IETF Logo Mail Archive

Re: [scim] Groups Member Type

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Wed, 09 August 2017 19:18 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4B701324AB for <scim@ietfa.amsl.com>; Wed, 9 Aug 2017 12:18:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QE7KNc0uEgWL for <scim@ietfa.amsl.com>; Wed, 9 Aug 2017 12:18:30 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCC321324A3 for <scim@ietf.org>; Wed, 9 Aug 2017 12:18:00 -0700 (PDT)
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v79JHwXu008601 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 9 Aug 2017 19:17:58 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id v79JHwY3013342 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 9 Aug 2017 19:17:58 GMT
Received: from abhmp0013.oracle.com (abhmp0013.oracle.com [141.146.116.19]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v79JHvWj013433; Wed, 9 Aug 2017 19:17:57 GMT
Received: from [10.0.1.19] (/24.86.190.97) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 09 Aug 2017 12:17:57 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail-6A3BEB81-DF80-4B81-8726-94B53D6D4B2F"
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (14G60)
In-Reply-To: <CAGUsYPxTc-2Z0ifMNc2iY9xoyRXYLW46nrOtdJFw2VHUboXmcQ@mail.gmail.com>
Date: Wed, 09 Aug 2017 12:17:55 -0700
Cc: "scim@ietf.org" <scim@ietf.org>, Kelly Grizzle <kelly.grizzle@sailpoint.com>
Content-Transfer-Encoding: 7bit
Message-Id: <5F234BB3-842D-4BF6-8896-0F583F85F64C@oracle.com>
References: <CAGUsYPz7_9Tat93aC2t=YAQcHG6dmboYDYij_8sRpKA6CZoWEA@mail.gmail.com> <56C3C758F9D6534CA3778EAA1E0C343753AB2F38@BLUPRD0412MB643.namprd04.prod.outlook.com> <CAGUsYPwUt997zV9sxC4p93Jz=9j+bWeqygyMSkssM1gMZfxhpQ@mail.gmail.com> <56C3C758F9D6534CA3778EAA1E0C343753AC4630@BLUPRD0412MB643.namprd04.prod.outlook.com> <CAGUsYPyV7RjdmbUMcQ5N8NdwGjPzt2xHSANyNJon_uceNjhUgA@mail.gmail.com> <CAGUsYPzYh0zqpEedtAx2rwTKzPYRiURY3DTzJi8jyDUxrifUiw@mail.gmail.com> <CY1PR04MB2363D61AB4E1F0C5843904F5E28B0@CY1PR04MB2363.namprd04.prod.outlook.com> <BC21670B-1A93-430C-BBF7-0E1B5BE4B570@oracle.com> <CAGUsYPxTc-2Z0ifMNc2iY9xoyRXYLW46nrOtdJFw2VHUboXmcQ@mail.gmail.com>
To: Shelley <randomshelley@gmail.com>
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/-elLRKcoRdqN-U9M7BvbpVRoA4E>
Subject: Re: [scim] Groups Member Type
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2017 19:18:36 -0000

Shelley,

Yes..

From the defn of id:
> A unique identifier for a SCIM resource as defined by the service provider. Each representation of the resource MUST include a non-empty "id" value. This identifier MUST be unique across the SCIM service provider's entire set of resources. It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests. The value of the "id" attribute is always issued by the service provider and MUST NOT be specified by the client...

Phil

On Aug 9, 2017, at 11:41 AM, Shelley <randomshelley@gmail.com> wrote:

>> You can also tell via id which is local and $ref path given's scim's strict path rules (look at the parent of the last segment). 
> Is the id now required to be globally unique across all resource types? If not, there is no guarantee that an SP can determine the resource type from the id.
> The $ref is also optional, so this cannot be consistently used to determine the type. Further, I was under the impression that the $ref is primarily used for SPs to communicate the resource location to consumers, rather than vice versa (i.e. it's essentially a read-only attribute).
> Here is my tentative plan for our SP implementation for evaluating group members:
> 
> Treat value as REQUIRED. While the example SCIM schema does not actually require the group member value sub-attribute, this is the most consistent identifier for referring to members.
> Treat $ref as READ-ONLY (i.e. ignore it completely when processing requests). Using a $ref provided by consumers seems a bit fragile (aside from eliminating the complexity of URI comparison, it's possible that a single resource may have multiple DNS names, which further complicates absolute URI comparisons and integrity), and introduces redundancy (and potential ambiguity) with value/type.
> Treat type as OPTIONAL. My preference would be to treat this as REQUIRED in order to eliminate any ambiguity, but given that the SCIM specs don't require it, doing this would limit interoperability for consumers that may not be sending it.
> If type is not provided, assume the default value is "User".
> Perform referential integrity to ensure that any provided group member resources exist, based on value and type.
> Examples
> 
> Given the existence of the following resources, here are some example requests/responses based on this proposal:
> 
> ../Users/abc
> ../Groups/xyz
> 
> Group Members
> Response
> "members": [
>   {
>     "value": "abc",
>     "type": "User"
>   },
>   {
>     "value": "xyz",
>     "type": "Group"
>   }
> ]
> 2xx - Success
> "members": [
>   {
>     "value": "abc"
>   },
>   {
>     "value": "xyz",
>     "type": "Group"
>   }
> ]
> "members": [
>   {
>     "value": "abc",
>     "$ref": "anything at all"
>   },
>   {
>     "value": "xyz",
>     "type": "Group",
>     "$ref": "anything at all"
>   }
> ]
> "members": [
>   {
>     "value": "xyz"
>   }
> ]
> 400 - Missing “Group” "type" on nested group member definition
> "members": [
>   {
>     "value": "xyz"
>     "$ref": "../Groups/xyz"
>   }
> ]
> "members": [
>   {
>     "$ref": "../Users/abc"
>   }
> ]
> 400 - Missing "value" on group member definition
> "members": [
>   {
>     "$ref": "../Groups/xyz"
>   }
> ]
> "members": [
>   {
>     "value": "abc",
>     "type": "Group"
>   }
> ]
> 400 - Wrong "type" provided
> "members": [
>   {
>     "value": "xyz",
>     "type": "User"
>   }
> ]
> "members": [
>   {
>     "value": "abc",
>     "type": "UnsupportedType"
>   }
> ]
> 400 - Unsupported "type" provided
> "members": [
>   {
>     "value": "no such resource with or without type"
>   }
> ]
> 400 - Member does not exist
> 
> 
>> On Wed, Aug 9, 2017 at 11:06 AM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:
>> I agree the server can decide. 
>> 
>> IMO the server should check referential integrity. By doing so it would likely know the type. The spec is silent (as far as i recall) on whether it expresses it. 
>> 
>> You can also tell via id which is local and $ref path given's scim's strict path rules (look at the parent of the last segment). 
>> 
>> From my recollection some of these items were not that important given scim was provisioning api for apps - apps implementing server side are free to do what they can/want. Now that it is being used as directory, closing some unspecified / loose areas might be better for interop IMO. 
>> 
>> Phil
>> 
>>> On Aug 9, 2017, at 8:32 AM, Kelly Grizzle <kelly.grizzle@sailpoint.com> wrote:
>>> 
>>> Given the general desire for SCIM to allow loose reading but strict writing, I would vote for option 1.  If type is not specified in a PUT/POST/PATCH then the server can assume “User”.
>>> 
>>>  
>>> 
>>> --Kelly
>>> 
>>>  
>>> 
>>> From: Shelley [mailto:randomshelley@gmail.com] 
>>> Sent: Wednesday, August 9, 2017 9:02 AM
>>> To: Kelly Grizzle <kelly.grizzle@sailpoint.com>
>>> Cc: scim@ietf.org
>>> Subject: Re: [scim] Groups Member Type
>>> 
>>>  
>>> 
>>> Resurrecting this old thread, as this question has recently come up during some of our interoperability testing, and there still appears to be some ambiguity in the spec...
>>> 
>>> 
>>> The SCIM 1.1 and 2.0 specifications do not seem to indicate the expected behavior if the type sub-attribute is not provided on a Group resource member. Neither spec seems to explicitly require this attribute, so what is the expected behavior if no type is provided? Is there a default (e.g. "User" or "Group"), must Service Providers search for the member across all resource types, or should it be treated as REQUIRED (e.g. returning a 400 error)?
>>> 
>>>  
>>> 
>>>  
>>> 
>>> On Mon, Feb 25, 2013 at 10:38 AM, Shelley <randomshelley@gmail.com> wrote:
>>> 
>>> Thanks, Kelly. Given that the ID may represent either a User or Group and only the combination of "type" and "value" uniquely identify the reference, should the canonical "type" attribute for group members be REQUIRED as well? (Further, the majority of examples throughout the Protocol specification only include a "value" and not "type", so it's ambiguous as to whether these "values" represent Users or Groups.)
>>> 
>>> 
>>> 
>>> 
>>> On Mon, Feb 11, 2013 at 4:02 PM, Kelly Grizzle <kelly.grizzle@sailpoint.com> wrote:
>>> 
>>> I opened ticket #35 to change this.
>>> 
>>>  
>>> 
>>> http://trac.tools.ietf.org/wg/scim/trac/ticket/35
>>> 
>>>  
>>> 
>>> --Kelly
>>> 
>>>  
>>> 
>>> From: scim-bounces@ietf.org [mailto:scim-bounces@ietf.org] On Behalf Of Shelley
>>> Sent: Monday, February 11, 2013 11:36 AM
>>> To: Kelly Grizzle
>>> Cc: scim@ietf.org
>>> Subject: Re: [scim] Groups Member Type
>>> 
>>>  
>>> 
>>> +1 to mark it as "immutable".
>>> 
>>> On Mon, Feb 4, 2013 at 8:08 AM, Kelly Grizzle <kelly.grizzle@sailpoint.com> wrote:
>>> 
>>> Good point.  It seems like this should say “immutable” rather than “read-only”, since it can be set initially but not updated.  Thoughts from anyone else?  If this seems reasonable I’ll open an issue to get this fixed.
>>> 
>>>  
>>> 
>>> --Kelly
>>> 
>>>  
>>> 
>>> From: scim-bounces@ietf.org [mailto:scim-bounces@ietf.org] On Behalf Of Shelley
>>> Sent: Friday, February 01, 2013 1:37 PM
>>> To: scim@ietf.org
>>> Subject: [scim] Groups Member Type
>>> 
>>>  
>>> 
>>> As indicated in Section 8, the canonical types for Group members are READ-ONLY. As such, how can consumers provide the type (i.e. "User" or "Group")? Is it implied that IDs are unique across both users and groups in order for service providers to fulfill this requirement?
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>> _______________________________________________
>>> scim mailing list
>>> scim@ietf.org
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_scim&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=nXj1uLbLovxxCW-VPX0d1geWghpaAIZtMXKkPYyACLo&s=rCY_ttBwpsTcGVSsZT2hsLHWPXL17cWyIBS5WDT4oDs&e= 
> 
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_scim&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=wp8wcoem5mojtpf1ZRHs5MIsgJ3x1z1mF4KRgHjkL6c&s=byhGtJG7J3hI2TFkSQI2fne2B4UrhBY1oHZDWyUvuyw&e=

v2.23.0 | Report a Bug | By Email