[scim] Does SCIM have an access rights model?

Rolf Brugger <rolf.brugger@switch.ch> Mon, 27 March 2017 14:16 UTC

To: "scim@ietf.org" <scim@ietf.org>
From: Rolf Brugger <rolf.brugger@switch.ch>
Message-ID: <5dd746c7-647b-ad0f-a8cf-ad9c3ca8df7c@switch.ch>
Date: Mon, 27 Mar 2017 16:15:56 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/3NcE12kEjmJ8cuouC-jwGBOfV6U>
Subject: [scim] Does SCIM have an access rights model?
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>

Hi all,

I'm new to this list, and I hope my question is relevant to this community.

In our particular use case we have one SCIM server and multiple SCIM clients. All clients are allowed to query all identities and all attributes.

However, not all clients have the same permissions to update/write attributes. For example, some clients may only modify group memberships of identities, while other clients have the exclusive permission to modify name and email of identities.

Is there a model in SCIM, or some kind of best practice in existing implementations, for how to model client read/write permissions for attributes?

Best regards,

Rolf

-- 
SWITCH
Rolf Brugger, Trust & Identity
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
direct +41 44 268 15 89
rolf.brugger@switch.ch, https://www.switch.ch
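One way a SCIM server could enforce the per-client write permissions described in the post, added here as an illustration (it is not part of Rolf's message nor of any SCIM specification): each client gets an allowlist of top-level attributes per resource type, and every PATCH is reduced to the attributes it would touch before it is applied. The client ids, the policy and the sample requests are constructed.

```python
import re

# Constructed sample policy for the use case in the post: per client, the
# top-level attributes it may write, keyed by SCIM resource type. Group
# membership is written through Group "members" (User "groups" is read-only
# in the SCIM core schema), so the membership client only gets that.
WRITE_POLICY = {
    "client-groups": {"Group": {"members"}},
    "client-hr": {"User": {"name", "emails"}},
}

def top_level_attr(path):
    """Map a PATCH 'path' (RFC 7644 3.5.2) to the top-level attribute it
    writes: 'name.givenName' -> 'name', 'emails[type eq "work"].value'
    -> 'emails', '<extension urn>:manager.value' -> 'manager'."""
    bracket = path.find("[")
    head = path if bracket < 0 else path[:bracket]
    if head.startswith("urn:"):          # extension attribute: drop the schema URN
        path = path[head.rfind(":") + 1:]
    return re.split(r"[.\[]", path, maxsplit=1)[0]

def touched_attrs(patch):
    """Top-level attributes a SCIM PatchOp message would modify."""
    touched = set()
    for op in patch.get("Operations", []):
        if op.get("path"):
            touched.add(top_level_attr(op["path"]))
        else:                            # no path: value is a dict of attributes
            for key, val in (op.get("value") or {}).items():
                if key.startswith("urn:") and isinstance(val, dict):
                    touched.update(val)  # attributes nested under an extension URN
                else:
                    touched.add(key)
    return touched

def denied_attrs(client_id, resource_type, patch):
    """Attributes the client is not allowed to write; empty set means allow."""
    allowed = WRITE_POLICY.get(client_id, {}).get(resource_type, set())
    return touched_attrs(patch) - allowed

# Constructed sample requests (only the Operations part is needed here).
HR_PATCH = {"Operations": [
    {"op": "replace", "path": "name.familyName", "value": "Muster"},
    {"op": "add", "path": 'emails[type eq "work"].value', "value": "hm@example.org"},
]}
MIXED_PATCH = {"Operations": [{"op": "add", "value": {
    "name": {"givenName": "Hans"},
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"department": "IT"},
}}]}
MEMBER_PATCH = {"Operations": [
    {"op": "add", "path": "members", "value": [{"value": "2819c223"}]},
]}
```

A server would reject the request (SCIM error status 403) whenever `denied_attrs` returns a non-empty set, and can name the offending attributes in the response detail.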