google · elminster-aom · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 8, 2025
diff --git a/github/enterprise_scim.go b/github/enterprise_scim.go
@@ -162,6 +162,9 @@ type SCIMEnterpriseAttributeOperation struct {
 
 // ListProvisionedSCIMGroups lists provisioned SCIM groups in an enterprise.
 //
+// You can improve query search time by using the `excludedAttributes` query
+// parameter with a value of `members` to exclude members from the response.
+//
 // GitHub API docs: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/scim#list-provisioned-scim-groups-for-an-enterprise
 //
 //meta:operation GET /scim/v2/enterprises/{enterprise}/Groups
@@ -189,6 +192,10 @@ func (s *EnterpriseService) ListProvisionedSCIMGroups(ctx context.Context, enter
 
 // ListProvisionedSCIMUsers lists provisioned SCIM enterprise users.
 //
+// When members are part of the group provisioning payload, they're designated
+// as external group members. Providers are responsible for maintaining a
+// mapping between the `externalId` and `id` for each user.
+//
 // GitHub API docs: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/scim#list-scim-provisioned-identities-for-an-enterprise
 //
 //meta:operation GET /scim/v2/enterprises/{enterprise}/Users
@@ -216,6 +223,14 @@ func (s *EnterpriseService) ListProvisionedSCIMUsers(ctx context.Context, enterp
 
 // UpdateSCIMGroupAttribute updates a provisioned group’s individual attributes.
 //
+// The `attribute` parameter must include at least one of the following
+// Operations: `add`, `remove`, or `replace`.
+//
+// The update function can also be used to add group memberships.
+//
+// You can submit group memberships individually or in batches for improved
+// efficiency.
+//
 // GitHub API docs: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/scim#update-an-attribute-for-a-scim-enterprise-group
 //
 //meta:operation PATCH /scim/v2/enterprises/{enterprise}/Groups/{scim_group_id}
@@ -238,6 +253,16 @@ func (s *EnterpriseService) UpdateSCIMGroupAttribute(ctx context.Context, enterp
 
 // UpdateSCIMUserAttribute updates a provisioned user's individual attributes.
 //
+// The `attribute` parameter must include at least one of the following
+// Operations: `add`, `remove`, or `replace`.
+//
+// Note: Complex SCIM path selectors that include filters are not supported.
+// For example, a path selector defined as `"path": "emails[type eq \"work\"]"`
+// will be ineffective.
+//
+// Warning: Setting `active: false` will suspend a user, and their handle and
+// email will be obfuscated.
+//
 // GitHub API docs: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/scim#update-an-attribute-for-a-scim-enterprise-user
 //
 //meta:operation PATCH /scim/v2/enterprises/{enterprise}/Users/{scim_user_id}
@@ -257,3 +282,39 @@ func (s *EnterpriseService) UpdateSCIMUserAttribute(ctx context.Context, enterpr
 
 	return user, resp, nil
 }
+
+// DeleteSCIMGroup deletes a SCIM group from an enterprise.
+//
+// GitHub API docs: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/scim#delete-a-scim-group-from-an-enterprise
+//
+//meta:operation DELETE /scim/v2/enterprises/{enterprise}/Groups/{scim_group_id}
+func (s *EnterpriseService) DeleteSCIMGroup(ctx context.Context, enterprise, scimGroupID string) (*Response, error) {
+	u := fmt.Sprintf("scim/v2/enterprises/%v/Groups/%v", enterprise, scimGroupID)
+	req, err := s.client.NewRequest("DELETE", u, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return s.client.Do(ctx, req, nil)
+}
+
+// DeleteSCIMUser deletes a SCIM user from an enterprise.
+//
+// Suspends a SCIM user permanently from an enterprise. This action will:
+// remove all the user's data, anonymize their login, email, and display name,
+// erase all external identity SCIM attributes, delete the user's emails,
+// avatar, PATs, SSH keys, OAuth authorizations, GPG keys, and SAML mappings.
+// This action is irreversible.
+//
+// GitHub API docs: https://docs.github.com/enterprise-cloud@latest/rest/enterprise-admin/scim#delete-a-scim-user-from-an-enterprise
+//
+//meta:operation DELETE /scim/v2/enterprises/{enterprise}/Users/{scim_user_id}
+func (s *EnterpriseService) DeleteSCIMUser(ctx context.Context, enterprise, scimUserID string) (*Response, error) {
+	u := fmt.Sprintf("scim/v2/enterprises/%v/Users/%v", enterprise, scimUserID)
+	req, err := s.client.NewRequest("DELETE", u, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return s.client.Do(ctx, req, nil)
+}
diff --git a/github/enterprise_scim_test.go b/github/enterprise_scim_test.go
@@ -660,3 +660,57 @@ func TestEnterpriseService_UpdateSCIMUserAttribute(t *testing.T) {
 		return resp, err
 	})
 }
+
+func TestEnterpriseService_DeleteSCIMGroup(t *testing.T) {
+	t.Parallel()
+	client, mux, _ := setup(t)
+
+	mux.HandleFunc("/scim/v2/enterprises/ee/Groups/abcd", func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, "DELETE")
+		testHeader(t, r, "Accept", mediaTypeV3)
+		w.WriteHeader(http.StatusNoContent)
+	})
+
+	ctx := t.Context()
+	_, err := client.Enterprise.DeleteSCIMGroup(ctx, "ee", "abcd")
+	if err != nil {
+		t.Fatalf("Enterprise.DeleteSCIMGroup returned unexpected error: %v", err)
+	}
+
+	const methodName = "DeleteSCIMGroup"
+	testBadOptions(t, methodName, func() (err error) {
+		_, err = client.Enterprise.DeleteSCIMGroup(ctx, "\n", "\n")
+		return err
+	})
+
+	testNewRequestAndDoFailure(t, methodName, client, func() (*Response, error) {
+		return client.Enterprise.DeleteSCIMGroup(ctx, "ee", "abcd")
+	})
+}
+
+func TestEnterpriseService_DeleteSCIMUser(t *testing.T) {
+	t.Parallel()
+	client, mux, _ := setup(t)
+
+	mux.HandleFunc("/scim/v2/enterprises/ee/Users/7fce", func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, "DELETE")
+		testHeader(t, r, "Accept", mediaTypeV3)
+		w.WriteHeader(http.StatusNoContent)
+	})
+
+	ctx := t.Context()
+	_, err := client.Enterprise.DeleteSCIMUser(ctx, "ee", "7fce")
+	if err != nil {
+		t.Fatalf("Enterprise.DeleteSCIMUser returned unexpected error: %v", err)
+	}
+
+	const methodName = "DeleteSCIMUser"
+	testBadOptions(t, methodName, func() (err error) {
+		_, err = client.Enterprise.DeleteSCIMUser(ctx, "\n", "\n")
+		return err
+	})
+
+	testNewRequestAndDoFailure(t, methodName, client, func() (*Response, error) {
+		return client.Enterprise.DeleteSCIMUser(ctx, "ee", "7fce")
+	})
+}