Re: [scim] [Technical Errata Reported] RFC7643 (6011)

Phil Hunt <phil.hunt@yahoo.com> Tue, 10 March 2020 18:44 UTC

Shelley,

The display attribute is usually set by the client creating the record. AFAIK most of the time CMV attributes are immutable (at least that was the discussion).

In some cases it may be an attribute asserted only by the service provider but not always.  For this reason, I would not recommend the example show “readOnly” as this may cause a lot of confusion. Instead I would go with “immutable” per the spec default.

From a historical perspective...

I know that as the SCIM 2 protocol evolved (from SCIM 1), we developed the PATCH operation to be able to do discrete manipulation of CMVAs which enabled updating of attributes in a readwrite fashion.

Phil Hunt
phil.hunt@yahoo.com



> On Mar 9, 2020, at 10:21 AM, Shelley <randomshelley@gmail.com> wrote:
> 
> Thanks.
> 
> The use of "readOnly" for the "display" mutability overlaps a bit with a question posted here:
> https://mailarchive.ietf.org/arch/msg/scim/qI6J6ZwnlowstviRBMox41J_yo4/
> 
> Apologies for conflating these two issues.
> 
> On Mon, Mar 9, 2020 at 12:04 PM Phil Hunt <phil.hunt@yahoo.com> wrote:
> VERIFIED
> 
> However, the correction needs a correction.  The display attribute is “immutable” not “readOnly”.
> 
>          {
>            "name": "display",
>            "type": "string",
>            "multiValued": false,
>            "description": "A human-readable name for the group member, primarily used for display purposes.",
>            "required": false,
>            "caseExact": false,
>            "mutability": "readOnly",
> --> should be:
>            "mutability": "immutable",
> 
>            "returned": "default",
>            "uniqueness": "none"
>          }
> 
> Phil Hunt
> phil.hunt@yahoo.com
> 
> 
> 
>> On Mar 9, 2020, at 7:47 AM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>> 
>> The following errata report has been submitted for RFC7643,
>> "System for Cross-domain Identity Management: Core Schema".
>> 
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid6011
>> 
>> --------------------------------------
>> Type: Technical
>> Reported by: Shelley Baker <randomshelley@gmail.com>
>> 
>> Section: 8.7.1
>> 
>> Original Text
>> -------------
>>      {
>>        "name" : "members",
>>        "type" : "complex",
>>        "multiValued" : true,
>>        "description" : "A list of members of the Group.",
>>        "required" : false,
>>        "subAttributes" : [
>>          {
>>            "name" : "value",
>>            "type" : "string",
>>            "multiValued" : false,
>>            "description" : "Identifier of the member of this Group.",
>>            "required" : false,
>>            "caseExact" : false,
>>            "mutability" : "immutable",
>>            "returned" : "default",
>>            "uniqueness" : "none"
>>          },
>>          {
>>            "name" : "$ref",
>>            "type" : "reference",
>>            "referenceTypes" : [
>>              "User",
>>              "Group"
>>            ],
>>            "multiValued" : false,
>>            "description" : "The URI corresponding to a SCIM resource
>> that is a member of this Group.",
>>            "required" : false,
>>            "caseExact" : false,
>>            "mutability" : "immutable",
>>            "returned" : "default",
>>            "uniqueness" : "none"
>>          },
>>          {
>>            "name" : "type",
>>            "type" : "string",
>>            "multiValued" : false,
>>            "description" : "A label indicating the type of resource,
>> e.g., 'User' or 'Group'.",
>>            "required" : false,
>>            "caseExact" : false,
>>            "canonicalValues" : [
>>              "User",
>>              "Group"
>>            ],
>>            "mutability" : "immutable",
>>            "returned" : "default",
>>            "uniqueness" : "none"
>>          }
>>        ],
>>        "mutability" : "readWrite",
>>        "returned" : "default"
>>      }
>> 
>> Corrected Text
>> --------------
>>      {
>>        "name" : "members",
>>        "type" : "complex",
>>        "multiValued" : true,
>>        "description" : "A list of members of the Group.",
>>        "required" : false,
>>        "subAttributes" : [
>>          {
>>            "name" : "value",
>>            "type" : "string",
>>            "multiValued" : false,
>>            "description" : "Identifier of the member of this Group.",
>>            "required" : false,
>>            "caseExact" : false,
>>            "mutability" : "immutable",
>>            "returned" : "default",
>>            "uniqueness" : "none"
>>          },
>>          {
>>            "name" : "$ref",
>>            "type" : "reference",
>>            "referenceTypes" : [
>>              "User",
>>              "Group"
>>            ],
>>            "multiValued" : false,
>>            "description" : "The URI corresponding to a SCIM resource
>> that is a member of this Group.",
>>            "required" : false,
>>            "caseExact" : false,
>>            "mutability" : "immutable",
>>            "returned" : "default",
>>            "uniqueness" : "none"
>>          },
>>          {
>>            "name" : "type",
>>            "type" : "string",
>>            "multiValued" : false,
>>            "description" : "A label indicating the type of resource,
>> e.g., 'User' or 'Group'.",
>>            "required" : false,
>>            "caseExact" : false,
>>            "canonicalValues" : [
>>              "User",
>>              "Group"
>>            ],
>>            "mutability" : "immutable",
>>            "returned" : "default",
>>            "uniqueness" : "none"
>>          },
>>          {
>>            "name": "display",
>>            "type": "string",
>>            "multiValued": false,
>>            "description": "A human-readable name for the group member, primarily used for display purposes.",
>>            "required": false,
>>            "caseExact": false,
>>            "mutability": "readOnly",
>>            "returned": "default",
>>            "uniqueness": "none"
>>          }
>>        ],
>>        "mutability" : "readWrite",
>>        "returned" : "default"
>>      }
>> 
>> Notes
>> -----
>> The group "members" attribute should define a "display" sub-attribute.
>> 
>> * Section 2.4 defines a standard multi-valued read-only attribute of "display".
>> * The Group Representation example in Section 8.4 also includes the "members.display" sub-attribute.
>> * This discussion in the SCIM mailing list [1] also indicates that this should be fixed.
>> 
>> [1] https://mailarchive.ietf.org/arch/msg/scim/EH99Gxn-hDluihMNtWLIekuFCs8/
>> 
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party  
>> can log in to change the status and edit the report, if necessary. 
>> 
>> --------------------------------------
>> RFC7643 (draft-ietf-scim-core-schema-22)
>> --------------------------------------
>> Title               : System for Cross-domain Identity Management: Core Schema
>> Publication Date    : September 2015
>> Author(s)           : P. Hunt, Ed., K. Grizzle, E. Wahlstroem, C. Mortimore
>> Category            : PROPOSED STANDARD
>> Source              : System for Cross-domain Identity Management
>> Area                : Applications and Real-Time
>> Stream              : IETF
>> Verifying Party     : IESG
> 
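The point of the thread is that "readOnly" and "immutable" are different enforcement rules, and a service provider treats a client-supplied `members.display` differently under each. The following is an added example, not code from the thread, the RFC or any SCIM implementation: a small Python model of how a service provider applies sub-attribute mutability on a PUT, run over the corrected `members` schema fragment with `display` set in turn to each of the three candidate mutabilities. The mutability semantics are a simplified reading of RFC 7643 section 2.2 and RFC 7644 section 3.5.1 (readOnly client values ignored, immutable values accepted only while unset or unchanged, readWrite always accepted) and are an assumption of this example; the member data is constructed.

```python
import copy

# Schema fragment from the corrected erratum text (only the fields the check
# needs), with "display" carrying the mutability argued for in this thread:
# "immutable", the spec default, rather than "readOnly".
MEMBERS_SCHEMA = {
    "name": "members",
    "type": "complex",
    "multiValued": True,
    "mutability": "readWrite",
    "subAttributes": [
        {"name": "value", "type": "string", "mutability": "immutable"},
        {"name": "$ref", "type": "reference", "mutability": "immutable"},
        {"name": "type", "type": "string", "mutability": "immutable"},
        {"name": "display", "type": "string", "mutability": "immutable"},
    ],
}


class MutabilityError(ValueError):
    """Where RFC 7644 would answer HTTP 400 with scimType "mutability"."""


def sub_mutability(schema):
    """Map sub-attribute name -> mutability, defaulting to readWrite (RFC 7643 2.2)."""
    return {s["name"]: s.get("mutability", "readWrite") for s in schema["subAttributes"]}


def apply_member_put(schema, stored, incoming):
    """Return one member object as the service provider would store it after a PUT.

    `stored` is the current representation (None on create); `incoming` is the
    client-supplied object. Simplified model of RFC 7644 3.5.1 (an assumption of
    this example): readOnly client values are ignored, immutable values are
    accepted only while unset or unchanged, readWrite values are always taken.
    """
    rules = sub_mutability(schema)
    result = copy.deepcopy(stored) if stored else {}
    for name, value in incoming.items():
        mut = rules.get(name, "readWrite")
        if mut == "readOnly":
            continue  # the client cannot assert it; the server keeps its own value
        if mut == "immutable":
            current = result.get(name)
            if current is not None and current != value:
                raise MutabilityError(f"{schema['name']}.{name} is immutable")
        result[name] = value
    return result


def with_display_mutability(mutability):
    """Copy of MEMBERS_SCHEMA with members.display set to the given mutability."""
    schema = copy.deepcopy(MEMBERS_SCHEMA)
    for sub in schema["subAttributes"]:
        if sub["name"] == "display":
            sub["mutability"] = mutability
    return schema


def display_after_put(schema, stored, incoming):
    """The display value stored after the PUT, or "rejected" on a mutability error."""
    try:
        return apply_member_put(schema, stored, incoming).get("display")
    except MutabilityError:
        return "rejected"


def compare_display_mutabilities():
    """Create a member, then PUT it back with a changed display, under each mutability."""
    member = {"value": "member-0001", "display": "Babs Jensen"}  # constructed sample
    renamed = dict(member, display="Barbara Jensen")
    outcome = {}
    for mut in ("readOnly", "immutable", "readWrite"):
        schema = with_display_mutability(mut)
        created = apply_member_put(schema, None, member)  # a create never conflicts
        outcome[mut] = {
            "after_create": created.get("display"),
            "after_rename": display_after_put(schema, created, renamed),
        }
    return outcome


if __name__ == "__main__":
    for mut, seen in compare_display_mutabilities().items():
        print(f"{mut:10} create -> {seen['after_create']!r:16} rename -> {seen['after_rename']!r}")
```

The readOnly row is the confusion the reply warns about: a client that creates the group with a `display` on each member has the value silently dropped, because the server is the only party allowed to assert it. Under immutable the client's value is kept at creation but a later attempt to change it is refused with a mutability error, which is why changing member data on an existing group goes through PATCH rather than a whole-resource PUT.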