Airtable - Add or Remove User from Group

Airtable - Add or Remove User from Group adds or removes users from an Airtable Enterprise group for:

• Assets returned by the selected query or assets selected on the relevant asset page.

General Settings

• Use stored credentials from Airtable Enterprise adapter - Select this option to use the Airtable Enterprise connected adapter credentials. When you select this option, the Select Adapter Connection dropdown is available, and you can choose which adapter connection to use for this Enforcement Action.

  This enforcement action follows a three-tier credential resolution logic:

  • When enabled - Uses the stored credentials from the selected adapter connection.
  • When disabled and no credentials inserted - Uses the leading asset client credentials.
  • When disabled and credentials inserted - Uses only the manually inserted credentials.

📘

Note

To use this option, you must successfully configure an Airtable Enterprise adapter connection.

Required Fields

These fields must be configured to run the Enforcement Set.

• Group IDs (comma separated) - The IDs of the Airtable groups to add the user to or remove them from.

• Add/Remove assignment - Select Add to add the user to the specified groups, or Remove to remove the user from the specified groups.

• Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Working with Axonius Compute Nodes.

💡

Connection and Credentials

When Use stored credentials from the adapter is toggled off, some of the connection fields below are required to create the connection, while other fields are optional.

• Host Name or IP Address - The hostname or IP address of the Airtable server.

• API Token - A personal access token with the enterprise.scim.usersAndGroups:manage scope, associated with an Enterprise admin account.

• Enterprise Account ID - The ID of the Airtable Enterprise account.

• Verify SSL (optional) - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

• HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.

• HTTPS Proxy User Name (optional) - The user name to use when connecting to the server using the HTTPS Proxy.

• HTTPS Proxy Password (optional) - The password to use when connecting to the server using the HTTPS Proxy.

• Gateway Name - Select the Gateway through which to connect to perform the action.

APIs

Axonius uses the Airtable Enterprise SCIM v2 API. The following endpoint is called:

• PATCH https://airtable.com/scim/v2/Groups/{group_id} - Adds or removes a user from a specified group by updating the group's members list using a SCIM PatchOp operation.

Required Permissions

The stored credentials, or those provided in Connection and Credentials, must have the following permissions:

• enterprise.scim.usersAndGroups:manage scope - Required to manage group membership through the Airtable SCIM API.
• Enterprise Admin role - The personal access token must belong to an Enterprise admin. Admins of multiple enterprises must use a service account token.
• Authentication method - Personal access token (Bearer token).
• Billing plan - Available on Business, Enterprise Scale, and legacy Enterprise (pre-2023.08) plans only.

Recommended Role: Enterprise Admin with a dedicated service account personal access token.

Note: The user must have a user_remote_id value populated in Axonius — users without this field cannot be assigned to or removed from groups. To create a personal access token, navigate to https://airtable.com/create/tokens as an Enterprise admin. Create a new token, add the enterprise.scim.usersAndGroups:manage scope, and copy the resulting token into the API Token field of the Airtable Enterprise adapter connection. To verify correct configuration, confirm a 200 OK response from GET https://airtable.com/scim/v2/Groups.

References:

• Airtable SCIM API - Patch Group
• Airtable API Scopes
• Creating Personal Access Tokens