SCIM user API reference¶

You can use the SCIM user API to access, create, and modify user data.

HTTP headers¶

The Snowflake SCIM API uses bearer tokens for HTTP authentication.

Each HTTP request to the Snowflake SCIM API allows the following HTTP headers:

Header	Value
`Authorization` (Required)	`Bearer <access_token>`
`Content-Type`	`application/scim+json`
`Accept-Encoding`	`utf-8`
`Accept-Charset`	`utf-8`

User attributes¶

You can specify user attributes in the body of the API requests as key-value pairs in JSON format. These pairs contain information about the user, such as the user’s display name or their email address. Identity providers can specify their own key names for each attribute. For example, identity providers can use the key lastName, instead of familyName, to represent the user’s last name. Snowflake does not support multi-value user attributes.

Important

In the table below, the attributes userName and loginName both refer to the attribute userName. Snowflake supports specifying different values for the userName and loginName attributes.

Snowflake supports the following attributes for user lifecycle management:

SCIM User Attribute	Snowflake User Attribute	Type	Description
`id`	`ID`	string	The immutable, unique identifier (GUID) of the user in Snowflake. Snowflake does not return this value in the DESCRIBE USER or SHOW USERS output. For requests on endpoints that require this attribute, such as `PATCH scim/v2/Users/{{id}}`, the `id` attribute can be found using the REST_EVENT_HISTORY function. Check the IdP logs to ensure the values match.
`userName`	`NAME`, `LOGIN_NAME`	string	The identifier used to login into Snowflake. For more information about these attributes, see CREATE USER.
`name.givenName`	`FIRST_NAME`	string	The first name of the user.
`name.familyName`	`LAST_NAME`	string	The last name of the user.
`emails`	`EMAIL`	string	The email address of the user.
`displayName`	`DISPLAY_NAME`	string	The text shown in the user interface when referring to the user.
`externalID`	N/A	string	The unique identifier set by the provisioning client (e.g. Azure, Okta).
`password`	`PASSWORD`	string	The password for the user. This value is not returned in the JSON response. If the `SYNC_PASSWORD` property in the SCIM security integration is set to `FALSE`, and the SCIM API request specifies the `password` attribute, Snowflake ignores the value for the `password` attribute. All other attributes in the API request are processed normally.
`active`	`DISABLED`	boolean	Disables the user when set to `false`.
`groups`	N/A	string	A list of groups to which the user belongs. The group `displayName` is required. The user’s groups are immutable and their membership must be updated using the SCIM groups API.
`meta.created`	`CREATED_ON`	string	The time the user was added to Snowflake.
`meta.lastModified`	`UPDATED_ON`	string	The time the user was last modified in Snowflake.
`meta.resourceType`	N/A	string	The type of resource for the user. You should use `user` as a value for this attribute.
`schemas`	N/A	string	A comma-separated array of strings specifying the namespace URIs. Snowflake supports the following values: `urn:ietf:params:scim:schemas:core:2.0:User` `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User` `urn:ietf:params:scim:schemas:extension:2.0:User`

Custom attributes¶

You can set custom attributes that are not defined by RFC 7643, such as defaultRole.

You can use the following namespaces to set custom attributes when making POST, PUT, and PATCH requests:

urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

This namespace was part of the original SCIM implementation in Snowflake. You can only use this namespace for setting custom attributes in Okta SCIM security integrations.

You cannot use this namespace to set custom attributes in Microsoft Azure SCIM security integrations or custom SCIM integrations.

urn:ietf:params:scim:schemas:extension:2.0:User

You can use this namespace to set custom attributes for all SCIM integrations. You must use this namespace for setting custom attributes in Microsoft Azure SCIM security integrations or Custom SCIM security integrations.

Snowflake supports the following custom attributes:

SCIM User Custom Attribute	Snowflake User Attribute	Type	Description
`defaultWarehouse`	`DEFAULT_WAREHOUSE`	string	The virtual warehouse that is active by default for the user’s session upon login.
`defaultRole`	`DEFAULT_ROLE`	string	The primary role that is active by default for the user’s session upon login.
`defaultSecondaryRoles`	`DEFAULT_SECONDARY_ROLES`	string	The list of secondary roles that are active for the user’s session upon login. You can set this attribute to `ALL` as an alias for `('ALL')`, or you can set this attribute to `NONE` or `""` as an alias for `()`.
`type`	`TYPE`	string	The type of user. Default: `null`. You can set this attribute to `person`, `service`, `legacy_service`, or `null`. For more information about types of users, see the TYPE object property of users.

Check if a user exists¶

Method and endpoint:

GET /scim/v2/Users?filter=userName eq "{{user_name}}"

Description:

Returns details about a user associated with the userName query parameter.

Returns the HTTP response status code 200 if the HTTP request successfully completed.

Get details about a user¶

Method and endpoint:

GET /scim/v2/Users/{{user_id}}

Description:

Returns details about a user associated with the user_id path parameter.

Returns the HTTP response status code 200 if the HTTP request successfully completed.

Create a user¶

Method and endpoint:

POST /scim/v2/Users

Description:

Creates a user in Snowflake.

Returns the HTTP response status code 201 if the HTTP request successfully completed.

If the user already exists or the HTTP request failed for a different reason, then Snowflake returns the HTTP response status code 409.

Examples:

Create a user with userName and loginName mapped to the same value:

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:2.0:User"
  ],
  "userName": "test_user_1",
  "password": "test",
  "name": {
    "givenName": "test",
    "familyName": "user"
  },
  "emails": [
    {"value": "test.user@snowflake.com"}
  ],
  "displayName": "test user",
  "active": true
}

Copy

Create a user with userName and loginName mapped to different values:

Note

If you use Okta as your identity provider, follow this procedure.

{
  "active": true,
  "displayName": "test user",
  "emails": [
    {"value": "test.user@snowflake.com"}
  ],
  "name": {
    "familyName": "test_last_name",
    "givenName": "test_first_name"
  },
  "password": "test_password",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "snowflakeUserName": "USER5"
  },
  "userName": "USER5"
}

Copy

Replace user attributes¶

Method and endpoint:

PATCH /scim/v2/Users/{{id}}

Description:

Replaces attributes of the user associated with the id path parameter.

You must set op to replace to perform this HTTP request.

active allows the following values:

false: deactivates the user.
true: activates the user.

Returns the HTTP response status code 200 if the HTTP request was successfully completed.

If unsuccessful, returns the HTTP response code 204.

Examples:

Deactivate a user and update their givenName to deactivated_user:

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {"op": "replace", "value": { "active": false }}
    {"op": "replace", "value": { "givenName": "deactivated_user" }}
  ],
}

Copy

Update a user with userName and loginName mapped to the same value:

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {"op": "replace", "value": { "active": false }}
  ]
}

Copy

Update a user with userName and loginName mapped to different values.

If Okta is your identity provider, follow this procedure.

{
  "Operations": [
    {
      "op": "replace",
      "path": "userName",
      "value": "test_updated_name"
    },
    {
      "op": "replace",
      "path": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.snowflakeUserName",
      "value": "USER5"
    }
  ],
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]
}

Copy

Update a user¶

Method and endpoint:

PUT /scim/v2/Users/{{id}}

Description:

Updates the attributes of the user associated with the id path parameter.

If unsuccessful, returns the HTTP response code 400. The HTTP request is unsuccessful if the request tries to change immutable attributes or if the attributes being changed do not exist in Snowflake.

Examples:

Update a user and their "defaultRole", "defaultSecondaryRoles", and "defaultWarehouse" attributes.

To specify the "defaultRole", "defaultSecondaryRoles", and "defaultWarehouse" attributes, you must use one of the extension schemas. The defaultSecondaryRoles attribute only accepts "ALL" as a value.

Note

The PUT method is more expensive than the PATCH method. Use the PATCH operation instead.

{
  "schemas": [
   "urn:ietf:params:scim:schemas:core:2.0:User",
   "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "test_user_1",
  "password": "test",
  "name": {
    "givenName": "test",
    "familyName": "user"
  },
  "emails": [{
    "primary": true,
    "value": "test.user@snowflake.com",
    "type": "work"
  }
  ],
  "displayName": "test user",
  "active": true,
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "defaultRole" : "test_role",
    "defaultSecondaryRoles" : "ALL",
    "defaultWarehouse" : "test_warehouse"
  }
}

Copy

Delete a user¶

Method and endpoint:: DELETE /scim/v2/Users/{{id}}
Description:: Deletes the user associated with the id path parameter.