Manage users, groups, and roles with SCIM
13 minute read
Overview
The System for Cross-domain Identity Management (SCIM) API allows instance or organization admins to manage users, groups, and custom roles in their W&B organization. SCIM groups map to W&B teams.
The SCIM API is accessible at <host-url>/scim/ and supports the /Users and /Groups endpoints with a subset of the fields found in the RC7643 protocol. It additionally includes the /Roles endpoints which are not part of the official SCIM schema. W&B adds the /Roles endpoints to support automated management of custom roles in W&B organizations.
If you are an admin of multiple Enterprise SaaS Cloud organizations, you must configure the organization where SCIM API requests are sent. Click your profile image, then click User Settings. The setting is named Default API organization. This is required for all hosting options, including Dedicated Cloud, Self-managed instances, and SaaS Cloud. In SaaS Cloud, the organization admin must configure the default organization in user settings to ensure that the SCIM API requests go to the right organization.
The chosen hosting option determines the value for the <host-url> placeholder used in the examples in this page.
In addition, examples use user IDs such as abc and def. Real requests and responses have hashed values for user IDs.
Authentication
Access to the SCIM API can be authenticated in two ways:
Users
An organization or instance admin can use basic authentication with their API key to access the SCIM API. Set the HTTP request’s Authorization header to the string Basic followed by a space, then the base-64 encoded string in the format username:API-KEY. In other words, replace the username and API key with your values separated with a : character, then base-64-encode the result. For example, to authorize as demo:p@55w0rd, the header should be Authorization: Basic ZGVtbzpwQDU1dzByZA==.
Service accounts
An organization service account with the admin role can access the SCIM API. The username is left blank and only the API key is used. Find the API key for service accounts in the Service account tab in the organization dashboard. Refer to Organization-scoped service accounts.
Set the HTTP request’s Authorization header to the string Basic followed by a space, then the base-64 encoded string in the format :API-KEY (notice the colon at the beginning with no username). For example, to authorize with only an API key such as sa-p@55w0rd, set the header to: Authorization: Basic OnNhLXBANTV3MHJk.
User Management
The SCIM user resource maps to W&B users. Use these endpoints to manage users in your organization.
Get User
Retrieves information for a specific user in your organization.
Endpoint
- URL:
<host-url>/scim/Users/{id} - Method: GET
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The unique ID of the user |
Example
GET /scim/Users/abc
(Status 200)
{
"active": true,
"displayName": "Dev User 1",
"emails": {
"Value": "dev-user1@test.com",
"Display": "",
"Type": "",
"Primary": true
},
"id": "abc",
"meta": {
"resourceType": "User",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:00:00Z",
"location": "Users/abc"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "dev-user1"
}
List Users
Retrieves a list of all users in your organization.
Endpoint
- URL:
<host-url>/scim/Users - Method: GET
Example
GET /scim/Users
(Status 200)
{
"Resources": [
{
"active": true,
"displayName": "Dev User 1",
"emails": {
"Value": "dev-user1@test.com",
"Display": "",
"Type": "",
"Primary": true
},
"id": "abc",
"meta": {
"resourceType": "User",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:00:00Z",
"location": "Users/abc"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "dev-user1"
}
],
"itemsPerPage": 9999,
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"startIndex": 1,
"totalResults": 1
}
Create User
Creates a new user in your organization.
Endpoint
- URL:
<host-url>/scim/Users - Method: POST
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| emails | array | Yes | Array of email objects. Must include a primary email |
| userName | string | Yes | The username for the new user |
Example
POST /scim/Users
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"emails": [
{
"primary": true,
"value": "dev-user2@test.com"
}
],
"userName": "dev-user2"
}
POST /scim/Users
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:teams:2.0:User"
],
"emails": [
{
"primary": true,
"value": "dev-user2@test.com"
}
],
"userName": "dev-user2",
"urn:ietf:params:scim:schemas:extension:teams:2.0:User": {
"teams": ["my-team"]
}
}
Response
(Status 201)
{
"active": true,
"displayName": "Dev User 2",
"emails": {
"Value": "dev-user2@test.com",
"Display": "",
"Type": "",
"Primary": true
},
"id": "def",
"meta": {
"resourceType": "User",
"created": "2023-10-01T00:00:00Z",
"location": "Users/def"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "dev-user2"
}
(Status 201)
{
"active": true,
"displayName": "Dev User 2",
"emails": {
"Value": "dev-user2@test.com",
"Display": "",
"Type": "",
"Primary": true
},
"id": "def",
"meta": {
"resourceType": "User",
"created": "2023-10-01T00:00:00Z",
"location": "Users/def"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:teams:2.0:User"
],
"userName": "dev-user2",
"organizationRole": "member",
"teamRoles": [
{
"teamName": "my-team",
"roleName": "member"
}
],
"groups": [
{
"value": "my-team-id"
}
]
}
Delete User
Maintain admin access
You must ensure that at least one admin user exists in your instance or organization at all times. Otherwise, no user will be able to configure or maintain your organization’s W&B account. If an organization uses SCIM or another automated process to deprovision users from W&B, a deprovisioning operation could inadvertently remove the last remaining admin from the instance or organization.
For assistance with developing operational procedures, or to restore admin access, contact support.
Fully deletes a user from your organization.
Endpoint
- URL:
<host-url>/scim/Users/{id} - Method: DELETE
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The unique ID of the user to delete |
Example
DELETE /scim/Users/abc
(Status 204)
PATCH endpoint.Deactivate User
Temporarily deactivates a user in your organization.
Endpoint
- URL:
<host-url>/scim/Users/{id} - Method: PATCH
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The unique ID of the user to deactivate |
| op | string | Yes | Must be “replace” |
| value | object | Yes | Object with {"active": false} |
Example
PATCH /scim/Users/abc
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "replace",
"value": {"active": false}
}
]
}
(Status 200)
{
"active": true,
"displayName": "Dev User 1",
"emails": {
"Value": "dev-user1@test.com",
"Display": "",
"Type": "",
"Primary": true
},
"id": "abc",
"meta": {
"resourceType": "User",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:00:00Z",
"location": "Users/abc"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "dev-user1"
}
Reactivate User
Reactivates a previously deactivated user in your organization.
Endpoint
- URL:
<host-url>/scim/Users/{id} - Method: PATCH
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The unique ID of the user to reactivate |
| op | string | Yes | Must be “replace” |
| value | object | Yes | Object with {"active": true} |
Example
PATCH /scim/Users/abc
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "replace",
"value": {"active": true}
}
]
}
(Status 200)
{
"active": true,
"displayName": "Dev User 1",
"emails": {
"Value": "dev-user1@test.com",
"Display": "",
"Type": "",
"Primary": true
},
"id": "abc",
"meta": {
"resourceType": "User",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:00:00Z",
"location": "Users/abc"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "dev-user1"
}
Assign Organization Role
Assigns an organization-level role to a user.
Endpoint
- URL:
<host-url>/scim/Users/{id} - Method: PATCH
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The unique ID of the user |
| op | string | Yes | Must be “replace” |
| path | string | Yes | Must be “organizationRole” |
| value | string | Yes | Role name (“admin” or “member”) |
viewer role is deprecated and can no longer be set in the UI. W&B assigns the member role to a user if you attempt to assign the viewer role using SCIM. The user is automatically provisioned with Models and Weave seats if possible. Otherwise, a Seat limit reached error is logged. For organizations that use Registry, the user is automatically assigned the viewer role in registries that are visible at the organization level.Example
PATCH /scim/Users/abc
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "replace",
"path": "organizationRole",
"value": "admin"
}
]
}
(Status 200)
{
"active": true,
"displayName": "Dev User 1",
"emails": {
"Value": "dev-user1@test.com",
"Display": "",
"Type": "",
"Primary": true
},
"id": "abc",
"meta": {
"resourceType": "User",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:00:00Z",
"location": "Users/abc"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "dev-user1",
"teamRoles": [
{
"teamName": "team1",
"roleName": "admin"
}
],
"organizationRole": "admin"
}
Assign Team Role
Assigns a team-level role to a user.
Endpoint
- URL:
<host-url>/scim/Users/{id} - Method: PATCH
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | The unique ID of the user |
| op | string | Yes | Must be “replace” |
| path | string | Yes | Must be “teamRoles” |
| value | array | Yes | Array of objects with teamName and roleName |
Example
PATCH /scim/Users/abc
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "replace",
"path": "teamRoles",
"value": [
{
"roleName": "admin",
"teamName": "team1"
}
]
}
]
}
(Status 200)
{
"active": true,
"displayName": "Dev User 1",
"emails": {
"Value": "dev-user1@test.com",
"Display": "",
"Type": "",
"Primary": true
},
"id": "abc",
"meta": {
"resourceType": "User",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:00:00Z",
"location": "Users/abc"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "dev-user1",
"teamRoles": [
{
"teamName": "team1",
"roleName": "admin"
}
],
"organizationRole": "admin"
}
Group resource
The SCIM group resource maps to W&B teams, that is, when you create a SCIM group in a W&B deployment, it creates a W&B team. Same applies to other group endpoints.
Get team
- Endpoint:
<host-url>/scim/Groups/{id} - Method: GET
- Description: Retrieve team information by providing the team’s unique ID.
- Request Example:
GET /scim/Groups/ghi
- Response Example:
(Status 200)
{
"displayName": "wandb-devs",
"id": "ghi",
"members": [
{
"Value": "abc",
"Ref": "",
"Type": "",
"Display": "dev-user1"
}
],
"meta": {
"resourceType": "Group",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:00:00Z",
"location": "Groups/ghi"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
List teams
- Endpoint:
<host-url>/scim/Groups - Method: GET
- Description: Retrieve a list of teams.
- Request Example:
GET /scim/Groups
- Response Example:
(Status 200)
{
"Resources": [
{
"displayName": "wandb-devs",
"id": "ghi",
"members": [
{
"Value": "abc",
"Ref": "",
"Type": "",
"Display": "dev-user1"
}
],
"meta": {
"resourceType": "Group",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:00:00Z",
"location": "Groups/ghi"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
],
"itemsPerPage": 9999,
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"startIndex": 1,
"totalResults": 1
}
Create team
- Endpoint:
<host-url>/scim/Groups - Method: POST
- Description: Create a new team resource.
- Supported Fields:
| Field | Type | Required |
|---|---|---|
| displayName | String | Yes |
| members | Multi-Valued Array | Yes (value sub-field is required and maps to a user ID) |
- Request Example:
Creating a team called wandb-support with dev-user2 as its member.
POST /scim/Groups
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
"displayName": "wandb-support",
"members": [
{
"value": "def"
}
]
}
- Response Example:
(Status 201)
{
"displayName": "wandb-support",
"id": "jkl",
"members": [
{
"Value": "def",
"Ref": "",
"Type": "",
"Display": "dev-user2"
}
],
"meta": {
"resourceType": "Group",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:00:00Z",
"location": "Groups/jkl"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
Update team
- Endpoint:
<host-url>/scim/Groups/{id} - Method: PATCH
- Description: Update an existing team’s membership list.
- Supported Operations:
addmember,removemember
members[value eq "{user_id}"] to remove a specific user, or members to remove all users from the team.{team_id} with the actual team ID and {user_id} with the actual user ID in your requests.Adding a user to a team
Adding dev-user2 to wandb-devs:
PATCH /scim/Groups/{team_id}
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "add",
"path": "members",
"value": [
{
"value": "{user_id}"
}
]
}
]
}
(Status 200)
{
"displayName": "wandb-devs",
"id": "ghi",
"members": [
{
"Value": "abc",
"Ref": "",
"Type": "",
"Display": "dev-user1"
},
{
"Value": "def",
"Ref": "",
"Type": "",
"Display": "dev-user2"
}
],
"meta": {
"resourceType": "Group",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:01:00Z",
"location": "Groups/ghi"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
Removing a specific user from a team
Removing dev-user2 from wandb-devs:
PATCH /scim/Groups/{team_id}
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "remove",
"path": "members[value eq \"{user_id}\"]"
}
]
}
(Status 200)
{
"displayName": "wandb-devs",
"id": "ghi",
"members": [
{
"Value": "abc",
"Ref": "",
"Type": "",
"Display": "dev-user1"
}
],
"meta": {
"resourceType": "Group",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:01:00Z",
"location": "Groups/ghi"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
Removing all users from a team
Removing all users from wandb-devs:
PATCH /scim/Groups/{team_id}
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "remove",
"path": "members"
}
]
}
(Status 200)
{
"displayName": "wandb-devs",
"id": "ghi",
"members": null,
"meta": {
"resourceType": "Group",
"created": "2023-10-01T00:00:00Z",
"lastModified": "2023-10-01T00:01:00Z",
"location": "Groups/ghi"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
Delete team
- Deleting teams is currently unsupported by the SCIM API since there is additional data linked to teams. Delete teams from the app to confirm you want everything deleted.
Role resource
The SCIM role resource maps to W&B custom roles. As mentioned earlier, the /Roles endpoints are not part of the official SCIM schema, W&B adds /Roles endpoints to support automated management of custom roles in W&B organizations.
Get custom role
- Endpoint:
<host-url>/scim/Roles/{id} - Method: GET
- Description: Retrieve information for a custom role by providing the role’s unique ID.
- Request Example:
GET /scim/Roles/abc
- Response Example:
(Status 200)
{
"description": "A sample custom role for example",
"id": "Um9sZTo3",
"inheritedFrom": "member", // indicates the predefined role
"meta": {
"resourceType": "Role",
"created": "2023-11-20T23:10:14Z",
"lastModified": "2023-11-20T23:31:23Z",
"location": "Roles/Um9sZTo3"
},
"name": "Sample custom role",
"organizationID": "T3JnYW5pemF0aW9uOjE0ODQ1OA==",
"permissions": [
{
"name": "artifact:read",
"isInherited": true // inherited from member predefined role
},
...
...
{
"name": "project:update",
"isInherited": false // custom permission added by admin
}
],
"schemas": [
""
]
}
List custom roles
- Endpoint:
<host-url>/scim/Roles - Method: GET
- Description: Retrieve information for all custom roles in the W&B organization
- Request Example:
GET /scim/Roles
- Response Example:
(Status 200)
{
"Resources": [
{
"description": "A sample custom role for example",
"id": "Um9sZTo3",
"inheritedFrom": "member", // indicates the predefined role that the custom role inherits from
"meta": {
"resourceType": "Role",
"created": "2023-11-20T23:10:14Z",
"lastModified": "2023-11-20T23:31:23Z",
"location": "Roles/Um9sZTo3"
},
"name": "Sample custom role",
"organizationID": "T3JnYW5pemF0aW9uOjE0ODQ1OA==",
"permissions": [
{
"name": "artifact:read",
"isInherited": true // inherited from member predefined role
},
...
...
{
"name": "project:update",
"isInherited": false // custom permission added by admin
}
],
"schemas": [
""
]
},
{
"description": "Another sample custom role for example",
"id": "Um9sZToxMg==",
"inheritedFrom": "viewer", // indicates the predefined role that the custom role inherits from
"meta": {
"resourceType": "Role",
"created": "2023-11-21T01:07:50Z",
"location": "Roles/Um9sZToxMg=="
},
"name": "Sample custom role 2",
"organizationID": "T3JnYW5pemF0aW9uOjE0ODQ1OA==",
"permissions": [
{
"name": "launchagent:read",
"isInherited": true // inherited from viewer predefined role
},
...
...
{
"name": "run:stop",
"isInherited": false // custom permission added by admin
}
],
"schemas": [
""
]
}
],
"itemsPerPage": 9999,
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"startIndex": 1,
"totalResults": 2
}
Create custom role
- Endpoint:
<host-url>/scim/Roles - Method: POST
- Description: Create a new custom role in the W&B organization.
- Supported Fields:
| Field | Type | Required |
|---|---|---|
| name | String | Name of the custom role |
| description | String | Description of the custom role |
| permissions | Object array | Array of permission objects where each object includes a name string field that has value of the form w&bobject:operation. For example, a permission object for delete operation on W&B runs would have name as run:delete. |
| inheritedFrom | String | The predefined role which the custom role would inherit from. It can either be member or viewer. |
- Request Example:
POST /scim/Roles
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Role"],
"name": "Sample custom role",
"description": "A sample custom role for example",
"permissions": [
{
"name": "project:update"
}
],
"inheritedFrom": "member"
}
- Response Example:
(Status 201)
{
"description": "A sample custom role for example",
"id": "Um9sZTo3",
"inheritedFrom": "member", // indicates the predefined role
"meta": {
"resourceType": "Role",
"created": "2023-11-20T23:10:14Z",
"lastModified": "2023-11-20T23:31:23Z",
"location": "Roles/Um9sZTo3"
},
"name": "Sample custom role",
"organizationID": "T3JnYW5pemF0aW9uOjE0ODQ1OA==",
"permissions": [
{
"name": "artifact:read",
"isInherited": true // inherited from member predefined role
},
...
...
{
"name": "project:update",
"isInherited": false // custom permission added by admin
}
],
"schemas": [
""
]
}
Delete custom role
- Endpoint:
<host-url>/scim/Roles/{id} - Method: DELETE
- Description: Delete a custom role in the W&B organization. Use it with caution. The predefined role from which the custom role inherited is now assigned to all users that were assigned the custom role before the operation.
- Request Example:
DELETE /scim/Roles/abc
Feedback
Was this page helpful?
Glad to hear it! If you have more to say, please let us know.
Sorry to hear that. Please tell us how we can improve.