IETF Logo Mail Archive

Re: [scim] Groups Member Type

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Wed, 09 August 2017 16:06 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DF031323CB for <scim@ietfa.amsl.com>; Wed, 9 Aug 2017 09:06:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.219
X-Spam-Level:
X-Spam-Status: No, score=-4.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJ4XaManPW2B for <scim@ietfa.amsl.com>; Wed, 9 Aug 2017 09:06:27 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DFD013240C for <scim@ietf.org>; Wed, 9 Aug 2017 09:06:27 -0700 (PDT)
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v79G6OOj007156 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 9 Aug 2017 16:06:25 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v79G6Nwk027268 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 9 Aug 2017 16:06:24 GMT
Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v79G6Mi7006387; Wed, 9 Aug 2017 16:06:23 GMT
Received: from [10.0.1.19] (/24.86.190.97) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 09 Aug 2017 09:06:22 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail-4281E78F-46CB-4302-BB98-401C646D28E1"
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (14G60)
In-Reply-To: <CY1PR04MB2363D61AB4E1F0C5843904F5E28B0@CY1PR04MB2363.namprd04.prod.outlook.com>
Date: Wed, 09 Aug 2017 09:06:19 -0700
Cc: Shelley <randomshelley@gmail.com>, "scim@ietf.org" <scim@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <BC21670B-1A93-430C-BBF7-0E1B5BE4B570@oracle.com>
References: <CAGUsYPz7_9Tat93aC2t=YAQcHG6dmboYDYij_8sRpKA6CZoWEA@mail.gmail.com> <56C3C758F9D6534CA3778EAA1E0C343753AB2F38@BLUPRD0412MB643.namprd04.prod.outlook.com> <CAGUsYPwUt997zV9sxC4p93Jz=9j+bWeqygyMSkssM1gMZfxhpQ@mail.gmail.com> <56C3C758F9D6534CA3778EAA1E0C343753AC4630@BLUPRD0412MB643.namprd04.prod.outlook.com> <CAGUsYPyV7RjdmbUMcQ5N8NdwGjPzt2xHSANyNJon_uceNjhUgA@mail.gmail.com> <CAGUsYPzYh0zqpEedtAx2rwTKzPYRiURY3DTzJi8jyDUxrifUiw@mail.gmail.com> <CY1PR04MB2363D61AB4E1F0C5843904F5E28B0@CY1PR04MB2363.namprd04.prod.outlook.com>
To: Kelly Grizzle <kelly.grizzle@sailpoint.com>
X-Source-IP: aserv0022.oracle.com [141.146.126.234]
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/vE7tEyFCvMGRCste1HJ2Vb-fOg0>
Subject: Re: [scim] Groups Member Type
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2017 16:06:32 -0000

I agree the server can decide. 

IMO the server should check referential integrity. By doing so it would likely know the type. The spec is silent (as far as i recall) on whether it expresses it. 

You can also tell via id which is local and $ref path given's scim's strict path rules (look at the parent of the last segment). 

From my recollection some of these items were not that important given scim was provisioning api for apps - apps implementing server side are free to do what they can/want. Now that it is being used as directory, closing some unspecified / loose areas might be better for interop IMO. 

Phil

> On Aug 9, 2017, at 8:32 AM, Kelly Grizzle <kelly.grizzle@sailpoint.com> wrote:
> 
> Given the general desire for SCIM to allow loose reading but strict writing, I would vote for option 1.  If type is not specified in a PUT/POST/PATCH then the server can assume “User”.
>  
> --Kelly
>  
> From: Shelley [mailto:randomshelley@gmail.com] 
> Sent: Wednesday, August 9, 2017 9:02 AM
> To: Kelly Grizzle <kelly.grizzle@sailpoint.com>
> Cc: scim@ietf.org
> Subject: Re: [scim] Groups Member Type
>  
> Resurrecting this old thread, as this question has recently come up during some of our interoperability testing, and there still appears to be some ambiguity in the spec...
> 
> The SCIM 1.1 and 2.0 specifications do not seem to indicate the expected behavior if the type sub-attribute is not provided on a Group resource member. Neither spec seems to explicitly require this attribute, so what is the expected behavior if no type is provided? Is there a default (e.g. "User" or "Group"), must Service Providers search for the member across all resource types, or should it be treated as REQUIRED (e.g. returning a 400 error)?
>  
>  
> On Mon, Feb 25, 2013 at 10:38 AM, Shelley <randomshelley@gmail.com> wrote:
> Thanks, Kelly. Given that the ID may represent either a User or Group and only the combination of "type" and "value" uniquely identify the reference, should the canonical "type" attribute for group members be REQUIRED as well? (Further, the majority of examples throughout the Protocol specification only include a "value" and not "type", so it's ambiguous as to whether these "values" represent Users or Groups.)
> 
> 
> 
> On Mon, Feb 11, 2013 at 4:02 PM, Kelly Grizzle <kelly.grizzle@sailpoint.com> wrote:
> I opened ticket #35 to change this.
>  
> http://trac.tools.ietf.org/wg/scim/trac/ticket/35
>  
> --Kelly
>  
> From: scim-bounces@ietf.org [mailto:scim-bounces@ietf.org] On Behalf Of Shelley
> Sent: Monday, February 11, 2013 11:36 AM
> To: Kelly Grizzle
> Cc: scim@ietf.org
> Subject: Re: [scim] Groups Member Type
>  
> +1 to mark it as "immutable".
> 
> On Mon, Feb 4, 2013 at 8:08 AM, Kelly Grizzle <kelly.grizzle@sailpoint.com> wrote:
> Good point.  It seems like this should say “immutable” rather than “read-only”, since it can be set initially but not updated.  Thoughts from anyone else?  If this seems reasonable I’ll open an issue to get this fixed.
>  
> --Kelly
>  
> From: scim-bounces@ietf.org [mailto:scim-bounces@ietf.org] On Behalf Of Shelley
> Sent: Friday, February 01, 2013 1:37 PM
> To: scim@ietf.org
> Subject: [scim] Groups Member Type
>  
> As indicated in Section 8, the canonical types for Group members are READ-ONLY. As such, how can consumers provide the type (i.e. "User" or "Group")? Is it implied that IDs are unique across both users and groups in order for service providers to fulfill this requirement?
>  
>  
>  
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_scim&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=nXj1uLbLovxxCW-VPX0d1geWghpaAIZtMXKkPYyACLo&s=rCY_ttBwpsTcGVSsZT2hsLHWPXL17cWyIBS5WDT4oDs&e=

v2.23.0 | Report a Bug | By Email