SCIM should own identity-provider driven user and group membership changes, while manual Atlassian cleanup should focus on local product access, local groups, exceptions, evidence, and route-out decisions that SCIM does not resolve by itself.
Why this matters
SCIM is a provisioning control, not a complete cleanup program. It can synchronize users and groups from the identity provider, but admins still need to decide whether local access paths, default groups, stale exceptions, and billable seats are correct.
For an admin weighing SCIM against manual cleanup in Atlassian, the useful answer says what to check now, which rows to hold out, and which proof should survive after the change. That is why this page stays inside a narrow operational boundary instead of becoming a general governance essay.
Working scenario
An organization has SCIM connected to its identity provider, but Jira license spend still rises. Some access comes from synced groups, some from default groups, and some from legacy local groups. The cleanup question is no longer SCIM versus manual; it is which source owns each change.
Use SCIM for authoritative identity changes
When a user or group is controlled by the identity provider, the durable change belongs there. Local edits may be blocked, reversed, or misleading if they do not match the source of truth.
Use manual review for local access paths
Local Atlassian groups, default groups, app access settings, exceptions, and admin decisions still need review. SCIM does not automatically prove that every billable access path is correct.
Separate synced groups from default groups
A synced IdP group and an Atlassian default group can both grant access, but they behave differently. Cleanup must record which one is responsible before any action is assigned.
Record route-outs as first-class outcomes
A routed SCIM case is not a failed cleanup. It is the correct result when the local admin found identity-owned access and handed it to the identity owner with evidence.
Keep billing proof close to the access path
For license cleanup, the useful evidence explains why a user remained billable and what change was approved. SCIM sync state alone usually does not answer that finance question.
Decision table
| Signal | What to verify | Decision or evidence |
|---|---|---|
| User is managed by IdP and group is SCIM-synced | Confirm synced directory, group source, and identity owner. | Route membership changes to the IdP owner and keep route-out evidence. |
| User has local default group access | Check which default group grants product access and why the user entered it. | Review local product-access removal or default-group design. |
| User has both SCIM and local access paths | Identify each path separately and determine which path keeps access or billing active. | Split the case into IdP-owned route-out and local cleanup rows. |
| SCIM user appears inactive | Check identity status, Atlassian access, product access, and local groups. | Do not assume deprovisioning fixed local access; review the billable path. |
| Manual admin wants to override sync | Confirm whether Atlassian allows the edit and whether it will survive the next sync. | Avoid a local workaround unless the identity owner approves the boundary exception. |
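
The decision table above can be applied per access path rather than per user. The following is an added example, not code from this page or from Atlassian: the row fields (`idp_active`, `source`, and so on), group names, and users are constructed for illustration and do not reflect any Atlassian or SCIM schema.

```python
from collections import defaultdict

# Constructed sample rows: one row per access path, not per user.
# Field names are hypothetical, not an Atlassian or SCIM schema.
PATHS = [
    {"user": "ana", "idp_active": True,  "group": "eng-jira",        "source": "scim",    "product": "jira"},
    {"user": "ana", "idp_active": True,  "group": "jira-users",      "source": "default", "product": "jira"},
    {"user": "bo",  "idp_active": False, "group": "legacy-contract", "source": "local",   "product": "jira"},
    {"user": "cy",  "idp_active": True,  "group": "eng-jira",        "source": "scim",    "product": "jira"},
]

def triage(paths):
    """Give each access path an owner and an outcome, following the decision table."""
    sources = defaultdict(set)
    for p in paths:
        sources[p["user"]].add(p["source"])
    rows = []
    for p in paths:
        if p["source"] == "scim":
            owner, outcome = "idp", "route-out"       # durable change belongs in the IdP
        else:
            owner, outcome = "local", "local-review"  # default group or legacy local group
        notes = []
        if "scim" in sources[p["user"]] and len(sources[p["user"]]) > 1:
            notes.append("split-case")                # SCIM and local paths coexist
        if not p["idp_active"] and p["source"] != "scim":
            notes.append("inactive-in-idp-but-local-access")
        rows.append({**p, "owner": owner, "outcome": outcome, "notes": notes})
    return rows

def still_billable(paths, removed):
    """Return (user, product) pairs that keep at least one path after removals.

    `removed` is a set of (user, group) pairs whose change actually landed.
    """
    return {(p["user"], p["product"]) for p in paths
            if (p["user"], p["group"]) not in removed}

if __name__ == "__main__":
    for row in triage(PATHS):
        print(row["user"], row["group"], row["owner"], row["outcome"], row["notes"])
    # Removing only ana's default-group path does not free the seat:
    print(sorted(still_billable(PATHS, {("ana", "jira-users")})))
```

Removing one path for a user who also holds a synced group leaves the `(user, product)` pair in the `still_billable` result, which is the case where savings should not yet be counted.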
Common mistakes
Most cleanup errors happen when an admin treats a partial signal as a complete answer. These are the failure modes to watch for on this topic:
- Assuming SCIM automatically removes every wasteful license.
- Making local changes that the next sync reverses.
- Treating default groups and IdP groups as the same control.
- Calling route-outs incomplete instead of recording them as correct ownership handoffs.
- Reporting cleanup success without proving the billable access path changed.
Checklist
- Identify whether each user and group is local or externally managed.
- Trace product access separately from identity provisioning.
- Separate SCIM-owned memberships from default-group access.
- Route identity-owned changes to the IdP owner with evidence.
- Record local actions, route-outs, and exceptions in the same review cycle.
- Do not count savings until product access actually changes.