1. Before you enable the SCIM servlet extension, add access controls on each of the backend Directory Servers to allow read access to operational attributes used by the SCIM Servlet Extension. We recommend using the following non-interactive command to add access control instructions, rather than its dsconfig interactive equivalent.
    $ bin/dsconfig set-access-control-handler-prop \
      --add 'global-aci:(targetattr="entryUUID || entryDN || ds-entry-unique-id || 
        createTimestamp || modifyTimestamp")
        (version 3.0;acl "Authenticated read access to operational attributes \
        used by the SCIM servlet extension"; allow (read,search,compare) 
  2. On the Directory Proxy Server, enable the SCIM servlet extension by running the dsconfig batch file.
    $ bin/dsconfig --batch-file config/scim-config-proxy.dsconfig
  3. The dsconfig batch file must be edited to use the correct request processor name and base DN name(s) for the set-request-processor-prop and set-root-dse-backend-prop commands, respectively, as described in the "Configuring LDAP Control Support on All Request Processors" and "SCIM Servlet Extension Authentication" sections later in the chapter.