Provision users and teams with SCIM
Automate member provisioning from your identity provider.
Available on enterprise plan.
Only admins can configure SCIM.
SCIM (System for Cross-domain Identity Management) lets you manage Attio workspace membership directly from your identity provider (IDP). When SCIM is configured, your identity provider can be used to manage workspace membership in Attio. Adding someone in your IDP provisions them in Attio, and removing them suspends their access.
SCIM works independently of Single sign-on (SSO). You can use either feature without the other, though many organizations use both together.
Set up SCIM with a developer token
First, make sure you have at least one verified domain on your workspace.
To connect your IDP using a developer token, you’ll need to be an Attio admin.
Click your workspace name and select Workspace settings.
Click Developers in the sidebar.
Click + New access token.
Give the token a name, such as "SCIM Management".
Set User Management to Read-write.
Copy the token and paste it into your identity provider's SCIM configuration.
Note: Treat this token like a password. Anyone with access to it can provision and deprovision members in your workspace.
For step-by-step instructions on configuring your identity provider, see:
Automatic seat assignment
When a new user is provisioned via SCIM, Attio uses an available seat on your subscription first. If no seats are available, the provisioning request fails.
To change this behavior, enable Automatic seat assignment in Attio:
Click your workspace name and select Workspace settings.
Click Security in the sidebar.
Under User provisioning (SCIM), toggle on Automatic seat assignment.
When enabled, Attio will use an available seat if one exists, or automatically add a new paid seat to your subscription if not.
How SCIM works
Once SCIM is configured, your IDP controls how members are provisioned and managed in Attio.
Provisioning users
Assigning a user to the Attio SCIM integration in your IDP adds them to your workspace. If a user with that email already exists in Attio, they are linked to the workspace rather than provisioned as a new user.
Users are provisioned as non-admin members by default. To provision someone as an admin, set their role to admin in your IDP before assigning them.
How a user is added depends on their email domain:
Verified domain: The user is added to the workspace directly and receives an email notifying them they've been added. New Attio users also receive a welcome email.
Non-verified domain: The user receives a workspace invite and is added once they accept it.
Deprovisioning users
Removing or deactivating a user in your IDP suspends their Attio workspace membership immediately and revokes their session.
It’s not possible to delete or downgrade the last remaining admin in a workspace. First, give another member admin access.
Manage admin and member roles
Set and update roles using the roles attribute in your IDP. Attio supports two roles: member and admin. An unrecognized role value defaults to member. If both roles are assigned to the same user, admin takes precedence.
Manage teams
SCIM groups map to Attio teams. Pushing a group from your IDP to Attio creates a new team, or you can link an IDP group to an existing team.
How Attio and your IDP work together
Your IDP is the source of truth for any members and teams provisioned through it. If a change is made directly in Attio, such as updating a role or team membership, your IDP will reconcile it back to its own state on the next sync.
Any members or teams not currently managed by your IDP can still be managed freely from within Attio and won't be affected by syncs.
Disconnect SCIM
To stop syncing, remove your credentials from your identity provider. If you connected using a developer token, you can also delete it from Workspace settings > Developers. Once the token is removed, your IDP can no longer provision or suspend members in Attio.
All changes made via SCIM remain in place and are not reverted.