PingAuthorize

SCIM policy requests

For every System for Cross-domain Identity Management (SCIM) request or response, one or more policy requests are sent to the policy decision point (PDP) for authorization.

Policies can use a policy request’s action value to determine the processing phase and to act accordingly. Understanding how the SCIM service formulates policy requests will help you to create and troubleshoot policies more effectively.

Most SCIM operations are authorized in the following phases:

  1. The operation itself is authorized.

  2. The outgoing response is authorized with the retrieve action.

In most cases, you can reuse policies that target the retrieve action to specify read-access control rules. You can disable this retrieve action for a SCIM Resource Type if policies are only used for authorization before the operation. To do so, set the SCIM Resource Type’s disable-response-processing property to true. The resource is then returned as-is after the operation completes. This property also affects SCIM searches.

Operation Actions

POST /scim/v2/<resourceType>

create, retrieve

GET /scim/v2/<resourceType>/<resourceId>

retrieve

PUT /scim/v2/<resourceType>/<resourceId>

PATCH /scim/v2/<resourceType>/<resourceId>

modify, retrieve

DELETE /scim/v2/<resourceType>/<resourceId>

delete

GET /scim/v2/<resourceType>

POST /scim/v2/<resourceType>/.search

search, retrieve

-OR-

search, search-results

For more information about authorizing searches, see About SCIM searches.

Enable detailed decision logging and view all policy request attributes in action, particularly when learning how to develop SCIM policies. For more information, see Policy Decision Logger.