Skip to main content

SCIM Integration

You can provide configuration to Snowflake Object Lifecycle Engine for the following operation with SCIM integration:

  • Manage the lifecycle of new and existing SCIM integrations


<configuration-key>: <value>

Supported parameters

The engine supports the parameters listed below.

Configuration KeyRequired/OptionalData Types and ValuesDescription
scim_clientRequiredStringSpecifies the client type for the SCIM integration.
Caution: The scim_client must be one of the [OKTA, AZURE, CUSTOM]. Refer to the Snowflake documentation.
provisioner_role or run_as_roleRequiredStringSpecifies the SCIM role in Snowflake that owns any users and roles that are imported from the identity provider into Snowflake using SCIM.
Caution: The provisioner_role must be one of the [OKTA_PROVISIONER, AAD_PROVISIONER, GENERIC_SCIM_PROVISIONER]. Refer to the Snowflake documentation. You cannot use both configuration keys provisioner_role and run_as_role simultaneously in a SCIM configuration.
environmentOptionalStringSpecifies the environment in which the SCIM integration is managed. Regex can be provided as well.
manage_modeOptionalString: all (default), noneConfigures what properties to manage for the SCIM integration.
See Changing Manage Mode before changing the value.
namespacingOptionalString: both (default), none, prefix, suffixSpecifies whether prefix or suffix or both are to be added to SCIM integration name
network_policyOptionalStringSpecifies an active network policy for your account. The network policy restricts the list of user IP addresses when exchanging an authorization code for an access or refresh token and when using a refresh token to obtain a new access token. If this parameter is not set, the network policy for the account, if any, is used instead.


provisioner_role: "GENERIC_SCIM_PROVISIONER"
scim_client: "AZURE"
scim_client: "AZURE"