This tutorial will walk you through some common procedures for managing users via our SCIM API. The SCIM API allows you to view, create, update, and delete users and groups programmatically, outside of the User management UI.
Requirements
Before using this tutorial, we recommend you read:
- The requirements for automated user management and using the SCIM API.
- Important user management concepts
- The primary SCIM API reference
Other related resources:
- Some SCIM 2.0 RFC documents from the Internet Engineering Task Force that are most relevant: RFC 7643 - SCIM Core Resources and Extensions, RFC 7643 - JSON Representation, and RFC 7644 - SCIM Protocol.
Overview
This tutorial shows you how to accomplish some of the most common tasks needed for adding users to New Relic from an identity provider service and managing them from there. It is meant to supplement our primary SCIM API resource.
Note that using automated user management means that your groups of users are imported into New Relic. This means that you can't use our user management UI to add users to groups. The groups are created and managed from your identity provider side.
Once you're done with getting your user groups into New Relic, you must use our Access management UI to give those groups access to roles and accounts. For more information, see user management concepts.
Configure your authentication domain for SCIM
Before you can use the SCIM API, you must first enable SCIM for your authentication domain. Note that the API access token is displayed only once after you save the configuration, so save it somewhere safe for later user.
Tip
If you need to view a bearer token later, the only way to do this is to generate a new one, and that will invalidate the old one and any integrations using the old token.
Create users and user groups in your system
The SCIM API is typically used by scripts for importing users and groups into New Relic from a database or a third-party identity provider that doesn't have pre-configured configs for New Relic.
If you want to use the SCIM API custom application or for ad-hoc requests, proceed to learn how to connect to the SCIM API.
Connect to the SCIM API
The SCIM API is available at https://scim-provisioning.service.newrelic.com/scim/v2 and this URL is viewable in the authentication domain settings page. To access the SCIM API, your client must include a bearer token with each request. The token is displayed after saving your Authentication Domain configuration.
If you're using a third-party identity provider, configure it to use Bearer token authorization and plug in your API access token. Refer to your identity provider's documentation for help configuring this. Once configured, you're all set to import users and groups.
Rather than reading the entire SCIM protocol RFCs, there are three specific sections you may find valuable: See RFC 7643 - SCIM Core Resources and Extensions and RFC 7643 - JSON Representation for the specifics. Refer to RFC 7644 - SCIM Protocol for more information about the protocol used in this tutorial.
For all requests to the SCIM API, you must provide the bearer token in an Authorization header. Here's an example with curl:
$curl -X 'GET' -H 'Accept: application/json' -H "Authorization: Bearer $TOKEN" 'https://scim-provisioning.service.newrelic.com/scim/v2/Users'Any request in the rest of this tutorial will receive a 401 Unauthorized response if the API access token is missing or invalid.
Example response:
Create users in your authentication domain
You can use the SCIM API to send a POST request to /scim/v2/Users to create a user. The following user attributes are required:
userNameThis identifier must be unique within an authentication domain. Use the user's email address.emailsSame asuserName. The email address of the user. (Despite it being calledemails, for this procedure enter only one.)activeBoolean indicating whether or not the user should be active or inactive within New Relic.
We recommend providing the following attributes for the best user experience:
name.givenNameThe user's first or given name.name.familyNameThe user's last or family name.timezoneThe user's time zone in IANA Time Zone database format.
$curl -X 'POST' -H 'Content-Type: application/json' -H "Authorization: Bearer $TOKEN" 'https://scim-provisioning.service.newrelic.com/scim/v2/Users' --data-binary @- <<EOF${$ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],$ "userName": "bjensen@example.com",$ "name": {$ "familyName": "Jensen",$ "givenName": "Barbara"$ },$ "emails": [$ {$ "primary": true,$ "value": "bjensen@example.com"$ }$ ],$ "active": true,$ "timezone": "America/Los_Angeles"$}$EOFImportant
Take note of the returned user id. To update a user in the future you'll need to supply the same ID with the request.
Example responses
Create groups in your authentication domain
You can use the SCIM API to send a POST request to /scim/v2/Groups to create a group. The only group attribute required is:
displayNameThe group name.
$curl -X 'POST' -H 'Content-Type: application/json' -H "Authorization: Bearer $YOUR_TOKEN" 'https://scim-provisioning.service.newrelic.com/scim/v2/Groups' --data-binary @- <<EOF${$ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],$ "displayName": "Example Group"$}$EOFImportant
Take note of the returned group id. To update a group or its members in the future you will need to supply the same ID with the request.
Example responses
View users and groups in your authentication domain
After you've created some users and groups you'll see them in the User management UI. You can also retrieve them from the SCIM API.
In this tutorial, you'll be searching for specific users and groups, but that's not the only way to view users and groups. Refer to the SCIM API reference and RFC 7644 for all the available query options.
To retrieve a user by email, send a GET request to /scim/v2/Users with a filter query parameter. The filter parameter must be URL encoded.
$curl -X 'GET' -H 'Accept: application/json' -H "Authorization: Bearer $YOUR_TOKEN" 'https://scim-provisioning.service.newrelic.com/scim/v2/Users' --get --data-urlencode 'filter=userName eq "bjensen@example.com"'Example response:
Similarly, send a GET request to /scim/v2/Groups with a filter query parameter to retrieve a group by name.
$curl -X 'GET' -H 'Accept: application/json' -H "Authorization: Bearer $YOUR_TOKEN" 'https://scim-provisioning.service.newrelic.com/scim/v2/Groups' --get --data-urlencode 'filter=displayName eq "Example Group"'Example response:
Update a user's attributes
The SCIM API supports both PUT and PATCH methods for updating users. Refer to the SCIM API supported actions and RFC 7644 for details on using PATCH. This tutorial demonstrates updating a user's attributes with the PUT method.
New Relic does not require all user attributes be included in the request body, only the attributes you want to update are necessary. Send a PUT request to /scim/v2/Users/${ID} to update the user.
$curl -X 'PUT' -H 'Content-Type: application/json' -H "Authorization: Bearer $YOUR_TOKEN" 'https://scim-provisioning.service.newrelic.com/scim/v2/Users/5a1d580f-323c-450c-8c62-479b5c9085d6' --data-binary @- <<EOF${$ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],$ "timezone": "America/Chicago"$}$EOFExample responses
Update a group's members
The SCIM API supports both PUT and PATCH methods for updating groups. This tutorial will show how to update a group's members with the PATCH method. Refer to the SCIM API supported actions and RFC 7644 for details on using PUT.
PATCH is convenient for adding or removing group members without needing to specify the full member list in the request. To add a user to a group, use the following operation parameters:
opset toAddpathset tomembersvalueset to a list of{"value": "${USER_ID}"}with each user ID to add to the group
Send a PATCH request to /scim/v2/Groups/${ID} to update group members.
$curl -X 'PATCH' -H 'Content-Type: application/json' -H "Authorization: Bearer $YOUR_TOKEN" 'https://scim-provisioning.service.newrelic.com/scim/v2/Groups/df2b9a04-0426-4a3e-bf5f-54d5341f4e5b' --data-binary @- <<EOF${$ "schemas": [$ "urn:ietf:params:scim:api:messages:2.0:PatchOp"$ ],$ "Operations": [{$ "op": "Add",$ "path": "members",$ "value": [{$ "value": "5a1d580f-323c-450c-8c62-479b5c9085d6"$ }]$ }]$}$EOFExample response:
To remove a user from a group, use the following operation parameters:
opset toRemovepathset tomembersvalueset to a list of{"value": "${USER_ID}"}with each user ID to remove from the group
$curl -X 'PATCH' -H 'Accept: application/json' -H "Authorization: Bearer $YOUR_TOKEN" 'https://scim-provisioning.service.newrelic.com/scim/v2/Groups/df2b9a04-0426-4a3e-bf5f-54d5341f4e5b' --data-binary @- <<EOF${$ "schemas": [$ "urn:ietf:params:scim:api:messages:2.0:PatchOp"$ ],$ "Operations": [{$ "op": "Remove",$ "path": "members",$ "value": [{$ "value": "5a1d580f-323c-450c-8c62-479b5c9085d6"$ }]$ }]$}$EOFExample response:
Delete users and groups
To remove a user from an authentication domain, send a DELETE request to /scim/v2/Users/${ID}.
$curl -X 'DELETE' -H 'Accept: application/json' -H "Authorization: Bearer $YOUR_TOKEN" 'https://scim-provisioning.service.newrelic.com/scim/v2/Users/d0f4d8e3-5413-4894-a8f9-de709994e18c'Example response:
204 No ContentSimilarly, to remove a group from your authentication domain, send a DELETE request to /scim/v2/Groups/${ID}.
$curl -X 'DELETE' -H 'Accept: application/json' -H "Authorization: Bearer $YOUR_TOKEN" 'https://scim-provisioning.service.newrelic.com/scim/v2/Groups/df2b9a04-0426-4a3e-bf5f-54d5341f4e5b'Example response:
204 No ContentNext steps
Once your integration is complete, potential next steps include:
- Your New Relic users will by default start out as basic users and you have the option to upgrade them. For more information, see Manage user type.
- Set up SAML SSO.
- Once your user groups are in New Relic, you'll need to assign them specific roles and specific accounts. Learn more about how user access works.
Optional: Manage user type
Once your SCIM API integration is complete, all users brought into New Relic start out as basic users. You can use our default method for managing user type, which is using the User management UI. Optionally, you can use our SCIM API instead. To do this, you can set update your authentication domain configuration to Delegate control of user type to your identity provider or custom application.
The user's type attribute is defined in the custom schema urn:ietf:params:scim:schemas:extension:newrelic:2.0:User. Include this schema and the nrUserType string attribute in your create or update request to set a user's type.
Valid values for nrUserType include, which all are case sensitive:
Full UserCore UserBasic User
To create a new Basic User send a POST request /scim/v2/Users and include the custom New Relic schema extension:
$curl -X 'POST' -H 'Content-Type: application/json' -H "Authorization: Bearer $YOUR_TOKEN" 'https://scim-provisioning.service.newrelic.com/scim/v2/Users' --data-binary @- <<EOF${$ "schemas": [$ "urn:ietf:params:scim:schemas:core:2.0:User",$ "urn:ietf:params:scim:schemas:extension:newrelic:2.0:User"$ ],$ "userName": "jbenson@example.com",$ "name": {$ "givenName": "James",$ "familyName": "Benson"$ },$ "emails": [{$ "primary": true,$ "value": "jbenson@example.com",$ "type": "work"$ }],$ "active": true,$ "timezone": "America/Chicago",$ "urn:ietf:params:scim:schemas:extension:newrelic:2.0:User": {$ "nrUserType": "Basic User"$ }$}$EOFExample responses
To update a user's type, send a PUT request scim/v2/Users/${ID} and include the custom New Relic schema extension:
$curl -X 'PUT' -H 'Content-Type: application/json' -H "Authorization: Bearer $YOUR_TOKEN" 'https://scim-provisioning.service.newrelic.com/scim/v2/Users' --data-binary @- <<EOF${$ "schemas": [$ "urn:ietf:params:scim:schemas:core:2.0:User",$ "urn:ietf:params:scim:schemas:extension:newrelic:2.0:User"$ ],$ "urn:ietf:params:scim:schemas:extension:newrelic:2.0:User": {$ "nrUserType": "Full User"$ }$}$EOF