Internet-Draft | SCIM Roles and Entitlements Extension | July 2022
Zollner | Expires 29 January 2023
The System for Cross-domain Identity Management standard's schema RFC [RFC7643], as well as custom schemas, may have attribute values that have a finite set of acceptable values. These acceptable values are frequently tied to a value on another resource. For instance, an organization may only allow values in the Enterprise User schema's costCenter attribute that are valid identifiers of cost centers defined in another location. This draft aims to provide a way for a SCIM client to determine if an attribute in a schema is limited to a specific set of values, and where those values may be located on another SCIM resource type.

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 29 January 2023.

Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
The System for Cross-domain Identity Management standard's schema RFC [RFC7643], as well as custom schemas, may have attribute values that have a finite set of acceptable values. These acceptable values are frequently tied to a value on another resource. For instance, an organization may only allow values in the Enterprise User schema's costCenter attribute that are valid identifiers of existing cost centers defined in another location. This draft aims to provide a way for a SCIM client to determine if an attribute in a schema is limited to a specific set of values, and where those values may be located on another SCIM resource type.

The mechanism that this draft proposes is an extension to the "attributes" attribute of the schema definition in [RFC7643]. This extension defines three new sub-attributes of the "attributes" attribute. These sub-attributes indicate whether the attribute is constrained by a referential relationship and, if it is, which resource type and attribute the value is linked to.

The problem this draft aims to solve is one of discovery and efficiency. Without a standardized way to determine when an attribute is constrained by the existence of, and linked to the values of, another resource's attribute, a SCIM client cannot know which values will be accepted and which will be rejected. This leads to failed requests caused by invalid attribute values, and reduces the efficiency and success rate of the requests being made.
SCIM Service Providers that have implemented this extension must advertise its availability via the following serviceProviderConfig attribute:
This extension implements the following new sub-attributes of the "attributes" attribute in urn:ietf:params:scim:schemas:core:2.0:Schema as defined in [RFC7643]. These attributes are:

   referentialValue
      A complex type that indicates if the value of the attribute is constrained by values present on a SCIM resource type. REQUIRED.

      required
         A boolean type that indicates if the attribute's allowed values are constrained by those present on a SCIM resource type.

      referentialValueURI
         A reference type that contains the URI of the SCIM schema attribute that the attribute is constrained against. REQUIRED if required is true.

      referentialValueResourceType
         A reference type that contains the relative URI of the root resource type that is referenced. REQUIRED if required is true.
The following example shows a section of the core user schema adapted to support the referential value location attributes in this extension for the user resource's "manager" attribute.

   {
     "name" : "manager",
     "type" : "complex",
     "multiValued" : false,
     "description" : "The User's manager. A complex type that optionally allows service providers to represent organizational hierarchy by referencing the 'id' attribute of another User.",
     "required" : false,
     "subAttributes" : [
       {
         "name" : "value",
         "type" : "string",
         "multiValued" : false,
         "description" : "The id of the SCIM resource representing the User's manager. REQUIRED.",
         "required" : false,
         "caseExact" : false,
         "mutability" : "readWrite",
         "returned" : "default",
         "uniqueness" : "none",
         "referentialValue" : {
           "required" : true,
           "referentialValueURI" : "urn:ietf:params:scim:schemas:core:2.0:User:id",
           "referentialValueResourceType" : "Users/"
         }
       },
       ...
     ]
   }
In the above example, the extension indicates that the value of the user resource's "manager" attribute is constrained by the id value of the core schema's User resource located at <baseUrl>/Users.

A request of GET <baseUrl>/Users would return a list of results containing all visible users. The id value of any of the users returned should be valid for the value of the user resource's "manager" attribute.
The following example shows a section of the Enterprise User schema adapted to support the referential value location attributes in this extension for the user resource's enterprise costCenter attribute.

   {
     "name" : "costCenter",
     "type" : "string",
     "multiValued" : false,
     "description" : "Identifies the name of a cost center.",
     "required" : false,
     "caseExact" : false,
     "mutability" : "readWrite",
     "returned" : "default",
     "uniqueness" : "none",
     "referentialValue" : {
       "required" : true,
       "referentialValueURI" : "urn:foo:bar:schema:corporate:costCenter.displayName",
       "referentialValueResourceType" : "costCenters/"
     }
   },
   ...
In the above example, the extension indicates that the value of urn:ietf:params:scim:schemas:enterprise:2.0:User:costCenter is constrained by the displayName value of a custom resource located at <baseUrl>/costCenters.

A request of GET <baseUrl>/costCenters would return a list of results containing all visible cost centers. The displayName values of any of the cost centers returned by the request should be valid for the value of the user resource's urn:ietf:params:scim:schemas:enterprise:2.0:User:costCenter attribute.
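The following is an added client-side illustration of both examples above, not code from the draft: it reads the referentialValue sub-attributes out of a schema definition, resolves which attribute of which resource type the value must exist on, and pre-flights a candidate value against the resources a GET of that resource type returned. The schema fragments and resource lists are constructed sample data, and the rule for extracting the referenced attribute name from referentialValueURI is an assumption, since the draft does not specify one.

```python
# Constructed sample (not from the draft): the two attribute definitions shown
# above, reduced to the fields a client needs for the referential check.
SCHEMA_ATTRIBUTES = [
    {"name": "manager", "type": "complex", "subAttributes": [
        {"name": "value", "type": "string",
         "referentialValue": {"required": True,
                              "referentialValueURI": "urn:ietf:params:scim:schemas:core:2.0:User:id",
                              "referentialValueResourceType": "Users/"}}]},
    {"name": "costCenter", "type": "string",
     "referentialValue": {"required": True,
                          "referentialValueURI": "urn:foo:bar:schema:corporate:costCenter.displayName",
                          "referentialValueResourceType": "costCenters/"}},
]
# Constructed stand-in for the Resources returned by GET <baseUrl>/<resourceType>.
RESOURCES = {
    "Users/": [{"id": "user-0001"}, {"id": "user-0002"}],
    "costCenters/": [{"displayName": "Engineering"}, {"displayName": "Sales"}],
}

def find_attribute(attributes, path):
    """Resolve a dotted path such as 'manager.value' through subAttributes."""
    node = None
    for part in path.split("."):
        node = next((a for a in attributes if a["name"] == part), None)
        if node is None:
            return None
        attributes = node.get("subAttributes", [])
    return node

def referenced_attribute_name(uri):
    """Assumption: the referenced attribute is the last segment of the URI,
    after the final ':' and, for a sub-attribute, the final '.'."""
    return uri.rsplit(":", 1)[-1].rsplit(".", 1)[-1]

def allowed_values(referential_value, resources):
    """Values currently exposed by the referenced resource type's attribute."""
    attr = referenced_attribute_name(referential_value["referentialValueURI"])
    rtype = referential_value["referentialValueResourceType"]
    return {r[attr] for r in resources.get(rtype, []) if attr in r}

def check_value(attributes, path, candidate, resources):
    """Pre-flight a value before sending it; the service provider stays authoritative."""
    attr = find_attribute(attributes, path)
    if attr is None:
        return False, f"unknown attribute {path}"
    rv = attr.get("referentialValue")
    if not rv or not rv.get("required"):
        return True, "not referentially constrained"
    found = candidate in allowed_values(rv, resources)
    return found, f"{candidate!r} {'present on' if found else 'not found on'} {rv['referentialValueResourceType']}"
```

Both schema fragments above set caseExact to false, so a fuller client would normalise case before the membership test; the check also only reduces predictable rejections and does not replace the service provider's own validation.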
v00 - July 2022: Initial version

TO-DO