# Overview

> Learn about the SCIM extension schema for BloodHound, representing SCIM-provisioned users, groups, and roles in the graph.

<img noZoom src="https://mintcdn.com/specterops-bp-2735-release-notes/2djt2Sp9UeFPjBFr/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=2djt2Sp9UeFPjBFr&q=85&s=a791748158fde5ff3b3b82b51497ab39" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

The SCIM (System for Cross-domain Identity Management) protocol is used by various cloud identity providers (IdPs), such as Okta or Entra ID, to provision user accounts and groups to and from applications.

This OpenGraph extension schema allows BloodHound to represent SCIM-provisioned users and groups as nodes in the graph. By modeling SCIM as a shared, technology-neutral layer, BloodHound avoids the need to introduce technology-specific edges for each integration (such as Okta+GitHub, Entra+GitHub, or Entra+Salesforce).

<Frame>
  <img src="https://mintcdn.com/specterops-bp-2735-release-notes/JRxjxGtPjT-Lu7sy/images/extensions/scim/scim-example.png?fit=max&auto=format&n=JRxjxGtPjT-Lu7sy&q=85&s=0bca2557e1c6daa90055c46b7c017403" alt="SCIM_Users of a SCIM_Group combined to a GH_EnterpriseTeam" width="2560" height="1351" data-path="images/extensions/scim/scim-example.png" />
</Frame>

<Note>
  The SCIM extension is a **schema-only** extension — it does not include a collector. SCIM nodes and edges are produced by other collectors such as the [OpenHound Okta and GitHub collectors](/openhound/overview#collectors). Even in BloodHound Enterprise tenants where GitHub and Okta are supported as built-in extensions, you must still upload the SCIM extension schema separately.
</Note>

## Graph Model

The SCIM extension defines a small, focused model with four node types and five edge types. See the [extension schema](/opengraph/extensions/scim/schema) for the full details.

A **SCIM\_Organization** represents a tenant in the identity provider and acts as the top-level container. It **contains** the three other node types: **SCIM\_User** (a user account provisioned via SCIM), **SCIM\_Group** (a group provisioned via SCIM), and **SCIM\_Role** (a role that can be assigned to users).

Users and groups can be **members of** groups, and users can be **assigned to** roles. A user can also be marked as the **manager of** another user.

The key edge that ties SCIM to other extensions is **SCIM\_Provisioned**, which connects a SCIM resource to a node in another extension's graph — for example, linking an Okta user (via SCIM) to the corresponding GitHub user.
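The following added example (not part of BloodHound or the SCIM extension) walks a constructed graph from a SCIM user through nested group membership to the downstream nodes reached over `SCIM_Provisioned`, which is the kind of access review the shared layer makes possible. The node IDs, the `member_of` label (a placeholder for the schema's real membership edge kind), and the edge directions are assumptions.

```python
from collections import deque

# Constructed sample edges: (source, edge kind, target).
# Node kinds in the IDs and the SCIM_Provisioned edge come from the page;
# "member_of" is a placeholder label and the directions are assumed.
EDGES = [
    ("SCIM_User:alice", "member_of", "SCIM_Group:platform-eng"),
    ("SCIM_Group:platform-eng", "member_of", "SCIM_Group:engineering"),  # nested
    ("SCIM_User:bob", "member_of", "SCIM_Group:engineering"),
    ("SCIM_Group:engineering", "SCIM_Provisioned", "GH_EnterpriseTeam:eng"),
]


def provisioned_targets(start, edges):
    """Map each downstream node reachable from `start` to the shortest path
    that reaches it: zero or more membership hops, then one SCIM_Provisioned."""
    outgoing = {}
    for src, kind, dst in edges:
        outgoing.setdefault(src, []).append((kind, dst))

    found = {}
    seen = {start}              # guards against cyclic group nesting
    queue = deque([[start]])    # breadth-first, so first hit is shortest
    while queue:
        path = queue.popleft()
        for kind, dst in outgoing.get(path[-1], []):
            if kind == "SCIM_Provisioned":
                found.setdefault(dst, path + [dst])
            elif kind == "member_of" and dst not in seen:
                seen.add(dst)
                queue.append(path + [dst])
    return found


if __name__ == "__main__":
    for user in ("SCIM_User:alice", "SCIM_User:bob"):
        for target, path in provisioned_targets(user, EDGES).items():
            print(f"{user} reaches {target} via {' -> '.join(path)}")
```

Because the traversal only depends on the SCIM layer, the same function works whichever identity provider or application produced the nodes on either side of `SCIM_Provisioned`.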

## Getting Started

1. Download the SCIM extension schema from the [bloodhound-scim-extension](https://github.com/SpecterOps/bloodhound-scim-extension) repository.

2. Upload the SCIM schema to your BloodHound instance alongside the extension schemas for the collectors you are using (for example, Okta or GitHub).

   In BloodHound Enterprise v9.3.0 and later, some extensions (such as GitHub, Jamf, and Okta) are pre-installed. Verify that these are installed before you upload the SCIM companion schema.

3. Run the relevant collectors — they will produce SCIM nodes and edges automatically.

## References

* [SCIM Extension Schema (GitHub)](https://github.com/SpecterOps/bloodhound-scim-extension)
* [Okta Extension](/opengraph/extensions/okta/overview)
* [GitHub Extension](/opengraph/extensions/github/overview)
* [SCIM Schema Reference](/opengraph/extensions/scim/schema)
