You know that sinking feeling when someone leaves the team and still has access to every dashboard? That’s the moment you realize identity sync isn’t a nice-to-have, it’s table stakes. Metabase SCIM takes that problem off your plate by letting your identity provider handle user creation and deletion automatically.
Metabase, the open‑source BI platform, focuses on turning databases into clear charts and metrics. SCIM, short for System for Cross‑domain Identity Management, is the open standard that keeps user accounts consistent across apps. Connect them and you get a clean, auditable flow of who belongs where—without anyone manually clicking through admin screens.
When SCIM is integrated, your IdP—Okta, Azure AD, or any OIDC-compliant provider—acts as the source of truth. New hires appear in the right groups instantly. Departing users vanish before their farewell Slack message finishes sending. Permissions sync in near real time, so your data access rules actually match your org chart.
Quick answer: Metabase SCIM automates user provisioning and deprovisioning by syncing identities and roles from your identity provider directly into Metabase. It eliminates manual account management and greatly reduces authorization drift across teams.
Getting it right is mostly about mapping. Each IdP group should mirror a logical role in Metabase: analyst, viewer, admin. Keep the names identical if possible, so you can see at a glance what each mapping controls. Test one group at a time before turning on full provisioning. If you hit errors, check the SCIM endpoint URL and OAuth token scope—90% of sync failures come down to typos or expired secrets.
A few best practices worth repeating:
- Rotate SCIM tokens quarterly and log every sync event for SOC 2 visibility.
- Keep dashboards tied to group permissions, never individuals.
- Run a dry‑run import with a handful of accounts to confirm attributes like email and department map correctly.
- Use your IdP’s audit tool to verify that removals instantly reflect in Metabase.
- Document your group mapping once, then automate it with infrastructure as code.
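One way to check the documented group mapping and IdP removals against what SCIM actually reports, as an added example that is not Metabase's or hoop.dev's own code. It assumes you have already fetched the SCIM 2.0 `/Users` and `/Groups` ListResponse bodies (RFC 7644) with your SCIM token; the group names, emails and IDs below are constructed sample data.

```python
import json

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def resources(body):
    """Return Resources from a SCIM 2.0 ListResponse; refuse a partial page."""
    doc = json.loads(body)
    if LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    items = doc.get("Resources", [])
    if doc.get("totalResults", len(items)) > len(items):
        raise ValueError("partial page: fetch all pages before auditing")
    return items

def audit(users_body, groups_body, expected, offboarded):
    """expected: {group name: set of emails}; offboarded: emails removed in the IdP."""
    findings, by_id, seen = [], {}, set()
    for u in resources(users_body):
        name = u["userName"].lower()
        by_id[u["id"]] = name
        if name in offboarded and u.get("active", True):  # missing "active" counts as active
            findings.append(("still_active", name, None))
    for g in resources(groups_body):
        group = g["displayName"]
        seen.add(group)
        actual = {by_id.get(m["value"], m["value"]) for m in g.get("members") or []}
        if group not in expected:
            findings.append(("unmapped_group", None, group))
            continue
        want = expected[group]
        findings += [("extra_member", e, group) for e in sorted(actual - want)]
        findings += [("missing_member", e, group) for e in sorted(want - actual)]
    findings += [("group_not_synced", None, g) for g in sorted(set(expected) - seen)]
    return findings

def _page(items):  # wraps constructed sample data in a ListResponse envelope
    return json.dumps({"schemas": [LIST_SCHEMA], "totalResults": len(items), "Resources": items})

# Constructed sample state; real bodies would come from the SCIM /Users and /Groups endpoints.
USERS = _page([{"id": "u1", "userName": "ana@example.com", "active": True},
               {"id": "u2", "userName": "bo@example.com", "active": True}])
GROUPS = _page([{"id": "g1", "displayName": "analyst", "members": [{"value": "u1"}, {"value": "u2"}]},
                {"id": "g2", "displayName": "contractors", "members": []}])
EXPECTED = {"analyst": {"ana@example.com"}, "admin": {"ana@example.com"}}
OFFBOARDED = {"bo@example.com"}

if __name__ == "__main__":
    for finding in audit(USERS, GROUPS, EXPECTED, OFFBOARDED):
        print(finding)
```

An empty result means the synced state matches the documented mapping; any `still_active` finding is an offboarded account that can still sign in.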
For developers, this setup means no more waiting on IT to grant dashboard access. Onboarding happens at identity speed. Offboarding happens without an awkward ping. The feedback loop between data and security teams tightens, boosting developer velocity and cutting down on access requests that clog internal channels.
Platforms like hoop.dev turn those access rules into guardrails that enforce policy automatically. Instead of relying on humans to remember who should see what, hoop.dev ensures your Identity‑Aware Proxy wraps each endpoint with consistent checks, whether it’s Metabase, an internal API, or a test cluster.
How do I connect Metabase SCIM and Okta?
Generate a SCIM token in Metabase, then configure an app integration in Okta with the same base URL and token. Assign users or groups, and Okta will push those accounts into Metabase on its own schedule.
AI‑assisted admins can take this further. Policy bots that monitor SCIM events can suggest role adjustments or detect anomalies before they become incidents. It’s what happens when automation isn’t just fast but context‑aware.
SCIM turns access control from a chore into an automated, verifiable workflow. Connect it, forget it, and enjoy dashboards that only the right eyes ever see.