Skip to content

What is SCIM, and how does it support joiner-mover-leaver provisioning?

Short answer

SCIM (System for Cross-domain Identity Management) is a standard REST/JSON API and schema for creating, updating, and deleting user accounts across applications. Wired to an HR system or IdP, it automates the joiner-mover-leaver lifecycle: accounts and entitlements are provisioned on hire, adjusted on role change, and — most importantly — deprovisioned on departure, eliminating the orphaned accounts attackers love.

Identity isn't just authentication — it's the whole lifecycle of an account from hire to exit. SCIM is the standard that lets you automate that lifecycle instead of relying on manual tickets.

What SCIM is

The System for Cross-domain Identity Management defines a common REST/JSON API and user/group schema so an identity source (an IdP like Entra or Okta, often fed by an HR system) can push account changes into downstream applications automatically. Instead of each SaaS app having a bespoke admin API, they speak the same SCIM dialect: POST to create a user, PATCH to update, DELETE/deactivate to remove.

Joiner-mover-leaver

  • Joiner. A new hire appears in the HR system; the IdP provisions accounts and baseline entitlements in connected apps automatically — day-one access, no ticket queue.
  • Mover. On a role or department change, attributes update and entitlements are added or — crucially — removed, preventing privilege accumulation ("access creep") as people move around.
  • Leaver. On termination, accounts are deprovisioned within minutes, not weeks.

Why the leaver step is the security payoff

The most dangerous IAM failure is the orphaned account — an ex-employee or contractor whose access was never revoked. Those accounts sit unused (so nobody notices), often keep standing privileges, and are prime targets for credential stuffing and insider misuse. Manual offboarding is slow and error-prone; SCIM-driven deprovisioning closes the gap deterministically.

How it fits with SSO

SCIM and SSO are complementary, not competitors: SSO (SAML/OIDC) handles authentication at login time, while SCIM handles account existence and entitlements in the app beforehand. SSO without provisioning still leaves stale accounts behind; you want both.

What interviewers look for: you define SCIM as standardized provisioning, you walk the joiner-mover-leaver flow, and you single out timely deprovisioning / orphaned accounts as the core risk it addresses.

Likely follow-ups

  • Why is timely deprovisioning the highest-value part of the lifecycle?
  • How do SCIM and SSO (SAML/OIDC) complement each other?
  • What's the risk of relying on manual offboarding tickets instead?

Sources

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.