Skip to main content

SCIM Integration

You can provide configuration to Snowflake Object Lifecycle Engine for the following operation with SCIM integration:

  • Manage the lifecycle of new and existing SCIM integrations



We have introduced SOLE for Data Products as a new framework for SOLE to help you easily build an ecosystem of data products. The major difference is in how you define Snowflake objects in the configuration file. Rather than having a grouped collection of objects, SOLE for Data Products goes for modular, self-describing, and explicit object definition.
Learn more about SOLE for Data Products, currently available as a public preview.

We have also introduced Data products as an extra layer on top of the data product platform capabilities making managing data products easier than ever. Learn more about Data Products, currently available as a private preview.

<configuration-key>: <value>

Supported parameters

The engine supports the parameters listed below.

Configuration KeyRequired/OptionalData Types and ValuesDescription
scim_clientRequiredStringSpecifies the client type for the SCIM integration.
Caution: The scim_client must be one of the [OKTA, AZURE, CUSTOM]. Refer to the Snowflake documentation.
provisioner_role or run_as_roleRequiredStringSpecifies the SCIM role in Snowflake that owns any users and roles that are imported from the identity provider into Snowflake using SCIM.
Caution: The provisioner_role must be one of the [OKTA_PROVISIONER, AAD_PROVISIONER, GENERIC_SCIM_PROVISIONER]. Refer to the Snowflake documentation. You cannot use both configuration keys provisioner_role and run_as_role simultaneously in a SCIM configuration.
environmentOptionalStringSpecifies the environment in which the SCIM integration is managed. Regex can be provided as well.
manage_modeOptionalString: all (default), noneConfigures what properties to manage for the SCIM integration.
See Changing Manage Mode before changing the value.
namespacingOptionalString: both (default), none, prefix, suffixSpecifies whether prefix or suffix or both are to be added to SCIM integration name
network_policyOptionalStringSpecifies an active network policy for your account. The network policy restricts the list of user IP addresses when exchanging an authorization code for an access or refresh token and when using a refresh token to obtain a new access token. If this parameter is not set, the network policy for the account, if any, is used instead.


provisioner_role: "GENERIC_SCIM_PROVISIONER"
scim_client: "AZURE"
scim_client: "AZURE"