SCIM API 2.0

Preview

This feature is in Public Preview.

This article describes how to use the Databricks SCIM APIs to provision users and groups to Databricks.

SCIM, or System for Cross-domain Identity Management, is an open standard that allows you to automate user provisioning. Databricks supports both UI-based SCIM provisioning and provisioning using REST APIs and JSON. The Databricks SCIM API follows version 2.0 of the SCIM protocol.

For UI-based SCIM provisioning setup, see Sync users and groups from your identity provider.

SCIM 2.0 APIs

A Databricks workspace admin can invoke all workspace-level SCIM API endpoints:

• SCIM API 2.0 (Me) for workspaces

• SCIM API 2.0 (Users) for workspaces

• SCIM API 2.0 (Groups) for workspaces

Non-admin users can invoke the workspace-level Me Get endpoint, the workspace-level Users Get endpoint to display names and IDs, and the workspace-level Group Get endpoint to display group display names and IDs.

For error codes, see SCIM API 2.0 Error Codes.

Call workspace-level SCIM APIs

To call workspace-level SCIM APIs, replace <databricks-instance> with the workspace URL of your Databricks deployment.

https://<databricks-instance>/api/2.0/preview/scim/v2/<api-endpoint>

Header parameters

Parameter	Type	Description
Authorization (required) Or: The .netrc file (if using curl)	STRING	Set to Bearer <access-token>. Important! The Databricks admin user who generates this token should not be managed by your identity provider (IdP). A Databricks admin user who is managed by the IdP can be deprovisioned using the IdP, which would cause your SCIM provisioning integration to be disabled. Instead of an Authorization header, you can use the .netrc file along with the --netrc (or -n) option. This file stores machine names and tokens separate from your code and reduces the need to type credential strings multiple times. The .netrc contains one entry for each combination of <databricks-instance> and token. For example: machine <databricks-instance> login token password <access-token>
Content-Type (required for write operations)	STRING	Set to application/scim+json.
Accept (required for read operations)	STRING	Set to application/scim+json.

Filter results

Use filters to return a subset of users or groups. For all users, the user userName and group displayName fields are supported. Admin users can filter users on the active attribute.

Operator	Description	Behavior
eq	equals	Attribute and operator values must be identical.
ne	not equal to	Attribute and operator values are not identical.
co	contains	Operator value must be a substring of attribute value.
sw	starts with	Attribute must start with and contain operator value.
and	logical AND	Match when all expressions evaluate to true.
or	logical OR	Match when any expression evaluates to true.

Sort results

Sort results using the sortBy and sortOrder query parameters. The default is to sort by ID.