IETF Logo Mail Archive

Re: [scim] Request for Input

Samuel Erdtman <samuel@erdtman.se> Sun, 31 March 2013 18:47 UTC

Return-Path: <samuel@erdtman.se>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98D2421F8518 for <scim@ietfa.amsl.com>; Sun, 31 Mar 2013 11:47:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.3
X-Spam-Level:
X-Spam-Status: No, score=0.3 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jwaRe2ybAwbY for <scim@ietfa.amsl.com>; Sun, 31 Mar 2013 11:47:44 -0700 (PDT)
Received: from mail-ea0-x22b.google.com (mail-ea0-x22b.google.com [IPv6:2a00:1450:4013:c01::22b]) by ietfa.amsl.com (Postfix) with ESMTP id CFCF721F8498 for <scim@ietf.org>; Sun, 31 Mar 2013 11:47:40 -0700 (PDT)
Received: by mail-ea0-f171.google.com with SMTP id b15so814599eae.2 for <scim@ietf.org>; Sun, 31 Mar 2013 11:47:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:references:from:mime-version:in-reply-to:date:message-id :subject:to:cc:content-type:x-gm-message-state; bh=a5blhIbMm4UlCw+oLsKD2h0S7j/QioysGVdMgl+2jiI=; b=hECE8Medgnjx1dGmQc+tGnNNLG7WzYXYvhhKgwK8blg4+Xn67MnM/App4BrQiCVHPf 8sya/c73TEkEvNNpfww6pjgRPbefWxldi9S1nP1N3ueediD4A8+Nyr4/uhUsg0K9lo7F Kxc92xmRi5j+sLb4AA/EC6J311KcbyrdJblKHrlz2OFa/wvxlpO8S1PnqvDavlTuQeeV 2vHQPSYpgjsOhZsxmMuPCaaogf3GwgXFRzeqYJ5BaJVe6jVWoHqqzz+6luwW3kuOaHaq lllRCMjzaRHDm42Z5lzHIh4r4YxNAqK7VssbjpVneNoPOJxKu8hJdtDzlOwpS2YSOqX3 5Rcg==
X-Received: by 10.14.175.71 with SMTP id y47mr29805127eel.18.1364755659382; Sun, 31 Mar 2013 11:47:39 -0700 (PDT)
References: <CAPx6tN5PwV=hwifdCj3JiOKLsYCQZdewHOh7voau7OLSm3FWvg@mail.gmail.com> <AAE9F872-F35E-4A73-8674-4A7AF6C0537B@oracle.com> <56C3C758F9D6534CA3778EAA1E0C34375C3ADF35@BLUPRD0412MB643.namprd04.prod.outlook.com> <E963C9E3-BC9D-4E54-A409-ABC0B1FC7D9E@nexussafe.com>
From: Samuel Erdtman <samuel@erdtman.se>
Mime-Version: 1.0 (1.0)
In-Reply-To: <E963C9E3-BC9D-4E54-A409-ABC0B1FC7D9E@nexussafe.com>
Date: Sun, 31 Mar 2013 20:47:37 +0200
Message-ID: <-2041779814984196830@unknownmsgid>
To: Erik Wahlström <erik.wahlstrom@nexussafe.com>
Content-Type: multipart/alternative; boundary="047d7b603e96489dd204d93cf018"
X-Gm-Message-State: ALoCoQkM+Q4FW8RQu+1U5W1CC1zaPIBs6rJpxLIRoeRR2aBTL/+lRc6LY8+p6ngec4K5B4/evN/+
Cc: "scim@ietf.org" <scim@ietf.org>, Phil Hunt <phil.hunt@oracle.com>, Alexandre Santos <asantos@pingidentity.com>, Kelly Grizzle <kelly.grizzle@sailpoint.com>
Subject: Re: [scim] Request for Input
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/scim>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2013 18:47:45 -0000

I would vote for the simplest solution that solves the problem, I think
Kelly raises a point that makes PUT and DELETE harder to get as clean as in
the examples I.e. there is no single unique id for most multivalued
attributes, the value attribute could be the same for several attributes
e.g. Same phone number could be used for both mobile and work then it is
the combination value and type that makes it unique. (With the current
discussion on not requiring global unique id's for the combined set group
and user will have the same problem if not required unique)

The solution might be to something like this:
PUT /Groups/<group-Id>/<attribute>/
e.g.
PUT /Groups/<group-Id>/members/

DELETE /Groups/<group-Id>/<attribute>/<type>/<value>
e.g.
DELETE /Groups/<group-Id>/members/User/<value>

We could also allow replace in one operation by doing put to a uniquely
identified attribute:
PUT /Groups/<group-Id>/<attribute>/<type>/<value>
e.g.
PUT /Groups/<group-Id>/members/User/<value>

In case we go for a solution like this I think that we also should simplify
or remove PATCH operation. We could do singe attribute delete, add and
update like this:
PUT /Groups/<group-Id>/<attribute> (add or update attribute)
PUT /Groups/<group-Id>/<attribute> (remove attribute)
This has the disadvantage towards patch that you can only handle one
attribute at the time or the full resource object.

Finally I would like to remind everyone that we have had the discussion of
adding an "unique" identifier to the attributes in a multivalued attribute
and the strongest argument against was that it is not possible when putting
SCIM on top of an existing data source.


Sent from my iPhone

On 28 mar 2013, at 18:54, "Erik Wahlström" <erik.wahlstrom@nexussafe.com>
wrote:

 +1
Rather make patch mandatory before adding functionality to PUT and
DELETE. Just for simplicity.
/ Erik

 On Mar 28, 2013, at 2:10 PM, Kelly Grizzle wrote:

  PATCH was added specifically to address the “changing membership of a
large group” use case.  The POST/DELETE to the members endpoint was
considered when looking into PATCH, but unfortunately this does not work in
the general case.  Specifically, this only works if the list elements have
a unique identifier, so it fell apart when trying to apply this to
adding/removing addresses (which do not have a unique identifier).

 I’m not convinced that we need to add another mechanism to solve this use
case, but I do agree that PATCH could be simplified.

 --Kelly

  *From:* scim-bounces@ietf.org
[mailto:scim-bounces@ietf.org<scim-bounces@ietf.org>
] *On Behalf Of *Phil Hunt
*Sent:* Wednesday, March 27, 2013 7:02 PM
*To:* Alexandre Santos
*Cc:* scim@ietf.org
*Subject:* Re: [scim] Request for Input

 I think this may fit in with our discussion of adjusting PATCH to work
better with multi-value and complex attributes (ticket 18).

  So far, we've been avoiding extended paths that go within the Resource
entity (e.g. to address specific attributes).

  If you were to do the item below, I think you would have to add the
attribute name to the path at the very least.

  PUT /Groups/<groupid>/members/Users/<userid>

  Still I think that may have problems if the member is actual a URL rather
then a simple UUID.

     Phil

  @independentid
  www.independentid.com

phil.hunt@oracle.com




  On 2013-03-27, at 4:01 PM, Alexandre Santos wrote:


  For groups with many users (>10k) it becomes problematic to do POSTs or
PUTs. The only alternative would be PATCH. However PATCH is not mandatory.

  For this reason we would like to request your input for the following
proposal: allow membership changes via PUT and DELETE.

  For this the PUT and DELETE commands would be in the format:
  PUT /Groups/<groupId>/user/<userId> - to add a user to a group
  DELETE /Groups/<groupId>/user/<userId> - to remove the user from the group

 Thank you,

  *Alexandre Santos*  | Sr. Development Engineer
*Ping**Identity*  |   www.pingidentity.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- -
*O:* 604.697.7056
*Email:* asantos@pingidentity.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- -
   *Connect with Ping*
Twitter: @pingidentity
LinkedIn Group: Ping's Identity Cloud
Facebook.com/pingidentitypage
   **
      _______________________________________________
scim mailing list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim

 _______________________________________________
scim mailing list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim


 _______________________________________________
scim mailing list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim

v2.23.0 | Report a Bug | By Email