Entitlement required: readUserGroups (Read users and groups), or manageUserGroups (Manage users and groups), or manageAllUserGroups (Synchronize users and groups), or manageUserStandardGroups (Manage users and standard groups), or readUsers (Read all users but not group memberships), or readUsersGroupMembership (Read all users and group memberships), or readUsersStandardGroupMembership (Read all users and standard group memberships), or manageUsers (Manage all users), or manageUsersInStandardGroups (Manage users in standard groups).
Note: You only need one entitlement, but you can have more than one.
Searching, sorting, paging, and filtering are supported. A maximum of 2500 records are returned for a search query.
To improve performance, specify the list of the attributes that you want returned by using the attributes query parameter.
Search operators supported:
eq | The attribute and operator values must be identical for a match. |
ne | The attribute and operator values are not identical. |
co | The entire operator value must be a substring of the attribute value for a match. For performance reasons, use sw or ew operators instead of co. |
sw | The entire operator value must be a substring of the attribute value, starting at the beginning of the attribute value. |
ew | The entire operator value must be a substring of the attribute value, matching at the end of the attribute value. |
pr | If the attribute has a value, there is a match. |
npr | If the attribute does not have a value, there is a match. |
gt | If the attribute value is greater than the operator value, there is a match. The actual comparison is dependent on the attribute type. |
ge | If the attribute value is greater than or equal to the operator value, there is a match. The actual comparison is dependent on the attribute type. |
lt | If the attribute value is less than the operator value, there is a match. The actual comparison is dependent on the attribute type. |
le | If the attribute value is less than or equal to the operator value, there is a match. The actual comparison is dependent on the attribute type. |
Example search queries:
filter=userName eq "bob"&attributes=userName |
filter=name.familyName eq "Marley"&attributes=name |
filter=meta.created ge "2011-09-20T00:00:00Z" and meta.created le "2021-09-21T00:00:00Z"&attributes=userName,meta.created,emails&sortBy=userName&count=2500 |
filter=urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes.favoriteColor eq "blue"&attributes=userName,urn:ietf:params:scim:schemas:extension:ibm:2.0:User:customAttributes.favoriteColor&count=2500 |
filter=urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department eq "2A"&attributes=userName,emails,urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager |
filter=not (emails ew "@example.com")&attributes=userName,emails |
filter=emails ew "@example.com" and (phoneNumbers eq "15551212" or phoneNumbers eq "1(555)1212")&attributes=userName,phoneNumbers,emails |
Note: There are some special syntax for "phoneNumbers" to allow filtering using the type, such as GET /v2.0/Users?filter=phoneNumbers.work eq "{value}"&attributes=phoneNumbers.work |
For tenants that support large groups, additional feature are available. They are:
- Search for users in a specific group by using the "memberOf" SCIM attribute. For example. GET /v2.0/Users?filter=userName sw "patel" and memberOf eq "{group ID}" |
- Restrict HelpDesk administrators to manage specific groups of users by using Admin Roles. |
To check whether the tenant supports large groups, run the GET /v2.0/SCIM/capabilities API.