# User

HTTP methods with User resource(s)

## Get Service Provider Configuration

> This endpoint returns the Service Provider Configuration, which contains the service provider's supported features.

```json
{"openapi":"3.0.2","info":{"title":"Qvalia SCIM API","version":"1.0.0"},"tags":[{"name":"User","description":"HTTP methods with User resource(s)"}],"servers":[{"url":"https://api-qa.qvalia.com"},{"url":"https://api.qvalia.com"}],"security":[{"api_key":[]},{"jwt":[]}],"components":{"securitySchemes":{"api_key":{"type":"apiKey","name":"Authorization","in":"header"},"jwt":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"JWT-based authentication. The Authorization header must be set as:\nAuthorization: Bearer <token>\n"}},"schemas":{"Error":{"type":"object","properties":{"status":{"type":"string"},"type":{"type":"string"},"data":{"type":"string"},"metadata":{"type":"object","properties":{}}}}}},"paths":{"/scim/v2/{accountRegNo}/ServiceProviderConfig":{"get":{"tags":["User"],"summary":"Get Service Provider Configuration","description":"This endpoint returns the Service Provider Configuration, which contains the service provider's supported features.","operationId":"getServiceProviderConfig","responses":{"200":{"description":"Success - Service Provider Configuration found","content":{"application/scim+json":{"schema":{"properties":{"authenticationSchemes":{"type":"array","items":{"properties":{"jwt":{"type":"object","properties":{"type":{"type":"string"},"name":{"type":"string"},"description":{"type":"string"},"documentationUrl":{"type":"string"}}},"api_key":{"type":"object","properties":{"type":{"type":"string"},"name":{"type":"string"},"description":{"type":"string"},"documentationUrl":{"type":"string"}}}}}},"filter":{"type":"object","properties":{"supported":{"type":"boolean","default":false}}},"patch":{"type":"object","properties":{"supported":{"type":"boolean","default":false}}},"sort":{"type":"object","properties":{"supported":{"type":"boolean","default":false}}},"bulk":{"type":"object","properties":{"supported":{"type":"boolean","default":false}}},"etag":{"type":"object","properties":{"supported":{"type":"boolean","default":false}}},"changePassword":{"type":"object","description":"Change password is supported through PUT operation on User resource","properties":{"supported":{"type":"boolean","default":true}}},"schemas":{"type":"array","items":{"type":"string","enum":["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"]}}}}}}},"500":{"description":"Internal server error - Implementers provide a descriptive debugging advice","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}}}}}
```

## Get filtered or all Users

> This endpoint returns all or filtered Users. Use the query parameters to configure filtering, sorting, pagination and in-/excluded attributes.

```json
{"openapi":"3.0.2","info":{"title":"Qvalia SCIM API","version":"1.0.0"},"tags":[{"name":"User","description":"HTTP methods with User resource(s)"}],"servers":[{"url":"https://api-qa.qvalia.com"},{"url":"https://api.qvalia.com"}],"security":[{"api_key":[]},{"jwt":[]}],"components":{"securitySchemes":{"api_key":{"type":"apiKey","name":"Authorization","in":"header"},"jwt":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"JWT-based authentication. The Authorization header must be set as:\nAuthorization: Bearer <token>\n"}},"schemas":{"UserListResponse":{"allOf":[{"$ref":"#/components/schemas/ListResponse"}],"properties":{"Resource":{"type":"array","items":{"$ref":"#/components/schemas/User"}}},"required":["Resource"]},"ListResponse":{"description":"The ListResponse specifies control attribute for big collections returned. The attributes thus cover information about the pagination. The assigned Resource object contains the queried resources.","type":"object","properties":{"totalResults":{"type":"integer","format":"int32","description":"Non-negative integer. Specifies the total number of results matching the client query, e.g., 1000."},"startIndex":{"type":"integer","format":"int32","description":"The 1-based index of the first result in the current set of query results, e.g., 1."},"itemsPerPage":{"type":"integer","format":"int32","description":"Non-negative integer. Specifies the number of query results returned in a query response page, e.g., 10."}},"required":["totalResults","startIndex","itemsPerPage"]},"User":{"allOf":[{"$ref":"#/components/schemas/Resource"}],"description":"SCIM provides a resource type for \\\"User\\\" resources.  The core schema for \\\"User\\\" is identified using the following schema URI \\\"urn:ietf:params:scim:schemas:core:2.0:User\\\".  
The following attributes are defined in addition to the core schema attributes","properties":{"userName":{"description":"A service provider's unique identifier for the user, typically used by the user to directly authenticate to the service provider. Often displayed to the user as their unique identifier within the system (as opposed to \\\"id\\\" or \\\"externalId\\\", which are generally opaque and not user-friendly identifiers).  Each User MUST include a non-empty userName value.  This identifier MUST be unique across the service provider's entire set of Users.  This attribute is REQUIRED and is case insensitive.","type":"string"},"name":{"description":"The components of the user's name.  Qvalia only allows the full formatted name once!","type":"array","items":{"properties":{"formatted":{"description":"The full name, including all middle names, titles, and suffixes as appropriate, formatted for display (e.g., \\\"Jane Doe\\\").","type":"string"}}}},"title":{"description":"The user's title, such as \\\"IT Architect\\\".","type":"string"},"userType":{"description":"Used to identify the permission in Qvalia account.","type":"string","pattern":"^[viewer|user|admin]$","enum":["viewer","user","admin"]},"preferredLanguage":{"description":"Indicates the user's preferred written or spoken languages and is generally used for selecting a localized user interface.  The value indicates the set of natural languages that are preferred. The format of the value is the same as the HTTP Accept-Language header field (not including \\\"Accept-Language:\\\") and is specified in Section 5.3.5 of [RFC7231].  
The intent of this value is to enable cloud applications to perform matching of language tags [RFC4647] to the user's language preferences, regardless of what may be indicated by a user agent (which might be shared), or in an interaction that does not involve a user (such as in a delegated OAuth 2.0 [RFC6749] style interaction) where normal HTTP Accept-Language header negotiation cannot take place.","type":"string","enum":["en","sv","fi"]},"active":{"description":"A Boolean value indicating the user's administrative status. The definitive meaning of this attribute is determined by the service provider. As a typical example, a value of true implies that the user is able to log in, while a value of false implies that the user's account has been suspended.","type":"boolean"},"password":{"writeOnly":true,"description":"This attribute is intended to be used as a means to set, replace, or compare (i.e., filter for equality) a password.  The cleartext value or the hashed value of a password SHALL NOT be returnable by a service provider.  If a service provider holds the value locally, the value SHOULD be hashed.  When a password is set or changed by the client, the cleartext password SHOULD be processed by the service provider as follows\n<ul>\n  <li>Prepare the cleartext value for international language comparison.  See Section 7.8 of [RFC7644].</li>\n  <li>Validate the value against server password policy.  Note, The definition and enforcement of password policy are beyond the scope of this document.</li>\n  <li>Ensure that the value is encrypted (e.g., hashed).  See Section 9.2 of [RFC7643] for acceptable hashing and encryption handling when storing or persisting for provisioning workflow reasons.</li>\n</ul>\nA service provider that immediately passes the cleartext value on to another system or programming interface MUST pass the value directly over a secured connection (e.g., Transport Layer Security (TLS)).  
If the value needs to be temporarily persisted for a period of time (e.g., because of a workflow) before provisioning, then the value MUST be protected by some method, such as encryption.\nTesting for an equality match MAY be supported if there is an existing stored hashed value.  When testing for equality, the service provider\n<ul>\n    <li>Prepares the filter value for international language comparison.  See Section 7.8 of [RFC7644].</li>\n    <li>Generates the salted hash of the filter value and tests for a match with the locally held value.</li>\n</ul>\nThe mutability of the password attribute is \\\"writeOnly\\\", indicating that the value MUST NOT be returned by a service provider in any form (the attribute characteristic \\\"returned\\\" is \\\"never\\\").\n","type":"string","format":"password"},"emails":{"description":"Email addresses for the User.  The value SHOULD be specified according to [RFC5321].  Service providers SHOULD canonicalize the value according to [RFC5321], e.g., \\\"user@company.com\\\" instead of \\\"user@COMPANY.COM\\\".  Qvalia only allows one email!","type":"array","items":{"properties":{"value":{"description":"should return canonicalized representation of the email value","type":"string","format":"email"}},"required":["value"]}},"phoneNumbers":{"description":"Phone numbers for the user.  The value SHOULD be specified according to the format defined in [RFC3966], e.g., 'tel:+1-201-555-0123'.  Service providers SHOULD canonicalize the value according to [RFC3966] format, when appropriate.  The \\\"display\\\" sub-attribute MAY be used to return the canonicalized representation of the phone number value.  
Qvalia only allows one phone number!","type":"array","items":{"properties":{"value":{"description":"should return canonicalized representation of the phone value","type":"string","format":"string"}}}}},"required":["userName"]},"Resource":{"type":"object","description":"The resource is the base class to represent the entities of this RBAC REST API. It holds the attributes necessary for all actual resources (User, Group, Role, etc.).","properties":{"schemas":{"description":"The schema(s) involved in the SCIM resource.","type":"array","items":{"type":"string"}},"id":{"type":"string","format":"email","description":"A unique identifier for a SCIM resource as defined by the service provider.  Each representation of the resource MUST include a non-empty \\\"id\\\" value.  This identifier MUST be unique across the SCIM service provider's entire set of resources.  It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests.  The value of the \\\"id\\\" attribute is always issued by the service provider and MUST NOT be specified by the client.  The string \\\"bulkId\\\" is a reserved keyword and MUST NOT be used within any unique identifier value.  The attribute characteristics are \\\"caseExact\\\" as \\\"true\\\", a mutability of \\\"readOnly\\\", and a \\\"returned\\\" characteristic of \\\"always\\\".  See [Section 9 RFC7643](https://www.rfc-editor.org/rfc/rfc7643.html#section-9) for additional considerations regarding privacy."}},"required":["id","schemas"]},"Error":{"type":"object","properties":{"status":{"type":"string"},"type":{"type":"string"},"data":{"type":"string"},"metadata":{"type":"object","properties":{}}}}}},"paths":{"/scim/v2/{accountRegNo}/Users":{"get":{"tags":["User"],"summary":"Get filtered or all Users","description":"This endpoint returns all or filtered Users. 
Utilize the query parameters to configure filtering, sorting, pagination and in-/excluded attribues.","operationId":"getUsers","parameters":[{"in":"query","name":"sortOrder","schema":{"type":"string","default":"ascending","enum":["ascending","descending"]},"description":"The order in which the \\\"sortBy\\\" parameter is applied. Allowed values are \\\"ascending\\\" and \\\"descending\\\".  If a value for \\\"sortBy\\\" is provided and no \\\"sortOrder\\\" is specified, \\\"sortOrder\\\" SHALL default to ascending.  String type attributes are case insensitive by default, unless the attribute type is defined as a case-exact string.  \\\"sortOrder\\\" MUST sort according to the attribute type; i.e., for case-insensitive attributes, sort the result using case-insensitive Unicode alphabetic sort order with no specific locale implied, and for case-exact attribute types, sort the result using case-sensitive Unicode alphabetic sort order."},{"in":"query","name":"cursor","schema":{"type":"integer","default":1},"description":"The 1-based index of the first query result. A value less than 1 SHALL be interpreted as 1."},{"in":"query","name":"count","schema":{"type":"integer","default":1000},"description":"Non-negative integer. Specifies the desired maximum number of query results per page, e.g., 10. A negative value SHALL be interpreted as \\\"0\\\". 
A value of \\\"0\\\" indicates that no resource results are to be returned except for \\\"totalResults\\\"."}],"responses":{"200":{"description":"Success - list of all Users","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/UserListResponse"}}}},"400":{"description":"Bad request - See scimType for further information","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401":{"description":"Unauthorized - Authentication failed try again with a valid authentication","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403":{"description":"Forbidden - Authentication was successful but the user is not authorized","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"404":{"description":"Not found - No resource with provided Id","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500":{"description":"Internal server error - Implementers provide a descriptive debugging advice","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}}}}}
```
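An access-review walk over this endpoint, as an added example that is not Qvalia's own code. It pages with the documented `cursor` and `count` parameters, reads the `Resource` array of the `UserListResponse` schema, and filters on the client side, which is what a caller has to do whenever the ServiceProviderConfig response reports `filter.supported` as false (its documented default). The helper names, the fake server and the directory entries are assumptions constructed for illustration.

```python
from typing import Callable, Dict, Iterator, List
from urllib.parse import quote, urlencode
from urllib.request import Request


def build_request(base_url: str, account_reg_no: str, cursor: int, count: int, token: str) -> Request:
    """Build (not send) the GET request for one page of Users."""
    # Percent-encode the path segment so a crafted registration number
    # cannot rewrite the path (e.g. with "/" or "..").
    path = f"/scim/v2/{quote(account_reg_no, safe='')}/Users"
    query = urlencode({"cursor": max(cursor, 1), "count": max(count, 0)})
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    return Request(f"{base_url}{path}?{query}", headers=headers)


def iter_users(fetch_page: Callable[[int, int], dict], count: int = 100,
               max_pages: int = 1000) -> Iterator[dict]:
    """Yield every User, advancing the 1-based cursor by what was returned."""
    if count < 1:
        raise ValueError("count must be >= 1; count=0 returns only totalResults")
    cursor = 1
    for _ in range(max_pages):
        page = fetch_page(cursor, count)
        resources = page.get("Resource") or []
        yield from resources
        # The server may return fewer entries than requested, so step by
        # the real page length rather than by `count`.
        cursor += len(resources)
        if not resources or cursor > int(page["totalResults"]):
            return
    raise RuntimeError("pagination did not terminate within max_pages")


def access_review(users: Iterator[dict]) -> Dict[str, List[str]]:
    """Collect active admins and any response that carries a password."""
    report: Dict[str, List[str]] = {"active_admins": [], "password_leaks": []}
    for user in users:
        if user.get("userType") == "admin" and user.get("active") is True:
            report["active_admins"].append(user["userName"])
        # `password` is writeOnly in the schema; seeing it in a response
        # is a finding worth reporting to the service provider.
        if "password" in user:
            report["password_leaks"].append(user["id"])
    return report


# Constructed sample data: not real accounts.
CONSTRUCTED_DIRECTORY = [
    {"id": "u1", "userName": "alice@example.com", "userType": "admin", "active": True},
    {"id": "u2", "userName": "bob@example.com", "userType": "user", "active": True},
    {"id": "u3", "userName": "carol@example.com", "userType": "admin", "active": False},
    {"id": "u4", "userName": "dave@example.com", "userType": "viewer", "active": True},
    {"id": "u5", "userName": "erin@example.com", "userType": "admin", "active": True,
     "password": "constructed-leak"},
    {"id": "u6", "userName": "frank@example.com", "userType": "user", "active": True},
    {"id": "u7", "userName": "grace@example.com", "userType": "viewer", "active": False},
]


def make_fake_fetch(directory: List[dict], server_cap: int) -> Callable[[int, int], dict]:
    """Offline stand-in for the endpoint (hypothetical; caps the page size)."""
    def fetch(cursor: int, count: int) -> dict:
        cursor = max(cursor, 1)              # "less than 1 SHALL be interpreted as 1"
        size = min(max(count, 0), server_cap)  # negative count is treated as 0
        chunk = directory[cursor - 1:cursor - 1 + size]
        return {"totalResults": len(directory), "startIndex": cursor,
                "itemsPerPage": len(chunk), "Resource": chunk}
    return fetch


if __name__ == "__main__":
    fetch = make_fake_fetch(CONSTRUCTED_DIRECTORY, server_cap=3)
    print(access_review(iter_users(fetch, count=5)))
```

Against the live API, `fetch_page` would send the request from `build_request` and decode the JSON body.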

## Create new user resource

> Creates a new User. Some attributes might be immutable, so make sure these are set correctly at creation. Unset required attributes might lead to assertions or insertion of default values. Read-only attributes are ignored. The query parameters attributes and excludedAttributes refer to the response upon success. The id attribute is set by the Service Provider to ensure uniqueness.

```json
{"openapi":"3.0.2","info":{"title":"Qvalia SCIM API","version":"1.0.0"},"tags":[{"name":"User","description":"HTTP methods with User resource(s)"}],"servers":[{"url":"https://api-qa.qvalia.com"},{"url":"https://api.qvalia.com"}],"security":[{"api_key":[]},{"jwt":[]}],"components":{"securitySchemes":{"api_key":{"type":"apiKey","name":"Authorization","in":"header"},"jwt":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"JWT-based authentication. The Authorization header must be set as:\nAuthorization: Bearer <token>\n"}},"schemas":{"User":{"allOf":[{"$ref":"#/components/schemas/Resource"}],"description":"SCIM provides a resource type for \\\"User\\\" resources.  The core schema for \\\"User\\\" is identified using the following schema URI \\\"urn:ietf:params:scim:schemas:core:2.0:User\\\".  The following attributes are defined in addition to the core schema attributes","properties":{"userName":{"description":"A service provider's unique identifier for the user, typically used by the user to directly authenticate to the service provider. Often displayed to the user as their unique identifier within the system (as opposed to \\\"id\\\" or \\\"externalId\\\", which are generally opaque and not user-friendly identifiers).  Each User MUST include a non-empty userName value.  This identifier MUST be unique across the service provider's entire set of Users.  This attribute is REQUIRED and is case insensitive.","type":"string"},"name":{"description":"The components of the user's name.  
Qvalia only allows the full formatted name once!","type":"array","items":{"properties":{"formatted":{"description":"The full name, including all middle names, titles, and suffixes as appropriate, formatted for display (e.g., \\\"Jane Doe\\\").","type":"string"}}}},"title":{"description":"The user's title, such as \\\"IT Architect\\\".","type":"string"},"userType":{"description":"Used to identify the permission in Qvalia account.","type":"string","pattern":"^[viewer|user|admin]$","enum":["viewer","user","admin"]},"preferredLanguage":{"description":"Indicates the user's preferred written or spoken languages and is generally used for selecting a localized user interface.  The value indicates the set of natural languages that are preferred. The format of the value is the same as the HTTP Accept-Language header field (not including \\\"Accept-Language:\\\") and is specified in Section 5.3.5 of [RFC7231].  The intent of this value is to enable cloud applications to perform matching of language tags [RFC4647] to the user's language preferences, regardless of what may be indicated by a user agent (which might be shared), or in an interaction that does not involve a user (such as in a delegated OAuth 2.0 [RFC6749] style interaction) where normal HTTP Accept-Language header negotiation cannot take place.","type":"string","enum":["en","sv","fi"]},"active":{"description":"A Boolean value indicating the user's administrative status. The definitive meaning of this attribute is determined by the service provider. As a typical example, a value of true implies that the user is able to log in, while a value of false implies that the user's account has been suspended.","type":"boolean"},"password":{"writeOnly":true,"description":"This attribute is intended to be used as a means to set, replace, or compare (i.e., filter for equality) a password.  The cleartext value or the hashed value of a password SHALL NOT be returnable by a service provider.  
If a service provider holds the value locally, the value SHOULD be hashed.  When a password is set or changed by the client, the cleartext password SHOULD be processed by the service provider as follows\n<ul>\n  <li>Prepare the cleartext value for international language comparison.  See Section 7.8 of [RFC7644].</li>\n  <li>Validate the value against server password policy.  Note, The definition and enforcement of password policy are beyond the scope of this document.</li>\n  <li>Ensure that the value is encrypted (e.g., hashed).  See Section 9.2 of [RFC7643] for acceptable hashing and encryption handling when storing or persisting for provisioning workflow reasons.</li>\n</ul>\nA service provider that immediately passes the cleartext value on to another system or programming interface MUST pass the value directly over a secured connection (e.g., Transport Layer Security (TLS)).  If the value needs to be temporarily persisted for a period of time (e.g., because of a workflow) before provisioning, then the value MUST be protected by some method, such as encryption.\nTesting for an equality match MAY be supported if there is an existing stored hashed value.  When testing for equality, the service provider\n<ul>\n    <li>Prepares the filter value for international language comparison.  See Section 7.8 of [RFC7644].</li>\n    <li>Generates the salted hash of the filter value and tests for a match with the locally held value.</li>\n</ul>\nThe mutability of the password attribute is \\\"writeOnly\\\", indicating that the value MUST NOT be returned by a service provider in any form (the attribute characteristic \\\"returned\\\" is \\\"never\\\").\n","type":"string","format":"password"},"emails":{"description":"Email addresses for the User.  The value SHOULD be specified according to [RFC5321].  Service providers SHOULD canonicalize the value according to [RFC5321], e.g., \\\"user@company.com\\\" instead of \\\"user@COMPANY.COM\\\".  
Qvalia only allows one email!","type":"array","items":{"properties":{"value":{"description":"should return canonicalized representation of the email value","type":"string","format":"email"}},"required":["value"]}},"phoneNumbers":{"description":"Phone numbers for the user.  The value SHOULD be specified according to the format defined in [RFC3966], e.g., 'tel:+1-201-555-0123'.  Service providers SHOULD canonicalize the value according to [RFC3966] format, when appropriate.  The \\\"display\\\" sub-attribute MAY be used to return the canonicalized representation of the phone number value.  Qvalia only allows one phone number!","type":"array","items":{"properties":{"value":{"description":"should return canonicalized representation of the phone value","type":"string","format":"string"}}}}},"required":["userName"]},"Resource":{"type":"object","description":"The resource is the base class to represent the entities of this RBAC REST API. It holds the attributes necessary for all actual resources (User, Group, Role, etc.).","properties":{"schemas":{"description":"The schema(s) involved in the SCIM resource.","type":"array","items":{"type":"string"}},"id":{"type":"string","format":"email","description":"A unique identifier for a SCIM resource as defined by the service provider.  Each representation of the resource MUST include a non-empty \\\"id\\\" value.  This identifier MUST be unique across the SCIM service provider's entire set of resources.  It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests.  The value of the \\\"id\\\" attribute is always issued by the service provider and MUST NOT be specified by the client.  The string \\\"bulkId\\\" is a reserved keyword and MUST NOT be used within any unique identifier value.  The attribute characteristics are \\\"caseExact\\\" as \\\"true\\\", a mutability of \\\"readOnly\\\", and a \\\"returned\\\" characteristic of \\\"always\\\".  
See [Section 9 RFC7643](https://www.rfc-editor.org/rfc/rfc7643.html#section-9) for additional considerations regarding privacy."}},"required":["id","schemas"]},"Error":{"type":"object","properties":{"status":{"type":"string"},"type":{"type":"string"},"data":{"type":"string"},"metadata":{"type":"object","properties":{}}}}}},"paths":{"/scim/v2/{accountRegNo}/Users":{"post":{"tags":["User"],"summary":"Create new user resource","description":"Creates a new User. Some attributes might be immutable, thus make sure these are set correctly for creation. Unset required attributes might lead to assertions or insertion of default values. Readonly attributes are ignored. The query parameters attribues and excludedAttributes refer to the response upon success. The id attributes is set by the Service Provider to ensure uniqueness.","operationId":"createUser","requestBody":{"description":"Content to create new user resource","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/User"}}}},"responses":{"201":{"description":"Success - User created","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/User"}}}},"400":{"description":"Bad request - See scimType for further information","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401":{"description":"Unauthorized - Authentication failed try again with a valid authentication","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403":{"description":"Forbidden - Authentication was successful but the user is not authorized","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"404":{"description":"Not found - No resource with provided Id","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"409":{"description":"Conflict - Outdated version number or refusal of Service Provider to create a 
duplicate","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500":{"description":"Internal server error - Implementers provide a descriptive debugging advice","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}}}}}
```
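A client-side check of a User payload before it is sent to this endpoint, as an added example that is not Qvalia's own code. It enforces the constraints stated in the schema above (required `userName`, the `userType` and `preferredLanguage` enums, one name, one email, one phone number), drops the read-only `id`, and redacts `password` before logging. It validates `userType` against the enum only, because the published `pattern` `^[viewer|user|admin]$` is a character class that matches a single character and therefore none of the three enum values. The function names and sample payloads are assumptions constructed for illustration.

```python
import copy
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
USER_TYPES = ("viewer", "user", "admin")
LANGUAGES = ("en", "sv", "fi")
PUBLISHED_USERTYPE_PATTERN = r"^[viewer|user|admin]$"  # as written in the spec
# attribute -> (sub-attribute, sub-attribute required?); at most one entry each
SINGLE_VALUED = {"name": ("formatted", False), "emails": ("value", True),
                 "phoneNumbers": ("value", False)}


def published_pattern_accepts(value: str) -> bool:
    """True if the spec's pattern, taken literally, accepts `value`."""
    return re.search(PUBLISHED_USERTYPE_PATTERN, value) is not None


def validate_new_user(user: dict) -> list:
    """Return a list of problems; an empty list means the payload is acceptable."""
    errors = []
    user_name = user.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        errors.append("userName: required, non-empty string")
    if "userType" in user and user["userType"] not in USER_TYPES:
        errors.append(f"userType: must be one of {USER_TYPES}")
    if "preferredLanguage" in user and user["preferredLanguage"] not in LANGUAGES:
        errors.append(f"preferredLanguage: must be one of {LANGUAGES}")
    if "active" in user and not isinstance(user["active"], bool):
        errors.append("active: must be a JSON boolean")
    if "password" in user and not isinstance(user["password"], str):
        errors.append("password: must be a string")
    for attr, (sub, required) in SINGLE_VALUED.items():
        if attr not in user:
            continue
        items = user[attr]
        if not isinstance(items, list) or len(items) > 1:
            errors.append(f"{attr}: array with at most one entry")
            continue
        for item in items:
            if not isinstance(item, dict):
                errors.append(f"{attr}[]: object expected")
            elif sub in item and not isinstance(item[sub], str):
                errors.append(f"{attr}[].{sub}: string expected")
            elif required and sub not in item:
                errors.append(f"{attr}[].{sub}: required")
    return errors


def prepare_for_post(user: dict) -> dict:
    """Validate, then return a copy that is safe to send as the request body."""
    errors = validate_new_user(user)
    if errors:
        raise ValueError("; ".join(errors))
    body = copy.deepcopy(user)
    body.pop("id", None)  # issued by the service provider, never by the client
    body.setdefault("schemas", [USER_SCHEMA])
    for email in body.get("emails", []):
        # Canonicalize the domain part, e.g. user@COMPANY.COM -> user@company.com
        local, sep, domain = email["value"].rpartition("@")
        if sep:
            email["value"] = f"{local}@{domain.lower()}"
    return body


def redact_for_log(user: dict) -> dict:
    """Copy of the payload with the write-only password masked for logging."""
    view = copy.deepcopy(user)
    if "password" in view:
        view["password"] = "[REDACTED]"
    return view


# Constructed sample payloads: not real accounts or credentials.
CONSTRUCTED_OK = {
    "id": "client-chosen-id", "userName": "jane.doe@example.com",
    "name": [{"formatted": "Jane Doe"}], "userType": "admin",
    "preferredLanguage": "sv", "active": True, "password": "constructed-secret",
    "emails": [{"value": "jane.doe@EXAMPLE.COM"}],
}
CONSTRUCTED_BAD = {
    "userName": " ", "userType": "owner", "active": "true",
    "emails": [{"value": "a@example.com"}, {"value": "b@example.com"}],
}

if __name__ == "__main__":
    print(redact_for_log(prepare_for_post(CONSTRUCTED_OK)))
    print(validate_new_user(CONSTRUCTED_BAD))
```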

## Get user by Id

> Finds a single User by its id attribute. Returned attributes might be specified or restricted with the query parameter attributes or excludedAttributes. Some attributes might not be readable according to their schema definition.

```json
{"openapi":"3.0.2","info":{"title":"Qvalia SCIM API","version":"1.0.0"},"tags":[{"name":"User","description":"HTTP methods with User resource(s)"}],"servers":[{"url":"https://api-qa.qvalia.com"},{"url":"https://api.qvalia.com"}],"security":[{"api_key":[]},{"jwt":[]}],"components":{"securitySchemes":{"api_key":{"type":"apiKey","name":"Authorization","in":"header"},"jwt":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"JWT-based authentication. The Authorization header must be set as:\nAuthorization: Bearer <token>\n"}},"schemas":{"User":{"allOf":[{"$ref":"#/components/schemas/Resource"}],"description":"SCIM provides a resource type for \\\"User\\\" resources.  The core schema for \\\"User\\\" is identified using the following schema URI \\\"urn:ietf:params:scim:schemas:core:2.0:User\\\".  The following attributes are defined in addition to the core schema attributes","properties":{"userName":{"description":"A service provider's unique identifier for the user, typically used by the user to directly authenticate to the service provider. Often displayed to the user as their unique identifier within the system (as opposed to \\\"id\\\" or \\\"externalId\\\", which are generally opaque and not user-friendly identifiers).  Each User MUST include a non-empty userName value.  This identifier MUST be unique across the service provider's entire set of Users.  This attribute is REQUIRED and is case insensitive.","type":"string"},"name":{"description":"The components of the user's name.  
Qvalia only allows the full formatted name once!","type":"array","items":{"properties":{"formatted":{"description":"The full name, including all middle names, titles, and suffixes as appropriate, formatted for display (e.g., \\\"Jane Doe\\\").","type":"string"}}}},"title":{"description":"The user's title, such as \\\"IT Architect\\\".","type":"string"},"userType":{"description":"Used to identify the permission in Qvalia account.","type":"string","pattern":"^[viewer|user|admin]$","enum":["viewer","user","admin"]},"preferredLanguage":{"description":"Indicates the user's preferred written or spoken languages and is generally used for selecting a localized user interface.  The value indicates the set of natural languages that are preferred. The format of the value is the same as the HTTP Accept-Language header field (not including \\\"Accept-Language:\\\") and is specified in Section 5.3.5 of [RFC7231].  The intent of this value is to enable cloud applications to perform matching of language tags [RFC4647] to the user's language preferences, regardless of what may be indicated by a user agent (which might be shared), or in an interaction that does not involve a user (such as in a delegated OAuth 2.0 [RFC6749] style interaction) where normal HTTP Accept-Language header negotiation cannot take place.","type":"string","enum":["en","sv","fi"]},"active":{"description":"A Boolean value indicating the user's administrative status. The definitive meaning of this attribute is determined by the service provider. As a typical example, a value of true implies that the user is able to log in, while a value of false implies that the user's account has been suspended.","type":"boolean"},"password":{"writeOnly":true,"description":"This attribute is intended to be used as a means to set, replace, or compare (i.e., filter for equality) a password.  The cleartext value or the hashed value of a password SHALL NOT be returnable by a service provider.  
If a service provider holds the value locally, the value SHOULD be hashed.  When a password is set or changed by the client, the cleartext password SHOULD be processed by the service provider as follows\n<ul>\n  <li>Prepare the cleartext value for international language comparison.  See Section 7.8 of [RFC7644].</li>\n  <li>Validate the value against server password policy.  Note, The definition and enforcement of password policy are beyond the scope of this document.</li>\n  <li>Ensure that the value is encrypted (e.g., hashed).  See Section 9.2 of [RFC7643] for acceptable hashing and encryption handling when storing or persisting for provisioning workflow reasons.</li>\n</ul>\nA service provider that immediately passes the cleartext value on to another system or programming interface MUST pass the value directly over a secured connection (e.g., Transport Layer Security (TLS)).  If the value needs to be temporarily persisted for a period of time (e.g., because of a workflow) before provisioning, then the value MUST be protected by some method, such as encryption.\nTesting for an equality match MAY be supported if there is an existing stored hashed value.  When testing for equality, the service provider\n<ul>\n    <li>Prepares the filter value for international language comparison.  See Section 7.8 of [RFC7644].</li>\n    <li>Generates the salted hash of the filter value and tests for a match with the locally held value.</li>\n</ul>\nThe mutability of the password attribute is \\\"writeOnly\\\", indicating that the value MUST NOT be returned by a service provider in any form (the attribute characteristic \\\"returned\\\" is \\\"never\\\").\n","type":"string","format":"password"},"emails":{"description":"Email addresses for the User.  The value SHOULD be specified according to [RFC5321].  Service providers SHOULD canonicalize the value according to [RFC5321], e.g., \\\"user@company.com\\\" instead of \\\"user@COMPANY.COM\\\".  
Qvalia only allows one email!","type":"array","items":{"properties":{"value":{"description":"should return canonicalized representation of the email value","type":"string","format":"email"}},"required":["value"]}},"phoneNumbers":{"description":"Phone numbers for the user.  The value SHOULD be specified according to the format defined in [RFC3966], e.g., 'tel:+1-201-555-0123'.  Service providers SHOULD canonicalize the value according to [RFC3966] format, when appropriate.  The \\\"display\\\" sub-attribute MAY be used to return the canonicalized representation of the phone number value.  Qvalia only allows one phone number!","type":"array","items":{"properties":{"value":{"description":"should return canonicalized representation of the phone value","type":"string","format":"string"}}}}},"required":["userName"]},"Resource":{"type":"object","description":"The resource is the base class to represent the entities of this RBAC REST API. It holds the attributes necessary for all actual resources (User, Group, Role, etc.).","properties":{"schemas":{"description":"The schema(s) involved in the SCIM resource.","type":"array","items":{"type":"string"}},"id":{"type":"string","format":"email","description":"A unique identifier for a SCIM resource as defined by the service provider.  Each representation of the resource MUST include a non-empty \\\"id\\\" value.  This identifier MUST be unique across the SCIM service provider's entire set of resources.  It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests.  The value of the \\\"id\\\" attribute is always issued by the service provider and MUST NOT be specified by the client.  The string \\\"bulkId\\\" is a reserved keyword and MUST NOT be used within any unique identifier value.  The attribute characteristics are \\\"caseExact\\\" as \\\"true\\\", a mutability of \\\"readOnly\\\", and a \\\"returned\\\" characteristic of \\\"always\\\".  
See [Section 9 RFC7643](https://www.rfc-editor.org/rfc/rfc7643.html#section-9) for additional considerations regarding privacy."}},"required":["id","schemas"]},"Error":{"type":"object","properties":{"status":{"type":"string"},"type":{"type":"string"},"data":{"type":"string"},"metadata":{"type":"object","properties":{}}}}}},"paths":{"/scim/v2/{accountRegNo}/Users/{id}":{"get":{"tags":["User"],"summary":"Get user by Id","description":"Finds a single User by its id attribute. Returned attributes might be specified or restricted with the query parameter attributes or excludedAttributes. Some attributes might not be readable according their schema definition.","operationId":"getUserById","parameters":[{"name":"id","in":"path","description":"Reference to the resouce which should be queried","required":true,"schema":{"type":"string","format":"uuid"}},{"in":"query","name":"attributes","schema":{"type":"string"},"description":"A multi-valued list of strings indicating the names of resource attributes to return in the response, overriding the set of attributes that would be returned by default.  Attribute names MUST be in standard attribute notation (see [Section 3.10 of RFC7644](https://www.rfc-editor.org/rfc/rfc7644#section-3.10)) form. See [Section 3.9 of RFC7644](https://www.rfc-editor.org/rfc/rfc7644#section-3.9) for additional retrieval query parameters."},{"in":"query","name":"excludedAttributes","schema":{"type":"string"},"description":"A multi-valued list of strings indicating the names of resource attributes to be removed from the default set of attributes to return.  This parameter SHALL have no effect on attributes whose schema \\\"returned\\\" setting is \\\"always\\\" (see Sections [2.2](https://www.rfc-editor.org/rfc/rfc7644#section-2.2) and [7](https://www.rfc-editor.org/rfc/rfc7644#section-7) of RFC7644).  Attribute names MUST be in standard attribute notation ([Section 3.10 of RFC7644](https://www.rfc-editor.org/rfc/rfc7644#section-3.10)) form.  
See [Section 3.9 of RFC7644](https://www.rfc-editor.org/rfc/rfc7644#section-3.9) for additional retrieval query parameters."}],"responses":{"200":{"description":"Success - User found","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/User"}}}},"400":{"description":"Bad request - See scimType for further information","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401":{"description":"Unauthorized - Authentication failed try again with a valid authentication","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403":{"description":"Forbidden - Authentication was successful but the user is not authorized","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"404":{"description":"Not found - No resource with provided Id","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500":{"description":"Internal server error - Implementers provide a descriptive debugging advice","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}}}}}
```

## Update user by Id

> Updates an existing User. Unset required attributes might lead to assertions or insertion of default values. Read-only attributes are ignored. The query parameters attributes and excludedAttributes refer to the response upon success.

```json
{"openapi":"3.0.2","info":{"title":"Qvalia SCIM API","version":"1.0.0"},"tags":[{"name":"User","description":"HTTP methods with User resource(s)"}],"servers":[{"url":"https://api-qa.qvalia.com"},{"url":"https://api.qvalia.com"}],"security":[{"api_key":[]},{"jwt":[]}],"components":{"securitySchemes":{"api_key":{"type":"apiKey","name":"Authorization","in":"header"},"jwt":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"JWT-based authentication. The Authorization header must be set as:\nAuthorization: Bearer <token>\n"}},"schemas":{"User":{"allOf":[{"$ref":"#/components/schemas/Resource"}],"description":"SCIM provides a resource type for \\\"User\\\" resources.  The core schema for \\\"User\\\" is identified using the following schema URI \\\"urn:ietf:params:scim:schemas:core:2.0:User\\\".  The following attributes are defined in addition to the core schema attributes","properties":{"userName":{"description":"A service provider's unique identifier for the user, typically used by the user to directly authenticate to the service provider. Often displayed to the user as their unique identifier within the system (as opposed to \\\"id\\\" or \\\"externalId\\\", which are generally opaque and not user-friendly identifiers).  Each User MUST include a non-empty userName value.  This identifier MUST be unique across the service provider's entire set of Users.  This attribute is REQUIRED and is case insensitive.","type":"string"},"name":{"description":"The components of the user's name.  
Qvalia only allows the full formatted name once!","type":"array","items":{"properties":{"formatted":{"description":"The full name, including all middle names, titles, and suffixes as appropriate, formatted for display (e.g., \\\"Jane Doe\\\").","type":"string"}}}},"title":{"description":"The user's title, such as \\\"IT Architect\\\".","type":"string"},"userType":{"description":"Used to identify the permission in Qvalia account.","type":"string","pattern":"^(viewer|user|admin)$","enum":["viewer","user","admin"]},"preferredLanguage":{"description":"Indicates the user's preferred written or spoken languages and is generally used for selecting a localized user interface.  The value indicates the set of natural languages that are preferred. The format of the value is the same as the HTTP Accept-Language header field (not including \\\"Accept-Language:\\\") and is specified in Section 5.3.5 of [RFC7231].  The intent of this value is to enable cloud applications to perform matching of language tags [RFC4647] to the user's language preferences, regardless of what may be indicated by a user agent (which might be shared), or in an interaction that does not involve a user (such as in a delegated OAuth 2.0 [RFC6749] style interaction) where normal HTTP Accept-Language header negotiation cannot take place.","type":"string","enum":["en","sv","fi"]},"active":{"description":"A Boolean value indicating the user's administrative status. The definitive meaning of this attribute is determined by the service provider. As a typical example, a value of true implies that the user is able to log in, while a value of false implies that the user's account has been suspended.","type":"boolean"},"password":{"writeOnly":true,"description":"This attribute is intended to be used as a means to set, replace, or compare (i.e., filter for equality) a password.  The cleartext value or the hashed value of a password SHALL NOT be returnable by a service provider.  
If a service provider holds the value locally, the value SHOULD be hashed.  When a password is set or changed by the client, the cleartext password SHOULD be processed by the service provider as follows\n<ul>\n  <li>Prepare the cleartext value for international language comparison.  See Section 7.8 of [RFC7644].</li>\n  <li>Validate the value against server password policy.  Note, The definition and enforcement of password policy are beyond the scope of this document.</li>\n  <li>Ensure that the value is encrypted (e.g., hashed).  See Section 9.2 of [RFC7643] for acceptable hashing and encryption handling when storing or persisting for provisioning workflow reasons.</li>\n</ul>\nA service provider that immediately passes the cleartext value on to another system or programming interface MUST pass the value directly over a secured connection (e.g., Transport Layer Security (TLS)).  If the value needs to be temporarily persisted for a period of time (e.g., because of a workflow) before provisioning, then the value MUST be protected by some method, such as encryption.\nTesting for an equality match MAY be supported if there is an existing stored hashed value.  When testing for equality, the service provider\n<ul>\n    <li>Prepares the filter value for international language comparison.  See Section 7.8 of [RFC7644].</li>\n    <li>Generates the salted hash of the filter value and tests for a match with the locally held value.</li>\n</ul>\nThe mutability of the password attribute is \\\"writeOnly\\\", indicating that the value MUST NOT be returned by a service provider in any form (the attribute characteristic \\\"returned\\\" is \\\"never\\\").\n","type":"string","format":"password"},"emails":{"description":"Email addresses for the User.  The value SHOULD be specified according to [RFC5321].  Service providers SHOULD canonicalize the value according to [RFC5321], e.g., \\\"user@company.com\\\" instead of \\\"user@COMPANY.COM\\\".  
Qvalia only allows one email!","type":"array","items":{"properties":{"value":{"description":"should return canonicalized representation of the email value","type":"string","format":"email"}},"required":["value"]}},"phoneNumbers":{"description":"Phone numbers for the user.  The value SHOULD be specified according to the format defined in [RFC3966], e.g., 'tel:+1-201-555-0123'.  Service providers SHOULD canonicalize the value according to [RFC3966] format, when appropriate.  The \\\"display\\\" sub-attribute MAY be used to return the canonicalized representation of the phone number value.  Qvalia only allows one phone number!","type":"array","items":{"properties":{"value":{"description":"should return canonicalized representation of the phone value","type":"string","format":"string"}}}}},"required":["userName"]},"Resource":{"type":"object","description":"The resource is the base class to represent the entities of this RBAC REST API. It holds the attributes necessary for all actual resources (User, Group, Role, etc.).","properties":{"schemas":{"description":"The schema(s) involved in the SCIM resource.","type":"array","items":{"type":"string"}},"id":{"type":"string","format":"email","description":"A unique identifier for a SCIM resource as defined by the service provider.  Each representation of the resource MUST include a non-empty \\\"id\\\" value.  This identifier MUST be unique across the SCIM service provider's entire set of resources.  It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests.  The value of the \\\"id\\\" attribute is always issued by the service provider and MUST NOT be specified by the client.  The string \\\"bulkId\\\" is a reserved keyword and MUST NOT be used within any unique identifier value.  The attribute characteristics are \\\"caseExact\\\" as \\\"true\\\", a mutability of \\\"readOnly\\\", and a \\\"returned\\\" characteristic of \\\"always\\\".  
See [Section 9 RFC7643](https://www.rfc-editor.org/rfc/rfc7643.html#section-9) for additional considerations regarding privacy."}},"required":["id","schemas"]},"Error":{"type":"object","properties":{"status":{"type":"string"},"type":{"type":"string"},"data":{"type":"string"},"metadata":{"type":"object","properties":{}}}}}},"paths":{"/scim/v2/{accountRegNo}/Users/{id}":{"put":{"tags":["User"],"summary":"Update user by Id","description":"Updates a present User. Unset required attributes might lead to assertions or insertion of default values. Readonly attributes are ignored. The query parameters attribues and excludedAttributes refer to the response upon success.","operationId":"updateUserById","parameters":[{"name":"id","in":"path","description":"Reference to the resouce which requires an update","required":true,"schema":{"type":"string","format":"uuid"}},{"in":"query","name":"attributes","schema":{"type":"string"},"description":"A multi-valued list of strings indicating the names of resource attributes to return in the response, overriding the set of attributes that would be returned by default.  Attribute names MUST be in standard attribute notation (see [Section 3.10 of RFC7644](https://www.rfc-editor.org/rfc/rfc7644#section-3.10)) form. See [Section 3.9 of RFC7644](https://www.rfc-editor.org/rfc/rfc7644#section-3.9) for additional retrieval query parameters."},{"in":"query","name":"excludedAttributes","schema":{"type":"string"},"description":"A multi-valued list of strings indicating the names of resource attributes to be removed from the default set of attributes to return.  This parameter SHALL have no effect on attributes whose schema \\\"returned\\\" setting is \\\"always\\\" (see Sections [2.2](https://www.rfc-editor.org/rfc/rfc7644#section-2.2) and [7](https://www.rfc-editor.org/rfc/rfc7644#section-7) of RFC7644).  Attribute names MUST be in standard attribute notation ([Section 3.10 of RFC7644](https://www.rfc-editor.org/rfc/rfc7644#section-3.10)) form.  
See [Section 3.9 of RFC7644](https://www.rfc-editor.org/rfc/rfc7644#section-3.9) for additional retrieval query parameters."}],"requestBody":{"description":"Content for updating an existent user by Id","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/User"}}}},"responses":{"200":{"description":"Success - User updated","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/User"}}}},"400":{"description":"Bad request - See scimType for further information","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401":{"description":"Unauthorized - Authentication failed try again with a valid authentication","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403":{"description":"Forbidden - Authentication was successful but the user is not authorized","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"404":{"description":"Not found - No resource with provided Id","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"409":{"description":"Conflict - Outdated version number or refusal of Service Provider to create a duplicate","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500":{"description":"Internal server error - Implementers provide a descriptive debugging advice","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}}}}}
```
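The `password` description in the User schema above lists the steps a service provider takes when a password is set (prepare, validate against policy, hash) and when it is tested for equality, and marks the attribute as never returned. The sketch below is an added example of that handling, not Qvalia's code: NFC normalization with space mapping stands in for the preparation step of Section 7.8 of RFC 7644, and the minimum length, the PBKDF2-HMAC-SHA256 parameters and the `passwordHash` field name are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 600_000  # assumed work factor, not taken from the Qvalia docs
MIN_LENGTH = 12              # hypothetical policy; the schema leaves policy to the server


def prepare(cleartext: str) -> str:
    """Simplified stand-in for the 'international language comparison' step:
    map Unicode space separators to U+0020, reject control characters, apply NFC."""
    mapped = "".join(" " if unicodedata.category(c) == "Zs" else c for c in cleartext)
    if not mapped or any(unicodedata.category(c) == "Cc" for c in mapped):
        raise ValueError("password is empty or contains control characters")
    return unicodedata.normalize("NFC", mapped)


def _derive(prepared: str, salt: bytes, iterations: int) -> bytes:
    # Salted, deliberately slow hash of the prepared value.
    return hashlib.pbkdf2_hmac("sha256", prepared.encode("utf-8"), salt, iterations)


def set_password(cleartext: str) -> dict:
    """Set/change: prepare, validate against policy, keep only salt and salted hash."""
    prepared = prepare(cleartext)
    if len(prepared) < MIN_LENGTH:
        raise ValueError("password does not meet server policy")
    salt = os.urandom(16)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": _derive(prepared, salt, PBKDF2_ITERATIONS)}


def password_equals(filter_value: str, stored: dict) -> bool:
    """Equality test: prepare the filter value, salt-hash it, compare in constant time."""
    try:
        prepared = prepare(filter_value)
    except ValueError:
        return False
    candidate = _derive(prepared, stored["salt"], stored["iterations"])
    return hmac.compare_digest(candidate, stored["hash"])


def to_scim_response(record: dict) -> dict:
    """writeOnly / returned "never": drop the password and its stored hash."""
    return {k: v for k, v in record.items() if k not in ("password", "passwordHash")}


if __name__ == "__main__":
    # Constructed sample record; the values are illustrative only.
    record = {"userName": "jane@example.com", "userType": "viewer",
              "passwordHash": set_password("cafe\u0301 correct horse")}
    # Decomposed and precomposed forms of the same password compare equal.
    print(password_equals("caf\u00e9 correct horse", record["passwordHash"]))
    print(sorted(to_scim_response(record)))
```
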

## Delete user by Id

> Deletes an existing User. After successful deletion, subsequent requests for that resource return HTTP status code 404.

```json
{"openapi":"3.0.2","info":{"title":"Qvalia SCIM API","version":"1.0.0"},"tags":[{"name":"User","description":"HTTP methods with User resource(s)"}],"servers":[{"url":"https://api-qa.qvalia.com"},{"url":"https://api.qvalia.com"}],"security":[{"api_key":[]},{"jwt":[]}],"components":{"securitySchemes":{"api_key":{"type":"apiKey","name":"Authorization","in":"header"},"jwt":{"type":"http","scheme":"bearer","bearerFormat":"JWT","description":"JWT-based authentication. The Authorization header must be set as:\nAuthorization: Bearer <token>\n"}},"schemas":{"Error":{"type":"object","properties":{"status":{"type":"string"},"type":{"type":"string"},"data":{"type":"string"},"metadata":{"type":"object","properties":{}}}}}},"paths":{"/scim/v2/{accountRegNo}/Users/{id}":{"delete":{"tags":["User"],"summary":"Delete user by Id","description":"Deletes a present User. For subsequent requests on that resource and after successful deletion, a HTTP status code 404 is returned.","operationId":"deleteUserByID","parameters":[{"name":"id","in":"path","description":"Reference to the resouce which should be deleted","required":true,"schema":{"type":"string","format":"uuid"}}],"responses":{"204":{"description":"Success - User deleted"},"400":{"description":"Bad request - See scimType for further information","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401":{"description":"Unauthorized - Authentication failed try again with a valid authentication","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403":{"description":"Forbidden - Authentication was successful but the user is not authorized","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"404":{"description":"Not found - No resource with provided Id","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"409":{"description":"Conflict - Outdated version number or refusal of Service Provider to 
create a duplicate","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"412":{"description":"Precondition failed - Failed to update. Resource has changed on the server.","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500":{"description":"Internal server error - Implementers provide a descriptive debugging advice","content":{"application/scim+json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}}}}}
```


