SCIM FAQ
What information can the identity provider (IdP) sync to data.world?
The IdP syncs the following required information to data.world:
| Object | Information synced |
|---|---|
| Users | Username, Email (used to generate a unique ID for the user in data.world) |
| Groups | Display name |
For a full list of optional information, please go to SCIM API schemas. You can find the specification for this endpoint at Service Provider Configuration Endpoints.
Can I change the ID of a provisioned user and organization in data.world?
No, you cannot change the ID of a provisioned user or organization. The ID is permanent. However, you can change the display name, which is more prominently used in the user interface.
What will happen if an IdP user or user group is renamed?
If an IdP user or group is renamed, the change will propagate to data.world. A SCIM-managed user or organization cannot be renamed directly in data.world.
What happens if an IdP group is deleted?
When an IdP group is deleted, the corresponding organization in data.world will also be deleted. Users who were members of the deleted organization will remain, but they may lose access that was granted through the organization.
For example, if an organization had read access to a collection, all its members could read that collection. Once the organization is deleted, those users lose access to the collection.
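Before deleting an IdP group, it helps to work out which users would actually lose access and which still have another path to the same resource. The following is an added example, not data.world code or its API: the data model (membership and grant dictionaries, direct user grants, and all names) is a hypothetical, constructed stand-in for an export of your own access data.

```python
# Added example: hypothetical data model, not data.world's API.
from collections import defaultdict


def access_lost_on_group_delete(group, memberships, org_grants, direct_grants):
    """Return {user: set(resources)} that users lose when `group` is deleted.

    memberships:   {org_name: set(user)}      members of each organization
    org_grants:    {org_name: set(resource)}  access granted to the organization
    direct_grants: {user: set(resource)}      access granted to the user directly
                                              (assumed to exist for illustration)
    """
    lost = defaultdict(set)
    for user in memberships.get(group, set()):
        # Everything the user can still reach once the group is gone:
        # direct grants plus grants of every other organization they are in.
        remaining = set(direct_grants.get(user, set()))
        for org, members in memberships.items():
            if org != group and user in members:
                remaining |= org_grants.get(org, set())
        gone = org_grants.get(group, set()) - remaining
        if gone:
            lost[user] = gone
    return dict(lost)


# Constructed sample data.
MEMBERSHIPS = {
    "finance-analysts": {"alice", "bob", "carol"},
    "data-stewards": {"carol"},
}
ORG_GRANTS = {
    "finance-analysts": {"collection:q3-reports", "collection:ledger"},
    "data-stewards": {"collection:ledger"},
}
DIRECT_GRANTS = {"bob": {"collection:q3-reports"}}

if __name__ == "__main__":
    impact = access_lost_on_group_delete(
        "finance-analysts", MEMBERSHIPS, ORG_GRANTS, DIRECT_GRANTS
    )
    for user, resources in sorted(impact.items()):
        print(f"{user} loses: {sorted(resources)}")
```

In the sample data only alice loses both collections. bob and carol each keep one through a direct grant or a second organization, which is why members "may" rather than "will" lose access.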
What happens if a user is deleted from the IdP?
When a user is deleted from the IdP, the user will be deactivated and will no longer be able to sign in. Their deactivated status will be reflected in the UI. The user can be reactivated at any time without losing any information.
What happens if a username already exists in data.world?
data.world generates a unique ID for each user based on the user's email from the IdP. If the email already exists in data.world, a bad request exception will occur. If two different emails generate the same ID, three random characters will be appended to the ID to ensure uniqueness.
When does the SCIM token (service account token) expire?
The SCIM token does not expire automatically. It will expire if the token is manually refreshed or if SCIM is disabled and then re-enabled.
Does SCIM provisioning work only after a provisioned user has logged into data.world?
No, once a user is provisioned to data.world, the user is created in the system regardless of whether they have logged in or not.
Can I give SCIM provisioned users access to resources before their first login?
Yes. As soon as the user group is provisioned in data.world, you can add them to the catalog organizations and assign them access to the relevant resources. When the users log in to the application, they will be able to access the resources they are authorized to access.
How can I manage SCIM provisioned users/organizations in data.world?
In general, SCIM-provisioned users and organizations cannot be modified directly in data.world. They must be modified from the IdP. There are some exceptions, such as the profile image, which can be modified in data.world if the IdP does not support exporting it.
SCIM-provisioned users can be deactivated or reactivated via the data.world Admin portal.