SCIM | PRA
Benefits of SCIM integration
BeyondTrust Privileged Remote Access integrates with SCIM (System for Cross-domain Identity Management) to automate user and group provisioning. SCIM keeps accounts in sync with your identity provider, reducing manual administration and ensuring that access updates happen quickly and consistently.
- Automate user and group provisioning from your identity provider.
- Keep account details and permissions in sync automatically.
- Reduce manual account management tasks.
- Revoke access immediately when a user is removed from the identity provider.
How do I access the Security Providers page?
- Use a Chromium-based browser to sign in to your Privileged Remote Access URL. This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
- From the left menu, click Users & Security. The Users page opens and displays by default.
- At the top of the page, click Security Providers. The Security Providers page displays.
Add a security provider
- On the Security providers page, click + Add, and then select SCIM from the list. The Add Security Provider page displays.
- Configure the security provider following the steps below.
SCIM fields
- For SCIM to function, the SCIM API must be enabled on an API account, and the API must be configured on your SCIM provider. API accounts are managed at /login > Management > API Configuration. The base URL to use with the SCIM provider you are connecting with is [host]/api/scim/v2.
- Only one SCIM provider can be created. Once a SCIM provider has been created, the SCIM option is no longer available from the + Add dropdown.
- SCIM user provisioning utilizes SCIM 2.0 User and Group objects. For more information about the SCIM 2.0 standard, see https://scim.cloud/.
- Privileged Remote Access supports SCIM APIs for groups of users. Once you have configured a SCIM provider in /login and configured users and groups in your SCIM solution, PRA reflects the same groups as what is present in your SCIM solution, allowing you to select group policies by SCIM group.
- Name: Create a unique name to help identify this provider.
- Enabled: If checked, your appliance can search this security provider when a user attempts to log in to the access console or /login. If unchecked, this provider will not be searched.
- SCIM user query ID: Select the unique ID that SCIM should use for user queries.
- SCIM group query ID: Select the unique ID that SCIM should use for group queries.
User attribute settings
- Username: The SCIM attribute that contains the user's unique username or login ID.
- E-mail: The SCIM attribute that contains the user's email address.
- Display name: The SCIM attribute that contains the user's display name.
Authorization settings
- Unique ID: Enter the SCIM attribute to use as the user's unique ID within BeyondTrust.
- Default group policy: Each user who authenticates against an external server must be a member of at least one group policy in order to authenticate to your appliance, logging into either the /login interface or the access console. You can select a default group policy to apply to all users allowed to authenticate against the configured server.
If a default policy is defined, then any allowed user who authenticates against this server will potentially have access at the level of this default policy. Therefore, it is recommended that you set the default to a policy with minimum privileges to prevent users from gaining permissions that you do not wish them to have.
If a user is in a default group policy and is then specifically added to another group policy, the settings for the specific policy will always take precedence over the settings for the default, even if the specific policy is a lower priority than the default, and even if the default policy's settings are set to disallow override.
- Click Save at the top of the page.
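The following is an added example, not BeyondTrust code, showing how the settings above fit together: a SCIM 2.0 User and Group resource (constructed samples, in the shape an identity provider posts to [host]/api/scim/v2/Users and /Groups), the mapping from SCIM attributes to the Username, E-mail, Display name and Unique ID fields, the group-to-group-policy lookup, and the default-policy precedence rule (specific policy settings override the default). The attribute names chosen in ATTRIBUTE_MAP, the policy names and the policy settings are assumptions for illustration, not product defaults.

```python
"""Added example (not BeyondTrust code): map SCIM 2.0 User/Group resources to the
PRA attribute settings described on this page and resolve the effective group
policy. Attribute choices, policy names and sample resources are constructed."""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed SCIM resources, shaped like what an identity provider would POST
# to [host]/api/scim/v2/Users and /Groups.
SAMPLE_USER = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "idp-0001",
  "userName": "jdoe@example.com",
  "displayName": "Jane Doe",
  "emails": [{"value": "jdoe@example.com", "primary": true}],
  "active": true
}""")

SAMPLE_GROUP = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
  "displayName": "Helpdesk",
  "members": [{"value": "2819c223-7f76-453a-919d-413861904646", "display": "Jane Doe"}]
}""")

# Mirrors the User attribute / Authorization settings fields: which SCIM
# attribute feeds each PRA field. These choices are assumptions, not product defaults.
ATTRIBUTE_MAP = {
    "username": "userName",
    "email": "emails",        # the primary email value is used
    "display_name": "displayName",
    "unique_id": "externalId",
}


def scim_base_url(host: str) -> str:
    """Base URL to give the SCIM provider, per the page: [host]/api/scim/v2."""
    return f"https://{host.rstrip('/')}/api/scim/v2"


def extract_user(resource: dict, attribute_map: dict = ATTRIBUTE_MAP) -> dict:
    """Pull the PRA user fields out of a SCIM User; reject anything that is not a core User."""
    if SCIM_USER_SCHEMA not in resource.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    out = {}
    for field, attr in attribute_map.items():
        value = resource.get(attr)
        if attr == "emails" and isinstance(value, list):
            primary = [e for e in value if e.get("primary")] or value
            value = primary[0].get("value") if primary else None
        if not value:
            raise ValueError(f"SCIM attribute {attr!r} for {field} is missing or empty")
        out[field] = value
    # active=false is how the IdP signals deprovisioning; access should be revoked.
    out["active"] = bool(resource.get("active", True))
    return out


def groups_for_user(user_id: str, groups: list) -> list:
    """Display names of SCIM Groups whose member list contains the user's SCIM id."""
    names = []
    for g in groups:
        if SCIM_GROUP_SCHEMA not in g.get("schemas", []):
            continue
        if any(m.get("value") == user_id for m in g.get("members", [])):
            names.append(g["displayName"])
    return names


def effective_policy(group_names, group_policy_map, default_policy, policies) -> dict:
    """Start from the default group policy, then let each specifically assigned
    policy override it, as the page describes for default-vs-specific precedence."""
    settings = dict(policies[default_policy]) if default_policy else {}
    for name in group_names:
        policy = group_policy_map.get(name)
        if policy:
            settings.update(policies[policy])
    return settings


# Constructed policies: the default grants minimum privileges, as the page recommends.
POLICIES = {
    "Minimal": {"console_access": False, "admin": False},
    "Helpdesk Policy": {"console_access": True},
}
GROUP_TO_POLICY = {"Helpdesk": "Helpdesk Policy"}

if __name__ == "__main__":
    user = extract_user(SAMPLE_USER)
    groups = groups_for_user(SAMPLE_USER["id"], [SAMPLE_GROUP])
    print(scim_base_url("pra.example.com"))
    print(user, groups, effective_policy(groups, GROUP_TO_POLICY, "Minimal", POLICIES))
```

A user with no matching SCIM group lands only on the default policy, which is why the page recommends a minimum-privilege default; a user in a mapped group gets that policy's settings layered on top.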
Change priority order of security providers
- At the top of the Security providers page, click Change Order.
- Drag and drop security providers to set their priority. You can drag and drop servers within a cluster; clusters can be dragged and dropped as a whole.
- Click Save Order for prioritization changes to take effect.
Disable a security provider
Disable this security provider connection. This is useful for scheduled maintenance, when you want a server to be offline but not deleted.
- On the Security providers page, locate the security provider you want to disable.
- Click the menu icon > Disable.
To re-enable the security provider, click the menu icon > Enable.
View the log for a security provider
View the status history for a security provider connection.
- On the Security providers page, locate the security provider you want to view.
- Click the menu icon > View Log.
Edit a security provider
If you edit the local security provider and select a default policy that does not have administrator permissions, a warning message appears. Ensure other users have administrator permissions before proceeding.
- On the Security providers page, locate the security provider you want to edit from the list.
- Click the edit icon. The Edit security provider page displays.
- Edit the security provider details. The details available are the same as the Add security provider page details.
- Click Save at the top of the page.
Delete a security provider
- On the Security providers page, locate the security provider you want to delete.
- Click the delete icon to delete the security provider.