User lifecycle management with SCIM

Managing User Access with the Marq SCIM API

Managing user access in an organization, from onboarding to offboarding, is hard because accounts and permissions are spread across many systems. With APIs now common, organizations can automate provisioning and management instead of doing it by hand. One standard for this is the System for Cross-domain Identity Management (SCIM, RFC 7643/7644), which defines a REST API and JSON representations for creating, reading, updating, and removing users and groups across systems.

This article focuses on the Marq SCIM API (User API & Group API), its capabilities, and standard processes for implementing automatic provisioning and user management in Marq.

Marq SCIM API Overview

The Marq SCIM API allows organizations to automate user access management. It exposes a SCIM interface that any identity provider supporting the protocol can drive, so Marq accounts and access follow what the identity provider says. The documentation includes walkthroughs for configuring Okta or Azure Active Directory (AD) instances for automatic user provisioning and access control.

You can also call the SCIM API directly from your own middleware for greater control and customization: create, update, and delete users, and manage group membership, outside of what the identity provider connector does on its own.

User Lifecycle Management with the Marq SCIM API

Knowing which attributes are set at onboarding, and which change as users move into new roles, determines how well the automation keeps Marq access aligned with each person's actual job. Let's explore some common scenarios in automated user management and how the Marq SCIM API can assist in automating the user journey.

New User Onboarding

Creating new user accounts in an application is a fundamental aspect of automated user management. The ideal user experience is to provide immediate access to all necessary resources upon account creation.

For example, when a company adds a new user to the MarqUsers group, the integration layer should first call the SCIM Users API with a filter on the username to check whether the user already exists, so that a re-run of the sync does not create a duplicate account. If the user, let's say [email protected], doesn't exist, the integration layer calls the create method with the user's details. This method requires the username (Marq email address), family name, and given name. Additional information like department, employee number, and other metadata fields can also be included, which lets templates be populated dynamically from those attributes.
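The lookup-then-create flow described above, as an added example (not Marq's own code or client). It assumes, since the article does not state it, that the base URL shown later for Groups (https://users.app.marq.com/scim/v2) also serves /Users, that the API accepts a bearer token, and that department and employee number map to the standard SCIM enterprise extension attributes; the fake transport and the sample user are constructed so the script runs offline.

```python
"""Idempotent onboarding against a SCIM 2.0 /Users endpoint (added example).

Assumed, not confirmed by the article: /Users lives under the same base URL as
/Groups, a bearer token is accepted, and department / employeeNumber are the
standard enterprise-extension attributes.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def scim_filter(attr: str, op: str, value: str) -> str:
    """Build an RFC 7644 filter such as  userName eq "jane@example.com".
    String values are quoted; quotes and backslashes inside the value are
    escaped JSON-style so a caller-supplied value cannot widen the filter."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{attr} {op} "{escaped}"'


def urllib_transport(token: str):
    """Real HTTP transport: send(method, url, body) -> (status, parsed JSON)."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Accept", "application/scim+json")
        if data is not None:
            req.add_header("Content-Type", "application/scim+json")
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            raw = err.read()
            return err.code, (json.loads(raw) if raw else {})
    return send


class ScimClient:
    def __init__(self, base_url: str, send):
        self.base_url = base_url.rstrip("/")
        self.send = send

    def find_user(self, email: str):
        """GET /Users?filter=userName eq "..." (URL-encoded); None if absent."""
        query = urllib.parse.urlencode(
            {"filter": scim_filter("userName", "eq", email)}, quote_via=urllib.parse.quote)
        status, body = self.send("GET", f"{self.base_url}/Users?{query}")
        if status != 200:
            raise RuntimeError(f"lookup failed: {status} {body}")
        resources = body.get("Resources", [])
        return resources[0] if resources else None

    def create_user(self, email, given_name, family_name, department=None, employee_number=None):
        """POST /Users with the required userName/name plus optional enterprise fields."""
        user = {
            "schemas": [SCIM_USER],
            "userName": email,
            "name": {"givenName": given_name, "familyName": family_name},
            "active": True,
        }
        ext = {k: v for k, v in [("department", department), ("employeeNumber", employee_number)] if v}
        if ext:
            user["schemas"].append(SCIM_ENTERPRISE)
            user[SCIM_ENTERPRISE] = ext
        status, body = self.send("POST", f"{self.base_url}/Users", user)
        if status != 201:
            raise RuntimeError(f"create failed: {status} {body}")
        return body

    def ensure_user(self, email, given_name, family_name, **extra):
        """Look up first, create only if absent, so re-running a sync never duplicates."""
        existing = self.find_user(email)
        if existing is not None:
            return existing, False
        return self.create_user(email, given_name, family_name, **extra), True


def fake_transport(store: dict):
    """Constructed in-memory stand-in for the service so the example runs offline."""
    def send(method, url, body=None):
        parts = urllib.parse.urlsplit(url)
        if method == "GET":
            flt = urllib.parse.parse_qs(parts.query).get("filter", [""])[0]
            hits = [u for u in store.values()
                    if scim_filter("userName", "eq", u["userName"]) == flt]
            return 200, {"totalResults": len(hits), "Resources": hits}
        if method == "POST":
            created = dict(body, id=f"u{len(store) + 1}")
            store[created["id"]] = created
            return 201, created
        return 405, {}
    return send


if __name__ == "__main__":
    client = ScimClient("https://users.app.marq.com/scim/v2", fake_transport({}))
    # Real run: ScimClient(base_url, urllib_transport(os.environ["MARQ_SCIM_TOKEN"]))
    for _ in range(2):
        user, created = client.ensure_user("jane.doe@example.com", "Jane", "Doe",
                                           department="Marketing", employee_number="E1001")
        print(user["id"], "created" if created else "already present")
```

Running the demo twice shows the point of the lookup: the second pass finds the existing account and does not POST again. The transport is injected so the same client code is exercised against the fake store here and against the real endpoint with urllib_transport.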

Group Modification and Creation

The ability to modify team memberships is another core feature of the Group API, enabling users to access work relevant to their roles.

After creating groups, you can use the SCIM API to synchronize them between systems. Similar to creating users, you look up the group ID with the Groups API and an appropriate filter. The SCIM filter syntax supports eq (equals) and sw (starts with) on displayName, passed as ?filter=displayName followed by the operator and value. Per RFC 7644 the value is a quoted string and the whole filter is URL-encoded in the query string; the example below is shown unencoded for readability and filters for all groups whose name starts with Cali:

https://users.app.marq.com/scim/v2/Groups/?filter=displayName sw Cali

Once you receive the groups that match the filter, use the group ID to update the group's members by calling the update method with a JSON payload containing the user IDs. Keep the SCIM distinction in mind: a PUT replaces the whole resource, including the complete member list, so you must send the full intended membership, while a PATCH with add and remove operations changes individual members; check the Marq documentation for which form its update method expects. The same call can also change the group's name in Marq if necessary.

User Data Update

As users and their roles change within an organization, applications and access must be updated accordingly. Linking users and groups to Marq through identifiers enables support for such changes.

For example, when Jane Doe starts, her role and membership in the "California" team are created. Later, if Jane joins the "East Region Marketing" team as a Marq administrator, additional access and permissions can be granted by updating her user attributes through the API. This involves adding the "Template Admin" role and modifying her group memberships.

Using the API, you would then:

  • Update Jane's permissions by adding the Template Admin role attribute using the Users API.
  • Remove Jane from the California group using the Groups API.
  • Add Jane to the East Region Marketing group using the Groups API.

Chaining these API calls together keeps a user's access current as their roles evolve. Check each response before issuing the next call: if the removal from California fails silently, Jane ends up with the union of her old and new access rather than the access her new role requires.

User Offboarding and Deletion

When a user leaves the organization or no longer requires Marq access, their accounts need to be cleaned up. The Delete User API can be used to delete the account. Alternatively, if the user account needs to be retained but inactive, the Update User API can set its status to inactive. Deactivation is reversible and deletion is not, but either way the call should be triggered by the same offboarding event that removes the user from the identity provider, so that Marq access is revoked at the same time as everything else.
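The group lookup with a starts-with filter, Jane's chained role change, and the two offboarding options, as one added example (not Marq's own code) that serves the Group Modification, User Data Update, and Offboarding sections above. It assumes, since the article does not confirm it, that the endpoint accepts RFC 7644 PATCH operations (add, remove, replace) on /Users and /Groups, that the Template Admin role is carried in the core SCIM "roles" attribute, and that the IDs, group names, and the send(method, path, body) callable are illustrative; the FakeScim store is constructed so the chain runs offline.

```python
"""Group lookup, a chained role change and offboarding as SCIM 2.0 calls (added example).

Assumed, not confirmed by the article: RFC 7644 PatchOp is accepted on /Users and
/Groups, Template Admin is a value of the core "roles" attribute, and the IDs are
illustrative. send(method, path, body) returns (status, parsed JSON).
"""
import re
import urllib.parse

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def patch_op(*operations) -> dict:
    return {"schemas": [PATCH_OP], "Operations": list(operations)}


def add_members(*user_ids) -> dict:
    return patch_op({"op": "add", "path": "members", "value": [{"value": u} for u in user_ids]})


def remove_member(user_id: str) -> dict:
    # A filtered path removes one member instead of clearing the whole list.
    return patch_op({"op": "remove", "path": f'members[value eq "{user_id}"]'})


def add_role(role: str) -> dict:
    return patch_op({"op": "add", "path": "roles", "value": [{"value": role}]})


def deactivate() -> dict:
    return patch_op({"op": "replace", "path": "active", "value": False})


def find_groups(send, prefix: str) -> list:
    """GET /Groups?filter=displayName sw "<prefix>", quoted and URL-encoded."""
    escaped = prefix.replace("\\", "\\\\").replace('"', '\\"')
    query = urllib.parse.quote(f'displayName sw "{escaped}"')
    status, body = send("GET", f"/Groups?filter={query}", None)
    if status != 200:
        raise RuntimeError(f"group lookup failed: {status} {body}")
    return body.get("Resources", [])


def _check(send, method, path, body) -> int:
    status, resp = send(method, path, body)
    if status not in (200, 204):
        raise RuntimeError(f"{method} {path} failed: {status} {resp}")
    return status


def change_role(send, user_id, role, leave_group_id, join_group_id) -> list:
    """Jane's transition: grant role, leave old team, join new team. Each response is
    checked before the next call so a failure does not leave half-applied access."""
    return [
        _check(send, "PATCH", f"/Users/{user_id}", add_role(role)),
        _check(send, "PATCH", f"/Groups/{leave_group_id}", remove_member(user_id)),
        _check(send, "PATCH", f"/Groups/{join_group_id}", add_members(user_id)),
    ]


def offboard(send, user_id, retain=True) -> int:
    """retain=True keeps the account but sets active=false; retain=False deletes it."""
    if retain:
        return _check(send, "PATCH", f"/Users/{user_id}", deactivate())
    return _check(send, "DELETE", f"/Users/{user_id}", None)


class FakeScim:
    """Constructed in-memory stand-in that applies just the PatchOp subset used above,
    seeded with the article's Jane / California / East Region Marketing example."""
    def __init__(self):
        self.users = {"u1": {"id": "u1", "userName": "jane.doe@example.com", "active": True, "roles": []}}
        self.groups = {
            "g1": {"id": "g1", "displayName": "California", "members": [{"value": "u1"}]},
            "g2": {"id": "g2", "displayName": "East Region Marketing", "members": []},
        }

    def __call__(self, method, path, body):
        parts = urllib.parse.urlsplit(path)
        segs = parts.path.strip("/").split("/")
        table = self.users if segs[0] == "Users" else self.groups
        if method == "GET":
            flt = urllib.parse.parse_qs(parts.query).get("filter", [""])[0]
            m = re.fullmatch(r'displayName sw "(.*)"', flt)
            hits = [r for r in table.values() if m and r.get("displayName", "").startswith(m.group(1))]
            return 200, {"totalResults": len(hits), "Resources": hits}
        res = table.get(segs[1]) if len(segs) > 1 else None
        if res is None:
            return 404, {"detail": "not found"}
        if method == "DELETE":
            del table[segs[1]]
            return 204, {}
        for op in body["Operations"]:
            m = re.fullmatch(r'members\[value eq "(.*)"\]', op["path"])
            if op["op"] == "remove" and m:
                res["members"] = [x for x in res["members"] if x["value"] != m.group(1)]
            elif op["op"] == "add":
                res.setdefault(op["path"], []).extend(op["value"])
            elif op["op"] == "replace":
                res[op["path"]] = op["value"]
        return 200, res


if __name__ == "__main__":
    srv = FakeScim()
    print([g["displayName"] for g in find_groups(srv, "Cali")])
    change_role(srv, "u1", "Template Admin", "g1", "g2")
    print(srv.users["u1"]["roles"], srv.groups["g1"]["members"], srv.groups["g2"]["members"])
    print(offboard(srv, "u1", retain=True), srv.users["u1"]["active"])
```

The PATCH bodies are built separately from the calls that send them, so they can be inspected or logged before anything changes, and remove_member uses a filtered path so that only Jane is dropped from California rather than the whole member list. For a real endpoint, the send callable is the bearer-token HTTP transport from the onboarding example with the base URL prefixed to the path.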

Conclusion

The Marq SCIM API provides the necessary components to manage user lifecycles in your organization. By leveraging existing user information, security groups, and roles, user and group management in Marq can be largely automated.
