider — for example, entering the Tenant URL and bearer token in Microsoft Entra ID's enterprise application provisioning settings — come back to this screen to confirm everything is working.

Look at the SCIM Status row in the Configuration card. If it shows Active, the toggle is on and Priverion is ready to accept provisioning requests. Check the SCIM Users count next: this number tells you how many accounts have already been pushed in by your identity provider. If your IdP ran its first sync overnight, you should see a count that matches your expected initial batch. Finally, click the copy icon next to the Base URL and compare the copied value against what you entered in your identity provider — they should be identical. If everything matches, you are done.

Bear in mind that the user and group counts reflect the state at the moment the page loaded, not a live feed. If a large sync just completed, reload the page to see the updated figures.

Copying the endpoint URLs for a new identity provider setup

When you are configuring a new identity provider and need to tell it where to send SCIM requests, this screen gives you all three addresses you need.

  • Scroll down below the Configuration card to the three endpoint rows.
  • Click the copy icon next to Base URL. The icon briefly turns into a green checkmark, confirming the address is now on your clipboard. Paste it into your identity provider's Tenant URL (or equivalent) field.
  • Click the copy icon next to Endpoint Info — Users and note this address. Some identity providers ask for the Users and Groups endpoints separately rather than deriving them from the Base URL.
  • Click the copy icon next to Endpoint Info — Groups and note this address as well.

Each copy icon operates independently, so copying the Groups endpoint does not clear what you already copied for the Base URL.

Heads up: The green checkmark confirms the text reached your clipboard, but it does not verify that the URL is reachable from your identity provider's network. If your IdP reports a connection error after setup, come back here and check that the Base URL shown exactly matches what you entered — including any trailing slash and the company identifier segment at the end.

Temporarily deactivating SCIM during an IdP migration

If you are switching identity providers or pausing provisioning for maintenance, you can stop SCIM from accepting inbound requests without losing your configuration.

  • On the SCIM Overview screen, confirm that SCIM Status shows Active.
  • Click the Deactivate button to the right of the Configuration heading. Priverion sends a request to turn provisioning off.
  • If the request succeeds, a green success notification appears and the SCIM Status row immediately changes to Inactive. The Deactivate button disappears because it only appears when SCIM is on.
  • Make the necessary changes in your identity providers.
  • When you are ready to re-enable SCIM, you will need to do that through the SAML/OAuth edit screen — there is no Activate button on the Overview page itself.

Tip: Deactivating SCIM does not delete any provisioned users. It simply stops new provisioning requests from being accepted. Existing accounts remain untouched until you re-enable SCIM and your IdP syncs again.

Bulk-deleting all SCIM-provisioned users after decommissioning

If your organisation is retiring its SCIM integration entirely and wants to clean up the automatically provisioned accounts before setting up a fresh identity management approach, you can remove all SCIM users in one action.

This option is only visible to administrators who have deletion rights — not everyone with access to the IAM settings will see it.

  • On the SCIM Overview screen, locate the Delete All Users button to the right of the Configuration heading (it shows a trash-can icon).
  • Click it. A confirmation prompt appears asking you to confirm that you want to permanently remove all SCIM-provisioned users.
  • Confirm. The button becomes disabled and its icon switches to a spinning indicator while the deletion is in progress — this prevents you from triggering a second deletion by accident.
  • After a few moments, a success notification appears, for example: "152 users deleted in total."
  • Reload the page — the SCIM Users count in the Configuration card will now show zero.

Heads up: This action is immediate and cannot be undone from within Priverion. The only way to restore deleted accounts is to trigger a fresh synchronisation from your identity provider, or to re-create them manually. Always confirm with your IdP administrator before proceeding.

Field reference

SCIM Status — Shows whether SCIM is currently Active or Inactive for your organisation. This value updates immediately after you click Deactivate and the request succeeds. It reflects the live state; you do not need to reload the page to confirm the change.

SCIM Users — The total count of user accounts in Priverion that were created through SCIM provisioning, as opposed to accounts created manually. This is a snapshot taken when the page loaded; reload the page to see the latest figure after a sync.

SCIM Groups — The total count of groups in Priverion that were synchronised from your identity provider via SCIM. Also a page-load snapshot.

Base URL — The root SCIM address for your Priverion tenant, in the format https://<your-domain>/pp/scim/v2/<company-identifier>. This is the address your identity provider must be configured to send all SCIM requests to.

Endpoint Info — Users — The Base URL with /Users appended. This is the SCIM Users resource endpoint.

Endpoint Info — Groups — The Base URL with /Groups appended. This is the SCIM Groups resource endpoint.
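
The exact-match check recommended above (Base URL on this screen versus the value entered in the identity provider) can be scripted. The following is an added example, not Priverion code: the function names are hypothetical, and the domain `priverion.example` and company identifier `acme-7f3` are constructed placeholders. It reports why two values differ and validates the documented Base URL format.

```python
from urllib.parse import urlsplit

PREFIX = ["pp", "scim", "v2"]  # fixed path segments in the documented Base URL format

def check_base_url(url):
    """List problems with a URL meant to follow
    https://<your-domain>/pp/scim/v2/<company-identifier>."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("domain is missing")
    if segs[:3] != PREFIX:
        problems.append("path does not start with /pp/scim/v2")
    elif len(segs) == 3:
        problems.append("company identifier segment is missing")
    elif len(segs) > 4:
        problems.append("extra path after the company identifier")
    if parts.query or parts.fragment:
        problems.append("query string or fragment present")
    return problems

def compare_with_idp(overview_url, idp_url):
    """Explain how the value entered in the IdP differs from the copied Base URL."""
    if idp_url == overview_url:
        return []
    findings = []
    a, b = overview_url.strip(), idp_url.strip()
    if (a, b) != (overview_url, idp_url):
        findings.append("surrounding whitespace differs")
    if a != b:
        if a.rstrip("/") == b.rstrip("/"):
            findings.append("trailing slash differs")
        elif a.rstrip("/").lower() == b.rstrip("/").lower():
            findings.append("letter case differs")
        else:
            findings.extend(check_base_url(b) or ["domain or company identifier differs"])
    return findings

def resource_endpoints(base_url):
    """Users and Groups endpoints: the Base URL with /Users and /Groups appended."""
    return {name: base_url + "/" + name for name in ("Users", "Groups")}

# Constructed sample values; priverion.example and acme-7f3 are placeholders.
BASE = "https://priverion.example/pp/scim/v2/acme-7f3"
if __name__ == "__main__":
    for entered in (BASE, BASE + "/ ", "https://priverion.example/pp/scim/v2"):
        print(repr(entered), "->", compare_with_idp(BASE, entered) or "identical")
    print(resource_endpoints(BASE))
```

An empty list from `compare_with_idp` means the two values are identical, which is the condition the verification steps on this page ask for.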

How this connects to the rest of Priverion

The SCIM Overview screen sits within the IAM Settings section of IT Settings, alongside SAML/OAuth configuration and Active Directory settings. Use the left and right arrow buttons in the breadcrumb bar to step between those screens without returning to the menu.

Because SCIM controls the entire user account lifecycle, what you configure here affects nearly every other part of Priverion. When SCIM is Active, every new employee added to your company directory is provisioned into Priverion automatically, and every departing employee's account is deactivated automatically. This means that features like task assignments, processing activity ownership, risk owner fields, and vendor contacts all depend on those accounts existing and being current. Turning SCIM off stops new accounts from arriving; turning it back on resumes provisioning.

If you use the Delete All Users action, any element in Priverion that was previously assigned to one of those SCIM-provisioned accounts — tasks, Records of Processing Activities, risk models, and so on — will lose its assigned user. Priverion refreshes its user management lists automatically after the deletion, but it does not automatically reassign orphaned elements.

Finally, SCIM and the dedicated Microsoft Entra ID integration are mutually exclusive. If Entra ID is active, this screen will show a warning and no SCIM configuration will be available. You must choose one approach or the other.

After finishing work on this screen, your logical next step is typically to verify the identity provider is sending requests successfully (check SCIM Users on a subsequent reload) and then review your SAML/OAuth settings on the adjacent IAM screen.

Tips & common pitfalls

Heads up: There is no Activate button on the Overview screen. If SCIM is currently Inactive and you want to turn it back on, you must go to the SAML/OAuth edit screen. If you arrive here expecting a toggle and do not see one, SCIM is already off — this is by design, not a bug.

Tip: The two warning states — "SCIM is disabled at the platform level" and "Entra ID is active" — look visually similar (both show a warning icon and a short message). Read the message carefully: the platform-level disabled state means SCIM is not available in your deployment at all and requires a deployment configuration change or a call to Priverion support. The Entra ID conflict means you have made a configuration choice that blocks SCIM. The steps to resolve them are completely different.

  • User and group counts are snapshots, not live figures. After a large sync from your identity provider, you will need to reload the page to see the updated numbers. There is no auto-refresh.
  • The Delete All Users action cannot be undone from within Priverion. The only recovery path is a fresh sync from your identity provider or manual re-creation. Treat this button with the same care you would give a database restore operation.
  • The copy icons confirm clipboard success, not URL validity. A green checkmark means the text is on your clipboard; it does not mean your identity provider can reach the URL. If your IdP reports SCIM connection errors after setup, verify the Base URL here matches exactly what you entered in the IdP — including trailing slashes and the full company identifier at the end.
  • Deletion rights are separate from IAM read access. Not every administrator who can view this screen will see the Delete All Users button. If you need to perform a bulk deletion and the button is not visible, contact a senior administrator in your organisation.
