All Collections
Account Admin
SCIM (Automatic user provisioning)
SCIM (Automatic user provisioning)

Use SCIM in to automatically provision users and manage their permissions. Engineering Team avatar
Written by Engineering Team
Updated over a week ago

You can use SCIM (System for Cross-domain Identity Management) in to automatically provision users and manage their permissions.

What does enabling SCIM do?

Without SCIM

By default, without SCIM, automatically creates users when they join incident Slack channels, or when they sign in to the web dashboard using Slack or SAML. When a user is deactivated in Slack, they'll be automatically deactivated in

Without SCIM, you manually grant users additional base roles and custom roles within When a new user joins, an owner/admin (or other user with a custom role that can manage permissions) can manually assign that user some additional permissions by going to (You can read more details on permissions here)


When SCIM is installed, users are automatically created in when they are assigned in the application in your Identity Provider. If a user is unassigned the application in your Identity Provider, they'll be deactivated in

Additionally, user permissions are automatically managed by your Identity Provider, and are no longer editable in This means you don't have to manually assign roles to new users, and don't have to manually downgrade users in if their access levels change in your Identity Provider. (You can read more details on permissions here)

Installing SCIM

To install SCIM, you'll need to be an owner in (or have a custom role that can manage security settings), and have admin permissions in your Identity Provider.

  1. Go to your user settings, and open the SCIM tab and click the Install button

2. Choose your Identity Provider from the list and follow the steps to set up your connection.

Please note that although we list many providers here, we're enabling providers as we confirm they send appropriate group membership updates. Please reach out if you receive a message saying your provider is not supported yet.

3. Define the relationships between groups in your Identity Provider and permissions in You only need to do this for groups that you'd like to give elevated permissions to, by default, all users are given the 'Viewer/Responder' role. To illustrate this further, here are some examples:

  • I want all people in the Engineers group to have access to and be responders. I don't need to define any mapping for this case, as this is the default.

  • I want myself and other Incident Managers to be admins in, so I add an assignment, choose the Incident Managers Okta group and then assign them the Admin role.

  • I want our IT team to be able to manage SCIM and SAML, so I add an assignment, choose the IT Okta group and then assign them a custom role with the Can manage security settings permission.

Please note that if you're not careful here you could lock yourself out - you need to have at least one group assigned the 'owner' permissions, but if you're not in that group, or you remove yourself from that group, you'll no longer be able to edit your SCIM settings. If this happens, please get in touch and we'll help out!

4. Confirm your SCIM setup. Once you've confirmed this step, we'll start creating users from SCIM and re-assigning any permissions that no longer line up with what you've defined in your SCIM group to role mappings.

Frequently asked questions

Can I use SCIM?

SCIM is available to customers on our Enterprise plan - for more pricing details, see our pricing here.

What happens to existing users when I install SCIM?

When you install SCIM, we'll link existing users to SCIM users using their email address. We'll also update their permissions as defined by the group to role mappings you provide in the SCIM settings page. If a user was previously an admin, and they're not a member of the groups that are assigned the admin role, they'll be downgraded to viewers/responders.

If a user exists in but not in SCIM, they'll retain their existing role and will be marked as 'Unlinked' in the user list. If you don't want these users to have access to the dashboard at all, we recommend you install SAML too and link that to the same Identity Provider (e.g. Okta) so that only users who are assigned the app can access the dashboard.

What happens to existing users when I uninstall SCIM?

When you uninstall SCIM, users will be left in their current state. So if you are an Owner, and you uninstall SCIM, you'll retain that owner role. Users will not be deactivated.

Can I change a user's permissions once SCIM is enabled?

No, once SCIM is installed, it becomes the source of truth for a user's permissions. If you want to elevate a users permissions, you'll need to add them to an appropriate group in your identity provider.

I've deactivated a user in SCIM, but they're still active, why is that?

As our application runs both in Slack and on our web dashboard, it's possible that a user can be deactivated in Okta, but still be an active member of your organisation's Slack workspace. If this happens, the user will be treated as 'active' until they're deactivated in Slack. If you don't want this, we recommend you manage your Slack users with the same Identity Provider set up as you manage your users.


We also support SAML, which can be set up independently from SCIM, but can use the same underlying identity provider, such as Okta. Details on how to use SAML in can be found here.

Did this answer your question?