SCIM Roles and Entitlements ExtensionMicrosoftdanny@zollnerd.com
TODO
SCIMInternet-DraftSCIMThe System for Cross-domain Identity Management (SCIM) protocol's schema RFC RFC7643 defines the complex core schema attributes "roles" and "entitlements". For both of these concepts, frequently only a predetermined set of values are accepted by a SCIM service provider. The values that are accepted may vary per customer or tenant based on customizable configuration in the service provider's application or based on other criteria such as what services have been purchased. This document defines an extension to the SCIM 2.0 standard to allow SCIM service providers to represent available data pertaining to roles and entitlements so that SCIM clients can consume this information and provide easier management of role and entitlement assignments.IntroductionThe System for Cross-domain Identity Management (SCIM) protocol's schema RFC RFC7643 defines the complex core schema attributes "roles" and "entitlements". For both of these concepts, frequently only a predetermined set of values are accepted by a SCIM service provider. Available roles and entitlements may change based on a variety of factors, such as what features are enabled or what customizations have been made in a specific instance of a multi-tenant application. The core SCIM 2.0 RFC documents (RFC7642, RFC7643 and RFC 7644) do not provide a method for retrieving the available roles or entitlements as part of the SCIM 2.0 standard.In order to allow for SCIM clients to avoid easily predictable errors when interacting with SCIM service providers, this document aims to provide a method for SCIM service providers to provide data on what roles and/or entitlements are available so that SCIM clients can consume this data to more efficiently manage resources between directories.Conventions and DefinitionsThe key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 when, and only when, they
appear in all capitals, as shown here.IANA Considerations(To-Do)Roles and EntitlementsThe Roles and Entitlements SCIM Extension consists of two new resource types, /Roles and /Entitlements, as well as accompanying ServiceProviderConfig details to advertise support for this extension.ServiceProviderConfig ExtensionSCIM endpoints that have implemented one or both of the endpoints from this extension MUST advertise which elements are implemented in the ServiceProviderConfig endpoint as defined:Roles Resource SchemaThe /Roles resource type has a schema consisting of most of the attributes defined for the User resource's complex attribute "roles" in RFC7643, as well as an additional "Enabled" attribute so that SCIM service providers can indicate if the role is currently enabled and intended for use in their service.The following singular attributes are defined:Additionally, the following multi-valued attributes are defined:Entitlements Resource SchemaThe /Entitlements resource type has a schema consisting of most of the attributes defined for the User resource's complex attribute "entitlements" in RFC7643, as well as an additional "Enabled" attribute so that SCIM service providers can indicate if the entitlement is currently enabled and intended for use in their service.The following singular attributes are defined:Additionally, the following multi-valued attributes are defined:Author's note: Above descriptions for contains and containedBy need work to make clearer, and probably an explanatory section as well.Sample RequestsRetrieving all rolesRequestResponseRetrieving all entitlementsRequestResponseRoles Schema BNFEntitlements Schema BNFKey words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Change Logv00 - October 2021: Initial posting
v01 - July 2022: Renewed listing
v02 - July 2022: Incorporated new changes - added new attributes "contains", "containedBy", "limitedAssignmentsPermitted", "totalAssignmentsPermitted" and "totalAssignmentsUsed" and expanded example request/responses.AcknowledgmentsTODO acknowledge.