🔐 What Is SCIM? A Beginner’s Guide to User & Group Syncing in the Cloud
In today’s cloud-first world, managing user access across tools like Databricks, Azure, Slack, and Zoom can get messy. New joiners need accounts, leavers must be removed, and group permissions must stay in sync — all without mistakes.
This is where SCIM comes in.
🧾 What Is SCIM?
SCIM (System for Cross-domain Identity Management) is an open standard that makes it easy to automate the exchange of user and group information between identity providers (like Azure AD) and cloud services (like Databricks or Google Workspace).
It provides a common language (via API) to create, update, and deactivate users across systems without manual effort.
🤔 Why SCIM Matters
Without SCIM:
- 👩💼 HR adds a new employee → IT manually creates a user in 5+ apps
- 🧳 Someone leaves → Admins forget to revoke access
- 🔒 Group permissions are inconsistent across platforms
With SCIM:
- 🎯 Your Identity Provider (IdP) (e.g., Azure AD, Okta) is the single source of truth
- ✅ Users and groups are auto-synced across all tools
- 🔁 Any changes (add/remove/rename) are automatically pushed
⚙️ How SCIM Works — In Simple Steps
Let’s say your company uses Azure AD + Databricks.
- User joins your company → Added to Azure AD
- SCIM is enabled → Azure AD automatically sends a request to Databricks:
POST /Users { "userName": "alex@company.com", "displayName": "Alex Sharma" } - Databricks auto-creates the user with correct groups
- If the user leaves or changes roles, SCIM updates or deletes them automatically
📦 SCIM APIs: What’s Under the Hood
SCIM uses a set of standard REST APIs:
| API Call | Purpose |
|---|---|
GET /Users | List users in the target system |
POST /Users | Create a new user |
PATCH /Users/{id} | Update user info or group link |
DELETE /Users/{id} | Remove user |
GET /Groups | List all groups |
PATCH /Groups/{id} | Add/remove users in a group |
🧠 SCIM in Action: Databricks + Azure AD
In Databricks, enabling SCIM means:
- No more manual user onboarding
- Groups like
DataEngineers.ProdorAnalysts.NonProdsync automatically - You can query SCIM data for compliance/auditing
Example:
GET https://accounts.azuredatabricks.net/api/2.1/accounts/<account-id>/scim/v2/Users
✅ Benefits of SCIM
- 🔐 Improved security (automatic deprovisioning)
- 📉 Reduced admin overhead
- 💼 Seamless user experience
- 📊 Cleaner audit logs and identity compliance
Excellent question! Let’s walk through how user access is granted automatically in Databricks when using SCIM with synced groups — like DataEngineers.Prod.
🔁 What Happens Automatically vs. Manually
| Step | What Happens Automatically with SCIM | What You Still Need to Configure |
|---|---|---|
| ✅ User is added to a group in Azure AD | SCIM syncs user to Databricks and adds them to the matching group | ❌ SCIM does not assign permissions |
| ✅ Group is created in Databricks | Yes, auto-created if not present | |
| ❌ Access to data, clusters, etc. | ❌ Not automatic | ✅ You must manually grant privileges to the group once |
🎯 How to Make Access Automatic (One-Time Setup)
Once SCIM syncs your group (e.g. DataEngineers.Prod) into Databricks:
- Grant access to that group (once) using SQL or UI:
GRANT SELECT ON SCHEMA sales_data TO `DataEngineers.Prod`; GRANT USE CATALOG datalake TO `DataEngineers.Prod`; GRANT EXECUTE ON VOLUME pipelines TO `DataEngineers.Prod`; - Now every time a user is added to this group in Azure AD, they:
- ✅ Get synced to Databricks via SCIM
- ✅ Get added to the same Databricks group
- ✅ Inherit all the permissions granted to that group
- ❌ You do not need to touch Databricks again
📦 Think of It Like This:
- 🔑 You assign access to the group, not to the individual
- 🪄 SCIM keeps the group members synced
- 🎯 Access becomes dynamic: add/remove users in Azure AD only
🔐 Example Flow
- Admin grants access:
GRANT SELECT ON TABLE finance.transactions TO `Analysts.NonProd`; - SCIM syncs:
- Group
Analysts.NonProdis synced from Azure AD - Members:
alex@company.com,jaya@company.com
- Group
- Result:
- Alex and Jaya now have SELECT access on
finance.transactions - You never touched Databricks for them individually!
- Alex and Jaya now have SELECT access on
🛠️ Summary
| Task | Who Does It | How Often |
|---|---|---|
| Create and manage groups | Azure AD | Ongoing |
| Assign access to groups | You (Admin) | Once per group |
| Sync group memberships | SCIM | Automatic |
| Access granted to new users | Databricks | Automatic 🪄 |
🚀 Final Thoughts
If your organization is juggling multiple SaaS platforms, SCIM is the key to centralized, secure identity management. It reduces manual work, improves security posture, and scales with your team.
Whether you’re using Azure AD, Okta, or Google Workspace, enabling SCIM across tools like Databricks, Slack, and Zoom can significantly streamline your identity lifecycle.