charts.basedash.com, SCIM provisioning is available on the Enterprise plan. SCIM is also available in self-hosted deployments.
SCIM lets a compatible identity provider, such as Okta or Microsoft Entra ID, manage users, groups, and group memberships in your Basedash organization.
Only organization admins can configure SCIM or manage SCIM tokens. In
Basedash, go to Settings → Security to get started.
Configure SCIM
- In Settings → Security, create a SCIM token.
- Give the token a name that identifies its identity provider or purpose.
- Copy the token when it appears. SCIM tokens begin with
bd_scim_and are shown only once. - In your identity provider, create a SCIM 2.0 application or connection.
- Set the base URL and use the SCIM token as the bearer token.
- Test the connection, then assign the users and groups you want to provision.
/scim/v2 to your deployment’s base URL. For example:
User provisioning
Basedash supports these user lifecycle operations:| Operation | Behavior |
|---|---|
| Create | Creates the user as a member of the organization without sending an invite email |
| List and get | Returns provisioned users individually or as a collection |
| Update and PATCH | Updates supported profile and active-status fields |
| Deactivate | Deactivates the user’s organization membership |
| Reactivate | Reactivates a previously deactivated organization membership |
| Delete | Deactivates the user’s organization membership rather than deleting the user record |
userName. Both the email address and userName are immutable after provisioning.
Group provisioning
Basedash supports creating, listing, getting, updating, patching, and deleting groups through SCIM. Group membership sync adds and removes provisioned users as your identity provider changes group assignments.Group sync manages group records and membership. Configure each group’s
permissions separately in Basedash.
Manage tokens
The SCIM token list in Settings → Security shows each token’s name and when it was last used. Use separate named tokens when you need to identify or rotate identity provider connections independently. To rotate a token:- Generate and copy a new named token.
- Replace the bearer token in your identity provider.
- Test provisioning with the new token.
- Revoke the old token in Settings → Security.
Discovery endpoints
SCIM clients can inspect the service through these discovery endpoints:/ServiceProviderConfig/Schemas/ResourceTypes
Limitations
- Bulk operations are not supported.
- Sorting is not supported.
- ETags are not supported.
- Password changes through
changePasswordare not supported. - Filtering supports one
eqcomparison at a time. Compound filters and other filter operators are not supported.
Troubleshooting
403 Forbidden
403 Forbidden
The token was recognized, but SCIM is not available for the organization
associated with it. Confirm that the organization has a plan that includes
SCIM provisioning.
400 Bad Request
400 Bad Request
Inspect the response body for the invalid field or request. Common causes
include malformed SCIM JSON, an attempt to change an immutable email or
userName, and an unsupported or compound filter. Also confirm that the
request uses the SCIM content type application/scim+json.Self-hosted deployments
SCIM works in self-hosted Basedash without any SCIM-specific environment variables. Use your deployment’s public base URL followed by/scim/v2, and configure tokens from Settings → Security in the same way as Basedash Cloud.