SCIM 2.0 PATCH Operations - PingDirectory

Page created: 21 Nov 2019 |

Page updated: 16 Jun 2020

| 1 min read

8.0 Product PingDirectory IT Administrator Administrator Audience Product documentation Content Type Administration User task Software Deployment Method Directory Capability

When using a PATCH request to modify a SCIM 2.0 resource that has one or more required SCIM 2.0 attributes, the requester must also have permissions to read the values of these required attributes, even if the PATCH request does not alter them.

For example, assume we want to modify an LDAP Mapping SCIM 2.0 resource type using the following schema definition, where uid and cn are mapped to their LDAP equivalents:

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
  "id": "urn:test:schema:person",
  "attributes": [
    {
      "name": "uid",
      "type": "string",
      "multiValued": false,
      "required": true,
      "caseExact": false,
      "mutability": "readWrite",
      "returned": "default",
      "uniqueness": "none"
    },
    {
      "name": "cn",
      "type": "string",
      "multiValued": false,
      "required": false,
      "caseExact": false,
      "mutability": "readWrite",
      "returned": "default",
      "uniqueness": "none"
    }
  ],
  ... 
        }

The following PATCH operation will fail if the SCIM 2 service account does not have access to both uid and cn:

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations":[{
        "op":"add",
        "path":"cn",
         "value": "new cn value”
  }]
        }