Summary and recommendation
Rubrik exposes two distinct API surfaces that must be treated separately.
CDM (on-premises clusters) uses a versioned REST API at `https://{cluster-hostname}/api/v1`;
Rubrik Security Cloud (RSC/SaaS) uses GraphQL exclusively at `https://{rsc-account}.my.rubrik.com/api` - there is no REST user management endpoint for RSC.
Authentication also diverges: CDM accepts Basic Auth or session tokens via `POST /api/v1/session`;
RSC requires OAuth 2.0 `client_credentials` flow using a service account JSON credential file to obtain a Bearer token.
For teams building identity graph integrations or connecting Rubrik into a broader access management pipeline, SCIM 2.0 is available on RSC at `https://{rsc-account}.my.rubrik.com/scim/v2` and supports full user and group lifecycle operations.
SCIM is RSC-only and requires the Enterprise plan;
it is not available on CDM clusters.
An MCP server with 60+ deep IT/identity integrations can surface Rubrik user and role data alongside the rest of your identity graph without requiring custom GraphQL query development per environment.
API quick reference
| Has user API | Yes |
| Auth method | Service Account (OAuth 2.0 client_credentials) for Rubrik Security Cloud; username/password Basic Auth or API token for CDM REST API |
| Base URL | Official docs |
| SCIM available | Yes |
| SCIM plan required | Enterprise |
Authentication
Auth method: Service Account (OAuth 2.0 client_credentials) for Rubrik Security Cloud; username/password Basic Auth or API token for CDM REST API
Setup steps
- For Rubrik Security Cloud (RSC): Navigate to RSC > Settings > Service Accounts, create a service account, download the JSON credentials file containing client_id and client_secret.
- POST to https://{rsc-account}.my.rubrik.com/api/client_token with client_id and client_secret to obtain a Bearer access token.
- For CDM REST API: POST to https://{cluster}/api/v1/session with username/password to obtain a session token, or generate an API token from the CDM UI under User Settings.
- Include the token in subsequent requests as Authorization: Bearer {token}.
Required scopes
| Scope | Description | Required for |
|---|---|---|
| Administrator role | Full access to user management operations including create, update, delete users. | All user CRUD operations on CDM |
| Service Account with Global Admin role | Required for RSC API calls that manage users and roles. | RSC user management via GraphQL or SCIM |
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| id | string | Unique user identifier (UUID) | system-generated | immutable | |
| username | string | Login username / email address | required | supported | Must be unique within the cluster or RSC account |
| password | string | User password (CDM only) | required for local users | supported | Not returned in GET responses |
| firstName | string | User's first name | optional | supported | |
| lastName | string | User's last name | optional | supported | |
| emailAddress | string | Email address for notifications | optional | supported | |
| roleIds | array[string] | List of role IDs assigned to the user | required | supported | Roles define permissions; at least one role required |
| authDomainId | string | Authentication domain (local, LDAP, SSO) | required | immutable | Use 'local' for local accounts |
| status | string | Account status: active or disabled | defaults to active | supported | |
| totpEnabled | boolean | Whether TOTP MFA is enabled for the user | optional | supported | CDM only |
| isHidden | boolean | Whether user is hidden from UI listings | optional | supported | CDM only |
| lockoutState | string | Account lockout state | n/a | read-only | CDM only |
Core endpoints
List users (CDM)
- Method: GET
- URL:
https://{cluster}/api/v1/principal?auth_domain_id={id}&name={query} - Watch out for: Returns principals (users + groups). Filter by principalType=User to isolate users.
Request example
GET /api/v1/principal?auth_domain_id=local HTTP/1.1
Authorization: Bearer {token}
Response example
{
"hasMore": false,
"total": 2,
"data": [
{"id":"abc-123","username":"admin","authDomainId":"local"}
]
}
Get user by ID (CDM)
- Method: GET
- URL:
https://{cluster}/api/v1/user/{id} - Watch out for: Password field is never returned.
Request example
GET /api/v1/user/abc-123 HTTP/1.1
Authorization: Bearer {token}
Response example
{
"id": "abc-123",
"username": "jdoe",
"emailAddress": "jdoe@example.com",
"authDomainId": "local"
}
Create user (CDM)
- Method: POST
- URL:
https://{cluster}/api/v1/user - Watch out for: authDomainId must match an existing domain; local domain ID varies per cluster.
Request example
POST /api/v1/user HTTP/1.1
Content-Type: application/json
{
"username":"jdoe",
"password":"S3cur3!",
"authDomainId":"local",
"roleIds":["role-uuid"]
}
Response example
{
"id": "new-uuid",
"username": "jdoe",
"authDomainId": "local"
}
Update user (CDM)
- Method: PATCH
- URL:
https://{cluster}/api/v1/user/{id} - Watch out for: Cannot change authDomainId after creation.
Request example
PATCH /api/v1/user/abc-123 HTTP/1.1
Content-Type: application/json
{
"emailAddress": "newemail@example.com"
}
Response example
{
"id": "abc-123",
"username": "jdoe",
"emailAddress": "newemail@example.com"
}
Delete user (CDM)
- Method: DELETE
- URL:
https://{cluster}/api/v1/user/{id} - Watch out for: Cannot delete the last administrator account.
Request example
DELETE /api/v1/user/abc-123 HTTP/1.1
Authorization: Bearer {token}
Response example
HTTP 204 No Content
List roles (CDM)
- Method: GET
- URL:
https://{cluster}/api/v1/role - Watch out for: Role IDs are required when creating or updating users.
Request example
GET /api/v1/role HTTP/1.1
Authorization: Bearer {token}
Response example
{
"data": [
{"roleId":"role-uuid","name":"Administrator","description":"Full access"}
]
}
Assign role to user (CDM)
- Method: POST
- URL:
https://{cluster}/api/v1/authorization/role/{roleId}/principals - Watch out for: Role assignment is separate from user creation on some CDM versions.
Request example
POST /api/v1/authorization/role/role-uuid/principals HTTP/1.1
Content-Type: application/json
{
"principals": ["user-uuid"]
}
Response example
HTTP 204 No Content
Get current user session (CDM)
- Method: GET
- URL:
https://{cluster}/api/v1/session - Watch out for: CDM session tokens expire; default expiration is configurable in cluster settings.
Request example
GET /api/v1/session HTTP/1.1
Authorization: Bearer {token}
Response example
{
"id": "session-uuid",
"userId": "user-uuid",
"expiration": "2024-12-31T23:59:59Z"
}
Rate limits, pagination, and events
Rate limits: Rubrik does not publicly document specific rate limit thresholds in official docs. CDM REST API enforces concurrent session limits per node.
Rate-limit headers: No
Retry-After header: No
Rate-limit notes: No explicit rate limit values or headers documented publicly. Rubrik recommends limiting concurrent API calls to avoid cluster performance impact.
Pagination method: cursor
Default page size: 50
Max page size: 1000
Pagination pointer: after (cursor-based for RSC GraphQL); limit + offset for CDM REST v1
Webhooks available: No
Webhook notes: Rubrik does not expose native outbound webhooks for user management events in publicly documented APIs. RSC supports event-based notifications via Radar and Sonar alerts but not user lifecycle webhooks.
Alternative event strategy: Poll the /api/v1/user or RSC GraphQL endpoints periodically, or use SCIM provisioning from an IdP for automated lifecycle management.
SCIM API status
SCIM available: Yes
SCIM version: 2.0
Plan required: Enterprise
Endpoint: https://{rsc-account}.my.rubrik.com/scim/v2
Supported operations: GET /Users, GET /Users/{id}, POST /Users, PUT /Users/{id}, PATCH /Users/{id}, DELETE /Users/{id}, GET /Groups, POST /Groups, PATCH /Groups/{id}, DELETE /Groups/{id}
Limitations:
- SCIM is available only on Rubrik Security Cloud (RSC/SaaS); not available on CDM on-premises clusters.
- Requires Enterprise plan.
- SCIM token is generated within RSC Settings and must be provided as Bearer token to the IdP connector.
- Group push maps to RSC roles; role names must match exactly.
- IdP-managed users cannot be modified directly in RSC UI once SCIM is active.
Common scenarios
Three automation scenarios cover the majority of production use cases:
Provision a local CDM user with a role: GET /api/v1/role to resolve the target roleId, GET /api/v1/auth_domain to capture the local authDomainId, then POST /api/v1/user with username, password, authDomainId, and roleIds.
Role IDs and authDomainId are cluster-specific UUIDs - never hardcode them across environments;
always look them up dynamically.
Enable SCIM from an IdP to RSC: Generate a SCIM token in RSC Settings > Users > SCIM, configure the IdP connector with the base URL and Bearer token, then map IdP groups to RSC role names.
Role name matching is exact and case-sensitive;
mismatches silently fail to assign roles without surfacing an error.
Deactivate a CDM user without deletion: GET /api/v1/principal?name={username} to resolve the UUID, then PATCH /api/v1/user/{id} with {"status": "disabled"}.
Full removal uses DELETE /api/v1/user/{id}, but note that active sessions persist until their configured TTL expires - force invalidation via DELETE /api/v1/session/{sessionId} if immediate revocation is required.
Provision a new local user with a specific role on CDM
- GET /api/v1/role to retrieve available roles and capture the target roleId.
- GET /api/v1/auth_domain to retrieve the local authDomainId.
- POST /api/v1/user with username, password, authDomainId, and roleIds array.
- Verify creation with GET /api/v1/user/{newUserId}.
Watch out for: Role IDs and authDomainId are cluster-specific; do not hardcode across environments.
Enable SCIM provisioning from an IdP to Rubrik Security Cloud
- Log in to RSC as Global Admin, navigate to Settings > Users > SCIM.
- Generate a SCIM token and copy the SCIM base URL (https://{account}.my.rubrik.com/scim/v2).
- In the IdP (e.g., Okta), add a SCIM 2.0 app, enter the base URL and Bearer token.
- Map IdP groups to RSC roles ensuring group names match RSC role names exactly.
- Assign users/groups in the IdP and verify provisioning via GET /scim/v2/Users.
Watch out for: RSC role names must match IdP group names exactly; mismatches silently fail to assign roles.
Deactivate a user account on CDM
- GET /api/v1/principal?name={username} to resolve the user's UUID.
- PATCH /api/v1/user/{id} with body {"status": "disabled"} to deactivate without deleting.
- Optionally DELETE /api/v1/user/{id} for full removal.
- Note: active sessions persist until TTL expiry; force session invalidation if required via DELETE /api/v1/session/{sessionId}.
Watch out for: Disabling does not immediately terminate active sessions on CDM.
Why building this yourself is a trap
The most common integration failure is conflating the CDM and RSC API surfaces. CDM REST endpoints do not exist on RSC; RSC requires GraphQL mutations (createUser, deleteUser) or SCIM - attempting REST calls against RSC will fail silently or return unexpected errors.
Two additional traps affect production reliability. First, CDM session tokens have a configurable idle timeout; long-running automation that does not proactively refresh tokens will encounter mid-run authentication failures.
Second, the /api/v1/principal list endpoint returns both users and groups - omitting a principalType=User filter will cause automation to process groups as user objects, producing incorrect identity graph state.
On the SCIM side: rotating the SCIM token in RSC requires an immediate update to the IdP connector. Any lag between rotation and connector update breaks provisioning for all users in the pipeline, with no queuing or retry mechanism documented in public sources.
Rubrik does not publish explicit rate limit thresholds or expose rate limit headers, so concurrent API call volume should be kept conservative to avoid cluster performance impact.
Automate Rubrik workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
