Tugboat Logic SCIM guide

Vanta supports SCIM 2.0 for automated user provisioning, but only on Enterprise plans starting at $49,000-$80,000+ per year. While SCIM works well with major identity providers (Okta, Entra ID, Google Workspace), it comes with significant operational constraints: once enabled, SCIM becomes the sole source of truth for user management, and any personnel not provisioned via SCIM are converted to manual entries that must be managed separately. For compliance platforms like Vanta, this creates a particularly thorny problem. Organizations need comprehensive user coverage to demonstrate access controls for audits, but the Enterprise pricing threshold means smaller companies often rely on manual provisioning or JIT (which only creates accounts when users first log in). This gaps in user lifecycle management create compliance blind spots and administrative overhead that defeats the purpose of using an automated compliance platform.

Amplitude supports SCIM provisioning, but only on Growth plans (starting around $36K/year) or Enterprise plans with custom pricing. While Amplitude's SCIM implementation covers the core functionality—creating, updating, and deactivating users—it requires SCIM to be specifically enabled for your organization, and regenerating the SCIM key immediately invalidates existing integrations without warning. For product teams on Plus plans ($49/month), upgrading to Growth just to unlock SCIM means jumping from under $600/year to $36,000+/year—a 60x increase. That's often more than the entire analytics budget for smaller product teams. The gap becomes particularly problematic for cross-functional product teams where analysts, PMs, and engineers need varying levels of access to user behavior data, but manual provisioning creates security risks around sensitive analytics permissions.

Bill.com offers inconsistent SCIM provisioning support that varies dramatically by identity provider. While Okta users can access SCIM provisioning through the OIN integration, Bill.com doesn't publish native SCIM documentation, and other IdPs like Entra ID are limited to SAML SSO only. This fragmented approach means your provisioning capabilities depend entirely on your IdP choice rather than Bill.com's platform features. For finance teams managing sensitive AP/AR workflows where user access directly impacts invoice approvals and payment processing, this inconsistency creates operational gaps—especially when onboarding new controllers, AP clerks, or accountants requires manual role assignment tied to spending limits and approval hierarchies. The real problem is that Bill.com gates all SSO functionality behind Enterprise plans with custom pricing (typically 2-3x their Corporate plan at $79/user/month), yet still provides no clear path to automated provisioning for most customers. Since financial systems require precise role-based access controls for SOX compliance and segregation of duties, manual user management creates both security risks and administrative overhead. When employees change departments or leave the company, orphaned accounts in payment systems pose significant financial and compliance risks that manual processes often miss.