Skip to main content
ADMIN RESOURCE

​​​​​​​Best Practices for using SCIM for Admin Management and SCIM for Content Access

  • July 14, 2026
  • 1 reply
  • 34 views

Forum|alt.badge.img+5

Using SCIM for both Admin Management (“Admin SCIM”) and Content Access (“Content SCIM”) creates a synchronized ecosystem where identity, licensing, and collaboration are managed from a single source of truth.

 


The Core Advantage: "Dual-Layer Automation"

While Admin SCIM handles the individual (licensing and hierarchy), Content SCIM handles the workflow (collaboration and documents). Using them together provides:

1. Zero-Touch Onboarding & Offboarding:

A user added to the IdP can instantly receive a license based on their group’s setting (via Admin SCIM) and is auto-joined to their Lucid team hub (via Content SCIM). Upon termination, removing them from the IdP revokes the license and wipes document access simultaneously, closing security gaps.
 

2. Clean Governance

Feature

Admin SCIM (The "Who")

Content SCIM (The "What")

Focus

Licensing

Document & Folder Permissions

Grouping

Organizational Groups (e.g., "Engineering")

Teams (e.g., "Product Launch 2026")

Potential Benefits

  • Accurate cost center tracking
  • Automated license allocation
  • Automated hierarchy mapping
  • Instant collaboration
  • Zero-cost team updates
  • Seamless template sharing

 


Best Practices

  •  Should I manage users in Lucid or my IdP?
    • To keep both applications aligned, use your IdP as the single source of truth and avoid manual user or group management directly within Lucid Software.
      • Use Admin SCIM for organizational groups, and license management workflows.
      • Use Content SCIM for team membership and document sharing workflows.
    • Automate group membership through your IdP to prevent configuration drift and avoid manual user or group management within Lucid Software.
       
  •  Who should be granted a license?
    • We strongly encourage all users that are part of a Team to be granted a license to maximize their ability to use the Team’s content.
       
  • Do I need both applications?
    • Not always. Your configuration depends on your organization's goals.
    • Use SCIM for admin management if you want:
      • Organizational group management which supports:
        • Automated license assignment and removal
        • Automatically assigning users into groups with different security settings
    • Add SCIM for content access if you want:
      • Lucid Teams management which supports:
        • Team-based document sharing workflows
        • Automatic removal of team document access from former employees

 


Keep in Mind

  • If you want to delete or deactivate a user that is synced with both apps, you must delete and deactivate them from both apps.
  • Avoid syncing the same user with conflicting or different attributes between the two apps.
  • If a user is synced only by Content SCIM, they will be in the Default Organizational Group. If a user is synced only by Admin SCIM, then they will not be a member of any Lucid Teams. 


 

Comments

Forum|alt.badge.img

We have an Enterprise license on LucidGov. We are using Okta as our IdP. We have Okta configured for both Admin SCIM and Content SCIM as described in this article. 

 

We’re seeing sync discrepancies, particularly on the Admin SCIM side. (The initial sync was successful, so we believe that the bearer token and configuration is correct.) 

 

Here’s our scenario: 

  • Users A and B are members of the “lucid-users” group in Okta, which is used for Admin SCIM. Users in this group are automatically assigned a license as part of the “lucid-users” Organization.
  • User A is a member of a “lucid-team-A” group in Okta, which is used for Content SCIM. Users in this group are automatically assigned to the “lucid-team-a” Team (in Lucid).
  • User B is a member of the “lucid-team-B” group in Okta, which is used for Content SCIM. Users in this group are automatically assigned to the “lucid-team-b” Team (in Lucid).
  • The “lucid-users” Organization is configured to automatically assign each user a license.
  • The root Organization is configured for manual license assignment.

 

If we remove User B from the “lucid-users” group in Okta, I would expect the following to happen:

  1. User B should still be a member of the “lucid-team-b” Team.
  2. User B should be removed from the “lucid-users” Organization and moved back to the root Organization for my enterprise.
  3. User B’s license should be revoked (based on the Organization settings)
  4. User B may be deactivated? (This is unclear from the article, though I suspect for the user to be deactivated, User B may need to also be removed from all Teams?)

 

What we actually see: No change to User B.

  • Still a member of the “lucid-team-b” Team ← (expected behavior)
  • Still a member of the “lucid-team” Organization ← (!) we believe this is an error
  • Still assigned a license ← (!) we believe this is an error
  • Still active ← (unclear based on documentation)

 

The audit logs do not appear to have sufficient detail to diagnose SCIM sync issues. We have not yet investigated pulling log events from the API. Please advise if this is expected behavior, how we can confirm the behavior via logs, and if we should open a support ticket for further investigation.