HPE GreenLake SCIM User and Group Management

This page provides an introduction and quick start guide for the SCIM User and Group Management API:

• Overview—See a high-level description of the API.
• Developer guide—Review a quick start guide that helps you get started with the API.

Overview

The HPE GreenLake SCIM User and Group Management API provides standardized user and group management operations compliant with SCIM (System for Cross-domain Identity Management) 2.0 specifications. This API enables you to automate identity lifecycle management, synchronize user data across systems, and maintain group memberships throughout your HPE GreenLake cloud environment.

System for Cross-domain Identity Management (SCIM) is an open standard that enables the secure automation of user and group data between a company's cloud applications and a service provider. You can create an external SCIM integration to synchronize users and groups between your identity provider and an organization in HPE GreenLake cloud.

When you configure a SCIM integration for your organization, users and user groups are created and managed in the organization by your IdP. On the platform, workspace administrators manage role assignments for integration users and user groups but cannot do any of the following:

• Create, update, and delete users for the domain associated with the integration
• Add or remove user groups or change the membership of user groups created through the integration

Once users or user groups are added to the organization through an integration, the workspace administrator assigns roles to these users and user groups in specific workspaces.

Features

• Create, read, update, and delete user accounts with SCIM 2.0 compliance
• Manage user groups and group memberships
• List users assigned to specific groups and groups assigned to users
• HPE GreenLake-specific extensions for enhanced user and group metadata
• Support for POSIX user extensions

Use cases

• Identity provisioning automation—Create and configure user accounts when new employees join, ensuring consistent access across all HPE GreenLake services
• Group-based access management—Organize users into groups based on roles, departments, projects, and so on to streamline permission management and maintain security boundaries
• Directory synchronization—Synchronize user and group information between external identity providers and HPE GreenLake

What's new

Date: 2025-08-18

Initial public release of the HPE GreenLake SCIM User and Group Management API.

View the Changelog for more information

Related documentation

• SCIM Definitions, Overview, Concepts and Requirements
• SCIM Core Schema
• SCIM Protocol
• HPE GreenLake Cloud User Guide: Organization Governance
• JSON Web Token Best Current Practices

Developer guide

This section covers authentication, permissions, and practical examples for implementing user and group management using the SCIM API.

Prerequisites

Endpoints

Endpoints are the host URLs to which you will submit your API requests. To access HPE GreenLake SCIM User and Group Management APIs, use the unified API:

• https://global.api.greenlake.hpe.com

URIs

• /identity/v2beta1/scim/v2/Users
• /identity/v2beta1/scim/v2/Users/{userId}
• /identity/v2beta1/scim/v2/Groups
• /identity/v2beta1/scim/v2/Groups/{groupId}
• /identity/v2beta1/scim/v2/extensions/Groups/{groupId}/users
• /identity/v2beta1/scim/v2/extensions/Users/{userId}/groups

Getting an access token

You must create a personal API client and generate an access token to make API calls. HPE GreenLake APIs use OAuth-based access tokens used as an authorization bearer token. To do this:

1. Create a personal API client.
   • Select the HPE GreenLake Cloud Platform service.
2. Generate an access token.
   • View code samples for generating an access token.
3. Use the access token as an authorization bearer token to make secure REST API calls.

Access and permissions

:::info Learn more about configuring roles and permissions in the HPE GreenLake Cloud User Guide. :::

Rate limits

Group management:

User management:

Group extensions:

User extensions:

Making it all work

This section provides examples of creating users and explains SCIM attributes, HPE GreenLake extensions, and POSIX user attributes.

Creating a new user with SCIM attributes

Use the POST /identity/v2beta1/scim/v2/Users endpoint to create a new user account with required SCIM attributes and HPE GreenLake extensions.

To learn more about the SCIM attributes and extensions, see Understanding SCIM.

Example request body:

{
  "schemas": "urn:ietf:params:scim:schemas:core:2.0:User",
  "userName": "abc@xyz.com",
  "displayName": "Barbara Jensen",
  "urn:ietf:params:scim:schemas:extensions:hpe-greenlake:2.0:User": {
    "countryCode": "US"
  },
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "emails": [
    {
      "primary": true,
      "value": "abc@xyz.com"
   }
  ]
}

Sample API response:

{
  "schemas": "urn:ietf:params:scim:schemas:core:2.0:User",
  "id": "00gs3w909WxZ4CIjl356",
  "active": false,
  "userName": "abc@xyz.com",
  "displayName": "Joe Smith",
  "meta": {
    "created": "string",
    "lastModified": "string",
    "lastLogin": "string",
    "location": "string",
    "resourceType": "User",
    "version": "string"
  },
  "urn:ietf:params:scim:schemas:extensions:hpe-greenlake:2.0:User": {
    "status": "STAGED",
    "countryCode": "US",
    "primaryEmailVerified": true,
    "hpe_principal": "user:448ebfdb-7bc9-402f-9eb0-f9a86c06ca5a",
    "source": "Local",
    "sourceInstance": "organization UUID"
  },
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "emails": [
    {
      "primary": true,
      "value": "abc@xyz.com"
    }
  ]
}

Understanding SCIM

SCIM (System for Cross-domain Identity Management) schemas define the attributes and structure of resources like users and groups in identity management systems. These schemas provide a standardized way to represent identity data, enabling interoperability between different systems and services.

A SCIM schema consists of:

• A unique identifier (URI)
• A set of attribute definitions
• Metadata about the resource type

SCIM schemas allow organizations to:

• Consistently represent user identity data across systems.
• Automate user provisioning and deprovisioning.
• Enable secure identity synchronization between applications.
• Support cloud-based identity management solutions.

For more information, see the SCIM 2.0 documentation.

HPE GreenLake implements extensions to the SCIM schemas.

Example HPE SCIM schemas:

{
    "Resources": [
        {
            "schemas": "urn:ietf:params:scim:schemas:core:2.0:User",
            "id": "00gs3w909WxZ4CIjl356",
            "active": false,
            "userName": "abc@xyz.com",
            "displayName": "Joe Smith",
            "meta": {
                "created": "string",
                "lastModified": "string",
                "lastLogin": "string",
                "location": "string",
                "resourceType": "User",
                "version": "string"
            },
            "urn:ietf:params:scim:schemas:extensions:hpe-greenlake:2.0:User": {
                "status": "STAGED",
                "countryCode": "US",
                "primaryEmailVerified": true,
                "hpe_principal": "user:448ebfdb-7bc9-402f-9eb0-f9a86c06ca5a",
                "source": "Local",
                "sourceInstance": "organization UUID"
            },
            "name": {
                "familyName": "Smith",
                "givenName": "Joe"
            },
            "emails": [
                {
                    "primary": true,
                    "value": "abc@xyz.com"
                }
            ]
        }
    ]
}

{
  "Resources": [
    {
      "schemas": "urn:ietf:params:scim:schemas:core:2.0:Group",
      "id": "00gs3w909WxZ4CIjl356",
      "displayName": "Sales Group",
      "meta": {
        "created": "string",
        "lastModified": "string",
        "location": "string",
        "resourceType": "Group"
      },
      "urn:ietf:params:scim:schemas:extensions:hpe-greenlake:2.0:Group": {
        "hpe_principal": "user-group:448ebfdb-7bc9-402f-9eb0-f9a86c06ca5a",
        "groupDescription": "Office users",
        "source": "Local",
        "sourceInstance": "organization UUID"
      }
    }
  ]
}
  

Creating a user with SCIM and POSIX attributes

Use the POST /identity/v2beta1/scim/v2/Users endpoint to create a new user account with required SCIM attributes and POSIX-user attributes relevant to POSIX-compliant systems. To learn more, see Understanding POSIX.

Sample request body:

{
  "schemas": "urn:ietf:params:scim:schemas:core:2.0:User",
  "userName": "abc@xyz.com",
  "displayName": "Barbara Jensen",
  "urn:ietf:params:scim:schemas:extensions:hpe-greenlake:2.0:User": {
    "countryCode": "US"
  },
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "emails": [
    {
      "primary": true,
      "value": "abc@xyz.com"
    }
  ]
}

Sample API response:

{
  "schemas": "urn:ietf:params:scim:schemas:core:2.0:User",
  "id": "00gs3w909WxZ4CIjl356",
  "active": false,
  "userName": "abc@xyz.com",
  "displayName": "Barbara Jensen",
  "meta": {
    "created": "string",
    "lastModified": "string",
    "lastLogin": "string",
    "location": "string",
    "resourceType": "User",
    "version": "string"
  },
  "urn:ietf:params:scim:schemas:extensions:hpe-greenlake:2.0:User": {
    "status": "STAGED",
    "countryCode": "US",
    "primaryEmailVerified": true,
    "hpe_principal": "user:448ebfdb-7bc9-402f-9eb0-f9a86c06ca5a",
    "source": "Local",
    "sourceInstance": "organization UUID"
  },
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "emails": [
    {
      "primary": true,
      "value": "abc@xyz.com"
    }
  ],
  "urn:ietf:params:scim:schemas:extensions:hpe-greenlake:2.0:posix:User": {
    "uid": 1001,
    "userName": "jdoe",
    "gid": 2001,
    "homeDirectory": "/home/jdoe",
    "shell": "/bin/bash"
  }
}

Understanding POSIX

POSIX (Portable Operating System Interface) is a family of standards specified by the IEEE to maintain compatibility between different operating systems. It defines the API, command line shells, and utility interfaces for software compatibility with variants of Unix and other operating systems.

The POSIX user extension provides essential attributes needed for user accounts on POSIX-compliant systems. This extension is used when:

• Provisioning users to Linux/Unix servers or containers.
• Integrating with file systems that require numeric user or group IDs.
• Managing SSH access or shell accounts.
• Synchronizing with LDAP directories that include POSIX attributes.

The POSIX extension contains:

• uid—A numeric identifier for the user account (User ID).
• userName—The login name for the user.
• gid—The primary group identifier (Group ID) for the user.
• homeDirectory—The user's home directory path, for example, /home/username.
• shell—The user's default command shell, for example, /bin/bash.

An example of a POSIX user schema:

{
  "urn:ietf:params:scim:schemas:extensions:hpe-greenlake:2.0:posix:User": {
    "uid": 1001,
    "userName": "jdoe",
    "gid": 2001,
    "homeDirectory": "/home/jdoe",
    "shell": "/bin/bash"
  }
}

Understanding strongly claimed domains

To enable the SCIM integration features, it is necessary to configure a strongly claimed domain in the organization.

• GreenLake provides a TXT record that the user puts into their DNS records that GreenLake can validate automatically.
• Once validated, the organization has claimed the domain.

For more details, see Claiming a domain.