Resource versioning is enabled by default in new installations. Upgraded servers that had SCIM enabled need additional configuration to enable resource versioning.

  1. Enable the ds-entry-checksum virtual attribute.
    $ bin/dsconfig set-virtual-attribute-prop \
                            --name ds-entry-checksum \
                            --set enabled:true
  2. Remove any existing access controls required by SCIM for read access to operational attributes:
    $ bin/dsconfig set-access-control-handler-prop \
                            --remove 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
  3. On the backend Directory Server, make sure the new access controls required by SCIM for read access to operational attributes are enabled with the following command. If this ACI is not present, issues will occur when a SCIM client tries to authenticate with a non-root DN.
    $ bin/dsconfig set-access-control-handler-prop \
                            --add 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time || ds-entry-checksum")(version 3.0;acl "Authenticated read access to operational attributes used by the SCIM servlet extension"; allow (read,search,compare) userdn="ldap:///all";)'
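
A post-change check for steps 2 and 3, as an added example that is not part of the product or its documentation: it reads global-aci values, one per line on stdin, and reports whether exactly one SCIM ACI remains and whether it lists ds-entry-checksum. The function name, return codes and sample values are assumptions; how you export the values from your server is left to you.

```shell
#!/bin/sh
# Added example (not vendor code): check exported global-aci values, one per
# line on stdin, for the state the procedure above should leave behind.
ACL_NAME='Authenticated read access to operational attributes used by the SCIM servlet extension'

# Returns 0 = exactly one SCIM ACI and it lists ds-entry-checksum,
#         1 = a stale or duplicate SCIM ACI is present,
#         2 = no SCIM ACI found.
check_scim_aci() {
    found=0
    stale=0
    while IFS= read -r line; do
        case $line in
            *"acl \"$ACL_NAME\""*) found=$((found + 1)) ;;
            *) continue ;;
        esac
        # Extract the targetattr list and split it on "||", one name per line.
        attrs=$(printf '%s\n' "$line" |
            sed -n 's/.*(targetattr="\([^"]*\)").*/\1/p' |
            sed 's/ *|| */|/g' | tr '|' '\n')
        if printf '%s\n' "$attrs" | grep -qx 'ds-entry-checksum'; then
            echo "OK: SCIM ACI lists ds-entry-checksum"
        else
            stale=$((stale + 1))
            echo "STALE: SCIM ACI without ds-entry-checksum (step 2 not applied)"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "MISSING: no SCIM ACI found (step 3 not applied)"
        return 2
    fi
    if [ "$stale" -gt 0 ] || [ "$found" -gt 1 ]; then
        return 1
    fi
    return 0
}

# Constructed sample values mirroring the two ACIs in the steps above.
ATTRS='entryUUID || entryDN || ds-entry-unique-id || createTimestamp || ds-create-time || modifyTimestamp || ds-update-time'
TAIL="(version 3.0;acl \"$ACL_NAME\"; allow (read,search,compare) userdn=\"ldap:///all\";)"
STALE_ACI="(targetattr=\"$ATTRS\")$TAIL"
UPDATED_ACI="(targetattr=\"$ATTRS || ds-entry-checksum\")$TAIL"

printf '%s\n' "$UPDATED_ACI" | check_scim_aci
```

A return code of 1 when both the old and new ACIs are present is deliberate: the stale entry grants nothing the new one does not, so leaving it behind only adds an unreviewed rule to the access control handler.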