> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Overview

> Learn about the SCIM extension schema for BloodHound, representing SCIM-provisioned users, groups, and roles in the graph.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

The SCIM (System for Cross-domain Identity Management) protocol is used by various cloud identity providers (IdPs), such as Okta or Entra ID, to provision user accounts and groups to and from applications.

This OpenGraph extension schema allows BloodHound to represent SCIM-provisioned users and groups as nodes in the graph. By modeling SCIM as a shared, technology-neutral layer, BloodHound avoids the need to introduce technology-specific edges for each integration (such as Okta+GitHub, Entra+GitHub, or Entra+SalesForce).

<Frame>
  <img src="https://mintcdn.com/specterops/W4zca1jfW6ghta4N/images/extensions/scim/scim-example.png?fit=max&auto=format&n=W4zca1jfW6ghta4N&q=85&s=8c2af87f12d956c300d50eddfac00966" alt="SCIM_Users of a SCIM_Group combined to a GH_EnterpriseTeam" width="2560" height="1351" data-path="images/extensions/scim/scim-example.png" />
</Frame>

<Note>
  The SCIM extension is a **schema-only** extension — it does not include a collector. SCIM nodes and edges are produced by other collectors such as the [OpenHound Okta and GitHub collectors](/openhound/overview#collectors). Upload the SCIM extension schema alongside the schemas for those platforms.
</Note>

## Graph Model

The SCIM extension defines a small, focused model with four node types and five edge types. See the [extension schema](/opengraph/extensions/scim/schema) for the full details.

An **SCIM\_Organization** represents a tenant in the identity provider and acts as the top-level container. It **contains** the three other node types: **SCIM\_User** (a user account provisioned via SCIM), **SCIM\_Group** (a group provisioned via SCIM), and **SCIM\_Role** (a role that can be assigned to users).

Users and groups can be **members of** groups, and users can be **assigned to** roles. A user can also be marked as the **manager of** another user.

The key edge that ties SCIM to other extensions is **SCIM\_Provisioned**, which connects a SCIM resource to a node in another extension's graph — for example, linking an Okta user (via SCIM) to the corresponding GitHub user.

## Getting Started

1. Download the SCIM extension schema from the [bloodhound-scim-extension](https://github.com/SpecterOps/bloodhound-scim-extension) repository.
2. Upload the schema to your BloodHound instance alongside the extension schemas for the collectors you are using (e.g., Okta, GitHub).
3. Run the relevant collectors — they will produce SCIM nodes and edges automatically.

## References

* [SCIM Extension Schema (GitHub)](https://github.com/SpecterOps/bloodhound-scim-extension)
* [Okta Extension](/opengraph/extensions/okta/overview)
* [GitHub Extension](/opengraph/extensions/github/overview)
* [SCIM Schema Reference](/opengraph/extensions/scim/schema)