Question regarding setting up SCIM With Groups/users already created

I’m setting up SCIM for 1Password for the first time and wondering if enabling SCIM will affect the groups/users already in the system. I have created a new group and vault for testing, but was concerned whether, when I enable SCIM, that will affect users/groups already created, or just the groups I’ve included to be synced. If a user already has access to a vault/group, and they get added to the test group, as they will be using the same company email address, will this affect their access, even if only the test group was set to be synced on SCIM? I’ve read a few posts and some documentation but was unclear on this.



Comments

  • hemal.g_1p
    1Password Alumni
    edited September 2022

    Hello @Kpatterson777 ,

    Thank you for your question. Enabling SCIM will not affect the existing users or groups in your 1Password account. The SCIM bridge will only synchronize the users or groups you choose to synchronize from your identity provider.

    To answer your latter concern, the SCIM bridge setup will not disturb the access of other existing groups for which the user is already assigned access privileges. The group you are synchronizing by SCIM bridge will have access if that group also has access.

    Do you mind sharing what identity provider you are trying to connect?

  • Kpatterson777
    Community Member

    Thank you for your reply :) It's Azure, and I was concerned from reading prior posts that if I had a user already in a group using an email address already being used in Azure AD, their access to other non-synced groups would be affected.

    When adding a user to a test group in 1PW, adding it through managed groups, turning on user provisioning and syncing, does it create the test group in Azure?

  • hemal.g_1p
    1Password Alumni
    edited September 2022

    Happy to help!

    Access for a user with the same email address who is part of synced groups and other non-synced groups will not be affected by the SCIM integration at all.

    Additionally, users that were previously in will be affected by the new integration and can be suspended, renamed, reactivated, etc. as part of the behavior in synced groups, regardless of what groups they were in before, provided they have the same email address.

    With SCIM integration you can create/assign groups from your Azure directory and bring them to 1Password by syncing them. Also, you can manage existing synced 1Password groups in Azure AD. The reverse is not a SCIM function, i.e. a manually created group in 1Password will not be created in Azure.

    You'd then want to use the "Import" to re-link the users/groups between the Identity Provider (IdP) and 1Password, as these sorts of desync can happen.
    It's recommended to provision users/groups via the IdP.

This discussion has been closed.