> ## Documentation Index
> Fetch the complete documentation index at: https://docs.oleria.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SCIM reviewer provisioning

> Provision and deprovision access review reviewers automatically from your identity provider using Oleria's governance SCIM 2.0 endpoint.

Provision and deprovision the reviewers who complete your [access review campaigns](/governance/access-review) automatically from your identity provider (IdP), instead of adding them by hand. Oleria exposes a dedicated governance SCIM 2.0 endpoint, separate from the [workspace SCIM endpoint](/administration/scim-user-provisioning), so your IdP can create and remove reviewers as your directory changes.

Reviewers are the people who receive and act on access review assignments in the reviewer portal. They are a separate population from the administrators, operators, and analysts who operate your Oleria workspace.

## How governance SCIM differs from workspace SCIM

Oleria has two independent SCIM endpoints. Use the one that matches who you are provisioning:

|             | Workspace SCIM                                                   | Governance SCIM                                             |
| :---------- | :--------------------------------------------------------------- | :---------------------------------------------------------- |
| Provisions  | Workspace users (admins, operators, analysts)                    | Access review reviewers                                     |
| Base URL    | `.../scim/v2`                                                    | `.../governance/scim/v2`                                    |
| Credentials | **Main Workspace** tab in **Settings → SCIM Configuration**      | **Governance App** tab in **Settings → SCIM Configuration** |
| Roles       | Multiple RBAC roles, assigned through group membership           | A single `reviewer` role, applied automatically             |
| Reference   | [SCIM user provisioning](/administration/scim-user-provisioning) | This page                                                   |

The authentication flow, request and response formats, and endpoint paths are otherwise identical to the workspace endpoint. This page documents only what is specific to reviewer provisioning. See [SCIM user provisioning](/administration/scim-user-provisioning) for the full request and response reference.

## Prerequisites

* Administrator access to your Oleria workspace.
* Access reviews enabled for your workspace. The **Governance App** SCIM credentials are available only when governance is deployed for your tenant.
* The governance SCIM client credentials, found on the **Governance App** tab in **Settings → SCIM Configuration**.
* A SCIM 2.0 client, such as your IdP's outbound provisioning feature, that can send a bearer token on every request.

## Authenticate to the governance SCIM API

Authenticate exactly as described in [Authenticate to the SCIM API](/administration/scim-user-provisioning#authenticate-to-the-scim-api), with two differences:

* Use the `Client ID`, `Client Secret`, and `OAuth Token URL` from the **Governance App** tab in **Settings → SCIM Configuration**, not the **Main Workspace** tab.
* Send SCIM requests to the governance **SCIM Base URL**, which ends in `/governance/scim/v2` (for example, `https://devx.YOUR_TENANT.oleria.io/governance/scim/v2`).

<Note>
  The **Main Workspace** and **Governance App** tabs issue separate credentials. A token minted with workspace credentials is not valid against the governance endpoint, and vice versa.
</Note>

## The reviewer role

Every user you provision through the governance endpoint is assigned the single `reviewer` role automatically. There is no role selection: unlike the workspace endpoint, you do not assign roles through groups, and you do not need to send a `roles` attribute. Any `roles` value you include in a create, replace, or patch request is ignored.

## Provision a reviewer

Send a `POST` to `/governance/scim/v2/Users` with the reviewer's `userName`, `name`, and `emails`:

```json theme={null}
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "sam@example.com",
  "name": {
    "formatted": "Sam Rivera"
  },
  "emails": [
    {
      "primary": true,
      "value": "sam@example.com"
    }
  ]
}
```

Returns `201 Created`. The `reviewer` role is applied automatically:

```json theme={null}
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "ol_7c9e6f2a-1b3d-4e5f-8a90-2c4d6e8f0a1b",
  "userName": "sam@example.com",
  "name": {
    "formatted": "Sam Rivera"
  },
  "emails": [
    {
      "primary": true,
      "value": "sam@example.com"
    }
  ],
  "active": true,
  "roles": [
    {
      "value": "reviewer"
    }
  ],
  "meta": {
    "resourceType": "User",
    "location": "Users/ol_7c9e6f2a-1b3d-4e5f-8a90-2c4d6e8f0a1b"
  }
}
```

## Manage reviewers

The remaining endpoints behave the same as the workspace endpoints, under the `/governance/scim/v2` base path. See the linked sections for request and response details:

| Action                | Request                                                             | Reference                                                             |
| :-------------------- | :------------------------------------------------------------------ | :-------------------------------------------------------------------- |
| List reviewers        | `GET /governance/scim/v2/Users`                                     | [List users](/administration/scim-user-provisioning#list-users)       |
| Get a reviewer        | `GET /governance/scim/v2/Users/{id}`                                | [Get a user](/administration/scim-user-provisioning#get-a-user)       |
| Update a reviewer     | `PATCH /governance/scim/v2/Users/{id}`                              | [Update a user](/administration/scim-user-provisioning#update-a-user) |
| Deactivate a reviewer | `PATCH /governance/scim/v2/Users/{id}` with `active` set to `false` | [Update a user](/administration/scim-user-provisioning#update-a-user) |
| Delete a reviewer     | `DELETE /governance/scim/v2/Users/{id}`                             | [Delete a user](/administration/scim-user-provisioning#delete-a-user) |

## SCIM specification reference

* [SCIM definitions, overview, and concepts (RFC 7642)](https://www.rfc-editor.org/rfc/rfc7642)
* [SCIM core schema (RFC 7643)](https://www.rfc-editor.org/rfc/rfc7643)
* [SCIM protocol (RFC 7644)](https://www.rfc-editor.org/rfc/rfc7644)

## Contact us

For questions about SCIM provisioning, contact us at [support@oleria.com](mailto:support@oleria.com).
