# SCIM Role examples

## Operations

This page shows the operations that can be performed on the Role object.

### List all

##### Request

```MarkDown
GET https://<your-domain>/soffid/webservice/scim2/v1/Role
```

##### Response 200 OK

```JSON
{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 4,
    "startIndex": 1,
    "Resources": [
        {
            "approvalEnd": "2021-02-26 13:19:36",
            "ownedRoles": [
                {
                    "informationSystem": "Operation/Business process/ad",
                    "ownerRole": 63,
                    "ownerRoleDescription": "SOFFID Administrator",
                    "roleId": 393195,
                    "mandatory": true,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "ad",
                    "meta": {
                        "location": "http://soffid.pat.lab:8080/webservice/scim2/v1/RoleGrant/1563461",
                        "resourceType": "RoleGrant"
                    },
                    "schemas": [
                        "urn:soffid:com.soffid.iam.api.RoleGrant"
                    ],
                    "roleName": "AD role",
                    "hasDomain": false,
                    "id": 1563461,
                    "ownerRoleName": "SOFFID_ADMIN",
                    "roleDescription": "AD role",
                    "status": "A"
                },
                {
                    "informationSystem": "Operation/Business 2/SOFFID",
                    "ownerRole": 63,
                    "ownerRoleDescription": "SOFFID Administrator",
                    "roleId": 393447,
                    "mandatory": true,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "ad",
                    "meta": {
                        "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/RoleGrant/501188",
                        "resourceType": "RoleGrant"
                    },
                    "schemas": [
                        "urn:soffid:com.soffid.iam.api.RoleGrant"
                    ],
                    "roleName": "accounting_mgr",
                    "hasDomain": false,
                    "id": 501188,
                    "ownerRoleName": "SOFFID_ADMIN",
                    "roleDescription": "Accounting Manager",
                    "status": "A"
                },
                {
                    "informationSystem": "Operation/Business process/ad",
                    "ownerRole": 63,
                    "ownerRoleDescription": "SOFFID Administrator",
                    "roleId": 391535,
                    "mandatory": true,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "ad",
                    "meta": {
                        "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/RoleGrant/503759",
                        "resourceType": "RoleGrant"
                    },
                    "schemas": [
                        "urn:soffid:com.soffid.iam.api.RoleGrant"
                    ],
                    "roleName": "g100",
                    "hasDomain": false,
                    "id": 503759,
                    "ownerRoleName": "SOFFID_ADMIN",
                    "roleDescription": "Desarrollo Circuito",
                    "status": "A"
                },
                {
                    "informationSystem": "Operation/Business process/ad",
                    "ownerRole": 63,
                    "ownerRoleDescription": "SOFFID Administrator",
                    "roleId": 391480,
                    "mandatory": false,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "ad",
                    "meta": {
                        "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/RoleGrant/501481",
                        "resourceType": "RoleGrant"
                    },
                    "schemas": [
                        "urn:soffid:com.soffid.iam.api.RoleGrant"
                    ],
                    "roleName": "Group Policy Creator Owners",
                    "hasDomain": false,
                    "id": 501481,
                    "ownerRoleName": "SOFFID_ADMIN",
                    "roleDescription": "Members in this group can modify group policy for the domain",
                    "status": "A"
                }
            ],
            "description": "SOFFID Administrator",
            "granteeGroups": [
                {
                    "system": "soffid",
                    "informationSystem": "Operation/Business 2/SOFFID",
                    "roleId": 63,
                    "meta": {
                        "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/RoleGrant/503848",
                        "resourceType": "RoleGrant"
                    },
                    "schemas": [
                        "urn:soffid:com.soffid.iam.api.RoleGrant"
                    ],
                    "roleName": "SOFFID_ADMIN",
                    "ownerGroup": "admingroup",
                    "hasDomain": false,
                    "id": 503848,
                    "roleDescription": "SOFFID Administrator",
                    "mandatory": true,
                    "enabled": true
                }
            ],
            "informationSystemName": "Operation/Business 2/SOFFID",
            "password": false,
            "system": "soffid",
            "ownerGroups": [
                {
                    "organizational": false,
                    "meta": {
                        "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/Group/91",
                        "resourceType": "Group"
                    },
                    "quota": "0",
                    "schemas": [
                        "urn:soffid:com.soffid.iam.api.Group"
                    ],
                    "name": "admingroup",
                    "obsolete": false,
                    "description": "Enterprise Administrators Group",
                    "parentGroup": "enterprise",
                    "attributes": {},
                    "id": 91
                }
            ],
            "ownerRoles": [
                {
                    "informationSystem": "Operation/Business 2/SOFFID",
                    "ownerRole": 392727,
                    "ownerRoleDescription": "Business Services",
                    "roleId": 63,
                    "mandatory": true,
                    "enabled": true,
                    "ownerSystem": "ad",
                    "system": "soffid",
                    "meta": {
                        "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/RoleGrant/501606",
                        "resourceType": "RoleGrant"
                    },
                    "schemas": [
                        "urn:soffid:com.soffid.iam.api.RoleGrant"
                    ],
                    "roleName": "SOFFID_ADMIN",
                    "hasDomain": false,
                    "id": 501606,
                    "ownerRoleName": "share-15000",
                    "roleDescription": "SOFFID Administrator",
                    "status": "A"
                }
            ],
            "bpmEnabled": true,
            "meta": {
                "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/Role/63",
                "resourceType": "Role"
            },
            "schemas": [
                "urn:soffid:com.soffid.iam.api.Role"
            ],
            "name": "SOFFID_ADMIN",
            "approvalStart": "2021-02-26 13:19:36",
            "attributes": {},
            "id": 63,
            "enableByDefault": true
        },
        {
            "ownedRoles": [],
            "description": "Soffid vault owner",
            "granteeGroups": [],
            "informationSystemName": "Operation/Business 2/SOFFID",
            "password": false,
            "system": "soffid",
            "ownerGroups": [],
            "ownerRoles": [],
            "bpmEnabled": true,
            "meta": {
                "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/Role/790961",
                "resourceType": "Role"
            },
            "schemas": [
                "urn:soffid:com.soffid.iam.api.Role"
            ],
            "name": "SOFFID_OWNER",
            "attributes": {},
            "id": 790961,
            "enableByDefault": false
        },
      .............
    ]
}
```

### List by filter

List all roles with a filter expression.

<p class="callout info">It is allowed to use pagination and sort the information, for more information visit the [Sorting](https://bookstack.soffid.com/link/116#bkmrk-sorting) and [Pagination](https://bookstack.soffid.com/link/116#bkmrk-pagination) information.</p>

##### Request

```MarkDown
GET https://<your-domain>/soffid/webservice/scim2/v1/Role?filter=ownerRoles.name eq SOFFID_ADMIN
```

##### Response 200 OK

```JSON
{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 4,
    "startIndex": 1,
    "Resources": [
        {
            "ownedRoles": [],
            "description": "Accounting Manager",
            "granteeGroups": [],
            "informationSystemName": "Operation/Business 2/SOFFID",
            "password": false,
            "system": "ad",
            "ownerGroups": [],
            "ownerRoles": [
                {
                    "informationSystem": "Operation/Business 2/SOFFID",
                    "ownerRole": 63,
                    "ownerRoleDescription": "SOFFID Administrator",
                    "roleId": 393447,
                    "mandatory": true,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "ad",
                    "meta": {
                        "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/RoleGrant/501188",
                        "resourceType": "RoleGrant"
                    },
                    "schemas": [
                        "urn:soffid:com.soffid.iam.api.RoleGrant"
                    ],
                    "roleName": "accounting_mgr",
                    "hasDomain": false,
                    "id": 501188,
                    "ownerRoleName": "SOFFID_ADMIN",
                    "roleDescription": "Accounting Manager",
                    "status": "A"
                }
            ],
            "bpmEnabled": true,
            "meta": {
                "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/Role/393447",
                "resourceType": "Role"
            },
            "schemas": [
                "urn:soffid:com.soffid.iam.api.Role"
            ],
            "name": "accounting_mgr",
            "attributes": {},
            "id": 393447,
            "enableByDefault": false
        },
        {
            "ownedRoles": [],
            "description": "Members in this group can modify group policy for the domain",
            "granteeGroups": [],
            "informationSystemName": "Operation/Business process/ad",
            "password": false,
            "system": "ad",
            "ownerGroups": [],
            "ownerRoles": [
                {
                    "informationSystem": "Operation/Business process/ad",
                    "ownerRole": 63,
                    "ownerRoleDescription": "SOFFID Administrator",
                    "roleId": 391480,
                    "mandatory": false,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "ad",
                    "meta": {
                        "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/RoleGrant/501481",
                        "resourceType": "RoleGrant"
                    },
                    "schemas": [
                        "urn:soffid:com.soffid.iam.api.RoleGrant"
                    ],
                    "roleName": "Group Policy Creator Owners",
                    "hasDomain": false,
                    "id": 501481,
                    "ownerRoleName": "SOFFID_ADMIN",
                    "roleDescription": "Members in this group can modify group policy for the domain",
                    "status": "A"
                }
            ],
            "bpmEnabled": false,
            "meta": {
                "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/Role/391480",
                "resourceType": "Role"
            },
            "schemas": [
                "urn:soffid:com.soffid.iam.api.Role"
            ],
            "name": "Group Policy Creator Owners",
            "attributes": {},
            "id": 391480,
            "enableByDefault": false
        },
      .............
    ]
}
```

### Query by id

Query a role by its id (primary key).

##### Request

```MarkDown
GET https://<your-domain>/soffid/webservice/scim2/v1/Role/393195
```

##### Response 200 OK

```JSON
{
    "approvalEnd": "2021-02-04 15:39:05",
    "ownedRoles": [],
    "description": "AD role",
    "granteeGroups": [],
    "informationSystemName": "Operation/Business process/ad",
    "password": false,
    "system": "ad",
    "ownerGroups": [],
    "ownerRoles": [
        {
            "informationSystem": "Operation/Business process/ad",
            "ownerRole": 63,
            "ownerRoleDescription": "SOFFID Administrator",
            "roleId": 393195,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "ad",
            "meta": {
                "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/RoleGrant/1563461",
                "resourceType": "RoleGrant"
            },
            "schemas": [
                "urn:soffid:com.soffid.iam.api.RoleGrant"
            ],
            "roleName": "AD role",
            "hasDomain": false,
            "id": 1563461,
            "ownerRoleName": "SOFFID_ADMIN",
            "roleDescription": "AD role",
            "status": "A"
        }
    ],
    "bpmEnabled": true,
    "meta": {
        "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/Role/393195",
        "resourceType": "Role"
    },
    "schemas": [
        "urn:soffid:com.soffid.iam.api.Role"
    ],
    "name": "AD role",
    "approvalStart": "2021-02-04 15:39:05",
    "attributes": {},
    "id": 393195,
    "enableByDefault": false
}
```

### Create

#### Request

```MarkDown
POST https://<your-domain>/soffid/webservice/scim2/v1/Role
```

**JSON**

```JSON
{
    "schemas": [
        "urn:soffid:com.soffid.iam.api.Role"
    ],
    "name": "App Billing Role",
    "description": "Role Admin for Billing application",
    "informationSystemName": "Operation/Business 2/App Billing",
    "system": "test",
    "password": false,
    "bpmEnabled": false,
    "enableByDefault": false,
    "granteeGroups": [],
    "ownedRoles": [],
    "ownerGroups": [],
    "ownerRoles": []
}
```

##### Response 201 Created

```JSON
{
    "ownedRoles": [],
    "description": "Role Admin for Billing application",
    "granteeGroups": [],
    "informationSystemName": "Operation/Business 2/App Billing",
    "password": false,
    "system": "test",
    "ownerGroups": [],
    "ownerRoles": [],
    "bpmEnabled": false,
    "meta": {
        "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/Role/1976590",
        "resourceType": "Role"
    },
    "schemas": [
        "urn:soffid:com.soffid.iam.api.Role"
    ],
    "name": "App Billing Role",
    "attributes": {},
    "id": 1976590,
    "enableByDefault": false
}
```

### Update partial

Only the attributes included in the request are updated; all other attributes keep their current value.

##### Request

```
PATCH https://<your-domain>/soffid/webservice/scim2/v1/Role/1976590
```

**JSON**

```JSON
{
    "schemas": [
        "urn:soffid:com.soffid.iam.api.Role"
    ],
    "Operations": [
        {
            "op": "replace",
            "path": "system",
            "value": "soffid"
        }
    ]
}
```

##### Response 200 OK

```JSON
{
    "ownedRoles": [],
    "description": "Role Admin for Billing application",
    "granteeGroups": [],
    "informationSystemName": "Operation/Business 2/App Billing",
    "password": false,
    "system": "soffid",
    "ownerGroups": [],
    "ownerRoles": [],
    "bpmEnabled": false,
    "meta": {
        "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/Role/1976590",
        "resourceType": "Role"
    },
    "schemas": [
        "urn:soffid:com.soffid.iam.api.Role"
    ],
    "name": "App Billing Role",
    "attributes": {},
    "id": 1976590,
    "enableByDefault": false
}
```

### Update all

This operation replaces all values in the role.

- Note that the attribute id is required to confirm that the resource "...Role/&lt;id&gt;" is the same as the role sent in the JSON body.
- Note that all the attributes not included in the request will be cleared in the role and their data will be lost.
- Note that not all the attributes are updatable, for example the meta attribute; omit these attributes from the request. For more information visit [Resource data model page](https://bookstack.soffid.com/books/scim/chapter/resource-data-model-schema)

##### Request

```MarkDown
PUT https://<your-domain>/soffid/webservice/scim2/v1/Role/1976590
```

**JSON**

```JSON
{
    "schemas": [
        "urn:soffid:com.soffid.iam.api.Role"
    ],
    "id": 1976590,
    "name": "App Billing",
    "description": "Role Admin for Billing application",
    "informationSystemName": "Operation/Business 2/App Billing",
    "system": "test",
    "password": false,
    "bpmEnabled": false,
    "enableByDefault": false,
    "granteeGroups": [],
    "ownedRoles": [],
    "ownerGroups": [],
    "ownerRoles": []
}
```

##### Response 200 OK

```JSON
{
    "ownedRoles": [],
    "description": "Role Admin for Billing application",
    "granteeGroups": [],
    "informationSystemName": "Operation/Business 2/App Billing",
    "password": false,
    "system": "test",
    "ownerGroups": [],
    "ownerRoles": [],
    "bpmEnabled": false,
    "meta": {
        "location": "http://soffid.pat.lab:8080/soffid/webservice/scim2/v1/Role/1976590",
        "resourceType": "Role"
    },
    "schemas": [
        "urn:soffid:com.soffid.iam.api.Role"
    ],
    "name": "App Billing",
    "attributes": {},
    "id": 1976590,
    "enableByDefault": false
}
```

### Delete

<p class="callout warning">Please note that after this delete, the role has to be created again before it can be used in the next examples.</p>

##### Request

```MarkDown
DELETE https://<your-domain>/soffid/webservice/scim2/v1/Role/1976590
```

##### Response 204 No Content

```
204 No Content
```

### Error response

<p class="callout info">For more information about error responses, visit [https://bookstack.soffid.com/link/116#bkmrk-error-response](https://bookstack.soffid.com/link/116#bkmrk-error-response)</p>

## Notes

### Note: use of roles with domain values

When a role with a security domain is granted, the optional `domainValue` attribute of the grant holds the value for that domain. Here is a sample account with permissions for the role SOFFID\_OU\_DOMAIN and the domain values D2 and enterprise:

```JSON
{
            "grantedRoles": [],
            "roles": [
                {
                    "informationSystemName": "SOFFID",
                    "roleName": "SOFFID_OU_MANAGER",
                    "id": 2236442,
                    "roleDescription": "Business unit manager",
                    "domainValue": "D2"
                },
                {
                    "informationSystemName": "SOFFID",
                    "roleName": "SOFFID_OU_MANAGER",
                    "id": 2236447,
                    "roleDescription": "Business unit manager",
                    "domainValue": "enterprise"
                }
            ],
            "description": "faith - faith MUYOYO",
            "type": {
                "value": "U"
            },
            "lastUpdated": "2019-07-16T10:35:01+02:00",
            "ownerGroups": [],
            "inheritNewPermissions": false,
            "disabled": false,
            "id": 1727122,
            "grantedGroups": [],
            "managerGroups": [],
            "passwordPolicy": "I",
            "managerRoles": [],
            "created": "2019-07-16T10:26:16+02:00",
            "system": "soffid",
            "ownerRoles": [],
            "meta": {
                "location": "http://bubu-thinkpad:8080/soffid/webservice/scim/Account/1727122",
                "resourceType": "Account"
            },
            "name": "faith",
            "managerUsers": [],
            "attributes": {},
            "grantedUsers": [],
            "ownerUsers": [
                {
                    "lastName": "Smith",
                    "createdByUser": "csv",
                    "mailServer": "null",
                    "nationalID": "",
                    "multiSession": false,
                    "modifiedByUser": "admin",
                    "id": 1727113,
                    "homeServer": "null",
                    "primaryGroupDescription": "Entrprise",
                    "primaryGroup": "enterprise",
                    "comments": "Loaded from CSV file on Mon Aug 05 22:00:00 CEST 2019",
                    "profileServer": "null",
                    "active": true,
                    "fullName": "faith MUYOYO",
                    "userName": "faith",
                    "mailAlias": "",
                    "firstName": "faith",
                    "createdDate": "2019-07-16T10:26:16+02:00",
                    "phoneNumber": "",
                    "modifiedDate": "2019-12-12T17:06:42+01:00",
                    "userType": "I"
                }
            ]
        }
```

### Notes about role domains

By default, roles have no security domain (sometimes referred to as scope). When a security domain is assigned to a role, each account-role object is tagged with the proper security domain value. It is allowed to assign one role multiple times to the same user, as long as each assignment is tagged with a different security domain value. For instance, one can create the SOFFID\_OU\_MANAGER role bound to the GROUPS security domain. Then, you can assign the role SOFFID\_OU\_MANAGER/Group1 to any user.

Four kinds of security domains are available:

- SENSE\_DOMAIN: No security domain applies
- GROUP: A business unit is bound to each grant of this role
- APLICATION: An information system is bound to each grant of this role
- Custom domain: Each application can have its own security domains with arbitrary meanings.

To set or modify the role domain for a role, one can use the "domain" attribute. This attribute is a complex object composed of a name and a description. Only the name is mandatory.

### Notes about role inheritance

Role inheritance is driven by the ownedRoles, ownerRoles and ownedGroups attributes. Each of them is an array of grants, and each grant has the following attributes:

- ownerRole: id of the owner role.
- ownerSystem: name of the owner role's system.
- ownerRoleName: name of the owner role.
- ownerRolDomainValue: security domain value of the owner role. If a user is granted the owner role and the ownerRolDomainValue does not match the grant's domain value, the inheritance rule does not apply.
- roleId: id of the owned role.
- system: name of the owned role's system.
- roleName: name of the owned role.
- domainValue: security domain value of the owned role.

The resulting domain value of an inherited grant varies slightly depending on whether the owned role and the owner role share the same security domain:

<div id="bkmrk-resulting-domain-val"><table class="wrapped confluenceTable tablesorter tablesorter-default" role="grid"><colgroup><col></col><col></col><col></col><col></col></colgroup><thead><tr class="tablesorter-headerRow" role="row"><th aria-disabled="false" aria-label="Resulting domain value: No sort applied, activate to apply an ascending sort" aria-sort="none" class="confluenceTh tablesorter-header sortableHeader tablesorter-headerUnSorted" data-column="0" role="columnheader" scope="col" tabindex="0"><div>**Resulting domain value**</div></th><th aria-disabled="false" aria-label="Owner role has no domain: No sort applied, activate to apply an ascending sort" aria-sort="none" class="confluenceTh tablesorter-header sortableHeader tablesorter-headerUnSorted" data-column="1" role="columnheader" scope="col" tabindex="0"><div>**Owner role has no domain**</div></th><th aria-disabled="false" aria-label="Owner role has a different domain: No sort applied, activate to apply an ascending sort" aria-sort="none" class="confluenceTh tablesorter-header sortableHeader tablesorter-headerUnSorted" data-column="2" role="columnheader" scope="col" tabindex="0"><div>**Owner role has a different domain**</div></th><th aria-disabled="false" aria-label="Same domain: No sort applied, activate to apply an ascending sort" aria-sort="none" class="confluenceTh tablesorter-header sortableHeader tablesorter-headerUnSorted" data-column="3" role="columnheader" scope="col" tabindex="0"><div>**Same domain**</div></th></tr></thead><tbody aria-live="polite" aria-relevant="all"><tr role="row"><td class="confluenceTd">Domain value not specified</td><td class="confluenceTd">Blank</td><td class="confluenceTd">Blank</td><td class="confluenceTd">Owner role domain value</td></tr><tr role="row"><td class="confluenceTd">Domain value specified</td><td class="confluenceTd">Specified value</td><td class="confluenceTd">Specified value</td><td class="confluenceTd">Specified value</td></tr></tbody></table>

</div>