
SCIM 2.0 user provisioning

VinTekh implements a strict subset of the SCIM 2.0 (RFC 7644) protocol so identity providers (Okta, Microsoft Entra Provisioning, OneLogin, JumpCloud) can keep your user roster in sync without manual invites. New users created at your IdP appear in VinTekh within seconds; deactivated users are tombstoned the same way.

What is supported

  • GET /api/scim/v2/Users — paginated list with optional userName eq "…" filter
  • POST /api/scim/v2/Users — create user
  • GET /api/scim/v2/Users/{id} — fetch
  • PUT / PATCH / DELETE /api/scim/v2/Users/{id} — update / deactivate
  • GET /api/scim/v2/ServiceProviderConfig, /Schemas, /ResourceTypes — discovery
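The following is an added example, not VinTekh's own server code: it shows how a server implementing exactly this subset can parse the list endpoint's query parameters, accepting only the userName eq "…" filter form and clamping SCIM's 1-based startIndex/count paging. The default page size (100), the cap (200) and the 320-character userName limit are assumptions made for the example.

```typescript
// Added example, not VinTekh's code: request parsing for the strict SCIM
// subset listed above. Only `userName eq "<value>"` is a legal filter, so
// anything else is rejected before any query is built.
// Page-size default/cap and the userName length limit are assumptions.

export interface UserNameFilter {
  attribute: "userName";
  op: "eq";
  value: string;
}

// RFC 7644 §3.4.2.2: attribute names and operators are case-insensitive and
// the comparison value is a JSON string literal, so JSON.parse handles escapes.
const USERNAME_EQ = /^\s*userName\s+eq\s+("(?:[^"\\]|\\.)*")\s*$/i;

export function parseUserNameFilter(filter: string): UserNameFilter {
  const m = USERNAME_EQ.exec(filter);
  if (!m) {
    // Covers other attributes, other operators (co, sw, pr, ...) and compound
    // and/or/not expressions: none of them are part of the supported subset.
    throw new Error(`unsupported filter: ${JSON.stringify(filter)}`);
  }
  let value: string;
  try {
    value = JSON.parse(m[1]) as string;
  } catch {
    throw new Error("malformed string literal in filter");
  }
  if (value.length === 0 || value.length > 320) {
    throw new Error("userName value must be 1..320 characters");
  }
  return { attribute: "userName", op: "eq", value };
}

export interface ListQuery {
  userName?: string;
  skip: number;
  take: number;
}

const DEFAULT_COUNT = 100; // assumed default page size
const MAX_COUNT = 200;     // assumed hard cap per page

function parseIntOr(text: string | undefined, fallback: number): number {
  if (text === undefined) return fallback;
  return /^\d{1,9}$/.test(text) ? Number(text) : fallback;
}

// SCIM paging is 1-based (startIndex) with a client-chosen count. Both arrive
// as query-string text and are clamped rather than trusted.
export function parseListQuery(q: {
  filter?: string;
  startIndex?: string;
  count?: string;
}): ListQuery {
  const startIndex = Math.max(1, parseIntOr(q.startIndex, 1));
  const count = Math.min(MAX_COUNT, Math.max(0, parseIntOr(q.count, DEFAULT_COUNT)));
  const out: ListQuery = { skip: startIndex - 1, take: count };
  if (q.filter !== undefined) {
    out.userName = parseUserNameFilter(q.filter).value;
  }
  return out;
}
```

Rejecting every unsupported filter shape up front, instead of ignoring unknown operators, keeps an IdP misconfiguration from silently returning the whole roster when it asked for one user.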

Groups are not supported in v1. Role assignment is managed via the in-app Users & RBAC page. A future tranche maps SCIM Groups to roles.

Setting up an IdP connector

  1. Go to Settings → API keys and create a new key with scope scim. Copy the plaintext token immediately — it's shown only once and starts with vtk_scim_.
  2. In your IdP, choose a SCIM 2.0 connector and use:
    • SCIM base URL: https://your-vintekh-host/api/scim/v2
    • Authentication: HTTP header — Bearer token
    • Token: paste the vtk_scim_… value from step 1
  3. Run a connection test. You should see a 200 OK on /ServiceProviderConfig and a 200 OK on /Users?count=1.
  4. Enable user provisioning. New users land with role viewer; promote them via Users & RBAC as needed.
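As an added example (hypothetical; not a VinTekh-provided tool), the connection test from step 3 can be scripted so the two probes are checked the same way every time. The verdict logic is separated from the HTTP transport, so it can be exercised against constructed responses; the response-schema URNs are the standard ones from RFC 7644, and the expectation that /Users?count=1 returns at most one resource is this example's own check.

```typescript
// Added example, not a VinTekh tool: scripted version of the step 3
// connection test. The verdict function is pure so it can be checked offline
// against constructed responses; fetchTransport does the real requests.

export const TOKEN_PREFIX = "vtk_scim_";
export const SPC_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig";
export const LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse";

export interface ScimResponse { status: number; body: unknown; }
export type ScimTransport = (url: string, bearer: string) => Promise<ScimResponse>;
export interface ProbeResult { endpoint: string; ok: boolean; detail: string; }

// Sanity checks before any request (and the token) leaves the machine.
export function checkSetup(baseUrl: string, token: string): string[] {
  const problems: string[] = [];
  if (!baseUrl.startsWith("https://")) {
    problems.push("base URL must use https; the bearer token is sent on every request");
  }
  if (!baseUrl.endsWith("/api/scim/v2")) {
    problems.push("base URL should end with /api/scim/v2");
  }
  if (!token.startsWith(TOKEN_PREFIX)) {
    problems.push(`token does not start with ${TOKEN_PREFIX}; paste the key's plaintext value`);
  }
  return problems;
}

function schemasOf(body: unknown): string[] {
  const s = (body as { schemas?: unknown } | null)?.schemas;
  return Array.isArray(s) ? s.filter((x): x is string => typeof x === "string") : [];
}

export function evaluateProbe(endpoint: string, res: ScimResponse): ProbeResult {
  const fail = (detail: string): ProbeResult => ({ endpoint, ok: false, detail });
  if (res.status === 401 || res.status === 403) {
    return fail(`${res.status}: token rejected (wrong scope, revoked, or pasted with whitespace)`);
  }
  if (res.status !== 200) return fail(`expected 200 OK, got ${res.status}`);
  const schemas = schemasOf(res.body);
  if (endpoint.startsWith("/ServiceProviderConfig")) {
    return schemas.includes(SPC_SCHEMA)
      ? { endpoint, ok: true, detail: "200 OK, ServiceProviderConfig returned" }
      : fail("200 but body is not a ServiceProviderConfig; check the base URL path");
  }
  if (endpoint.startsWith("/Users")) {
    const resources = (res.body as { Resources?: unknown } | null)?.Resources;
    if (!schemas.includes(LIST_SCHEMA) || !Array.isArray(resources)) {
      return fail("200 but body is not a SCIM ListResponse");
    }
    if (resources.length > 1) return fail("count=1 was not honoured");
    return { endpoint, ok: true, detail: `200 OK, ${resources.length} resource(s) in page` };
  }
  return fail("no check defined for this endpoint");
}

export async function runConnectionTest(
  baseUrl: string,
  token: string,
  transport: ScimTransport,
): Promise<ProbeResult[]> {
  const problems = checkSetup(baseUrl, token);
  if (problems.length > 0) throw new Error(problems.join("; "));
  const results: ProbeResult[] = [];
  for (const endpoint of ["/ServiceProviderConfig", "/Users?count=1"]) {
    results.push(evaluateProbe(endpoint, await transport(baseUrl + endpoint, token)));
  }
  return results;
}

// Real transport on the global fetch (Node 18+), typed loosely so this file
// compiles without DOM or Node type libraries.
export const fetchTransport: ScimTransport = async (url, bearer) => {
  const f = (globalThis as { fetch?: (u: string, init: object) => Promise<any> }).fetch;
  if (!f) throw new Error("global fetch is not available in this runtime");
  const res = await f(url, {
    headers: { Authorization: `Bearer ${bearer}`, Accept: "application/scim+json" },
  });
  const body = await res.json().catch(() => null);
  return { status: res.status, body };
};
```

Usage: runConnectionTest("https://your-vintekh-host/api/scim/v2", process.env.VTK_SCIM_TOKEN!, fetchTransport) and print the two ProbeResult entries; read the token from the environment rather than a command-line argument so it does not end up in shell history.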

Tenant boundary

Every SCIM call is scoped to the tenant that owns the API key. Cross-tenant reads are impossible by construction: the Prisma middleware injects the tenant filter on every query, so there is no code path that issues an unscoped query. See Architecture & data flow for the details.
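To illustrate what "injects the tenant filter on every query" means, here is an added example, not VinTekh's actual middleware, written in the shape of a Prisma middleware ((params, next) => next(params)) but without a Prisma dependency so it runs stand-alone. The tenantId column name, the set of actions handled, and the rewrites of unique-where actions (findUnique to findFirst, update/delete to their ...Many forms, the same trick Prisma's own soft-delete middleware example uses) are this example's assumptions.

```typescript
// Added example, not VinTekh's code: a tenant-scoping layer in the shape of a
// Prisma middleware, shown without Prisma so it can run stand-alone.
// Assumptions: every model has a `tenantId` column; the action names below.

type Action =
  | "findUnique" | "findFirst" | "findMany" | "count"
  | "create" | "update" | "updateMany" | "delete" | "deleteMany";

export interface Params {
  model?: string;
  action: Action;
  args: Record<string, any>;
}

export type Next = (params: Params) => Promise<unknown>;

// Actions whose `where` is a free filter, so the tenant predicate can be ANDed in.
const FILTER_ACTIONS = new Set<Action>(["findFirst", "findMany", "count", "updateMany", "deleteMany"]);

function andTenant(tenantId: string, where: unknown): Record<string, unknown> {
  // AND rather than merge: a caller-supplied tenantId can never override ours;
  // a conflicting one simply matches nothing.
  return where ? { AND: [{ tenantId }, where] } : { tenantId };
}

function assertDataTenant(tenantId: string, data: unknown): void {
  const t = (data as { tenantId?: unknown } | null)?.tenantId;
  if (t !== undefined && t !== tenantId) {
    throw new Error("tenantId in data does not match the caller's tenant");
  }
}

// Pure rewrite of the query parameters; the middleware below just applies it.
export function scopeParams(tenantId: string, params: Params): Params {
  if (!tenantId) throw new Error("tenant scoping requires a tenantId");
  const args: Record<string, any> = { ...(params.args ?? {}) };
  let action = params.action;

  switch (action) {
    case "create":
      assertDataTenant(tenantId, args.data);
      args.data = { ...(args.data ?? {}), tenantId };
      break;
    case "findUnique":
      // findUnique only accepts unique keys, so switch to findFirst and add the tenant.
      action = "findFirst";
      args.where = andTenant(tenantId, args.where);
      break;
    case "update":
      // Prevent moving a row across tenants, then scope the target.
      assertDataTenant(tenantId, args.data);
      action = "updateMany";
      args.where = andTenant(tenantId, args.where);
      break;
    case "delete":
      action = "deleteMany";
      args.where = andTenant(tenantId, args.where);
      break;
    default:
      if (action === "updateMany") assertDataTenant(tenantId, args.data);
      if (FILTER_ACTIONS.has(action)) args.where = andTenant(tenantId, args.where);
  }
  return { ...params, action, args };
}

// The middleware itself: every query passing through is rewritten first.
export function tenantScope(tenantId: string) {
  return (params: Params, next: Next): Promise<unknown> => next(scopeParams(tenantId, params));
}
```

The rewrite of update/delete to updateMany/deleteMany changes the return shape (a count instead of the row), which is the usual price of this approach; a handler that needs the row does a scoped findFirst afterwards rather than reaching for an unscoped call.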

Audit

Every SCIM operation lands in the Audit log with actorEmail = scim-key:<keyId>. Revoking the API key stops new operations immediately.