SCIM user API reference¶
You can use the SCIM user API to access, create, and modify user data.
HTTP headers¶
The Snowflake SCIM API uses bearer tokens for HTTP authentication.
Each HTTP request to the Snowflake SCIM API allows the following HTTP headers:
Header |
Value |
---|---|
|
|
|
|
|
|
|
|
User attributes¶
You can specify user attributes in the body of the API requests as key-value pairs in JSON format. These pairs contain information about the
user, such as the user’s display name or their email address. Identity providers can specify their own key names for each attribute. For
example, identity providers can use the key lastName
, instead of familyName
, to represent the user’s last name. Snowflake
does not support multi-value user attributes.
Important
In the table below, the attributes userName
and loginName
both refer to the attribute userName
. Snowflake
supports specifying different values for the userName
and loginName
attributes.
Snowflake supports the following attributes for user lifecycle management:
SCIM User Attribute |
Snowflake User Attribute |
Type |
Description |
---|---|---|---|
|
|
string |
The immutable, unique identifier (GUID) of the user in Snowflake. Snowflake does not return this value in the DESCRIBE USER or SHOW USERS output. For requests on endpoints that require this attribute, such as |
|
|
string |
The identifier used to login into Snowflake. For more information about these attributes, see CREATE USER. |
|
|
string |
The first name of the user. |
|
|
string |
The last name of the user. |
|
|
string |
The email address of the user. |
|
|
string |
The text shown in the user interface when referring to the user. |
|
N/A |
string |
The unique identifier set by the provisioning client (e.g. Azure, Okta). |
|
|
string |
The password for the user. This value is not returned in the JSON response. If the |
|
|
boolean |
Disables the user when set to |
|
N/A |
string |
A list of groups to which the user belongs. The group The user’s groups are immutable and their membership must be updated using the SCIM groups API. |
|
|
string |
The time the user was added to Snowflake. |
|
|
string |
The time the user was last modified in Snowflake. |
|
N/A |
string |
The type of resource for the user. You should use |
|
N/A |
string |
A comma-separated array of strings specifying the namespace URIs. Snowflake supports the following values:
|
Custom attributes¶
You can set custom attributes that are not defined by RFC 7643 (https://datatracker.ietf.org/doc/html/rfc7643), such as
defaultRole
.
You can use the following namespaces to set custom attributes when making POST, PUT, and PATCH requests:
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
This namespace was part of the original SCIM implementation in Snowflake. You can only use this namespace for setting custom attributes in Okta SCIM security integrations.
You cannot use this namespace to set custom attributes in Microsoft Azure SCIM security integrations or custom SCIM integrations.
urn:ietf:params:scim:schemas:extension:2.0:User
You can use this namespace to set custom attributes for all SCIM integrations. You must use this namespace for setting custom attributes in Microsoft Azure SCIM security integrations or Custom SCIM security integrations.
Snowflake supports the following custom attributes:
SCIM User Custom Attribute |
Snowflake User Attribute |
Type |
Description |
---|---|---|---|
|
|
string |
The virtual warehouse that is active by default for the user’s session upon login. |
|
|
string |
The primary role that is active by default for the user’s session upon login. |
|
|
string |
The list of secondary roles that are active for the user’s session upon login. You can set this
attribute to |
|
|
string |
The type of user. Default: |
Check if a user exists¶
- Method and endpoint:
GET /scim/v2/Users?filter=userName eq "{{user_name}}"
- Description:
Returns details about a user associated with the
userName
query parameter.Returns the HTTP response status code
200
if the HTTP request successfully completed.
Get details about a user¶
- Method and endpoint:
GET /scim/v2/Users/{{user_id}}
- Description:
Returns details about a user associated with the
user_id
path parameter.Returns the HTTP response status code
200
if the HTTP request successfully completed.
Create a user¶
- Method and endpoint:
POST /scim/v2/Users
- Description:
Creates a user in Snowflake.
Returns the HTTP response status code
201
if the HTTP request successfully completed.If the user already exists or the HTTP request failed for a different reason, then Snowflake returns the HTTP response status code
409
.- Examples:
Create a user with
userName
andloginName
mapped to the same value:{ "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:2.0:User" ], "userName": "test_user_1", "password": "test", "name": { "givenName": "test", "familyName": "user" }, "emails": [ {"value": "test.user@snowflake.com"} ], "displayName": "test user", "active": true }
Create a user with
userName
andloginName
mapped to different values:Note
If you use Okta as your identity provider, follow this procedure.
{ "active": true, "displayName": "test user", "emails": [ {"value": "test.user@snowflake.com"} ], "name": { "familyName": "test_last_name", "givenName": "test_first_name" }, "password": "test_password", "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" ], "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { "snowflakeUserName": "USER5" }, "userName": "USER5" }
Replace user attributes¶
- Method and endpoint:
PATCH /scim/v2/Users/{{id}}
- Description:
Replaces attributes of the user associated with the
id
path parameter.You must set
op
toreplace
to perform this HTTP request.active
allows the following values:false
: deactivates the user.true
: activates the user.
Returns the HTTP response status code
200
if the HTTP request was successfully completed.If unsuccessful, returns the HTTP response code
204
.- Examples:
Deactivate a user and update their
givenName
todeactivated_user
:{ "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": [ {"op": "replace", "value": { "active": false }} {"op": "replace", "value": { "givenName": "deactivated_user" }} ], }
Update a user with
userName
andloginName
mapped to the same value:{ "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": [ {"op": "replace", "value": { "active": false }} ] }
Update a user with
userName
andloginName
mapped to different values.If Okta is your identity provider, follow this procedure.
{ "Operations": [ { "op": "replace", "path": "userName", "value": "test_updated_name" }, { "op": "replace", "path": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.snowflakeUserName", "value": "USER5" } ], "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"] }
Update a user¶
- Method and endpoint:
PUT /scim/v2/Users/{{id}}
- Description:
Updates the attributes of the user associated with the
id
path parameter.If unsuccessful, returns the HTTP response code
400
. The HTTP request is unsuccessful if the request tries to change immutable attributes or if the attributes being changed do not exist in Snowflake.- Examples:
Update a user and their
"defaultRole"
,"defaultSecondaryRoles"
, and"defaultWarehouse"
attributes.To specify the
"defaultRole"
,"defaultSecondaryRoles"
, and"defaultWarehouse"
attributes, you must use one of theextension
schemas. ThedefaultSecondaryRoles
attribute only accepts"ALL"
as a value.Note
The PUT method is more expensive than the PATCH method. Use the PATCH operation instead.
{ "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" ], "userName": "test_user_1", "password": "test", "name": { "givenName": "test", "familyName": "user" }, "emails": [{ "primary": true, "value": "test.user@snowflake.com", "type": "work" } ], "displayName": "test user", "active": true, "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { "defaultRole" : "test_role", "defaultSecondaryRoles" : "ALL", "defaultWarehouse" : "test_warehouse" } }
Delete a user¶
- Method and endpoint:
DELETE /scim/v2/Users/{{id}}
- Description:
Deletes the user associated with the
id
path parameter.