[scim] Revisiting SCIM roles and entitlements extension draft

Danny Zollner <Danny.Zollner@microsoft.com> Mon, 20 June 2022 04:25 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/nqv8pk1rOZ9jlODpt9IFzweARvg>

Hi SCIM-ers,

Last fall I submitted a draft for an extension to add new /roles and /entitlements resources that can be queried to allow a SCIM client to discover what roles exist on the service provider before trying to apply any values to roles or entitlements for a user. That draft has since expired, but I would like to revisit it and make any necessary revisions ahead of submitting a newer draft and requesting a call for adoption. The expired version of the draft is located here: https://datatracker.ietf.org/doc/draft-zollner-scim-roles-entitlements-extension/

In addition to what is described in the first version of this draft, in order to gauge interest I want to bring up a second concept that could be added to the draft. The new concept is a representation of relationships between roles or entitlements. Many systems have a hierarchy of roles or entitlements. To add on to my draft, I'm considering adding two new multi-valued attributes to both the roles and entitlements resources - "containedBy" and "contains" (names open to change). The goal would be to allow representation of something like:


  *   A SCIM app used as a CRM system has a role structure where the role "Super Administrator" has all privileges
  *   More granular roles exist also - i.e.: "Application Administrator", "Finance Administrator", "Sales and Accounts Administrator".
  *   This structure may nest several levels deep - i.e.: "Finance Admin" may have separate sub-roles underneath such as "Accounts Receivable Administrator", "Accounts Payable Administrator", "Payroll Administrator", etc.

Applying a SCIM/JSON structure to represent that data, we may see something like:

Role 1: Super Administrator

{
  "value": "SuperAdmin",
  "display": "Super Administrator",
  "enabled": true,
  "contains": ["AppAdmin", "FinanceAdmin", "SalesAdmin"]
}

Role 2: Finance Admin

{
  "value": "FinanceAdmin",
  "display": "Finance Administrator",
  "enabled": true,
  "containedBy": ["SuperAdmin"],
  "contains": ["AccountsReceivableAdmin", "AccountPayableAdmin", "PayrollAdmin"]
}

Role 3: Payroll Admin

{
  "value": "PayrollAdmin",
  "display": "Payroll Administrator",
  "containedBy": ["FinanceAdmin"]
}

If contains and containedBy are left as multi-valued strings, there's then the problem of deciding if you only represent direct or indirect membership in a higher role - i.e.: Payroll Administrator is contained by Finance Administrator directly - but if the goal is to determine what permissions the Super Administrator role has - the indirect values, that is - the nested memberships from the three roles that Super Administrator contains would then need to be unpacked recursively (I think that's the right word) until the bottom of the structure is met.

An alternative approach there could be to add an additional two attributes, and have four multi-valued string attributes - containsDirect, containsIndirect, containedByDirect, and containedByIndirect. Another approach that I think is the better solution to this problem would be to change contains and containedBy from multi-valued string to multi-valued complex, and to have two sub-attributes on the complex object - value and type (name tbd), with type representing if the value is a direct link - i.e.: Payroll Administrator being contained in Finance Administrator - or if it's an indirect link, i.e.: Payroll Administrator being contained in Super Administrator by way of Finance Administrator.

My questions/requests to the group are:


  *   I would appreciate feedback on the current expired version of the draft
  *   For the new idea that I outlined, is there need for this level of detail being represented as an optional component of the extension?
  *   For the new idea, general feedback - is the current approach best, is one of the others that can handle indirect links better, or is there another approach I haven't written about?
  *   For the new idea, what are thoughts on circular references - i.e.: Payroll Administrator contains Finance Administrator, but Finance Administrator also contains (not is containedBy) Payroll Administrator. Should they be explicitly prohibited, or are there scenarios that should be accommodated that would require circular references?

Thanks,

Danny Zollner
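As an added example (not part of the e-mail above or of the draft), the Python below takes the direct "contains" links of the roles described in the message, expands them into the proposed multi-valued complex form with each entry typed "direct" or "indirect", and rejects a circular reference before a client would try to unpack it. The role values are the e-mail's; the ROLES table and the function names are constructed here.

```python
from collections import deque

# Constructed sample: the CRM role hierarchy from the e-mail, direct links only.
ROLES = {
    "SuperAdmin": ["AppAdmin", "FinanceAdmin", "SalesAdmin"],
    "FinanceAdmin": ["AccountsReceivableAdmin", "AccountPayableAdmin", "PayrollAdmin"],
}
for leaf in ("AppAdmin", "SalesAdmin", "AccountsReceivableAdmin", "AccountPayableAdmin", "PayrollAdmin"):
    ROLES[leaf] = []  # leaf roles contain nothing

def find_cycle(direct):
    """Return the role values of one circular reference (a closed path), or None."""
    state = {}  # value -> "open" while on the DFS stack, "done" when finished
    for start in direct:
        if start in state:
            continue
        stack, state[start] = [(start, iter(direct[start]))], "open"
        while stack:
            node, children = stack[-1]
            child = next(children, None)
            if child is None:                  # all children visited
                state[node] = "done"
                stack.pop()
            elif state.get(child) == "open":   # back edge: child is still an ancestor
                nodes = [n for n, _ in stack]
                return nodes[nodes.index(child):] + [child]
            elif child not in state:           # a value not in `direct` raises KeyError here
                state[child] = "open"
                stack.append((child, iter(direct[child])))
    return None

def expand(direct):
    """Per role, the proposed complex 'contains'/'containedBy' entries {"value", "type"}."""
    cycle = find_cycle(direct)
    if cycle:
        raise ValueError("circular reference: " + " -> ".join(cycle))
    out = {r: {"contains": [], "containedBy": []} for r in direct}
    for root in direct:
        # breadth-first: direct children are queued before any indirect one, so a role
        # reachable both ways is recorded once, as "direct"
        seen, queue = {}, deque((c, "direct") for c in direct[root])
        while queue:
            node, kind = queue.popleft()
            if node not in seen:
                seen[node] = kind
                queue.extend((c, "indirect") for c in direct[node])
        for node, kind in seen.items():
            out[root]["contains"].append({"value": node, "type": kind})
            out[node]["containedBy"].append({"value": root, "type": kind})
    return out
```

A service provider could run the same cycle check when a role is created or patched, so that a client reading /roles never has to defend against an infinite unpack.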