
SCIM Role examples

Operations

List all

List all roles.

GET http://<domain>/webservice/scim2/v1/Role
 
HTTP 200
{
    "totalResults": 3,
    "resources": [
        {
            "approvalEnd": "2019-12-09T12:58:23+01:00",
            "ownedRoles": [
                {
                    "informationSystem": "TEST",
                    "ownerRole": 34,
                    "roleId": 5794,
                    "mandatory": true,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "soffid",
                    "roleName": "TestRole",
                    "hasDomain": false,
                    "id": 1207155,
                    "ownerRoleName": "SOFFID_ADMIN",
                    "status": {
                        "value": "A"
                    }
                },
                {
                    "informationSystem": "SOFFID",
                    "ownerRole": 34,
                    "roleId": 50247,
                    "mandatory": true,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "soffid",
                    "roleName": "test2",
                    "hasDomain": false,
                    "id": 2234311,
                    "ownerRoleName": "SOFFID_ADMIN",
                    "status": {
                        "value": "A"
                    }
                }
            ],
            "indirectAssignment": "",
            "description": "SOFFID Administrator",
            "granteeGroups": [],
            "bpmEnforced": false,
            "informationSystemName": "SOFFID",
            "password": false,
            "system": "soffid",
            "ownerRoles": [],
            "meta": {
                "location": "http://<domain>/webservice/scim2/v1/Role/34",
                "resourceType": "Role"
            },
            "domain": {
                "name": "SENSE_DOMINI",
                "description": ""
            },
            "name": "SOFFID_ADMIN",
            "approvalStart": "2019-12-09T12:58:23+01:00",
            "attributes": {},
            "id": 34,
            "enableByDefault": true
        },
        {
            "approvalEnd": "2018-10-23T13:10:12+02:00",
            "ownedRoles": [
                {
                    "informationSystem": "TEST",
                    "ownerRole": 5794,
                    "roleId": 50257,
                    "mandatory": false,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "soffid",
                    "roleName": "TestRole2",
                    "hasDomain": false,
                    "id": 50262,
                    "ownerRoleName": "TestRole",
                    "status": {
                        "value": "A"
                    }
                },
                {
                    "informationSystem": "SOFFID",
                    "ownerRole": 5794,
                    "roleId": 1207022,
                    "mandatory": false,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "test1",
                    "roleName": "sudo",
                    "hasDomain": false,
                    "id": 1207161,
                    "ownerRoleName": "TestRole",
                    "status": {
                        "value": "A"
                    }
                }
            ],
            "indirectAssignment": "*",
            "description": "Test Role",
            "granteeGroups": [],
            "bpmEnforced": true,
            "informationSystemName": "TEST",
            "password": false,
            "system": "soffid",
            "ownerRoles": [
                {
                    "informationSystem": "TEST",
                    "ownerRole": 34,
                    "roleId": 5794,
                    "mandatory": true,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "soffid",
                    "roleName": "TestRole",
                    "hasDomain": false,
                    "id": 1207155,
                    "ownerRoleName": "SOFFID_ADMIN",
                    "status": {
                        "value": "A"
                    }
                },
                {
                    "informationSystem": "TEST",
                    "ownerRole": 1664252,
                    "roleId": 5794,
                    "mandatory": true,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "soffid",
                    "roleName": "TestRole",
                    "hasDomain": false,
                    "id": 1664260,
                    "ownerRoleName": "Perfil-Gerente",
                    "status": {
                        "value": "A"
                    }
                }
            ],
            "meta": {
                "location": "http://<domain>/webservice/scim2/v1/Role/5794",
                "resourceType": "Role"
            },
            "domain": {
                "name": "SENSE_DOMINI",
                "description": ""
            },
            "name": "TestRole",
            "approvalStart": "2018-10-23T13:10:12+02:00",
            "attributes": {
                "date": [
                    {}
                ],
                "owner": "admin"
            },
            "id": 5794,
            "category": "Test",
            "enableByDefault": true
        },
        {
            "approvalEnd": "2019-09-11T16:37:22+02:00",
            "ownedRoles": [
                {
                    "ownerRolDomainValue": "enterprise",
                    "informationSystem": "LINUX",
                    "ownerRole": 43645,
                    "roleId": 1624329,
                    "mandatory": true,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "LinuxHost",
                    "roleName": "avahi",
                    "hasDomain": false,
                    "id": 1750928,
                    "ownerRoleName": "SOFFID_OU_MANAGER",
                    "status": {
                        "value": "A"
                    }
                }
            ],
            "indirectAssignment": "",
            "description": "Business unit manager",
            "granteeGroups": [],
            "bpmEnforced": false,
            "informationSystemName": "SOFFID",
            "password": false,
            "system": "soffid",
            "ownerRoles": [],
            "meta": {
                "location": "http://<domain>/webservice/scim2/v1/Role/43645",
                "resourceType": "Role"
            },
            "domain": {
                "name": "GRUPS",
                "description": "Group domain"
            },
            "name": "SOFFID_OU_MANAGER",
            "approvalStart": "2019-09-11T16:37:22+02:00",
            "attributes": {
                "date": [
                    {}
                ]
            },
            "id": 43645,
            "enableByDefault": true
        }
    ]
}

Retrieve by id

Retrieve a role by its id (primary key). For instance, the administrator role listed previously.

GET http://<domain>/webservice/scim2/v1/Role/34
 
HTTP 200
{
    "approvalEnd": "2019-12-09T12:58:23+01:00",
    "ownedRoles": [
        {
            "informationSystem": "TEST",
            "ownerRole": 34,
            "roleId": 5794,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "TestRole",
            "hasDomain": false,
            "id": 1207155,
            "ownerRoleName": "SOFFID_ADMIN",
            "status": {
                "value": "A"
            }
        },
        {
            "informationSystem": "SOFFID",
            "ownerRole": 34,
            "roleId": 50247,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "test2",
            "hasDomain": false,
            "id": 2234311,
            "ownerRoleName": "SOFFID_ADMIN",
            "status": {
                "value": "A"
            }
        }
    ],
    "indirectAssignment": "",
    "description": "SOFFID Administrator",
    "granteeGroups": [],
    "bpmEnforced": false,
    "informationSystemName": "SOFFID",
    "password": false,
    "system": "soffid",
    "ownerRoles": [],
    "meta": {
        "location": "http://<domain>/webservice/scim2/v1/Role/34",
        "resourceType": "Role"
    },
    "domain": {
        "name": "SENSE_DOMINI",
        "description": ""
    },
    "name": "SOFFID_ADMIN",
    "approvalStart": "2019-12-09T12:58:23+01:00",
    "attributes": {},
    "id": 34,
    "enableByDefault": true
}

List by filter

List all roles matching a filter expression. For example, one can search for roles of the system "soffid" whose name ends with "ADMIN".

GET http://<domain>/webservice/scim2/v1/Role?filter=system eq "soffid" and name ew "ADMIN"
 
HTTP 200
{
    "totalResults": 1,
    "resources": [
        {
            "approvalEnd": "2019-12-09T12:58:23+01:00",
            "ownedRoles": [
                {
                    "informationSystem": "TEST",
                    "ownerRole": 34,
                    "roleId": 5794,
                    "mandatory": true,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "soffid",
                    "roleName": "TestRole",
                    "hasDomain": false,
                    "id": 1207155,
                    "ownerRoleName": "SOFFID_ADMIN",
                    "status": {
                        "value": "A"
                    }
                },
                {
                    "informationSystem": "SOFFID",
                    "ownerRole": 34,
                    "roleId": 50247,
                    "mandatory": true,
                    "enabled": true,
                    "ownerSystem": "soffid",
                    "system": "soffid",
                    "roleName": "test2",
                    "hasDomain": false,
                    "id": 2234311,
                    "ownerRoleName": "SOFFID_ADMIN",
                    "status": {
                        "value": "A"
                    }
                }
            ],
            "indirectAssignment": "",
            "description": "SOFFID Administrator",
            "granteeGroups": [],
            "bpmEnforced": false,
            "informationSystemName": "SOFFID",
            "password": false,
            "system": "soffid",
            "ownerRoles": [],
            "meta": {
                "location": "http://<domain>/webservice/scim2/v1/Role/34",
                "resourceType": "Role"
            },
            "domain": {
                "name": "SENSE_DOMINI",
                "description": ""
            },
            "name": "SOFFID_ADMIN",
            "approvalStart": "2019-12-09T12:58:23+01:00",
            "attributes": {},
            "id": 34,
            "enableByDefault": true
        }
    ]
}

Create

One may create a role. This role will be used for the following examples.

POST http://<domain>/webservice/scim2/v1/Role
 
Put the role JSON in the body of the request:
{
    "approvalEnd": "2019-12-09T12:58:23+01:00",
    "ownedRoles": [
        {
            "informationSystem": "TEST",
            "roleId": 5794,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "TestRole",
            "hasDomain": false,
            "id": 1207155,
            "ownerRoleName": "SOFFID_OU_OWNER"
        },
        {
            "informationSystem": "SOFFID",
            "roleId": 50247,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "test2",
            "hasDomain": false,
            "id": 2234311,
            "ownerRoleName": "SOFFID_OU_OWNER"
        }
    ],
    "description": "SOFFID test role",
    "bpmEnforced": false,
    "informationSystemName": "SOFFID",
    "password": false,
    "system": "soffid",
    "ownerRoles": [],
    "domain": {
        "name": "GRUPS",
        "description": ""
    },
    "name": "SOFFID_OU_OWNER"
}
 
HTTP 201
{
    "approvalEnd": "2019-12-12T09:53:05.928+01:00",
    "ownedRoles": [
        {
            "informationSystem": "SOFFID",
            "ownerRole": 2236407,
            "roleId": 50247,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "test2",
            "hasDomain": false,
            "id": 2236411,
            "ownerRoleName": "SOFFID_OU_OWNER",
            "status": {
                "value": "A"
            }
        },
        {
            "informationSystem": "TEST",
            "ownerRole": 2236407,
            "roleId": 5794,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "TestRole",
            "hasDomain": false,
            "id": 2236408,
            "ownerRoleName": "SOFFID_OU_OWNER",
            "status": {
                "value": "A"
            }
        }
    ],
    "indirectAssignment": "",
    "description": "SOFFID test role",
    "granteeGroups": [],
    "bpmEnforced": false,
    "informationSystemName": "SOFFID",
    "password": false,
    "system": "soffid",
    "ownerRoles": [],
    "meta": {
        "location": "http://<domain>/webservice/scim2/v1/Role/2236407",
        "resourceType": "Role"
    },
    "domain": {
        "name": "GRUPS",
        "description": "Group domain"
    },
    "name": "SOFFID_OU_OWNER",
    "approvalStart": "2019-12-12T09:53:05.928+01:00",
    "attributes": {},
    "id": 2236407,
    "enableByDefault": false
}

Update partial

Send only the attributes that have changed; only these attributes will be updated in the role, and the rest keep their current values.

PATCH http://<domain>/webservice/scim2/v1/Role/2236407
 
Put the role JSON in the body of the request:
{
    "description": "SOFFID test role (modified)"
}
 
HTTP 200
{
    "approvalEnd": "2019-12-12T09:53:05+01:00",
    "ownedRoles": [
        {
            "informationSystem": "SOFFID",
            "ownerRole": 2236407,
            "roleId": 50247,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "test2",
            "hasDomain": false,
            "id": 2236411,
            "ownerRoleName": "SOFFID_OU_OWNER",
            "status": {
                "value": "A"
            }
        },
        {
            "informationSystem": "TEST",
            "ownerRole": 2236407,
            "roleId": 5794,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "TestRole",
            "hasDomain": false,
            "id": 2236408,
            "ownerRoleName": "SOFFID_OU_OWNER",
            "status": {
                "value": "A"
            }
        }
    ],
    "indirectAssignment": "",
    "description": "SOFFID test role (modified)",
    "granteeGroups": [],
    "bpmEnforced": false,
    "informationSystemName": "SOFFID",
    "password": false,
    "system": "soffid",
    "ownerRoles": [],
    "meta": {
        "location": "http://<domain>/webservice/scim2/v1/Role/2236407",
        "resourceType": "Role"
    },
    "domain": {
        "name": "GRUPS",
        "description": "Group domain"
    },
    "name": "SOFFID_OU_OWNER",
    "approvalStart": "2019-12-12T09:53:05+01:00",
    "attributes": {},
    "id": 2236407,
    "enableByDefault": false
}

Update all

This operation replaces all values in the role. For example, we will update the information system.

  • Note that the attribute id is required to confirm that the resource "...Role/<id>" is the same role as the one in the JSON body.
  • Note that all the attributes not included in the request will be cleared in the role and their data will be lost.
  • Note that not all the attributes are updatable (for example, the meta attribute); omit these attributes from the request. For more information see the Resource data model page.
PUT http://<domain>/webservice/scim2/v1/Role/2236407
 
Put the role JSON in the body of the request:
{
    "approvalEnd": "2019-12-12T09:53:05+01:00",
    "ownedRoles": [
        {
            "informationSystem": "SOFFID",
            "ownerRole": 2236407,
            "roleId": 50247,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "test2",
            "hasDomain": false,
            "id": 2236411,
            "ownerRoleName": "SOFFID_OU_OWNER",
            "status": {
                "value": "A"
            }
        },
        {
            "informationSystem": "TEST",
            "ownerRole": 2236407,
            "roleId": 5794,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "TestRole",
            "hasDomain": false,
            "id": 2236408,
            "ownerRoleName": "SOFFID_OU_OWNER",
            "status": {
                "value": "A"
            }
        }
    ],
    "indirectAssignment": "",
    "description": "SOFFID test role (modified 2)",
    "granteeGroups": [],
    "bpmEnforced": false,
    "informationSystemName": "SOFFID",
    "password": false,
    "system": "soffid",
    "ownerRoles": [],
    "domain": {
        "name": "GRUPS",
        "description": "Group domain"
    },
    "name": "SOFFID_OU_OWNER",
    "approvalStart": "2019-12-12T09:53:05+01:00",
    "attributes": {},
    "id": 2236407,
    "enableByDefault": false
}
HTTP 200
{
    "approvalEnd": "2019-12-12T09:53:05+01:00",
    "ownedRoles": [
        {
            "informationSystem": "SOFFID",
            "ownerRole": 2236407,
            "roleId": 50247,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "test2",
            "hasDomain": false,
            "id": 2236411,
            "ownerRoleName": "SOFFID_OU_OWNER",
            "status": {
                "value": "A"
            }
        },
        {
            "informationSystem": "TEST",
            "ownerRole": 2236407,
            "roleId": 5794,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "TestRole",
            "hasDomain": false,
            "id": 2236408,
            "ownerRoleName": "SOFFID_OU_OWNER",
            "status": {
                "value": "A"
            }
        }
    ],
    "indirectAssignment": "",
    "description": "SOFFID test role (modified)",
    "granteeGroups": [],
    "bpmEnforced": false,
    "informationSystemName": "SOFFID",
    "password": false,
    "system": "soffid",
    "ownerRoles": [],
    "meta": {
        "location": "http://<domain>/webservice/scim2/v1/Role/2236407",
        "resourceType": "Role"
    },
    "domain": {
        "name": "GRUPS",
        "description": "Group domain"
    },
    "name": "SOFFID_OU_OWNER",
    "approvalStart": "2019-12-12T09:53:05+01:00",
    "attributes": {},
    "id": 2236407,
    "enableByDefault": false
}

Delete

Delete a role and its relations (groups, accounts, attributes, secondary groups, etc.).

  • Please note that after this delete action, you will need to create the role again to use it in the next examples.
DELETE http://<domain>/webservice/scim2/v1/Role/2236407
 
HTTP 204

Notes

Notes about role domains

By default, roles have no security domain (sometimes referred to as scope). When a security domain is assigned to a role, each account-role object is tagged with the proper security domain value. It is allowed to assign one role multiple times to the same user, as long as each assignment is tagged with a different security domain value. For instance, one can create the SOFFID_OU_MANAGER role bound to the GROUPS security domain. Then, you can assign the role SOFFID_OU_MANAGER/Group1 to any user.

Four kinds of security domains are available:

  • SENSE_DOMAIN: No security domain applies
  • GROUP: A business unit is bound to each grant of this role
  • APLICATION: An information system is bound to each grant of this role
  • Custom domain: Each application can have its own security domains with arbitrary meanings.

To set or modify the domain of a role, use the "domain" attribute. This attribute is a complex object composed of a name and a description. Only the name is mandatory.

Notes about role inheritance

Role inheritance is driven by the ownedRoles, ownerRoles and ownedGroups attributes. Each of these attributes is an array of grants. Each grant has the following attributes:

  • ownerRole: id of owner role.
  • ownerSystem: name of owner role's system. 
  • ownerRoleName: name of the owner role.
  • ownerRolDomainValue: security domain of the owner role. If a user is granted with the owner role, and the ownerRolDomainValue does not match the grant domain, the inheritance rule does not apply.
  • roleId: id of owned role.
  • system: name of owned role's system
  • roleName: name of the owned role
  • domainValue: security domain of the owned role. 

The resulting domain value of an inherited grant varies slightly depending on whether the owned role and the owner role are in the same domain or not:

Resulting domain value:

| Grant domain value | Owner role has no domain | Owner role has a different domain | Same domain |
|---|---|---|---|
| Domain value not specified | Blank | Blank | Owner role domain value |
| Domain value specified | Specified value | Specified value | Specified value |