This example assumes that you have set up an LDAP mapping SCIM 2.0 Resource Type for the device objectclass (see Configuring an LDAP Mapping SCIM 2.0 resource type).
-
Send the following request to the SCIM /Devices endpoint.
curl -k -X GET \
  https://localhost:8443/scim/v2/Devices \
  -H 'Authorization: Bearer {"active":true}'
The response from the server should contain no search results:
{
  "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
  "totalResults": 0
}
Note: If any results are returned, another ACI is most likely allowing the SCIM request to succeed. Enabling the Debug ACI Log Publisher will help determine which ACI is responsible. To confirm that the empty response is an access-control effect rather than missing data, run ldapsearch against the ou=Devices,dc=example,dc=com subtree: the entries exist, but they do not appear in the SCIM response because the SCIM request does not yet have the permissions needed to view them.
-
Use the following ldapmodify command to place an ACI on the ou=Devices,dc=example,dc=com subtree. This gives read, search, and compare access to the objectclass attribute for all entries under the ou=Devices,dc=example,dc=com subtree, as long as the SCIM request's bearer token includes the device scope.
$ ldapmodify
dn: ou=Devices,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="objectclass")(version 3.0; acl "ACI for device scope"; allow (read,search,compare) oauthscope="device";)
-
Send the following request to the SCIM /Devices endpoint, this time including the device scope in the bearer token:
curl -k -X GET \
  https://localhost:8443/scim/v2/Devices \
  -H 'Authorization: Bearer {"active":true, "scope":"device"}'
The response from the server should now contain the entries under the ou=Devices,dc=example,dc=com subtree. However, these are missing values for the name and description attributes since the ACI that was created earlier does not give access to the cn and description LDAP attributes to which they are mapped.
-
Use the following ldapmodify command to place another ACI on the ou=Devices,dc=example,dc=com subtree, which gives read, search, and compare access to both the cn and description LDAP attributes when the bearer token includes the device_extended scope:
$ ldapmodify
dn: ou=Devices,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="cn || description")(version 3.0; acl "ACI for device_extended scope"; allow (read,search,compare) oauthscope="device_extended";)
-
Send the following request to the SCIM /Devices endpoint, this time including the device_extended scope along with the device scope in the bearer token:
curl -k -X GET \
  https://localhost:8443/scim/v2/Devices \
  -H 'Authorization: Bearer {"active":true, "scope":["device", "device_extended"]}'
The response from the server should now contain values for the name and description attributes.
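The three requests above show one result each, which makes it easy to miss the rule behind them: an entry is listed only when the token's scopes satisfy an ACI granting search on the attribute the SCIM search filters on, and each SCIM attribute is populated only when some ACI grants read on its mapped LDAP attribute. The following Python script, added here as an illustration and not part of the server or of this documentation, models that evaluation offline so the outcomes of the procedure can be reproduced and the edge cases checked without a running server. It assumes a Devices resource type whose name and description map to cn and description (as stated above), that the SCIM search is an LDAP search filtered on objectclass, two constructed sample entries, and that the SCIM id is rendered as the entry DN; parse_aci handles only the ACI shape used on this page, and fetch_devices is an optional helper that issues the page's curl request (with TLS verification disabled, exactly like curl -k) against a real instance.

```python
import json
import re
import ssl
import urllib.request

# Assumed mapping for the Devices resource type: SCIM attribute -> LDAP attribute
# (the page states name->cn and description->description).
SCIM_TO_LDAP = {"name": "cn", "description": "description"}
# The SCIM search is modelled as an LDAP search filtered on objectclass, so an
# entry is returned only when the token has search rights on that attribute.
FILTER_ATTR = "objectclass"

# Constructed sample entries standing in for ou=Devices,dc=example,dc=com.
DEVICE_ENTRIES = [
    {"dn": "cn=thermostat-1,ou=Devices,dc=example,dc=com",
     "objectclass": ["top", "device"], "cn": ["thermostat-1"],
     "description": ["Lobby thermostat"]},
    {"dn": "cn=badge-reader-2,ou=Devices,dc=example,dc=com",
     "objectclass": ["top", "device"], "cn": ["badge-reader-2"],
     "description": ["East door badge reader"]},
]

# The two ACIs from the procedure above, verbatim.
ACI_DEVICE = ('(targetattr="objectclass")(version 3.0; acl "ACI for device scope"; '
              'allow (read,search,compare) oauthscope="device";)')
ACI_DEVICE_EXTENDED = ('(targetattr="cn || description")(version 3.0; '
                       'acl "ACI for device_extended scope"; '
                       'allow (read,search,compare) oauthscope="device_extended";)')

# Only the ACI shape used on this page is parsed: one targetattr, one allow
# clause, one oauthscope bind rule.
_ACI_RE = re.compile(
    r'\(targetattr="(?P<attrs>[^"]+)"\)'
    r'\(version 3\.0; acl "(?P<name>[^"]+)"; '
    r'allow \((?P<rights>[^)]+)\) oauthscope="(?P<scope>[^"]+)";\)'
)


def parse_aci(aci: str) -> dict:
    """Split an ACI into its target attributes, granted rights and required scope."""
    m = _ACI_RE.fullmatch(aci.strip())
    if m is None:
        raise ValueError(f"unsupported ACI syntax: {aci}")
    return {
        "name": m["name"],
        "attrs": frozenset(a.strip().lower() for a in m["attrs"].split("||")),
        "rights": frozenset(r.strip().lower() for r in m["rights"].split(",")),
        "scope": m["scope"],
    }


def token_scopes(bearer: str) -> frozenset:
    """Scopes carried by the JSON bearer token; an inactive token grants nothing.
    'scope' may be a list (as on this page) or a space-separated string."""
    token = json.loads(bearer)
    if not token.get("active", False):
        return frozenset()
    scope = token.get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return frozenset(scope)


def granted_attrs(acis, bearer: str, right: str) -> set:
    """Attributes on which some ACI grants `right` to a token with these scopes."""
    scopes = token_scopes(bearer)
    attrs = set()
    for aci in map(parse_aci, acis):
        if aci["scope"] in scopes and right in aci["rights"]:
            attrs |= aci["attrs"]
    return attrs


def scim_list(acis, bearer: str, entries=DEVICE_ENTRIES) -> dict:
    """Model the ListResponse the /Devices endpoint returns under the given ACIs.
    id is rendered as the entry DN for illustration; meta is omitted."""
    searchable = granted_attrs(acis, bearer, "search")
    readable = granted_attrs(acis, bearer, "read")
    resources = []
    if FILTER_ATTR in searchable:
        for entry in entries:
            resource = {"id": entry["dn"]}
            for scim_attr, ldap_attr in SCIM_TO_LDAP.items():
                # An attribute appears only if its LDAP counterpart is readable.
                if ldap_attr in readable and entry.get(ldap_attr):
                    resource[scim_attr] = entry[ldap_attr][0]
            resources.append(resource)
    response = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                "totalResults": len(resources)}
    if resources:
        response["Resources"] = resources
    return response


def fetch_devices(bearer: str, base_url: str = "https://localhost:8443") -> dict:
    """Send the page's curl request to a real server. Like curl -k, TLS
    verification is disabled, which is acceptable only for a local test instance."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"{base_url}/scim/v2/Devices",
                                 headers={"Authorization": f"Bearer {bearer}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)
```

Calling scim_list with no ACIs, with ACI_DEVICE only, and with both ACIs and the matching tokens reproduces the three responses in the procedure. Two cases worth trying that the procedure does not spell out: a token carrying only device_extended yields an empty list, because nothing grants search on objectclass, and an inactive token yields an empty list regardless of its scopes. To compare the model against a live instance, pass the same bearer strings to fetch_devices.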