IETF Logo Mail Archive

Re: [scim] Groups Member Type

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Wed, 09 August 2017 23:14 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D112132026 for <scim@ietfa.amsl.com>; Wed, 9 Aug 2017 16:14:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.219
X-Spam-Level:
X-Spam-Status: No, score=-4.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wdNQhZUmZ2Oh for <scim@ietfa.amsl.com>; Wed, 9 Aug 2017 16:14:29 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79A001204DA for <scim@ietf.org>; Wed, 9 Aug 2017 16:14:29 -0700 (PDT)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v79NEQno026960 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 9 Aug 2017 23:14:27 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id v79NEPDK025835 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 9 Aug 2017 23:14:25 GMT
Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v79NEOfe007784; Wed, 9 Aug 2017 23:14:25 GMT
Received: from [25.90.18.53] (/24.114.44.187) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 09 Aug 2017 16:14:23 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail-205EC626-CE59-4B2D-8C62-1F2B13F5BEDF"
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (14G60)
In-Reply-To: <CAGUsYPz+0DS9SZkzfPQFZaCeJU==AnGf4O2O-0h3UCCQZgvV-g@mail.gmail.com>
Date: Wed, 09 Aug 2017 16:14:20 -0700
Cc: Kelly Grizzle <kelly.grizzle@sailpoint.com>, "scim@ietf.org" <scim@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <7F30611D-1BCB-4101-B1CF-2391B8F0CD93@oracle.com>
References: <CAGUsYPz7_9Tat93aC2t=YAQcHG6dmboYDYij_8sRpKA6CZoWEA@mail.gmail.com> <56C3C758F9D6534CA3778EAA1E0C343753AB2F38@BLUPRD0412MB643.namprd04.prod.outlook.com> <CAGUsYPwUt997zV9sxC4p93Jz=9j+bWeqygyMSkssM1gMZfxhpQ@mail.gmail.com> <56C3C758F9D6534CA3778EAA1E0C343753AC4630@BLUPRD0412MB643.namprd04.prod.outlook.com> <CAGUsYPyV7RjdmbUMcQ5N8NdwGjPzt2xHSANyNJon_uceNjhUgA@mail.gmail.com> <CAGUsYPzYh0zqpEedtAx2rwTKzPYRiURY3DTzJi8jyDUxrifUiw@mail.gmail.com> <CY1PR04MB2363D61AB4E1F0C5843904F5E28B0@CY1PR04MB2363.namprd04.prod.outlook.com> <BC21670B-1A93-430C-BBF7-0E1B5BE4B570@oracle.com> <CAGUsYPxTc-2Z0ifMNc2iY9xoyRXYLW46nrOtdJFw2VHUboXmcQ@mail.gmail.com> <CY1PR04MB2363D27C3FCAE2AD9AFEDB61E28B0@CY1PR04MB2363.namprd04.prod.outlook.com> <CAGUsYPz+0DS9SZkzfPQFZaCeJU==AnGf4O2O-0h3UCCQZgvV-g@mail.gmail.com>
To: Shelley <randomshelley@gmail.com>
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/P8P7xQT-ec_kRk0YS4cQ3YW-wtk>
Subject: Re: [scim] Groups Member Type
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2017 23:14:33 -0000

I don't know. We would have to have enough interest to re-charter. 

Phil

> On Aug 9, 2017, at 2:59 PM, Shelley <randomshelley@gmail.com> wrote:
> 
> Thanks for the feedback. 
> 
>> Now that it is being used as directory, closing some unspecified / loose areas might be better for interop IMO. 
> 
> Is it possible to fold some of these clarifications into the next SCIM RFC?
> 
> 
>> On Wed, Aug 9, 2017 at 4:45 PM, Kelly Grizzle <kelly.grizzle@sailpoint.com> wrote:
>> Your plan sounds good to me, Shelly.  That’s how I would implement it.
>> 
>>  
>> 
>> From: Shelley [mailto:randomshelley@gmail.com] 
>> Sent: Wednesday, August 9, 2017 1:42 PM
>> To: Phil Hunt (IDM) <phil.hunt@oracle.com>
>> Cc: Kelly Grizzle <kelly.grizzle@sailpoint.com>; scim@ietf.org
>> 
>> 
>> Subject: Re: [scim] Groups Member Type
>>  
>> 
>> You can also tell via id which is local and $ref path given's scim's strict path rules (look at the parent of the last segment).
>> 
>> Is the id now required to be globally unique across all resource types? If not, there is no guarantee that an SP can determine the resource type from the id.
>> The $ref is also optional, so this cannot be consistently used to determine the type. Further, I was under the impression that the $ref is primarily used for SPs to communicate the resource location to consumers, rather than vice versa (i.e. it's essentially a read-only attribute).
>> Here is my tentative plan for our SP implementation for evaluating group members:
>> 
>> Treat value as REQUIRED. While the example SCIM schema does not actually require the group member value sub-attribute, this is the most consistent identifier for referring to members.
>> Treat $ref as READ-ONLY (i.e. ignore it completely when processing requests). Using a $ref provided by consumers seems a bit fragile (aside from eliminating the complexity of URI comparison, it's possible that a single resource may have multiple DNS names, which further complicates absolute URI comparisons and integrity), and introduces redundancy (and potential ambiguity) with value/type.
>> Treat type as OPTIONAL. My preference would be to treat this as REQUIRED in order to eliminate any ambiguity, but given that the SCIM specs don't require it, doing this would limit interoperability for consumers that may not be sending it.
>> If type is not provided, assume the default value is "User".
>> Perform referential integrity to ensure that any provided group member resources exist, based on value and type.
>> Examples
>> 
>> Given the existence of the following resources, here are some example requests/responses based on this proposal:
>> 
>> ../Users/abc
>> ../Groups/xyz
>>  
>> 
>> Group Members
>> Response
>> "members": [
>>   {
>>     "value": "abc",
>>     "type": "User"
>>   },
>>   {
>>     "value": "xyz",
>>     "type": "Group"
>>   }
>> ]
>> 2xx - Success
>> "members": [
>>   {
>>     "value": "abc"
>>   },
>>   {
>>     "value": "xyz",
>>     "type": "Group"
>>   }
>> ]
>> "members": [
>>   {
>>     "value": "abc",
>>     "$ref": "anything at all"
>>   },
>>   {
>>     "value": "xyz",
>>     "type": "Group",
>>     "$ref": "anything at all"
>>   }
>> ]
>> "members": [
>>   {
>>     "value": "xyz"
>>   }
>> ]
>> 400 - Missing “Group” "type" on nested group member definition
>> "members": [
>>   {
>>     "value": "xyz"
>>     "$ref": "../Groups/xyz"
>>   }
>> ]
>> "members": [
>>   {
>>     "$ref": "../Users/abc"
>>   }
>> ]
>> 400 - Missing "value" on group member definition
>> "members": [
>>   {
>>     "$ref": "../Groups/xyz"
>>   }
>> ]
>> "members": [
>>   {
>>     "value": "abc",
>>     "type": "Group"
>>   }
>> ]
>> 400 - Wrong "type" provided
>> "members": [
>>   {
>>     "value": "xyz",
>>     "type": "User"
>>   }
>> ]
>> "members": [
>>   {
>>     "value": "abc",
>>     "type": "UnsupportedType"
>>   }
>> ]
>> 400 - Unsupported "type" provided
>> "members": [
>>   {
>>     "value": "no such resource with or without type"
>>   }
>> ]
>> 400 - Member does not exist
>>  
>> 
>>  
>> 
>> On Wed, Aug 9, 2017 at 11:06 AM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:
>> 
>> I agree the server can decide. 
>> 
>>  
>> 
>> IMO the server should check referential integrity. By doing so it would likely know the type. The spec is silent (as far as i recall) on whether it expresses it. 
>> 
>>  
>> 
>> You can also tell via id which is local and $ref path given's scim's strict path rules (look at the parent of the last segment). 
>> 
>> From my recollection some of these items were not that important given scim was provisioning api for apps - apps implementing server side are free to do what they can/want. Now that it is being used as directory, closing some unspecified / loose areas might be better for interop IMO. 
>> 
>> 
>> Phil
>> 
>> 
>> On Aug 9, 2017, at 8:32 AM, Kelly Grizzle <kelly.grizzle@sailpoint.com> wrote:
>> 
>> Given the general desire for SCIM to allow loose reading but strict writing, I would vote for option 1.  If type is not specified in a PUT/POST/PATCH then the server can assume “User”.
>> 
>>  
>> 
>> --Kelly
>> 
>>  
>> 
>> From: Shelley [mailto:randomshelley@gmail.com] 
>> Sent: Wednesday, August 9, 2017 9:02 AM
>> To: Kelly Grizzle <kelly.grizzle@sailpoint.com>
>> Cc: scim@ietf.org
>> Subject: Re: [scim] Groups Member Type
>> 
>>  
>> 
>> Resurrecting this old thread, as this question has recently come up during some of our interoperability testing, and there still appears to be some ambiguity in the spec...
>> 
>> 
>> The SCIM 1.1 and 2.0 specifications do not seem to indicate the expected behavior if the type sub-attribute is not provided on a Group resource member. Neither spec seems to explicitly require this attribute, so what is the expected behavior if no type is provided? Is there a default (e.g. "User" or "Group"), must Service Providers search for the member across all resource types, or should it be treated as REQUIRED (e.g. returning a 400 error)?
>> 
>>  
>> 
>>  
>> 
>> On Mon, Feb 25, 2013 at 10:38 AM, Shelley <randomshelley@gmail.com> wrote:
>> 
>> Thanks, Kelly. Given that the ID may represent either a User or Group and only the combination of "type" and "value" uniquely identify the reference, should the canonical "type" attribute for group members be REQUIRED as well? (Further, the majority of examples throughout the Protocol specification only include a "value" and not "type", so it's ambiguous as to whether these "values" represent Users or Groups.)
>> 
>>  
>> 
>> On Mon, Feb 11, 2013 at 4:02 PM, Kelly Grizzle <kelly.grizzle@sailpoint.com> wrote:
>> 
>> I opened ticket #35 to change this.
>> 
>>  
>> 
>> http://trac.tools.ietf.org/wg/scim/trac/ticket/35
>> 
>>  
>> 
>> --Kelly
>> 
>>  
>> 
>> From: scim-bounces@ietf.org [mailto:scim-bounces@ietf.org] On Behalf Of Shelley
>> Sent: Monday, February 11, 2013 11:36 AM
>> To: Kelly Grizzle
>> Cc: scim@ietf.org
>> Subject: Re: [scim] Groups Member Type
>> 
>>  
>> 
>> +1 to mark it as "immutable".
>> 
>> On Mon, Feb 4, 2013 at 8:08 AM, Kelly Grizzle <kelly.grizzle@sailpoint.com> wrote:
>> 
>> Good point.  It seems like this should say “immutable” rather than “read-only”, since it can be set initially but not updated.  Thoughts from anyone else?  If this seems reasonable I’ll open an issue to get this fixed.
>> 
>>  
>> 
>> --Kelly
>> 
>>  
>> 
>> From: scim-bounces@ietf.org [mailto:scim-bounces@ietf.org] On Behalf Of Shelley
>> Sent: Friday, February 01, 2013 1:37 PM
>> To: scim@ietf.org
>> Subject: [scim] Groups Member Type
>> 
>>  
>> 
>> As indicated in Section 8, the canonical types for Group members are READ-ONLY. As such, how can consumers provide the type (i.e. "User" or "Group")? Is it implied that IDs are unique across both users and groups in order for service providers to fulfill this requirement?
>> 
>>  
>> 
>>  
>> 
>>  
>> 
>> _______________________________________________
>> scim mailing list
>> scim@ietf.org
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_scim&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=nXj1uLbLovxxCW-VPX0d1geWghpaAIZtMXKkPYyACLo&s=rCY_ttBwpsTcGVSsZT2hsLHWPXL17cWyIBS5WDT4oDs&e=
>> 
>>  
>> 
> 
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_scim&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=r2m_MvDPC_E054FW8iS_KN21BYONvlP0VoG5jrqmY1s&s=XfPtR8usf3qjskybyrZ_GpfWNWTn_l3pKiZNBe8O4tU&e=

v2.23.0 | Report a Bug | By Email