© Morey J. Haber, Darran Rolls 2020
Morey J. Haber and Darran Rolls, Identity Attack Vectors, https://doi.org/10.1007/978-1-4842-5165-2_16

16. System for Cross-Domain Identity Management (SCIM)

Morey J. Haber (1) and Darran Rolls (2)
(1) Orlando, FL, USA
(2) Austin, TX, USA
 
System for Cross-Domain Identity Management (SCIM) is a standard for automating the exchange of user identity information between identity domains, identity-based solutions, and participating information technology resources. SCIM uses a standardized REST API with data formatted in JSON or XML so that interoperating solutions can exchange information in a consistent way. The standard simplifies the provisioning and deprovisioning (cradle to grave) of an identity and its associated accounts, so that customized, proprietary connectors are not needed to exchange the information.
A real-world example would flow as follows: consider an organization that provisions new employees and, at a later date, terminates them. This could easily be a temporary employee, a contractor, or a team member who changes job functions. As they are added to and removed from the company’s electronic employee directory (Active Directory, LDAP, etc.), SCIM could be used to automatically create or delete (provision or deprovision) accounts for those users in other applications and to share the information with other tools, such as a privileged access management solution. Ergo, a new or modified user account would be synchronized automatically for each employee using a standard protocol, and the user accounts of terminated employees would be removed automatically, avoiding the risks associated with identities and accounts that are never removed from an organization. Figure 16-1 illustrates this process applied to the integration between elements of the IAM ecosystem.
Figure 16-1. Process applied to the integration between elements of the IAM ecosystem
In addition to standardized account record management (creating and deleting), SCIM can also be used to share information about user attributes, attribute schema, and group and role membership. Identity attributes range from contact information to the group memberships applied to an account. Group membership and other attributes are generally used to manage user permissions in other solutions, like privileged access management. These values and group assignments are designed to change with employment and environmental conditions, and SCIM provides a vehicle to synchronize this information across multiple managed domains, or directly within applications, whether on premises or in the cloud.
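The joiner, mover, and leaver flow described above, with group membership handled on the Group resource, as an added example that is not from the book: it builds SCIM 2.0 User and Group resources and PatchOp messages (schema URNs from RFC 7643 and RFC 7644) and applies them to an in-memory stand-in for a SCIM service provider. The `ScimTarget` class, the HR records, and the `orphaned_accounts` reconciliation check are constructed for illustration and do not represent any real product's API.

```python
"""Added example: SCIM 2.0 provisioning lifecycle against an in-memory target.

ScimTarget stands in for a SCIM service provider (a SaaS app or a PAM tool);
a real one is reached over HTTPS at /Users and /Groups with
Content-Type: application/scim+json. All HR records below are constructed.
"""
import copy
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimTarget:
    """Minimal in-memory service provider (assumption, not a real product)."""

    def __init__(self):
        self.users = {}   # id -> User resource
        self.groups = {}  # id -> Group resource

    def create_user(self, resource):
        # POST /Users: userName is the only mandatory attribute and must be unique
        if "userName" not in resource:
            raise ValueError("userName is required")
        if any(u["userName"] == resource["userName"] for u in self.users.values()):
            raise ValueError("uniqueness: userName already exists")  # HTTP 409
        user = copy.deepcopy(resource)
        user["id"] = str(uuid.uuid4())  # server-assigned id
        user.setdefault("active", True)
        self.users[user["id"]] = user
        return user

    def create_group(self, display_name):
        group = {"schemas": [GROUP_SCHEMA], "id": str(uuid.uuid4()),
                 "displayName": display_name, "members": []}
        self.groups[group["id"]] = group
        return group

    def patch(self, collection, resource_id, patch_op):
        # PATCH /Users/{id} or /Groups/{id}; only simple top-level paths and
        # the members[value eq "<id>"] filter form are handled here.
        store = self.users if collection == "Users" else self.groups
        if patch_op.get("schemas") != [PATCH_SCHEMA]:
            raise ValueError("not a PatchOp message")
        resource = store[resource_id]
        for op in patch_op["Operations"]:
            kind = op["op"].lower()
            if kind == "replace":
                resource[op["path"]] = op["value"]
            elif kind == "add" and op["path"] == "members":
                resource["members"].extend(op["value"])
            elif kind == "remove" and op["path"].startswith("members["):
                member_id = op["path"].split('"')[1]
                resource["members"] = [m for m in resource["members"] if m["value"] != member_id]
            else:
                raise ValueError(f"unsupported operation: {op}")
        return resource

    def delete_user(self, resource_id):
        # DELETE /Users/{id}; also drop the user from every group
        del self.users[resource_id]
        for g in self.groups.values():
            g["members"] = [m for m in g["members"] if m["value"] != resource_id]


def user_from_hr(record):
    """Build a SCIM User resource from a (constructed) directory record."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": record["email"],
        "externalId": record["employee_id"],  # link back to the source directory
        "name": {"givenName": record["first"], "familyName": record["last"]},
        "emails": [{"value": record["email"], "primary": True}],
        "active": record["status"] == "active",
    }


def deactivate_op():
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def add_member_op(user_id):
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "add", "path": "members", "value": [{"value": user_id}]}]}


def orphaned_accounts(target, hr_records):
    """Reconciliation check: active target accounts with no active HR record."""
    live = {r["employee_id"] for r in hr_records if r["status"] == "active"}
    return sorted(u["userName"] for u in target.users.values()
                  if u.get("active") and u.get("externalId") not in live)


def run_lifecycle():
    """Joiner, mover, leaver against the in-memory target; returns the outcome."""
    target = ScimTarget()
    admins = target.create_group("PAM Administrators")
    hr = [  # constructed sample directory records
        {"employee_id": "E100", "first": "Ada", "last": "Lovelace", "email": "ada@example.com", "status": "active"},
        {"employee_id": "E200", "first": "Bob", "last": "Contractor", "email": "bob@example.com", "status": "active"},
    ]
    ada = target.create_user(user_from_hr(hr[0]))   # joiner
    bob = target.create_user(user_from_hr(hr[1]))   # joiner
    target.patch("Groups", admins["id"], add_member_op(ada["id"]))  # mover
    hr[1]["status"] = "terminated"                  # leaver recorded in HR
    orphans_before = orphaned_accounts(target, hr)  # Bob still active downstream
    target.patch("Users", bob["id"], deactivate_op())
    target.delete_user(bob["id"])
    return {"orphans_before": orphans_before,
            "orphans_after": orphaned_accounts(target, hr),
            "admin_members": [m["value"] for m in admins["members"]],
            "ada_id": ada["id"], "user_count": len(target.users)}
```

The `orphaned_accounts` check is the piece a defender cares about: it compares what the target believes is active with what the directory says, so an account whose deprovisioning never arrived shows up as a finding rather than lingering unnoticed. Deactivating before deleting mirrors common practice, since a disabled account keeps its audit trail while a deleted one does not.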
The benefits of SCIM are elementary. The standard has grown in acceptance, and organizations can save hundreds of man-hours otherwise spent provisioning and deprovisioning accounts across systems manually, while also avoiding the pitfalls of manual human provisioning. In contrast, without a standard connection method, companies must write custom software connectors to manage these accounts across proprietary systems. This simple condition is what creates the value for most IAM vendors, since they maintain hundreds of connectors to manage non-SCIM-compliant resources.