SCIM Enterprise
System for Cross-domain Identity Management (SCIM) allows you to integrate identity providers (IdPs) with Dremio for external user management. When properly configured, IdPs send the credentials of assigned users securely via SCIM to your Dremio organization, automatically creating new user accounts if needed. These new users, also referred to as external users, may then log in to Dremio according to the policies set by your credential manager.
You cannot reset or change an external user's email address or password from Dremio because these tasks are governed by your organization's credential manager. If you delete an external user from Dremio, the IdP automatically re-adds the user's account the next time that user attempts to log in. To properly revoke access to Dremio, follow the steps for Microsoft Entra ID or Okta.
Rate Limits
To provide a consistent experience, Dremio uses rate limits for SCIM provisioning requests.
If a SCIM provisioning request is rejected due to rate limits, Dremio sends the HTTP status code 429 Too Many Requests. Dremio does not send a retry-after response header with 429 responses.
Organization-Wide Rate Limits
| Request Type | Limit (Requests per Minute) |
|---|---|
| Writes (POST, PUT, PATCH, DELETE) | 600 |
| Reads (GET) | 1000 |
User and Group Rate Limits
| Request Type | Limit (Requests per Minute) |
|---|---|
| Retrieve a user or group (GET) | 300 |
| Create, update, or delete a user or group (POST, PUT, PATCH, DELETE) | 180 |
Concurrency Limits
Dremio allows one update to a user or group at a time. While the update is in progress, Dremio locks the user or group and rejects concurrent requests to update the same user or group.
Configure Microsoft Entra ID with SCIM
You can use Microsoft Entra ID (formerly Azure Active Directory) to securely provision external users in Dremio with SCIM. SCIM provisioning with Entra ID allows you to create user accounts in Dremio, update user attributes in Dremio, deactivate Dremio user accounts, and create roles in Dremio based on Entra ID groups.
Read Configure SCIM Provisioning with Microsoft Entra ID for more information and instructions.
Configure Okta with SCIM
Dremio supports the Okta SCIM provisioning feature, which allows you to automatically create Dremio user accounts if they do not already exist, update user attributes in Dremio, and deactivate user accounts, all from Okta.
Before you can configure Okta SCIM provisioning, you must configure Okta as an IdP in Dremio. Follow the instructions in Configure Okta as an Identity Provider to integrate the Dremio Cloud application in your Okta organization and add Okta as an OpenID Connect (OIDC) IdP in Dremio.
After you configure Okta as an IdP, you can configure Okta to use SCIM for secure user provisioning.