Identity
Updated July 2026
SCIM 2.0 provisioning
Keep Embrasure users, groups, roles, and offboarding aligned with your identity provider. Each workspace gets its own endpoint and revocable bearer tokens.
01
Configure your provider
- In Embrasure, open Workspace settings, Sign-in, Advanced sign-in, then SCIM 2.0 provisioning.
- Issue a token for the connection and copy it immediately. Embrasure stores only the token hash.
- Paste the displayed base URL into your provider's SCIM connector and use the token as the bearer secret.
- Provision a viewer first, then test a role update and deactivation before broad assignment.
- Never use the workspace owner for deactivation testing. SCIM cannot grant or deactivate the owner role.
02
Provider settings
| Protocol | SCIM 2.0 |
|---|---|
| Authentication | HTTP bearer token |
| Resources | Users and Groups |
| Unique user field | userName, normally the user's work email |
| Unique group field | displayName |
| Provisioning actions | Create, read, replace, patch, deactivate, delete, and group member add/remove |
03
Roles and access
Map the SCIM User roles attribute to one of: admin, security_admin, billing_admin, editor, or viewer. Unmapped and unsupported values become viewer. SCIM cannot grant the owner role.
Groups are synchronized as governance principals; workspace access roles are assigned on each User resource.
04
Offboarding and token rotation
Setting a user's active attribute to false removes non-owner workspace membership and revokes active agent sessions, personal API tokens, and per-user connector credentials. Deleting a user performs the same access cut-off while retaining a disabled directory record for audit continuity.
Rotate provisioning tokens from Workspace settings. Rotation issues a replacement and revokes the previous token immediately. Keep one token per provider connection so a compromised integration can be isolated without disrupting another.
05
Troubleshooting
- 401 means the bearer token is missing, malformed, invalid, expired, or revoked. 403 means a valid token was used for a different workspace.
- Confirm that your provider uses the exact workspace base URL shown in Embrasure.
- Use the token's Last used timestamp to confirm that connection tests reached Embrasure.
- SCIM errors use the standard SCIM Error response and include scimType when a filter, path, or value is invalid.