SCIM group API reference¶
You can use the SCIM group API to access, create, and modify roles.
Snowflake uses SCIM to import roles from Okta, Azure AD and custom-built applications. The roles in these identity providers map one-to-one with Snowflake roles.
Roles, sometimes called groups, are a collection of access privileges. To access securable objects in Snowflake, privileges must be assigned to roles, and roles are assigned to other roles or users.
Access permissions and rights that are granted to the role are automatically inherited by every member, such as a user, of the role. For more information, see Overview of Access Control.
A user’s access requirements to Snowflake can change. For example, a user can change from being an individual contributor to a manager in their organization, which may require their role in Snowflake to change, or they may require access to data sets only available to managers.
As the user’s role changes in the identity provider, their access to Snowflake automatically changes when their organization role maps to the corresponding Snowflake role.
HTTP headers¶
The Snowflake SCIM API uses bearer tokens for HTTP authentication.
Each HTTP request to the Snowflake SCIM API allows the following HTTP headers:
Header |
Value |
|---|---|
|
|
|
|
|
|
|
|
Group attributes¶
You can specify group (that is, a role) attributes in the body of the API requests as key-value pairs in JSON format. These pairs contain information about the group, such as the group’s display name. Identity providers can specify their own key names for each attribute.
Snowflake supports the following SCIM attributes for role lifecycle management. Attributes are writable unless otherwise noted.
SCIM Group Attribute |
Snowflake Group Attribute |
Type |
Description |
|---|---|---|---|
|
|
String |
The immutable, unique identifier (GUID) of the role in Snowflake. Snowflake does not return this value. You can find this value by calling the Information Schema table function REST_EVENT_HISTORY. Check the IdP logs to ensure the values match. |
|
|
String |
The text shown in the user interface when referring to the group. |
|
N/A |
String |
The |
|
N/A |
String |
An array of strings to indicate the namespace URIs. For example, |
Get details about a group by displayName¶
- Method and endpoint:
GET /scim/v2/Groups?filter=displayName eq "{{group_name}}"- Description:
Returns details about a group associated with the
displayNamequery parameter.Returns the HTTP response status code
200if the HTTP request successfully completed.
Get details about a group by groupId¶
- Method and endpoint:
GET /scim/v2/Groups/{{group_id}}- Description:
Returns details about a group associated with the
group_idpath parameter.Returns the HTTP response status code
200if the HTTP request successfully completed.
Create a group¶
- Method and endpoint:
POST /scim/v2/Groups- Description:
Creates a new group in Snowflake.
Returns the HTTP response status code
201if the HTTP request successfully completed.- Examples:
Create a group with the
displayNamescim_test_group2:{ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], "displayName":"scim_test_group2" }
Update a group¶
- Method and endpoint:
PATCH /scim/v2/Groups/{{group_id}}- Description:
Updates the display name attribute or group membership of the group associated with the
group_idpath parameter.You must set
optoaddorreplaceto perform this HTTP request.Returns the HTTP response status code
200if the HTTP request was successfully completed.If unsuccessful, returns the HTTP response code
204.- Examples:
Update a group
displayName, remove a member and add a member:{ "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": [{ "op": "replace", "value": { "displayName": "updated_name" } }, { "op" : "remove", "path": "members[value eq \"user_id_1\"]" }, { "op": "add", "value": [{ "value": "user_id_2" }] }] }
Delete a group¶
- Method and endpoint:
DELETE /scim/v2/Groups/{{group_id}}- Description:
Deletes the group associated with the
group_idpath parameter.