---
title: How SCIM works with Label Studio Enterprise
short: SCIM workflows and API
tier: enterprise
type: guide
order: 0
order_enterprise: 390
meta_title: How SCIM works with Label Studio Enterprise
meta_description: A description of SCIM workflows and entities
section: "Manage Your Organization"
parent: "scim_setup"
parent_enterprise: "scim_setup"
System for Cross-domain Identity Management (SCIM) is an open standard for automating the exchange of user identity information between identity domains or IT systems. SCIM is designed to make user management in cloud-based applications and services easier and more efficient, reducing the time and resources required for user administration.
For organizations using Label Studio Enterprise, SCIM provides a streamlined approach to managing user identities and access permissions. By integrating SCIM, administrators can automate the provisioning and deprovisioning of users, synchronize user data across systems, and ensure that the right individuals have access to the necessary resources within Label Studio Enterprise.
You can use SCIM to do the following:
Map groups to user roles
Note that groups are defined in the IdP, not Label Studio. However, the group to role mapping is defined in Label Studio.
You can use SCIM with Label Studio to control and interact with two entities: Users and Groups.
!!! note
Our API uses the django-scim2 library.
GET /scim/v2/Users?filter=userName =<user@email.com>&startIndex=1&count=100
200 response if user exists404 if notGET /scim/v2/Users/user@email.comCreate user: POST /scim/v2/Users/
This will also require a payload that includes user information such as email and password.
Modify group members: PUT /scim/v2/Groups/<group-name>
Example:json { "BODY": { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], "id": "<group-name>", "displayName": "<group-name>", "members": [ { "value": "<user@email.com>", "display": "<user@email.com>" } ] } }
Create group: POST /scim/v2/Groups/<group-name>
GET /scim/v2/Groups/<group-name>These settings can also be configured in the Label Studio app from the Organization > SCIM page. From here you can map groups to user roles and map groups to workspaces (see below).
GET /api/scim/settingsPOST /api/scim/settingsYou can assign roles to users through group mapping. Use the Update SCIM settings API or log in to Label Studio and go to the Organization page. Click SCIM in the upper right.
These roles can be Annotator, Reviewer, Manager, or Administrator.
Each group can only be mapped to one role at the organization level. For more information about what permissions each role has, see Roles in Label Studio Enterprise.
You can also assign a group to the Deactivated role, which would revoke their Label Studio access.
For more granular control, you can assign project-level roles to a group.
These roles can be Annotator, Reviewer, or Inherit (meaning they inherit their organization-level role).
Unlike organization-level roles, a group can be assigned to multiple roles across multiple projects. For example, Group A can be Annotators in Project 1 and Reviewers in Project 2.
You can also use SCIM to assign user groups to a workspace, or create a new workspace if one does not already exist.
When you assign a group to a workspace, they are added as workspace members. This means that by default, they will have access to any projects within that workspace.
Their permissions for those projects will depend on their organization-level role. However, you can override this by using SCIM to assign a project-level role (see above).