
SCIM

Also known as: System for Cross-domain Identity Management
SOC 2 · ISO 27001

Open standard for automated user provisioning/deprovisioning from an IdP to SaaS apps.

SCIM 2.0 (RFC 7643/7644) is a REST-based protocol for managing identities across cloud services. It standardises user/group create, read, update, delete operations between an IdP (Okta, Entra ID) and a SaaS resource.

Why it matters
Removing a departed user's access within 24 hours of termination is a SOC 2 CC6 control. Doing that by hand does not scale, and SCIM is the only scalable way to evidence it across more than ~50 employees.
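As an added illustration (not part of this glossary entry), the snippet below shows the RFC 7644 PatchOp an IdP sends to deactivate a user, a minimal resource-side handler for it, and the timing check an auditor would want as CC6 evidence. The sample user, timestamps and the string-boolean normalisation (some provisioning connectors serialise `active` as the strings "True"/"False") are assumptions for the example, not data from the page.

```python
from datetime import datetime, timedelta

# Schema URNs defined by SCIM 2.0 (RFC 7643 for User, RFC 7644 for PatchOp).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: a User resource as an IdP would have provisioned it (not real data).
SAMPLE_USER = {
    "schemas": [USER_SCHEMA],
    "id": "user-0001",
    "userName": "jdoe@example.com",
    "active": True,
}

def deprovision_patch() -> dict:
    """PATCH body an IdP sends to deactivate a user (RFC 7644 section 3.5.2)."""
    return {"schemas": [PATCH_OP_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def apply_patch(resource: dict, patch: dict) -> dict:
    """Apply a PatchOp to a resource. Handles top-level single-valued attributes,
    which covers deactivation; multi-valued attribute filters are out of scope here."""
    if PATCH_OP_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated = dict(resource)  # never mutate the caller's copy
    for op in patch["Operations"]:
        kind = op["op"].lower()  # treat op names case-insensitively ("Replace" is seen in practice)
        path = op.get("path")
        if kind in ("add", "replace"):
            value = op["value"]
            if path is None and isinstance(value, dict):
                updated.update(value)  # RFC 7644 allows omitting path when value is an attribute set
                continue
            # Assumed quirk: some connectors send booleans as strings; normalise for 'active'.
            if path == "active" and isinstance(value, str):
                value = value.lower() == "true"
            updated[path] = value
        elif kind == "remove":
            updated.pop(path, None)
        else:
            raise ValueError(f"unsupported op: {op['op']}")
    return updated

def offboarding_within_sla(terminated_at: str, deactivated_at: str, hours: int = 24) -> bool:
    """CC6 evidence check: deactivation happened no later than `hours` after termination.
    Timestamps are ISO 8601 with UTC offset, the format SCIM uses for meta.lastModified."""
    delta = datetime.fromisoformat(deactivated_at) - datetime.fromisoformat(terminated_at)
    return timedelta(0) <= delta <= timedelta(hours=hours)
```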

Related terms

SSO (Single Sign-On)
Federated authentication via SAML 2.0 or OIDC against a central identity provider (Okta, Entra ID, Google).
Least Privilege (Principle of)
Users and services receive only the minimum access required to perform their function.
User Access Review
Periodic review by data owners confirming each user's access remains appropriate; typically quarterly.
