Whether or not a SCIM request is executed on a server depends primarily on both the configured Access Control Instructions (ACIs) in the server and the scopes which are present in the provided OAuth bearer token used to authenticate the request.

Note: ACIs need to be defined on the backend PD servers instead of on the Proxy server.

Internally, all SCIM 2.0 requests are processed using the cn=SCIM2 Servlet,cn=Root DNs,cn=config service account. Whether a requested operation is allowed depends on the ACIs that apply to the operation. The oauthscope bind rule is particularly useful for this, since it allows the administrator to use the supplied OAuth scopes in ACI logic.

Due to implementation details, access to the objectclass operational LDAP attribute is necessary for SCIM requests to properly execute. However, it is not advisable to give the service account access to objectclass on a global level. Instead, add the ACI granting objectclass access to the LDAP subtree you wish to expose to clients. See Configuring Permissions for SCIM 2.0 Operations for an example of this.

Note: ACIs that do not use the oauthscope bind rule can still apply to requested operations. For example, an ACI that grants unconditional read access to any authenticated LDAP user will also grant unconditional read access to SCIM requests regardless of the provided OAuth scopes, since the requests are processed through the service account.