PingDirectory

Defining permissions for SCIM 2.0 requests

Whether a System for Cross-domain Identity Management (SCIM) request succeeds on a server depends primarily on two things: the access control instructions (ACIs) configured in the server and the scopes carried in the OAuth bearer token used to authenticate the request.

You must define ACIs on the backend PingDirectory servers. Do not define ACIs on the PingDirectoryProxy server.

Internally, the server processes all SCIM 2.0 requests using the cn=SCIM2 Servlet,cn=Root DNs,cn=config service account. Whether a requested operation is allowed depends on the ACIs that apply to that operation. The oauthscope bind rule is useful because it lets the administrator base ACI decisions on the scopes carried in the request's OAuth token.

Because of implementation details, SCIM requests can execute properly only if the service account can read the objectClass attribute. Do not grant the service account access to objectClass globally. Instead, add the ACI that grants objectClass access only to the LDAP subtree that you want to expose to SCIM clients.

ACIs that don’t use the oauthscope bind rule can still apply to requested operations.

For example, an ACI that grants unconditional read access to any authenticated LDAP user also grants unconditional read access to SCIM requests, regardless of the scopes in the OAuth token. This is because the requests are processed through the service account, which is itself an authenticated user.
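The following LDIF is an added example, not part of the PingDirectory documentation, showing the two points above in practice: a scoped ACI on a single subtree that grants the service account the objectClass access it needs, beside the over-broad ACI that would silently bypass the scope check. The subtree ou=People,dc=example,dc=com, the scope names scim:read and scim:write, and the attribute list are assumptions chosen for illustration; the oauthscope bind rule and the service account DN are the ones the page names.

```ldif
# Added example (not from the PingDirectory documentation). Assumed values:
# the user subtree ou=People,dc=example,dc=com and the OAuth scope names
# scim:read and scim:write. Apply to a backend PingDirectory server, never
# to a PingDirectoryProxy server.
#
# Do NOT add an ACI like the commented one below to the subtree (or as a
# global ACI). It matches every authenticated bind, including the
# cn=SCIM2 Servlet service account, so every SCIM read would succeed no
# matter which scopes the bearer token carries:
#
#   aci: (targetattr="*")(version 3.0; acl "Read for all authenticated users";
#     allow (read,search,compare) userdn="ldap:///all";)
#
# Scoped form: the SCIM service account may read objectClass plus a listed
# set of user attributes, but only when the token carries scim:read, and may
# write a smaller set only when the token carries scim:write. Scoping the
# objectClass grant to this subtree (rather than globally) keeps entries
# elsewhere in the DIT out of reach of SCIM clients.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="objectClass||uid||cn||sn||mail")(version 3.0; acl "SCIM read requires scim:read scope"; allow (read,search,compare) userdn="ldap:///cn=SCIM2 Servlet,cn=Root DNs,cn=config" and oauthscope="scim:read";)
aci: (targetattr="cn||sn||mail")(version 3.0; acl "SCIM write requires scim:write scope"; allow (write) userdn="ldap:///cn=SCIM2 Servlet,cn=Root DNs,cn=config" and oauthscope="scim:write";)
```

Load the file with the ldapmodify tool shipped with PingDirectory (for example ldapmodify --hostname <backend-host> --port <ldap-port> --bindDN <admin-dn> --bindPassword <password> --filename scim-acis.ldif), binding as an administrator that is allowed to modify aci values. The two ACIs combine with the userdn bind rule so that the grant applies only to the SCIM service account; a token presenting scim:read alone cannot trigger the write grant, and a token with neither scope gets nothing from these ACIs. Before relying on them, search the subtree and its parents for any existing aci values that match userdn="ldap:///all" or userdn="ldap:///anyone" or a group the service account belongs to, since any such ACI still applies to SCIM requests irrespective of scopes.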