It requires an additional CyberArk entitlement in order to manage users and safe (container) permissions through the SCIM API. I can’t remember what the entitlement is called, but I confirmed that a couple of weeks ago with my CyberArk account team. The IdentityNow connector does not require any additional license entitlements.
The “direct connector”, which I believe references this one has been deprecated, and the one you now use is this one that interacts with your SCIM service on your CyberArk Identity tenant