> ## Documentation Index
> Fetch the complete documentation index at: https://basedash.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# SCIM provisioning

> Provision and manage Basedash users and groups from your identity provider

For organizations using the public Basedash deployment at `charts.basedash.com`, SCIM provisioning is available on the Enterprise plan. SCIM is also available in self-hosted deployments.

SCIM lets a compatible identity provider, such as Okta or Microsoft Entra ID, manage users, groups, and group memberships in your Basedash organization.

<Note>
  Only organization admins can configure SCIM or manage SCIM tokens. In
  Basedash, go to **Settings → Security** to get started.
</Note>

## Configure SCIM

1. In **Settings → Security**, create a SCIM token.
2. Give the token a name that identifies its identity provider or purpose.
3. Copy the token when it appears. SCIM tokens begin with `bd_scim_` and are shown only once.
4. In your identity provider, create a SCIM 2.0 application or connection.
5. Set the base URL and use the SCIM token as the bearer token.
6. Test the connection, then assign the users and groups you want to provision.

For Basedash Cloud, use this base URL:

```
https://charts.basedash.com/scim/v2
```

For self-hosted Basedash, append `/scim/v2` to your deployment's base URL. For example:

```
https://charts.example.com/scim/v2
```

<Warning>
  Store the token securely when you create it. Basedash stores only a hash of
  the token and cannot show it again.
</Warning>

Refer to your identity provider's documentation for its SCIM application fields and assignment workflow. The names of these settings vary between providers.

## User provisioning

Basedash supports these user lifecycle operations:

| Operation        | Behavior                                                                            |
| ---------------- | ----------------------------------------------------------------------------------- |
| Create           | Creates the user as a member of the organization without sending an invite email    |
| List and get     | Returns provisioned users individually or as a collection                           |
| Update and PATCH | Updates supported profile and active-status fields                                  |
| Deactivate       | Deactivates the user's organization membership                                      |
| Reactivate       | Reactivates a previously deactivated organization membership                        |
| Delete           | Deactivates the user's organization membership rather than deleting the user record |

Provisioned users always receive the **Member** role. Change roles separately in Basedash when needed.

The user's email address is their SCIM `userName`. Both the email address and `userName` are immutable after provisioning.

## Group provisioning

Basedash supports creating, listing, getting, updating, patching, and deleting groups through SCIM. Group membership sync adds and removes provisioned users as your identity provider changes group assignments.

<Note>
  Group sync manages group records and membership. Configure each group's
  permissions separately in Basedash.
</Note>

## Manage tokens

The SCIM token list in **Settings → Security** shows each token's name and when it was last used. Use separate named tokens when you need to identify or rotate identity provider connections independently.

To rotate a token:

1. Generate and copy a new named token.
2. Replace the bearer token in your identity provider.
3. Test provisioning with the new token.
4. Revoke the old token in **Settings → Security**.

Revoking a token prevents subsequent SCIM requests that use it. If a token is exposed or no longer needed, revoke it promptly.

## Discovery endpoints

SCIM clients can inspect the service through these discovery endpoints:

* `/ServiceProviderConfig`
* `/Schemas`
* `/ResourceTypes`

Append each path to the SCIM base URL. For example, the Basedash Cloud service provider configuration is available at:

```
https://charts.basedash.com/scim/v2/ServiceProviderConfig
```

## Limitations

* Bulk operations are not supported.
* Sorting is not supported.
* ETags are not supported.
* Password changes through `changePassword` are not supported.
* Filtering supports one `eq` comparison at a time. Compound filters and other filter operators are not supported.

## Troubleshooting

<AccordionGroup>
  <Accordion title="401 Unauthorized">
    Confirm that the identity provider sends the token in the `Authorization`
    header as a bearer token. Check that the complete token was copied, has not
    been revoked, and belongs to the Basedash organization you are provisioning.
  </Accordion>

  <Accordion title="403 Forbidden">
    The token was recognized, but SCIM is not available for the organization
    associated with it. Confirm that the organization has a plan that includes
    SCIM provisioning.
  </Accordion>

  <Accordion title="400 Bad Request">
    Inspect the response body for the invalid field or request. Common causes
    include malformed SCIM JSON, an attempt to change an immutable email or
    `userName`, and an unsupported or compound filter. Also confirm that the
    request uses the SCIM content type `application/scim+json`.
  </Accordion>
</AccordionGroup>

## Self-hosted deployments

SCIM works in self-hosted Basedash without any SCIM-specific environment variables. Use your deployment's public base URL followed by `/scim/v2`, and configure tokens from **Settings → Security** in the same way as Basedash Cloud.
