---
title: "SCIM CLI reference"
description: "Customer-hosted cloud features"
---

# SCIM CLI reference

#### Customer-hosted cloud features

:::note
Some features are only available on customer-hosted clouds. Reach out to [support@anyscale.com](mailto:support@anyscale.com) for info.
:::

## SCIM CLI

### `anyscale scim enforce-groups` Beta

:::warning
This command undergoes rapid iteration. Users must be tolerant of change.
:::

**Usage**

`anyscale scim enforce-groups [OPTIONS]`

Enforce SCIM-based user group permissions by removing individual user permissions.

This command removes ALL direct user permissions so that users only derive permissions from their user groups.

Use `--dry-run` to preview what permission changes users will experience before actually applying them.

**Options**

-   **`--dry-run`**: Preview permission changes without applying them. Shows only actual changes from users' perspective.

#### Examples

::::tabs

:::tab[CLI]
```bash
# Preview permission changes before applying (dry-run mode)
$ anyscale scim enforce-groups --dry-run
(anyscale +0.5s) Running in dry-run mode. Analyzing permission changes...

=== Permission Changes Preview ===

user1@example.com:
  - clouds:
      - prod-cloud: collaborator -> readonly
      - staging-cloud: owner -> (removed)
  - projects:
      - proj-1: collaborator -> readonly
  - organization: owner -> collaborator

user2@example.com:
  - clouds:
      - dev-cloud: collaborator -> (removed)

--- Users to be removed (not in any active user group) ---
  - orphan-user@example.com

(No changes were applied. Remove --dry-run to apply changes.)

# Apply the changes (live mode)
$ anyscale scim enforce-groups
(anyscale +0.5s) Analyzing permission changes...

=== Permission Changes Preview ===

user1@example.com:
  - clouds:
      - prod-cloud: collaborator -> readonly
      - staging-cloud: owner -> (removed)
  - projects:
      - proj-1: collaborator -> readonly
  - organization: owner -> collaborator

user2@example.com:
  - clouds:
      - dev-cloud: collaborator -> (removed)

--- Users to be removed (not in any active user group) ---
  - orphan-user@example.com

╭─────────────────── ⚠️  Confirmation Required ───────────────────╮
│ WARNING: This is a destructive operation that cannot be undone. │
│                                                                  │
│ All role bindings on users will be removed.                      │
│ Role bindings on user groups and service accounts are unchanged. │
╰──────────────────────────────────────────────────────────────────╯
Do you want to proceed? [y/N]: y
(anyscale +1.5s) Starting SCIM permission migration...

=== Applied Permission Changes ===

user1@example.com:
  - clouds:
      - prod-cloud: collaborator -> readonly
      - staging-cloud: owner -> (removed)
  - projects:
      - proj-1: collaborator -> readonly
  - organization: owner -> collaborator

user2@example.com:
  - clouds:
      - dev-cloud: collaborator -> (removed)

--- Users to be removed (not in any active user group) ---
  - orphan-user@example.com

(anyscale +2.0s) SCIM permission migration completed successfully.
```
:::

::::
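Because the live run can't be undone, it helps to triage the dry-run preview before applying it. The following is an added example, not part of the Anyscale CLI: a small parser that pulls out owner-role losses, removed access, and users slated for removal. It assumes the preview text keeps the layout shown in the example above (this Beta output may change); `parse_preview` and `review` are hypothetical helper names.

```python
import re

# Constructed sample, copied from the dry-run preview shown above.
SAMPLE = """\
user1@example.com:
  - clouds:
      - prod-cloud: collaborator -> readonly
      - staging-cloud: owner -> (removed)
  - projects:
      - proj-1: collaborator -> readonly
  - organization: owner -> collaborator

user2@example.com:
  - clouds:
      - dev-cloud: collaborator -> (removed)

--- Users to be removed (not in any active user group) ---
  - orphan-user@example.com
"""

USER_RE = re.compile(r"^(\S+@\S+):$")
SCOPE_RE = re.compile(r"^\s+- (\w+):$")
CHANGE_RE = re.compile(r"^(\s+)- (.+?): (\S+) -> (\S+)$")
ORPHAN_RE = re.compile(r"^\s+- (\S+@\S+)$")

def parse_preview(text):
    """Return (changes, orphans); each change is (user, scope, resource, old, new)."""
    changes, orphans, user, scope, in_orphans = [], [], None, None, False
    for line in text.splitlines():
        if line.startswith("--- Users to be removed"):
            in_orphans = True
        elif in_orphans and (m := ORPHAN_RE.match(line)):
            orphans.append(m.group(1))
        elif m := USER_RE.match(line):
            user, scope = m.group(1), None
        elif m := SCOPE_RE.match(line):
            scope = m.group(1)
        elif user and (m := CHANGE_RE.match(line)):
            indent, res, old, new = m.groups()
            # A change at scope indentation (organization) has no nested resource.
            changes.append((user, res if len(indent) <= 2 else scope, res, old, new))
    return changes, orphans

def review(text):
    """Summarise the changes most likely to lock someone out."""
    changes, orphans = parse_preview(text)
    return {"owner_lost": [c for c in changes if c[3] == "owner"],
            "access_removed": [c for c in changes if c[4] == "(removed)"],
            "users_removed": orphans}
```

Pass `review` the captured output of `anyscale scim enforce-groups --dry-run` and check the three lists before running the command without `--dry-run`.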

### `anyscale scim check-permissions` Beta

:::warning
This command undergoes rapid iteration. Users must be tolerant of change.
:::

**Usage**

`anyscale scim check-permissions [OPTIONS]`

Check for SCIM users with incomplete permission setup.

Identifies users who have a cloud role (owner or collaborator) but are missing project-level permissions. These users can access the cloud but cannot use any projects within it.

**Options**

#### Examples

::::tabs

:::tab[CLI]
```bash
# Check which users are missing project-level permissions
$ anyscale scim check-permissions
(anyscale +0.8s) Checking SCIM user permissions...
Users with incomplete SCIM permission setup:
┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ User Email           ┃ Cloud      ┃ Role         ┃ Issue                   ┃
┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ alice@company.com    │ Production │ collaborator │ No project permissions  │
│ bob@company.com      │ Production │ collaborator │ No project permissions  │
│ bob@company.com      │ Staging    │ owner        │ No project permissions  │
└──────────────────────┴────────────┴──────────────┴─────────────────────────┘

2 users have incomplete permission setup.

Run 'anyscale policy set' to grant project-level permissions.
See https://docs.anyscale.com/administration/organization/scim for details.
```
:::

::::
