docs/source/guide/scim_workflow.md
System for Cross-domain Identity Management (SCIM) is an open standard for automating the exchange of user identity information between identity domains or IT systems. SCIM is designed to make user management in cloud-based applications and services easier and more efficient, reducing the time and resources required for user administration.
For organizations using Label Studio Enterprise, SCIM provides a streamlined approach to managing user identities and access permissions. By integrating SCIM, administrators can automate the provisioning and deprovisioning of users, synchronize user data across systems, and ensure that the right individuals have access to the necessary resources within Label Studio Enterprise.
You can use SCIM to do the following:
- Add users
- Remove users (set their user role to Deactivated)
- Assign users to groups
- Unassign a user from a group
- Map groups to user roles

Note that groups are defined in the IdP, not Label Studio. However, the group-to-role mapping is defined in Label Studio.
You can use SCIM with Label Studio to control and interact with two entities: Users and Groups.
!!! note
    Our API uses the django-scim2 library.

- Search for users: `GET /scim/v2/Users?filter=userName =<[email protected]>&startIndex=1&count=100`
    - 200 response if user exists
    - 404 if not
- Get user: `GET /scim/v2/Users/[email protected]`
- Create user: `POST /scim/v2/Users/`

  This will also require a payload that includes user information such as email and password.
- Modify group members: `PUT /scim/v2/Groups/<group-name>`
Example:
```json
{
  "BODY": {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "id": "<group-name>",
    "displayName": "<group-name>",
    "members": [
      {
        "value": "[email protected]",
        "display": "[email protected]"
      }
    ]
  }
}
```
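The group update above, as an added example that is not from the Label Studio documentation: it builds the PUT request and reports which members the new list adds or drops, so an unintended removal is visible before the request is sent. It assumes the request body is the Group resource shown under "BODY", that PUT replaces the member list as in standard SCIM (RFC 7644), and that GET on the same path returns the current resource; `plan_group_update` and the sample data are hypothetical.

```python
import json
from urllib.parse import quote

GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed sample: what GET /scim/v2/Groups/<group-name> is assumed to return.
CURRENT = {
    "schemas": [GROUP_SCHEMA],
    "id": "reviewers/eu", "displayName": "reviewers/eu",
    "members": [
        {"value": "alice@example.com", "display": "alice@example.com"},
        {"value": "bob@example.com", "display": "bob@example.com"},
    ],
}


def plan_group_update(group_name, current_group, desired_emails):
    """Build the PUT request for a group and report membership changes."""
    desired = sorted({e.strip() for e in desired_emails})
    for email in desired:
        local, sep, domain = email.partition("@")
        if not (local and sep and "." in domain) or " " in email:
            raise ValueError(f"not an email address: {email!r}")
    # Assumption: PUT replaces the whole resource (RFC 7644, section 3.5.1),
    # so any current member missing from the new list loses membership.
    current = {m["value"] for m in current_group.get("members", [])}
    body = {
        "schemas": [GROUP_SCHEMA],
        "id": group_name,
        "displayName": group_name,
        "members": [{"value": e, "display": e} for e in desired],
    }
    return {
        "method": "PUT",
        # Percent-encode the name so "/" or "?" cannot alter the request path.
        "path": "/scim/v2/Groups/" + quote(group_name, safe=""),
        "body": json.dumps(body),
        "added": sorted(set(desired) - current),
        "removed": sorted(current - set(desired)),
    }


if __name__ == "__main__":
    plan = plan_group_update("reviewers/eu", CURRENT, ["alice@example.com", "carol@example.com"])
    print(plan["path"], "added:", plan["added"], "removed:", plan["removed"])
```

Because group membership drives role mapping, the `removed` list is the set of users whose mapped access would change with this request.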
- `POST /scim/v2/Groups/<group-name>`
- `GET /scim/v2/Groups/<group-name>`

These settings can also be configured in the Label Studio app from the Organization > SCIM page. From here you can map groups to user roles and map groups to workspaces (see below).

- `GET /api/scim/settings`
- `POST /api/scim/settings`

You can assign roles to users through group mapping. Use the Update SCIM settings API or log in to Label Studio and go to the Organization page. Click SCIM in the upper right.
These roles can be Annotator, Reviewer, Manager, or Administrator.
Each group can only be mapped to one role at the organization level. For more information about what permissions each role has, see Roles in Label Studio Enterprise.
You can also assign a group to the Deactivated role, which would revoke their Label Studio access.
For more granular control, you can assign project-level roles to a group.
These roles can be Annotator, Reviewer, or Inherit (meaning they inherit their organization-level role).
Unlike organization-level roles, a group can be assigned to multiple roles across multiple projects. For example, Group A can be Annotators in Project 1 and Reviewers in Project 2.
You can also use SCIM to assign user groups to a workspace, or create a new workspace if one does not already exist.
When you assign a group to a workspace, they are added as workspace members. This means that by default, they will have access to any projects within that workspace.
Their permissions for those projects will depend on their organization-level role. However, you can override this by using SCIM to assign a project-level role (see above).