Re: [scim] Does SCIM have an access rights model?
Rolf Brugger <rolf.brugger@switch.ch> Mon, 27 March 2017 15:50 UTC
To: scim@ietf.org
References: <5dd746c7-647b-ad0f-a8cf-ad9c3ca8df7c@switch.ch> <5675DA25-C333-45E0-A5BB-AD88B20BFF83@oracle.com>
From: Rolf Brugger <rolf.brugger@switch.ch>
Message-ID: <e89ef324-b861-708a-85d3-6a1529675be4@switch.ch>
Date: Mon, 27 Mar 2017 17:50:09 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <5675DA25-C333-45E0-A5BB-AD88B20BFF83@oracle.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/trnilIqVBwGR6wWnC-vIlFAUrxI>
Subject: Re: [scim] Does SCIM have an access rights model?
Hi Phil,

It does make sense to me that a model to manage access rights for SCIM clients to a SCIM server is out of scope - mostly because it is very context dependent. In our use case we have to limit access rights of SCIM clients, and I just wanted to make sure that we are not re-inventing the wheel. So thank you for your answer. That was very helpful!

cheers
Rolf

On 27/03/17 16:55, Phil Hunt (IDM) wrote:
> Rolf
>
> Thanks for your question.
>
> At the moment SCIM is a provisioning protocol and access rules are up to the service provider. E.g. what makes sense for a directory may not make sense for a CRM system.
>
> Regardless, the consequences to the client are still the same - success or unauthorized. :)
>
> For historical context a similar discussion happened in LDAP. While requirements had consensus no interoperable model was defined.
>
> With all that said, I think it may be useful to have discussions about an OAuth scope standard that could enable clients to request certain rights. E.g. ability to query as a directory. Ability to do self updates etc.
>
> This became more apparent when we wrote the OIDC SCIM profile as clients wanted an access token with user self service rights instead of read only access at the OIDC userinfo endpoint.
>
> Phil
>
>> On Mar 27, 2017, at 9:15 AM, Rolf Brugger <rolf.brugger@switch.ch> wrote:
>>
>> Hi all,
>>
>> I'm new to this list, and I hope my question is relevant to this community.
>>
>> In our particular use case we have one SCIM server and multiple SCIM clients. All clients are allowed to query all identities and all attributes.
>>
>> However, not all clients have the same permissions to update/write attributes. For example, some clients may only modify group memberships of identities, while other clients have the exclusive permission to modify name and email of identities.
>>
>> Is there a model in SCIM or some kind of best practice in existing implementations how to model client read/write permissions for attributes?
>>
>> best regards
>>
>> Rolf
>>
>> --
>> SWITCH
>> Rolf Brugger, Trust & Identity
>> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
>> direct +41 44 268 15 89
>> rolf.brugger@switch.ch, https://www.switch.ch

--
SWITCH
Rolf Brugger, Trust & Identity
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
direct +41 44 268 15 89
rolf.brugger@switch.ch, https://www.switch.ch
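The thread concludes that per-client write permissions are the service provider's problem, and Phil points at OAuth scopes as the eventual carrier for such rights. Since the specs give no model, the following is an added illustration (not from the thread, the SCIM RFCs, or any particular implementation) of what a deny-by-default, attribute-level write check on the server side can look like for SCIM 2.0 PATCH requests (RFC 7644, section 3.5.2). The client ids, the policy table and the two sample PATCH bodies are constructed for the example; in practice the client id would come from the OAuth token or mTLS identity that authenticated the request.

```python
"""Attribute-level write authorization for SCIM 2.0 PATCH requests.

Hypothetical example: a SCIM server keeps a per-client table of the
attributes each client may write and rejects any PATCH whose operations
touch anything else. Client ids, policy and sample requests are constructed.
"""
import re

# Constructed policy: client id -> attributes the client may write.
# Granting a top-level attribute (e.g. "name") covers all its sub-attributes.
WRITE_POLICY = {
    "group-sync-client": {"members"},                    # group membership only
    "hr-client":         {"name", "emails", "active"},   # exclusive owner of name/email
    "self-service-app":  {"phoneNumbers", "photos"},
}

_FILTER = re.compile(r"\[.*?\]")   # e.g. members[value eq "abc"] -> members


def normalize_path(path):
    """Reduce a SCIM attribute path to a lowercase dotted attribute name.

    SCIM attribute names are case-insensitive; a path may carry a schema URN
    prefix and a value filter, neither of which matters for the permission.
    """
    path = _FILTER.sub("", path.strip())
    if path.lower().startswith("urn:"):
        # Schema URNs separate the attribute from the URN with ':'.
        path = path.rsplit(":", 1)[1]
    return path.lower()


def touched_attributes(patch_body):
    """Return the set of normalized attribute paths a PATCH would modify."""
    touched = set()
    for op in patch_body.get("Operations", []):
        path = op.get("path")
        if path:
            touched.add(normalize_path(path))
        elif isinstance(op.get("value"), dict):
            # No path: the value is a partial resource whose keys are attributes,
            # or schema URNs whose values are dicts of extension attributes.
            for key, val in op["value"].items():
                if key.lower().startswith("urn:") and isinstance(val, dict):
                    touched.update(normalize_path(f"{key}:{sub}") for sub in val)
                else:
                    touched.add(normalize_path(key))
        else:
            # An operation we cannot attribute to any attribute is never allowed.
            touched.add("<unresolvable>")
    return touched


def is_write_allowed(attr, allowed):
    """True if attr or any of its ancestors ('name' for 'name.givenname') is granted."""
    parts = attr.split(".")
    return any(".".join(parts[:i]) in allowed for i in range(1, len(parts) + 1))


def authorize_patch(client_id, patch_body, policy=WRITE_POLICY):
    """Return (allowed, denied_attributes) for a client's PATCH request.

    Deny by default: unknown clients get an empty grant set.
    """
    allowed = {a.lower() for a in policy.get(client_id, set())}
    denied = sorted(a for a in touched_attributes(patch_body)
                    if not is_write_allowed(a, allowed))
    return (not denied, denied)


# Constructed sample: the group-sync client updates members (permitted) but
# the same request also tries to rename the group (not permitted).
SAMPLE_GROUP_PATCH = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {"op": "add", "path": "members",
         "value": [{"value": "2819c223-7f76-453a-919d-413861904646"}]},
        {"op": "remove", "path": 'members[value eq "e9e30dba-f08f-4109-8486-d5c6a331660a"]'},
        {"op": "replace", "path": "displayName", "value": "Administrators"},
    ],
}

# Constructed sample: the HR client replaces name and email without a path and
# sets "active" through a fully qualified schema URN path; all permitted.
SAMPLE_USER_PATCH = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {"op": "replace", "value": {
            "name": {"givenName": "Rolf", "familyName": "Brugger"},
            "emails": [{"value": "rolf.brugger@example.org", "primary": True}]}},
        {"op": "replace",
         "path": "urn:ietf:params:scim:schemas:core:2.0:User:active", "value": True},
    ],
}

if __name__ == "__main__":
    for client, body in (("group-sync-client", SAMPLE_GROUP_PATCH),
                         ("hr-client", SAMPLE_USER_PATCH)):
        ok, denied = authorize_patch(client, body)
        print(client, "allowed" if ok else f"denied for {denied}")
```

The whole request is rejected when any single operation is out of policy, rather than applying the permitted operations and dropping the rest; SCIM PATCH is meant to be atomic, and a partial apply would hide from the client which part was refused. Read restrictions (which the thread says are not needed in Rolf's case) would be a separate filter applied to the response attributes, not to the request.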