---
title: SCIM policy request attributes
description: The following tables describe policy request attributes and their functions.
component: pingauthorize
version: 11.0
page_id: pingauthorize:pingauthorize_server_administration_guide:paz_scim_policy_request_attrs
canonical_url: https://docs.pingidentity.com/pingauthorize/11.0/pingauthorize_server_administration_guide/paz_scim_policy_request_attrs.html
revdate: July 21, 2025
---

# SCIM policy request attributes

The following tables describe policy request attributes and their functions.

The following table identifies the attributes associated with a policy request that the System for Cross-domain Identity Management (SCIM) service generates.

| Policy request attribute | Description                                                                                                                                                                                           | Type   |
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `action`                 | Identifies the SCIM request as one of the following types: `create`, `modify`, `retrieve`, `delete`, `search`, `search-request`.                                                                      | String |
| `attributes`             | Additional attributes that do not correspond to a specific entity type in the PingAuthorize Trust Framework. For more information, see the following table.                                           | Object |
| `domain`                 | Unused.                                                                                                                                                                                               | String |
| `identityProvider`       | Name of the access token validator that evaluates the bearer token used in an incoming request.                                                                                                       | String |
| `service`                | Identifies the SCIM service and resource type using a value of the form `SCIM2.<resource type>`. For example, for a request using the "Users" resource type, the service value would be `SCIM2.Users`. | String |

The following table identifies the additional attributes that are included in `attributes`.

| Attribute                       | Description                                                                                                                                                                           | Type       |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `HttpRequest.AccessToken`       | Parsed access token. For more information, see the following table.                                                                                                                   | Object     |
| `HttpRequest.ClientCertificate` | Properties of the client certificate, if one is used.                                                                                                                                 | Object     |
| `HttpRequest.CorrelationId`     | A unique value that identifies the request and response, if available.                                                                                                                | String     |
| `HttpRequest.IPAddress`         | The client IP address.                                                                                                                                                                | String     |
| `HttpRequest.QueryParameters`   | Request URI query parameters.                                                                                                                                                         | Object     |
| `HttpRequest.RequestBody`       | The request body, if available. This attribute is available for POST, PUT, and PATCH requests.                                                                                        | Object     |
| `HttpRequest.RequestHeaders`    | The HTTP request headers.                                                                                                                                                             | Object     |
| `HttpRequest.RequestURI`        | The request URI.                                                                                                                                                                      | String     |
| `HttpRequest.ResourcePath`      | Uniquely identifies the SCIM resource that is being requested, in the format `<Resource Type>/<SCIM ID>`, as the following example shows: `Users/0450b8db-f055-35d8-8e2f-0f203a291cd1` | String     |
| `HttpRequest.ResponseBody`      | The response body, if available. This attribute is provided only for outbound policy requests.                                                                                        | Object     |
| `HttpRequest.ResponseHeaders`   | The HTTP response headers, if available.                                                                                                                                              | Object     |
| `HttpRequest.ResponseStatus`    | The HTTP response status code, if available.                                                                                                                                          | Number     |
| `impactedAttributes`            | Provides the set of attributes that the request modifies.                                                                                                                             | Collection |
| `SCIM2`                         | Provides additional, SCIM2-specific information about the request.                                                                                                                    | Object     |
| `TokenOwner`                    | Access token subject as a SCIM resource, as obtained by the access token validator.                                                                                                   | Object     |

The access token validator populates the `HttpRequest.AccessToken` attribute, which contains the fields in the following table. These fields correspond approximately to the fields that the IETF Token Introspection specification ([RFC 7662](https://datatracker.ietf.org/doc/html/rfc7662)) defines.

| Attribute      | Description                                                                                                                                                                                              | Type       |
| -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `access_token` | The actual access token from the client request.                                                                                                                                                         | String     |
| `active`       | Indicates whether this access token is currently active, as determined by the access token validator.                                                                                                    | Boolean    |
| `audience`     | Identifies the recipients for whom the access token is intended. Typically, the authorization server sets this field to indicate the resource servers that might accept the token.                       | Array      |
| `client_id`    | The client ID of the application that was granted the access token.                                                                                                                                      | String     |
| `expiration`   | Date and time at which the access token expires.                                                                                                                                                         | DateTime   |
| `issued_at`    | Date and time at which the access token was issued.                                                                                                                                                      | DateTime   |
| `issuer`       | Token issuer. This attribute is usually a URI that identifies the authorization server.                                                                                                                  | String     |
| `not_before`   | Date and time before which a resource server does not accept the access token.                                                                                                                           | DateTime   |
| `scope`        | Identifies the list of scopes granted to this token.                                                                                                                                                     | Collection |
| `subject`      | Token subject. This attribute is a user identifier that the authorization server sets.                                                                                                                   | String     |
| `token_owner`  | User identifier that was resolved by the access token validator's token resource lookup method. This attribute is always a SCIM ID of the form `<resource type>/<resource ID>`.                          | String     |
| `token_type`   | The token type, as set by the authorization server. This value is typically set to `bearer`.                                                                                                             | String     |
| `user_token`   | Flag that the access token validator sets to indicate that the token was issued originally to a subject. If this flag is `false`, the token does not have a subject and was issued directly to a client. | Boolean    |
| `username`     | Subject's user name. This attribute is a user identifier that the authorization server sets.                                                                                                             | String     |

The following table identifies the fields that the `HttpRequest.ClientCertificate` attribute contains.

| Attribute      | Description                                                                                                                                      | Type     |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -------- |
| `algorithm`    | Name of the certificate signature algorithm, such as `SHA256withRSA`.                                                                            | String   |
| `algorithmOID` | Signature algorithm OID.                                                                                                                         | String   |
| `issuer`       | Distinguished name (DN) of the certificate issuer.                                                                                               | String   |
| `notAfter`     | Expiration date and time of the certificate.                                                                                                     | DateTime |
| `notBefore`    | Earliest date on which the certificate is considered valid.                                                                                      | DateTime |
| `subject`      | DN of the certificate subject.                                                                                                                   | String   |
| `subjectRegex` | Regular expression that must be matched by the subject field of the certificate to ensure that the certificate belongs to the requesting client. | String   |
| `valid`        | Indicates whether the certificate is valid.                                                                                                      | Boolean  |

The following table identifies the fields that the `SCIM2` attribute contains.

| Attribute       | Description                                                                                                                                                                                                                                                                                                                                   | Type   |
| --------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `modifications` | Contains a normalized SCIM 2 PATCH request object that represents all of the changes to apply. This attribute is available for PUT and PATCH requests.                                                                                                                                                                                        | Object |
| `resource`      | Complete SCIM resource that the request targets. This attribute is available for GET, PUT, PATCH, and DELETE requests. The `resource` attribute is also available in the policy requests that are performed for each matching SCIM resource in a search result. For more information, see [About SCIM searches](paz_about_scim_searches.html). | Object |
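
The following is an added example, not part of the PingAuthorize documentation or product code: it shows how the attributes in the preceding tables combine into a deny-by-default self-service rule, relying on `token_owner` and `HttpRequest.ResourcePath` sharing the `<resource type>/<resource ID>` form. The dict layout, the ISO 8601 timestamps, the `profile` scope, the `SELF_EDITABLE` allow-list, and the `decide` function are assumptions made for illustration.

```python
from datetime import datetime

# Constructed policy request: a plain dict mirroring the attribute tables on
# this page; not PingAuthorize's wire format. ISO 8601 timestamps are assumed.
SAMPLE_REQUEST = {
    "action": "modify",
    "service": "SCIM2.Users",
    "attributes": {
        "HttpRequest.ResourcePath": "Users/0450b8db-f055-35d8-8e2f-0f203a291cd1",
        "HttpRequest.AccessToken": {
            "active": True,
            "user_token": True,
            "scope": ["profile"],
            "not_before": "2020-01-01T00:00:00+00:00",
            "expiration": "2030-01-01T00:00:00+00:00",
            "token_owner": "Users/0450b8db-f055-35d8-8e2f-0f203a291cd1",
        },
        "impactedAttributes": ["emails", "displayName"],
    },
}
SELF_EDITABLE = {"emails", "displayName", "phoneNumbers"}  # hypothetical allow-list


def decide(request, now, required_scope="profile"):
    """Return (permit, reason); any missing or unexpected value denies."""
    attrs = request.get("attributes") or {}
    token = attrs.get("HttpRequest.AccessToken") or {}
    if token.get("active") is not True:
        return False, "token not active"
    try:
        start = datetime.fromisoformat(token["not_before"])
        end = datetime.fromisoformat(token["expiration"])
        if not start <= now < end:
            return False, "token outside validity window"
    except (KeyError, ValueError, TypeError):
        return False, "token validity window missing or malformed"
    if token.get("user_token") is not True:
        return False, "token issued to a client, not a subject"
    if required_scope not in (token.get("scope") or []):
        return False, "required scope missing"
    if request.get("service") != "SCIM2.Users" or request.get("action") != "modify":
        return False, "rule does not cover this service/action"
    owner = token.get("token_owner")
    if not owner or owner != attrs.get("HttpRequest.ResourcePath"):
        return False, "token owner is not the target resource"
    impacted = set(attrs.get("impactedAttributes") or [])
    if not impacted <= SELF_EDITABLE:
        return False, "modifies attributes outside the self-service allow-list"
    return True, "permit"
```

Pass a timezone-aware `now`; a naive datetime is treated as a malformed validity window and denied.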
