Skip to content

Update reference to include migration guide for scim virtual groups #25437

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: production
Choose a base branch
from
Open

Update reference to include migration guide for scim virtual groups #25437

wants to merge 1 commit into from
+50 −0

Conversation

AdamBouhmad
Copy link
Contributor

Summary

Migration guide for customers who want to migrate from our old SCIM implementation using Virtual Groups

Documentation checklist

@AdamBouhmad AdamBouhmad requested review from dcpena and a team as code owners September 26, 2025 00:16
dcpena
dcpena reviewed Sep 26, 2025
View reviewed changes
src/content/docs/fundamentals/reference/migration-guides/scim-virtual-groups-migration.mdx
Cloudflare's first iteration of [SCIM integration](/scim/) introduced a concept called *Virtual Groups*, typically identified by the pattern `CF-<accountID>-<Role Name>` in your IdP. Virtual Groups were an early implementation of group-based access control: they acted as placeholders created automatically by SCIM to map IdP groups to account memberships.

While customers could add or remove members from these groups within their IdP, Virtual Groups had important limitations:
- They could not be renamed or deleted in the IdP
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- They could not be renamed or deleted in the IdP
- They could not be renamed or deleted in the IdP.

src/content/docs/fundamentals/reference/migration-guides/scim-virtual-groups-migration.mdx

While customers could add or remove members from these groups within their IdP, Virtual Groups had important limitations:
- They could not be renamed or deleted in the IdP
- They could not be managed within Cloudflare
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- They could not be managed within Cloudflare
- They could not be managed within Cloudflare.

src/content/docs/fundamentals/reference/migration-guides/scim-virtual-groups-migration.mdx
While customers could add or remove members from these groups within their IdP, Virtual Groups had important limitations:
- They could not be renamed or deleted in the IdP
- They could not be managed within Cloudflare
- Functionally, managing a Virtual Group was equivalent to syncing users and editing each member’s policies individually
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Functionally, managing a Virtual Group was equivalent to syncing users and editing each member’s policies individually
- Functionally, managing a Virtual Group was equivalent to syncing users and editing each member’s policies individually.

src/content/docs/fundamentals/reference/migration-guides/scim-virtual-groups-migration.mdx
- They could not be managed within Cloudflare
- Functionally, managing a Virtual Group was equivalent to syncing users and editing each member’s policies individually

With the GA of [User Groups](https://developers.cloudflare.com/changelog/2025-06-23-user-groups-ga/), Virtual Groups are now deprecated. Customers should migrate to User Groups, which provide a more flexible and scalable way to assign and manage policies. To maintain SCIM synchronization with the Cloudflare Dashboard, we strongly recommend migrating to **SCIM User Groups**.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
With the GA of [User Groups](https://developers.cloudflare.com/changelog/2025-06-23-user-groups-ga/), Virtual Groups are now deprecated. Customers should migrate to User Groups, which provide a more flexible and scalable way to assign and manage policies. To maintain SCIM synchronization with the Cloudflare Dashboard, we strongly recommend migrating to **SCIM User Groups**.
With the GA of [User Groups](https://developers.cloudflare.com/changelog/2025-06-23-user-groups-ga/), Virtual Groups are now deprecated. Customers should migrate to [User Groups](/fundamentals/manage-members/user-groups/), which provide a more flexible and scalable way to assign and manage policies. To maintain SCIM synchronization with the Cloudflare Dashboard, we strongly recommend migrating to **SCIM User Groups**.

src/content/docs/fundamentals/reference/migration-guides/scim-virtual-groups-migration.mdx

## Migration steps

1. **Create a new SCIM integration** in your IdP using an [Account Owned Token](/scim/authentication/) provisioned in Cloudflare
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
1. **Create a new SCIM integration** in your IdP using an [Account Owned Token](/scim/authentication/) provisioned in Cloudflare
1. **Create a new SCIM integration** in your IdP using an [Account Owned Token](/scim/authentication/) provisioned in Cloudflare.

src/content/docs/fundamentals/reference/migration-guides/scim-virtual-groups-migration.mdx
3. **Sync groups to Cloudflare** and verify they appear in the **User Groups** pane of the Cloudflare Dashboard
4. **Attach permission policies** to the new User Groups so members inherit the correct access upon assignment to the group
5. **Migrate users** into the new groups incrementally, testing synchronization of users & groups into the Cloudflare Dashboard
6. **Clean up legacy resources** by removing SCIM v1 Virtual Groups and IdP mappings that follow the `CF-<accountID>-<Role Name>` pattern
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
6. **Clean up legacy resources** by removing SCIM v1 Virtual Groups and IdP mappings that follow the `CF-<accountID>-<Role Name>` pattern
6. **Clean up legacy resources** by removing SCIM v1 Virtual Groups and IdP mappings that follow the `CF-<accountID>-<Role Name>` pattern.

src/content/docs/fundamentals/reference/migration-guides/scim-virtual-groups-migration.mdx

## More resources

* [User Groups changelog](https://developers.cloudflare.com/changelog/2025-06-02-user-groups-beta/)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* [User Groups changelog](https://developers.cloudflare.com/changelog/2025-06-02-user-groups-beta/)
* [User Groups changelog](/changelog/2025-06-02-user-groups-beta/)

src/content/docs/fundamentals/reference/migration-guides/scim-virtual-groups-migration.mdx
## More resources

* [User Groups changelog](https://developers.cloudflare.com/changelog/2025-06-02-user-groups-beta/)
* [User Groups documentation](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* [User Groups documentation](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/)
* [User Groups documentation](/fundamentals/manage-members/user-groups/)

src/content/docs/fundamentals/reference/migration-guides/scim-virtual-groups-migration.mdx

* [User Groups changelog](https://developers.cloudflare.com/changelog/2025-06-02-user-groups-beta/)
* [User Groups documentation](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/)
* [Create an Account Owned Token](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/#create-an-account-owned-token)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* [Create an Account Owned Token](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/#create-an-account-owned-token)
* [Create an Account Owned Token](/fundamentals/api/get-started/account-owned-tokens/#create-an-account-owned-token)

src/content/docs/fundamentals/reference/migration-guides/scim-virtual-groups-migration.mdx
* [User Groups changelog](https://developers.cloudflare.com/changelog/2025-06-02-user-groups-beta/)
* [User Groups documentation](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/)
* [Create an Account Owned Token](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/#create-an-account-owned-token)
* [SCIM provisioning setup guide](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* [SCIM provisioning setup guide](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/)
* [SCIM provisioning setup guide](/fundamentals/account/account-security/scim-setup/)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dcpena dcpena dcpena left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@dcpena dcpena

Labels
product:fundamentals September 2025 size/s
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AdamBouhmad @dcpena