When a PATCH request modifies a SCIM 2.0 resource whose schema declares one or more required attributes, the requester must have permission to read the values of those required attributes in addition to write permission on the attributes being modified, even if the PATCH request does not change the required attributes themselves.
For example, assume we want to modify an LDAP Mapping SCIM 2.0 resource type using the following schema definition, where uid and cn are mapped to their LDAP equivalents:
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
  "id": "urn:test:schema:person",
  "attributes": [
    {
      "name": "uid",
      "type": "string",
      "multiValued": false,
      "required": true,
      "caseExact": false,
      "mutability": "readWrite",
      "returned": "default",
      "uniqueness": "none"
    },
    {
      "name": "cn",
      "type": "string",
      "multiValued": false,
      "required": false,
      "caseExact": false,
      "mutability": "readWrite",
      "returned": "default",
      "uniqueness": "none"
    }
  ],
  ...
}
The following PATCH operation will fail if the SCIM 2 service account does not have access to both uid and cn:
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op": "add",
    "path": "cn",
    "value": "new cn value"
  }]
}
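To make the permission rule above concrete, here is an added Python example (not code from the page or from any SCIM product) that derives, from a schema and a PatchOp, which attributes the requester needs read access to (the schema's required attributes) and which it needs write access to (the attributes the patch modifies), then reports what a given service account is missing. The schema and patch constants are constructed from the page's example; the readable and writable sets passed to missing_permissions are assumed inputs standing in for whatever access-control configuration the deployment uses.

```python
# Constructed inputs modelled on the page's example schema and PatchOp.
SCHEMA = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
    "id": "urn:test:schema:person",
    "attributes": [
        {"name": "uid", "type": "string", "multiValued": False, "required": True,
         "caseExact": False, "mutability": "readWrite", "returned": "default",
         "uniqueness": "none"},
        {"name": "cn", "type": "string", "multiValued": False, "required": False,
         "caseExact": False, "mutability": "readWrite", "returned": "default",
         "uniqueness": "none"},
    ],
}

PATCH = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "add", "path": "cn", "value": "new cn value"}],
}


def required_attributes(schema):
    """Names of attributes the schema marks as required."""
    return {a["name"] for a in schema["attributes"] if a.get("required")}


def targeted_attributes(patch):
    """Top-level attributes a PatchOp writes.

    A path such as 'name.givenName' is reduced to 'name' and a filtered path
    such as 'emails[type eq "work"]' to 'emails'. An operation without a path
    carries an object whose keys are the attributes being set (RFC 7644 3.5.2).
    """
    names = set()
    for op in patch["Operations"]:
        path = op.get("path")
        if path is None:
            names.update(op["value"].keys())
        else:
            names.add(path.split("[")[0].split(".")[0])
    return names


def permissions_needed(schema, patch):
    """Return (read_needed, write_needed) for applying the patch.

    The server re-validates required attributes after the patch is applied,
    so the requester must be able to read them even when the patch leaves
    them untouched; write access is needed only for the attributes modified.
    """
    return required_attributes(schema), targeted_attributes(patch)


def missing_permissions(schema, patch, readable, writable):
    """Attributes the requester lacks permission for, split by access type.

    `readable` and `writable` are assumed inputs: the sets of attribute names
    the service account may read and write under the deployment's access rules.
    """
    read_needed, write_needed = permissions_needed(schema, patch)
    return {
        "read": sorted(read_needed - set(readable)),
        "write": sorted(write_needed - set(writable)),
    }


def is_authorized(schema, patch, readable, writable):
    missing = missing_permissions(schema, patch, readable, writable)
    return not missing["read"] and not missing["write"]


if __name__ == "__main__":
    # A service account that can only touch cn: the patch is denied because
    # it cannot read the required attribute uid.
    print(missing_permissions(SCHEMA, PATCH, readable={"cn"}, writable={"cn"}))
    # Granting read access to uid as well makes the same patch succeed.
    print(is_authorized(SCHEMA, PATCH, readable={"uid", "cn"}, writable={"cn"}))
```

Running the block prints the missing permissions for an account that can only read and write cn (it lacks read access to uid), then True once uid is readable. The same check generalizes to sub-attribute and filtered paths, and to pathless "add" operations whose value is an object of attributes.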