Manage SCIM Users in Skyhigh

Limited Availability: To access SCIM Provisioning, contact Skyhigh Support.

When you create a user in your IdP or push a group from your IdP, the individual users and the group members will not have permissions assigned and will be in a zero-access state in Skyhigh.

To view the SCIM-provisioned users, log in to the Skyhigh Dashboard, go to Settings > User Management > Users and Roles, and select the Users tab.

The following sections describe how individual and group-provisioned SCIM users appear on the Users tab. They also explain how roles are assigned to Linked Groups (the external IdP groups associated with each user).

Manage SCIM-Provisioned Group Users and Access Permissions

When a group is pushed from the IdP to Skyhigh, its users appear on the User Management > Users and Roles > Users tab in a zero-access state.

The following items help you to understand the SCIM-provisioned user status in the User Management > Users and Roles > Users tab when a group is pushed from an IdP: 

  • Active. Green in the Active column indicates the user is active, while grey indicates an inactive user.
  • User Type. Displays SCIM-provisioned user to indicate that the identity is managed and synchronized via an external Identity Provider (IdP). The table below describes the icons used in Skyhigh to identify each user type.
    Icon (image name)                   User Type
    Star or Favorite or Primary User    Primary user
    Manually Added User                 Manually added user
    Manually Added User & Admin         Manually added user and administrator
    SCIM Provisioned User               SCIM provisioned user
    SCIM Provisioned User & Admin       SCIM provisioned user and administrator
  • Access. Set to a No Access state by default. Click Edit to assign roles to the linked group.
  • Linked Group. Displays the name of the synchronized Identity Provider (IdP) group that the user belongs to. Displays the group name only after the group has been assigned to the Skyhigh application within your IdP and successfully pushed via SCIM sync.
  • Role(s). Displays No Roles Assigned by default. Once a specific role and permission set is assigned to the corresponding linked group, the inherited role name will automatically populate here.
  • Permissions. Displays the specific access privileges associated with the user. Once a role is mapped to the linked group, the inherited permissions will automatically populate and be listed here.
  • Last SCIM Sync. Displays the timestamp for the last SCIM sync.
  • Actions

Configure Role-Based Access Control (RBAC) for SCIM Groups

You can map Skyhigh roles to SCIM-provisioned users.

Follow the steps below to configure a role for a linked group in Skyhigh:

  1. Go to Settings > User Management > Users and Roles > select the Roles tab.

  2. Click Edit corresponding to the role. To create a role, see Create a Role.

  3. On the Edit Role page, click Select Groups from the Link Role to Group(s) field.

  4. On the Select Group panel, the groups that are pushed from the IdP to Skyhigh appear. Select the desired group. Switch on the toggle Show Selected Only to view only the selected linked groups.

  5. Click Done. The Linked Group column now displays the specific linked group mapped to the Skyhigh role on the Users and Roles > Roles tab.

Now you can view the Role(s) column with the specific role assigned to the corresponding linked group on the Users and Roles > Users tab. 

NOTE: Once a role is mapped to a linked group, any new users added to that group in your Identity Provider will be automatically provisioned in Skyhigh and will inherit the group's assigned roles and permissions.

Manage SCIM-Provisioned Individual Users and Access Permissions

When a user is created in the IdP and added to the application, the synced users populate the Skyhigh Users and Roles > Users tab. The users will be in a zero-access state.

The following images illustrate an individual user within the Identity Provider (IdP) who is assigned to the Skyhigh application and how synchronized users automatically appear and are managed within the Skyhigh User Management console.

[Image: Individual user in IdP]

[Image: Individual user in Skyhigh (SCIM provisioned)]

The following items help you to understand the SCIM-provisioned individual user status in the User Management > Users and Roles > Users tab:

  • Active. Green in the Active column indicates the user is active, while grey indicates that the user is inactive.
  • User Type. Displays SCIM-provisioned user to indicate that the identity is managed and synchronized via an external Identity Provider (IdP).
  • Access. Set to a No Access state by default, as roles cannot be directly assigned to an individual SCIM-provisioned user.
  • Linked Group. If the user is an SCIM-provisioned individual user, this field will be grayed out.
  • Role(s). Displays No Roles Assigned because permissions for SCIM users are inherited through role-to-group assignments rather than individual assignments.
  • Last SCIM Sync. Displays the timestamp for the last SCIM sync.
  • Actions
    • Edit. You cannot edit the roles and permissions for the SCIM-provisioned individual user. However, you can edit the toggle button to activate or deactivate the user and assign jurisdictions. To know more about jurisdiction details, see About Data Jurisdictions.
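
The access rules from both sections above (group members inherit roles only through a linked group, and individually provisioned users stay at No Access), modeled as an added example for access reviews. It is not Skyhigh code or a Skyhigh API: the SCIM attribute names follow RFC 7643, while the users, group names, the `Incident Viewer` role, the role-link mapping and the treatment of inactive users are constructed assumptions.

```python
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed SCIM 2.0 resources as an IdP would push them (RFC 7643 attribute names).
USERS = [
    {"id": "u1", "userName": "alice@example.com", "active": True},
    {"id": "u2", "userName": "bob@example.com", "active": True},
    {"id": "u3", "userName": "carol@example.com", "active": False},
    {"id": "u4", "userName": "dave@example.com", "active": True},  # pushed individually
]
GROUPS = [
    {"schemas": [GROUP_SCHEMA], "id": "g1", "displayName": "SOC-Analysts",
     "members": [{"value": "u1"}, {"value": "u3"}]},
    {"schemas": [GROUP_SCHEMA], "id": "g2", "displayName": "Contractors",
     "members": [{"value": "u2"}]},
]
# Hypothetical role-to-group links, as set with "Link Role to Group(s)" on the Edit Role page.
ROLE_LINKS = {"Incident Viewer": ["SOC-Analysts"]}


def effective_access(users, groups, role_links):
    """Return {userName: {"groups": [...], "roles": [...]}} under the page's rules."""
    roles_by_group = {}
    for role, linked in role_links.items():
        for name in linked:
            roles_by_group.setdefault(name, set()).add(role)
    report = {}
    for user in users:
        linked_groups = sorted(g["displayName"] for g in groups
                               if any(m["value"] == user["id"] for m in g.get("members", [])))
        roles = set()  # zero-access default: nothing is granted directly to a user
        if user.get("active", False):  # assumption: a deactivated user has no effective roles
            for name in linked_groups:
                roles |= roles_by_group.get(name, set())
        report[user["userName"]] = {"groups": linked_groups, "roles": sorted(roles)}
    return report


def unmapped_groups(groups, role_links):
    """Linked groups with no role: their members remain in the zero-access state."""
    mapped = {name for linked in role_links.values() for name in linked}
    return sorted(g["displayName"] for g in groups if g["displayName"] not in mapped)


if __name__ == "__main__":
    for name, access in effective_access(USERS, GROUPS, ROLE_LINKS).items():
        print(name, access["groups"] or "-", access["roles"] or "No Roles Assigned")
    print("Groups without a role:", unmapped_groups(GROUPS, ROLE_LINKS))
```

Re-running the review after each change to a role's linked groups shows which IdP groups now carry Skyhigh permissions, since every future member of those groups inherits them.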