Product Introduction
- Definition: Basedash SCIM is a System for Cross-domain Identity Management (SCIM 2.0) provisioning integration for the Basedash AI-native business intelligence and analytics platform. It is an enterprise-grade identity lifecycle management tool.
- Core Value Proposition: It exists to automate and synchronize user, group, and organization membership between a company's central identity provider (like Okta or Microsoft Entra ID) and Basedash. Its primary value is eliminating manual, error-prone user access management within BI tools, thereby reducing security risks, administrative overhead, and friction during enterprise-wide analytics rollouts.
Main Features
- Automated User Lifecycle Management: This feature automates the entire user journey within Basedash based on signals from the SCIM-compliant identity provider. How it works: The identity provider sends SCIM 2.0 API calls (Create, Update, Patch, Delete) to Basedash's SCIM endpoint. This triggers specific actions: provisioning new users upon hire, updating their attributes and group memberships upon role change, and deactivating their organization membership upon departure. The specific technology is the SCIM 2.0 RESTful protocol.
- Group and Membership Synchronization: This feature ensures teams and departments defined in the corporate directory are accurately mirrored within Basedash. How it works: Groups created and managed in the identity provider (IdP) are propagated to Basedash via SCIM. User membership assignments to these groups are also synchronized. This creates a foundational structure for applying role-based access controls (RBAC) without manual group creation.
- Decoupled Permission Governance: A critical architectural feature where identity management is separated from resource authorization. How it works: While SCIM automates the syncing of who is a user and what groups they belong to, Basedash administrators retain full control within the platform to assign specific permissions (e.g., access to data sources, dashboards, workspaces) to those synced groups. This ensures the IdP is the source of truth for identity, while data teams remain the source of truth for data access policy.
Problems Solved
- Pain Point: Identity and access drift in business intelligence platforms. As organizations grow and change, BI tools often become unsynchronized with the official corporate directory, leading to stale accounts, incorrect team memberships, and lingering access for departed employees, which creates security and compliance vulnerabilities.
- Target Audience: Primary personas include Heads of BI, VPs of Data, Data Platform Engineers, and IT/Security leaders in mid-to-large enterprises. Secondary personas are company administrators responsible for onboarding/offboarding and security auditors who need clear access reports.
- Use Cases: Essential for enterprise-wide deployment of Basedash where the data team cannot be a manual helpdesk for access requests. Critical during mergers, acquisitions, or large-scale re-organizations where hundreds of users may need to be moved between teams or deprovisioned automatically. Mandatory for companies undergoing SOC 2 or similar compliance audits that require demonstrable, automated user lifecycle controls.
Unique Advantages
- Differentiation: Unlike generic SCIM implementations or manual user management, Basedash SCIM is part of a cohesive enterprise control stack designed specifically for the data access layer. It integrates natively with Basedash's RBAC, row-level security (RLS), and SSO, providing a unified governance model rather than a point solution. Compared to traditional BI tools, it deeply automates the identity layer that is often an afterthought.
- Key Innovation: The clear separation of concerns between identity lifecycle (managed via SCIM from the IdP) and resource authorization (managed within Basedash). This innovation prevents permission sprawl and ensures that while user provisioning is automated, sensitive data access decisions remain a deliberate, audit-trailed action controlled by data stewards, not directory admins.
Frequently Asked Questions (FAQ)
- What is SCIM and how does Basedash SCIM work? SCIM (System for Cross-domain Identity Management) is an open standard protocol for automating user provisioning and deprovisioning between applications. Basedash SCIM works by receiving SCIM 2.0 API calls from your identity provider (like Okta) to automatically create, update, or deactivate users and groups within your Basedash organization, keeping access aligned with your HR system.
- Does Basedash SCIM automatically assign permissions and admin roles? No. Basedash SCIM synchronizes user identities and group memberships, but it does not automatically assign permissions to data sources, dashboards, or administrator roles. This is a security feature. Permissions must be explicitly granted by a Basedash administrator to the synced groups, ensuring deliberate governance over sensitive data access.
- Which identity providers are compatible with Basedash SCIM? Basedash SCIM is compatible with any identity provider that supports the SCIM 2.0 standard, including Okta, Microsoft Entra ID (formerly Azure AD), OneLogin, and others. You configure the SCIM connection directly within your provider's application catalog or provisioning settings.
- How does SCIM relate to SSO and RBAC in Basedash? They are complementary enterprise controls. SSO (like SAML or OIDC) handles authentication (verifying user identity at login). SCIM handles provisioning (managing the user/group lifecycle). RBAC handles authorization (defining what resources those provisioned users and groups can access). Together, they form a complete identity and access management (IAM) framework for Basedash.
- Is Basedash SCIM available on all pricing plans? No. Basedash SCIM is an enterprise-grade feature available specifically on the Basedash Enterprise plan. Organizations interested in SCIM provisioning should contact the Basedash sales team to discuss the Enterprise plan and rollout configuration.
