Currently, the Okta SCIM Template has a default roles attribute configured to list roles in an array format [role1, role2].
This support article will walk through producing the following roles payload:
    "urn:ietf:params:scim:schemas:core:2.0:User": {
        "roles": [
            {
                "type": "LICENSED_USER",
                "value": "LICENSED_USER"
            },
            {
                "type": "GROUP_ADMIN",
                "value": "GROUP_ADMIN"
            }
        ]
    }
- Set up multi-value roles in SCIM Cloud Provisioning so the downstream application can use them for role-based access.
- Create a custom attribute in the Okta User Profile (under Profile Editor > User (default)); the mapping expression below uses the attribute user.smartsheetLicensedUser.
- Create a custom attribute on the SCIM App (under Profile Editor > SCIM App):
  - For External name, enter roles.^[type=='LICENSED_USER'].value
  - For External namespace, enter urn:ietf:params:scim:schemas:core:2.0:User
- Map the attribute from Okta to the SCIM App (under Mappings > Okta User to SCIM App) with the following expression:
  (user.smartsheetLicensedUser == true) ? 'LICENSED_USER' : ''
- Save the mappings.
- Test that the attribute comes through by using the Preview tool:
  - Set the attribute in the user's profile to True.
  - Using the Preview tool under Mappings, check that the attribute is mapped.
- Test that the attribute is sent downstream to the SCIM App correctly.
Okta Limitation
- Make sure the SCIM App returns both type and value in its response to Okta. Okta looks for these values, and specifically for type, because it looks up roles by type when updating or deleting them.
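As an added example (not Okta's code and not from this article), the following Python simulates both sides of the setup above: the Okta-side evaluation of the mapping expression that produces the roles array, and a SCIM-app-side handler that honours the limitation note by requiring both type and value on every role and by removing roles through a lookup on type. Only smartsheetLicensedUser, the role names and the schema URN come from the article; the second flag smartsheetGroupAdmin, the in-memory store and all function names are assumptions for illustration.

```python
"""Simulation of Okta multi-value role mapping and a SCIM app that consumes it.

Added example, not Okta's or any SCIM app's code. Assumptions (hypothetical):
  - Okta profile flags are named smartsheetLicensedUser (from the article)
    and smartsheetGroupAdmin (invented here for a second role)
  - the downstream SCIM app keeps users in an in-memory dict
"""
from typing import Dict, List

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Okta side: each entry mirrors one Profile Editor mapping of the form
#   (user.<flag> == true) ? '<ROLE>' : ''
# whose result Okta writes to roles.^[type=='<ROLE>'].value.
ROLE_MAPPINGS = {
    "LICENSED_USER": "smartsheetLicensedUser",  # from the article
    "GROUP_ADMIN": "smartsheetGroupAdmin",      # hypothetical second flag
}


def build_scim_roles(okta_user: Dict) -> List[Dict]:
    """Evaluate every mapping the way the Okta expression does and keep only
    the non-empty results, giving the roles array the SCIM app receives."""
    roles = []
    for role_type, flag in ROLE_MAPPINGS.items():
        value = role_type if okta_user.get(flag) is True else ""
        if value:  # an empty string means "no role", so it is dropped
            roles.append({"type": role_type, "value": value})
    return roles


def build_scim_user(okta_user: Dict) -> Dict:
    """Assemble the SCIM core User body Okta would send for this profile."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": okta_user["login"],
        "roles": build_scim_roles(okta_user),
    }


class RoleValidationError(ValueError):
    """Raised when an incoming role cannot be stored safely."""


def validate_roles(roles: List) -> List[Dict]:
    """SCIM-app side check: every role must carry both type and value, and
    types must be unique, because Okta later finds a role by its type when
    it updates or deletes it. Anything else is rejected up front."""
    seen = set()
    clean = []
    for role in roles:
        if not isinstance(role, dict) or not role.get("type") or not role.get("value"):
            raise RoleValidationError(f"role missing type or value: {role!r}")
        if role["type"] in seen:
            raise RoleValidationError(f"duplicate role type: {role['type']}")
        seen.add(role["type"])
        clean.append({"type": role["type"], "value": role["value"]})
    return clean


def scim_put_user(store: Dict, user_id: str, body: Dict) -> Dict:
    """Handle a SCIM PUT from Okta: validate, store, and echo type and value
    back in the response, as the limitation note requires."""
    roles = validate_roles(body.get("roles", []))
    store[user_id] = {"userName": body["userName"], "roles": roles}
    return {"schemas": [SCIM_USER_SCHEMA], "id": user_id, **store[user_id]}


def scim_remove_role(store: Dict, user_id: str, role_type: str) -> Dict:
    """Apply a PATCH remove with path roles[type eq "<role_type>"]. This is
    the lookup-by-type the limitation note refers to: a stored role without
    a type could never be matched and removed."""
    user = store[user_id]
    user["roles"] = [r for r in user["roles"] if r["type"] != role_type]
    return {"schemas": [SCIM_USER_SCHEMA], "id": user_id, **user}


if __name__ == "__main__":
    # Constructed sample profile: licensed user who is also a group admin.
    okta_profile = {"login": "jdoe@example.com",
                    "smartsheetLicensedUser": True,
                    "smartsheetGroupAdmin": True}
    app_store: Dict = {}
    print(scim_put_user(app_store, "u-1", build_scim_user(okta_profile)))
    print(scim_remove_role(app_store, "u-1", "LICENSED_USER"))
```

Running the block as a script prints the stored user with both roles, then the same user after Okta removes LICENSED_USER by type. The validation step is where a SCIM app should fail closed: a role array that arrives without a type can be stored, but it can never be updated or revoked through the type-based lookup, which leaves stale entitlements behind.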