Re: [scim] Does SCIM have an access rights model?

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Mon, 27 March 2017 14:55 UTC

From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Date: Mon, 27 Mar 2017 09:55:32 -0500
To: Rolf Brugger <rolf.brugger@switch.ch>
Cc: "scim@ietf.org" <scim@ietf.org>
In-Reply-To: <5dd746c7-647b-ad0f-a8cf-ad9c3ca8df7c@switch.ch>
Message-Id: <5675DA25-C333-45E0-A5BB-AD88B20BFF83@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/8D5upxp7xDfTPNMjgp6Ipd9n4kE>

Rolf

Thanks for your question. 

At the moment SCIM is a provisioning protocol and access rules are up to the service provider. E.g. what makes sense for a directory may not make sense for a CRM system.

Regardless, the consequences to the client are still the same: success or unauthorized. :)

For historical context, a similar discussion happened in LDAP. While requirements had consensus, no interoperable model was defined.

With all that said, I think it may be useful to have discussions about an OAuth scope standard that could enable clients to request certain rights. E.g. the ability to query as a directory, the ability to do self updates, etc.

This became more apparent when we wrote the OIDC SCIM profile, as clients wanted an access token with user self-service rights instead of read-only access at the OIDC UserInfo endpoint.

Phil

> On Mar 27, 2017, at 9:15 AM, Rolf Brugger <rolf.brugger@switch.ch> wrote:
> 
> Hi all,
> 
> I'm new to this list, and I hope my question is relevant to this community.
> 
> In our particular use case we have one SCIM server and multiple SCIM clients. All clients are allowed to query all identities and all attributes.
> 
> However, not all clients have the same permissions to update/write attributes. For example, some clients may only modify group memberships of identities, while other clients have the exclusive permission to modify name and email of identities.
> 
> Is there a model in SCIM, or some kind of best practice in existing implementations, for how to model client read/write permissions for attributes?
> 
> Best regards
> 
> Rolf
> 
> -- 
> SWITCH
> Rolf Brugger, Trust & Identity
> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
> direct +41 44 268 15 89
> rolf.brugger@switch.ch, https://www.switch.ch
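The per-client write model Rolf asks about, enforced on the service-provider side as Phil describes it (the client only ever sees success or a denial), as an added example that is not from the list thread or any SCIM implementation. It assumes hypothetical OAuth scope names that each map to a set of writable top-level SCIM attributes; the error body follows the RFC 7644 Error schema.

```python
"""Per-client attribute write authorization for a SCIM PATCH request.

Added example, not code from the SCIM list thread or any SCIM product.
Models Rolf's case (every client reads all attributes, each writes only
some) and Phil's point that the client just sees success or a denial.
Scope names are assumed; the error body follows the RFC 7644 Error schema.
"""

# Assumed OAuth scopes -> top-level SCIM attributes the scope may write.
SCOPE_WRITE_ATTRS = {
    "scim:groups.write": {"members"},
    "scim:user.contact.write": {"name", "emails"},
    "scim:user.self.write": {"name", "emails", "phonenumbers"},
}

def top_level_attr(path):
    """'name.givenName' -> 'name'; 'emails[type eq "work"].value' -> 'emails';
    'urn:...:enterprise:2.0:User:department' -> 'department'."""
    path = path.split("[", 1)[0]            # drop any value filter
    if path.lower().startswith("urn:"):     # drop schema URI prefix
        path = path.rsplit(":", 1)[1]
    return path.split(".", 1)[0].lower()    # attribute names are case-insensitive

def denied_paths(patch_body, scopes):
    """Paths in the PATCH that a client holding these scopes may not modify."""
    allowed = set().union(*(SCOPE_WRITE_ATTRS.get(s, set()) for s in scopes))
    denied = set()
    for op in patch_body.get("Operations", []):
        # With no "path", the value is an object keyed by attribute name.
        targets = [op["path"]] if op.get("path") else list(op.get("value") or {})
        denied |= {t for t in targets if top_level_attr(t) not in allowed}
    return denied

def authorize_patch(patch_body, scopes):
    """Service-provider decision: (HTTP status, SCIM error body or None)."""
    denied = denied_paths(patch_body, scopes)
    if denied:
        return 403, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                     "status": "403",
                     "detail": "not permitted to modify: " + ", ".join(sorted(denied))}
    return 200, None

# Constructed sample: a contact-management client also tries to set a phone.
SAMPLE_PATCH = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {"op": "replace", "path": "name.givenName", "value": "Alice"},
        {"op": "add", "path": "phoneNumbers", "value": [{"value": "+41 00 000 00 00"}]},
    ],
}
```

Read access is left unrestricted here, matching Rolf's setup; the same table could carry a separate readable-attribute set if a deployment needed it.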