Expanded documentation of how SCIM treats retired / inactive users

Answered

Hi forum

I have a customer running the SCIM integration, and they are asking for some more information on the specifics of how SCIM handles retired users, and users who just had their user plan revoked.

I explored the SuperOffice documentation regarding SCIM (System for Cross-domain Identity Management), but I couldn't find specific details on when a user synced from Azure AD to SuperOffice via SCIM is marked as retired/deleted, or when their license is simply removed without the user being set to retired (by being removed from the user plan AD group, but staying in the groups specifying role and group).

Unfortunately, the specific scenarios I am looking for do not seem to be covered in the documentation.

Example ruleset for my SCIM configuration:

License groups in AD:

  • so_salesprem //Provides access to Sales Premium
  • so_marketing //Provides access to Marketing
  • so_serviceprem //Provides access to Service Premium
  • so_salespremservicepremmarketing //Provides access to the full plan

Role groups in AD:

  • so_role_0 //Sets the user up with role 0
  • so_role_1 //Sets the user up with role 1

Primary groups in AD:

  • so_group_management //For the users in the management
  • so_group_sales //For the users in the sales department
  • so_group_marketing //For the users in the marketing department

A typical user will therefore be assigned three groups in AD, depending on what we would like them to end up with in SuperOffice.

The SCIM configuration will then have the following rules:

In AD Group so_role_0:

  • Primary group - Always: Fallback group

In AD Group so_role_1:

  • Primary group - Always: Fallback group

NOT In AD Group so_salesprem:

  • Plan - Always: Not selected

NOT In AD Group so_marketing:

  • Plan - Always: Not selected

NOT In AD Group so_serviceprem:

  • Plan - Always: Not selected

NOT In AD Group so_salespremservicepremmarketing:

  • Plan - Always: Not selected

The above rules are there to provide default settings if the AD user does not meet any other rules, like those defined below:

In AD Group so_salesprem:

  • Plan - Always: Sales Premium

In AD Group so_marketing:

  • Plan - Always: Marketing

In AD Group so_serviceprem:

  • Plan - Always: Service Premium

In AD Group so_salespremservicepremmarketing:

  • Plan - Always: Sales Premium - Service Premium - Marketing

In AD Group so_group_management:

  • Primary group - Always: Management

In AD Group so_group_sales:

  • Primary group - Always: Sales department

In AD Group so_group_marketing:

  • Primary group - Always: Marketing


My tests are the following:

  • For a user that is decommissioned/retired in AD, the following happens:
    • User is marked as retired, and license is revoked.
    • This is what I expect: User is marked as retired, and license is revoked and made available for other users.
  • For a user that is NOT decommissioned/retired in AD, but who has their license group removed while keeping the two others, the following happens:
    • User is ALSO marked as retired, and license is revoked and made available for other users.
    • This is what I expect: License is revoked and made available for other users.


Is this the correct behaviour? How would I set up SCIM rules to make sure a user is not marked as retired just because of losing its license plan?


23 Nov 2023 | 10:35 AM

All Replies (1)

Hi Dennis,

Currently there's no way to achieve what you want.
If a user is not assigned any license after all rules are processed, SCIM will set both "retired" and "deleted" flags on this user.

27 Nov 2023 | 01:11 PM
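As an added illustration (not SuperOffice's code), the following Python models the ruleset from the question together with the behaviour stated in the reply, so an administrator can audit which AD users would end up retired and deleted before a sync runs. It assumes that rules are evaluated in listed order with the last matching rule winning (the "NOT in group" defaults come first and the specific rules override them) and that disabling the account in AD is what retires a decommissioned user; both are assumptions, not documented SuperOffice semantics.

```python
# Each rule: (condition, AD group, SuperOffice attribute, value).
# Evaluated top to bottom; the last matching rule for an attribute wins
# (assumed from the post's ordering of default rules before overrides).
RULES = [
    ("not_in", "so_salesprem", "plan", None),
    ("not_in", "so_marketing", "plan", None),
    ("not_in", "so_serviceprem", "plan", None),
    ("not_in", "so_salespremservicepremmarketing", "plan", None),
    ("in", "so_role_0", "primary_group", "Fallback group"),
    ("in", "so_role_1", "primary_group", "Fallback group"),
    ("in", "so_salesprem", "plan", "Sales Premium"),
    ("in", "so_marketing", "plan", "Marketing"),
    ("in", "so_serviceprem", "plan", "Service Premium"),
    ("in", "so_salespremservicepremmarketing", "plan",
     "Sales Premium - Service Premium - Marketing"),
    ("in", "so_group_management", "primary_group", "Management"),
    ("in", "so_group_sales", "primary_group", "Sales department"),
    ("in", "so_group_marketing", "primary_group", "Marketing"),
]


def evaluate(groups, disabled_in_ad=False):
    """Compute the SuperOffice outcome for one AD user's group memberships."""
    result = {"plan": None, "primary_group": None}
    for cond, group, attr, value in RULES:
        member = group in groups
        if (cond == "in" and member) or (cond == "not_in" and not member):
            result[attr] = value
    # Assumption: an AD-disabled account loses its license like a retired user.
    if disabled_in_ad:
        result["plan"] = None
    # From the reply: no license after all rules => retired AND deleted.
    no_license = result["plan"] is None
    result["retired"] = disabled_in_ad or no_license
    result["deleted"] = no_license
    return result


def unintended_retirements(users):
    """Names of users still enabled in AD who would nevertheless be retired.
    users: {name: (set_of_groups, disabled_in_ad)} - constructed sample input."""
    return sorted(name for name, (groups, disabled) in users.items()
                  if not disabled and evaluate(groups, disabled)["retired"])


# Constructed sample directory reproducing the two test cases in the question.
SAMPLE_USERS = {
    "alice": ({"so_role_0", "so_group_sales", "so_salesprem"}, False),
    "bob":   ({"so_role_0", "so_group_sales"}, False),   # license group removed
    "carol": ({"so_role_1", "so_group_management", "so_marketing"}, True),
}
```

Running `unintended_retirements(SAMPLE_USERS)` flags `bob`, whose only change was the removal of the license group, which matches the unexpected result in the second test.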
