Staying InvolvedIt takes about 40 minutes once the user is deleted from from the IDP. Are there any other options for disabling a SCIM user?
My thought was to create a WAN firewall rule to deny the user access until the scim update happens.
Currently user are setup for split tunneling so I wouldnt need an Internet FW rule but if split tunneling was not in place then I would create a rule here as well.
Staying InvolvedI tried this morning to disable a scim user and its still greyed out. I hover over it and it says "only system usres can disable scim users"
Making ConnectionsIf you have to block access for a user immediately, you also can do a "Revoke Session" over Cato Portal plus disable the account on IdP side. It takes 1-2min until Cato User session is not active anymore.
Staying InvolvedYes, I am aware of Revoke Session. But wouldnt that just be temporary? Wouldn't the user just be able to re-connect?
Making ConnectionsYes that's correct. User can directly re-connect as long its still enabled on IdP. But for urgent cases, normally you reset password, revoke sessions there or disable user also on IdP.
Staying InvolvedI thought about reset password, but I would think user would just create a new one.
Staying InvolvedIf the IDP is M365 and you are using an enterprise app for SCIM provisioning you can do a provision on demand for that user to avoid the 40 minute SCIM cycle.
But - look at the March 23 product updates - this may give you what you are looking for March 23 2026 updates
March-23-2026
Expanded Control for SCIM Users and Directories: Manage SCIM-synced users and directories directly from the Cato Management Application (CMA) for greater administrative control and lifecycle management.
Disable and delete active SCIM users, and delete SCIM directories
User and group deletions sync with the SCIM application
Filter users and groups based on deleted SCIM directories
Staying InvolvedYes i saw that update. I will check it out once its enabled.
