SCIM (System for Cross-domain Identity Management) automates user provisioning and deprovisioning in Draftt. When a new engineer joins and is added to the right group in your IdP, Draftt access is created automatically. When someone leaves and is deactivated in your IdP, their Draftt access is removed with no ticket or manual step required. SCIM is the right answer for any team where manual access requests are a bottleneck, offboarding is inconsistent, or audit requirements demand provable access lifecycle management.

How It Works

Draftt acts as the SCIM service provider. Your identity provider acts as the SCIM client, pushing user and group changes to Draftt via the SCIM 2.0 API. The sync handles three lifecycle events:
  • Provision - User is created in Draftt when added to a mapped group in your IdP.
  • Update - Profile changes (name, email) in your IdP are synced to Draftt.
  • Deprovision - User is deactivated in Draftt when removed from all mapped groups or deactivated in your IdP. Deactivated users lose access immediately but their data (ownership assignments, audit records) is preserved.
SCIM requires SSO to be configured first. Provisioned users authenticate via your IdP, not via a Draftt password.

Setup

To enable SCIM provisioning, go to Settings > User Management > SCIM Provisioning in Draftt. Generate a SCIM token and copy your SCIM base URL. Both are needed to configure your identity provider. Contact your Draftt account team if you need guidance for your specific IdP.

Group-to-Role Mapping

By default, SCIM-provisioned users receive the role configured in Settings > User Management > SCIM Provisioning > Default Role, typically Developer or Viewer. For finer control, configure group-to-role mappings. Each IdP group is mapped to a Draftt role. A user in multiple mapped groups receives the highest-privilege matching role.

| IdP Group | Draftt Role |
| --- | --- |
| draftt-admins | Admin |
| draftt-engineering | Developer |
| draftt-stakeholders | Viewer |

Configure these mappings in Settings > User Management > SCIM Provisioning > Group Mappings. The group names must exactly match the group names pushed by your IdP.
Keep your SCIM groups aligned with your organizational structure. A single IdP group per Draftt role is easier to maintain than complex nested group hierarchies.

Deprovisioning Behavior

When a user is deactivated in your IdP or removed from all mapped groups, Draftt:
  1. Immediately revokes their active sessions.
  2. Sets their account status to Inactive in Draftt.
  3. Preserves all data associated with their account: ownership assignments, audit log entries, policy attributions.
Inactive users do not consume a license seat. Their data remains queryable and auditable.
SCIM deprovisioning does not delete API keys issued to the deprovisioned user. Rotate or revoke API keys separately under Settings > API Keys.
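
An offboarding check for the API key gap described above, added here as an example and not Draftt's own code: it cross-references a user listing against an API key listing and reports unrevoked keys whose owner is Inactive or missing. The record shapes, field names, and sample data are assumptions for illustration; the page does not describe an export format.

```python
"""Offboarding check: API keys that outlive a SCIM-deprovisioned owner.

Record shapes and field names are assumptions for illustration; adapt them
to whatever user and API-key listings you can export.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    owner_email: str
    revoked: bool


def _norm(email: str) -> str:
    # IdPs and apps often differ in case/whitespace for the same mailbox.
    return email.strip().lower()


def find_stale_keys(users, api_keys):
    """Return (inactive_owner, unknown_owner) lists of unrevoked key IDs.

    users: iterable of (email, status) pairs, status "Active" or "Inactive".
    """
    status = {_norm(email): state for email, state in users}
    inactive_owner, unknown_owner = [], []
    for key in api_keys:
        if key.revoked:
            continue  # already revoked, nothing left to do
        state = status.get(_norm(key.owner_email))
        if state is None:
            unknown_owner.append(key.key_id)   # owner not in user list: review
        elif state == "Inactive":
            inactive_owner.append(key.key_id)  # deprovisioned owner, live key
    return sorted(inactive_owner), sorted(unknown_owner)


# Constructed sample data (not real accounts or keys).
USERS = [("alice@example.com", "Active"), ("bob@example.com", "Inactive"),
         ("carol@example.com", "Inactive")]
KEYS = [ApiKey("key-001", "alice@example.com", False),
        ApiKey("key-002", "Bob@Example.com ", False),
        ApiKey("key-003", "carol@example.com", True),
        ApiKey("key-004", "dave@example.com", False)]

if __name__ == "__main__":
    stale, orphaned = find_stale_keys(USERS, KEYS)
    print("revoke (inactive owner):", stale)
    print("review (unknown owner):", orphaned)
```

Running a check like this after each IdP sync turns the manual rotate-or-revoke step into something you can evidence in an access review.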

Verifying Your SCIM Setup

After configuring your IdP:
  1. Go to Settings > User Management > SCIM Provisioning in Draftt.
  2. Confirm the Last sync timestamp updates after your IdP runs a sync.
  3. Check Settings > User Management > Users to verify provisioned users appear with the expected roles.

Next Steps

  • Review Roles & Permissions to define the right role defaults for SCIM-provisioned users.
  • Set up SSO if not already configured. SCIM requires SSO.