[scim] New Draft: SCIM RoleAssignment for Scoped Role Bindings
Prithvi Krishna <prithvikrishnab4u@gmail.com> Wed, 05 November 2025 06:09 UTC
From: Prithvi Krishna <prithvikrishnab4u@gmail.com>
Date: Tue, 04 Nov 2025 22:08:58 -0800
Message-ID: <CAEmhqz4mfXNJzLOZ7bAk4XUfO632K9erfh8WR3B0Sae85Q_pHg@mail.gmail.com>
To: SCIM WG <scim@ietf.org>
Subject: [scim] New Draft: SCIM RoleAssignment for Scoped Role Bindings
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/TTjXUA5MfsnquVGxxOXJSfyAyDs>
Hello SCIM Working Group,

I'd like to share a new Internet-Draft addressing scoped role bindings in SCIM:

SCIM RoleAssignment Draft Specification v0.2
<https://datatracker.ietf.org/doc/draft-poreddy-scim-role-assignment/>

*Problem:* SCIM 2.0 has no standard way to assign roles within specific scopes (projects, tenants, organizations). This forces workarounds like group sprawl or non-standard encodings, as seen in GitLab, Tanium, and Azure implementations.

*Solution:* A new RoleAssignment resource that explicitly links subject (User/Group), scope, and role, with support for temporal validity, audit trails, and governance metadata.

*Note:* This is version -02, incorporating detailed feedback from Dr. Matthias Winter on -01, including complete JSON Schema definitions, soft deletion architecture, design rationale, and enhanced conformance requirements.

Best regards,
Prithvi Poreddy
prithvikrishnab4u@gmail.com
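The following is an added illustration of the model the announcement describes, not code from the draft or its author. It sketches how a relying party would evaluate scoped role bindings of the kind the message names (subject that is a User or Group, scope, role, a validity window, and a soft-deleted marker kept for the audit trail). The record layout, the field names `subject`, `scope`, `role`, `validFrom`, `validTo` and `deleted`, the sample identifiers and the group membership table are all assumptions constructed for this example; the draft's actual schema URN and attribute names are not reproduced here. Scopes are matched exactly, so a role in `project:alpha` says nothing about `project:beta`, which is the property the message contrasts with group sprawl.

```python
from datetime import datetime

# Constructed sample data (not taken from the draft): four RoleAssignment-like records.
# Field names mirror the concepts in the announcement and are assumptions, not the
# draft's schema.
ASSIGNMENTS = [
    # Alice is a maintainer of project alpha with no end date.
    {"id": "ra-1", "subject": {"type": "User", "value": "u-alice"},
     "scope": {"type": "project", "value": "alpha"}, "role": "maintainer",
     "validFrom": "2025-01-01T00:00:00Z", "validTo": None, "deleted": False},
    # The auditors group may view organization acme during 2025 only.
    {"id": "ra-2", "subject": {"type": "Group", "value": "g-auditors"},
     "scope": {"type": "organization", "value": "acme"}, "role": "viewer",
     "validFrom": "2025-01-01T00:00:00Z", "validTo": "2026-01-01T00:00:00Z",
     "deleted": False},
    # Carol held a one-week admin role on project beta that has since expired.
    {"id": "ra-3", "subject": {"type": "User", "value": "u-carol"},
     "scope": {"type": "project", "value": "beta"}, "role": "admin",
     "validFrom": "2025-03-01T00:00:00Z", "validTo": "2025-03-08T00:00:00Z",
     "deleted": False},
    # Dave's binding was soft-deleted: retained for the audit trail, never effective.
    {"id": "ra-4", "subject": {"type": "User", "value": "u-dave"},
     "scope": {"type": "project", "value": "alpha"}, "role": "admin",
     "validFrom": "2025-01-01T00:00:00Z", "validTo": None, "deleted": True},
]

# Constructed group membership, as a SCIM Group's members attribute would supply it.
GROUP_MEMBERS = {"g-auditors": {"u-alice", "u-bob"}}


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp; 'Z' is rewritten so older Pythons accept it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_active(assignment, at):
    """A binding is effective only if it is not soft-deleted and `at` lies in
    the half-open window [validFrom, validTo). A missing bound is unbounded."""
    if assignment["deleted"]:
        return False
    if assignment["validFrom"] and at < parse_ts(assignment["validFrom"]):
        return False
    if assignment["validTo"] and at >= parse_ts(assignment["validTo"]):
        return False
    return True


def subjects_for_user(user_id, group_members):
    """The user itself plus every group the user is a member of."""
    subjects = {("User", user_id)}
    for group_id, members in group_members.items():
        if user_id in members:
            subjects.add(("Group", group_id))
    return subjects


def effective_roles(assignments, group_members, user_id, scope, at):
    """Roles `user_id` holds in exactly `scope` (a (type, value) pair) at time `at`.

    Scope hierarchy (an organization role implying project roles) is deliberately
    not modelled: the announcement does not state one, so this matches exactly.
    """
    subjects = subjects_for_user(user_id, group_members)
    return {
        a["role"]
        for a in assignments
        if (a["subject"]["type"], a["subject"]["value"]) in subjects
        and (a["scope"]["type"], a["scope"]["value"]) == scope
        and is_active(a, at)
    }


if __name__ == "__main__":
    now = parse_ts("2025-06-01T00:00:00Z")
    for user in ("u-alice", "u-bob", "u-carol", "u-dave"):
        for scope in (("project", "alpha"), ("project", "beta"), ("organization", "acme")):
            print(user, scope, sorted(effective_roles(ASSIGNMENTS, GROUP_MEMBERS, user, scope, now)))
```

The half-open validity window and the explicit `deleted` check are the two places where an implementation most easily goes wrong: an expired or revoked binding must evaluate to no role while the record itself stays queryable for audit purposes.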