Defining permissions for SCIM 2.0 requests
Whether a System for Cross-domain Identity Management (SCIM) request is allowed on a server depends on both the access control instructions (ACIs) configured in the server and the OAuth scopes carried by the bearer token used to authenticate the request.
You must define ACIs on the backend PingDirectory servers. Do not define ACIs on the PingDirectoryProxy server.
Internally, all SCIM 2.0 requests are processed using the cn=SCIM2 Servlet,cn=Root DNs,cn=config service account. Whether a requested operation is allowed depends on the ACIs that apply to that operation. The oauthscope bind rule is useful because it lets the administrator use the OAuth scopes supplied with the request in ACI logic.
Because of implementation details, access to the objectclass operational LDAP attribute is necessary for SCIM requests to execute properly. Do not give the service account access to objectclass globally. Instead, add the ACI that grants objectclass access on the LDAP subtree that you want to expose to clients.
For more information, see Configuring permissions for SCIM 2.0 operations.
ACIs that don't use the oauthscope bind rule apply regardless of the supplied OAuth scopes. For example, an ACI that grants unconditional read access to any authenticated LDAP user also grants unconditional read access to SCIM requests regardless of the provided OAuth scopes, because the requests are processed through the service account.
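The following LDIF is an added illustration of the pattern described in the two paragraphs above (scope-gated access for the service account, plus objectclass access limited to the exposed subtree); it is not taken from the PingDirectory documentation. The subtree dc=example,dc=com, the scope name scim:read, and the exact ACI syntax are assumptions, so confirm them against your server's ACI reference before applying.

```ldif
# Added example, not from the PingDirectory documentation.
# Assumptions: the exposed subtree is dc=example,dc=com and the bearer
# token scope that should permit reads is named scim:read.
# Apply with ldapmodify to each backend PingDirectory server (never to
# the PingDirectoryProxy server).
#
# ACI 1: read access for SCIM requests, granted to the SCIM2 servlet
#        service account only when the presented token carries scim:read.
# ACI 2: objectclass is required for SCIM processing; it is granted on
#        this subtree only, not globally.
#
# Contrast (do not add): an ACI on this subtree such as
#   allow (read,search,compare) userdn="ldap:///all";
# with no oauthscope bind rule also matches the service account and so
# grants SCIM read access regardless of the token's scopes.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "SCIM2 read requires scim:read scope";
  allow (read,search,compare)
  userdn="ldap:///cn=SCIM2 Servlet,cn=Root DNs,cn=config"
  and oauthscope="scim:read";)
-
add: aci
aci: (targetattr="objectclass")(version 3.0; acl "SCIM2 objectclass on exposed subtree";
  allow (read,search,compare)
  userdn="ldap:///cn=SCIM2 Servlet,cn=Root DNs,cn=config";)
-
```

After applying, a SCIM read against this subtree with a token lacking scim:read should be denied while an LDAP bind as the same service account with a scim:read token is allowed; an unexpected allow usually means another ACI without an oauthscope bind rule also matches the service account.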