This example assumes that you have set up an LDAP mapping SCIM 2.0 Resource Type for the device objectclass (see Configuring an LDAP Mapping SCIM 2.0 resource type).

  1. Send the following request to the SCIM /Devices endpoint:
    curl -k -X GET \
      https://localhost:8443/scim/v2/Devices \
      -H 'Authorization: Bearer {"active":true}'

    The response from the server should contain no search results:

    {
      "schemas":[
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"],
      "totalResults":0
    }
    
    Note: If any results are returned, it is likely that another ACI is allowing the SCIM request to succeed. Enabling the Debug ACI Log Publisher will help determine which ACI is responsible.

    Regarding the empty search response: running ldapsearch against the ou=Devices,dc=example,dc=com subtree should confirm that entries exist there. They do not appear in the SCIM response because the SCIM request does not yet have the permissions needed to view them.

  2. Use the following ldapmodify command to place an ACI on the ou=Devices,dc=example,dc=com subtree. This gives read, search, and compare access to the objectclass attribute for all entries under the ou=Devices,dc=example,dc=com subtree, as long as the SCIM request includes the device scope.
    $ ldapmodify
    
    dn: ou=Devices,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr="objectclass")(version 3.0; acl "ACI for device scope"; allow (read,search,compare) oauthscope="device";)
    
  3. Send the following request to the SCIM /Devices endpoint, this time including the device scope in the bearer token:
    curl -k -X GET \
      https://localhost:8443/scim/v2/Devices \
      -H 'Authorization: Bearer {"active":true, "scope":"device"}'
    

    The response from the server should now contain the entries under the ou=Devices,dc=example,dc=com subtree. However, these are missing values for the name and description attributes since the ACI that was created earlier does not give access to the cn and description LDAP attributes to which they are mapped.

  4. Use the following ldapmodify command to place another ACI on the ou=Devices,dc=example,dc=com subtree, which will give read, search, and compare access to both the cn and description LDAP attributes:
    $ ldapmodify
    
    dn: ou=Devices,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetattr="cn || description")(version 3.0; acl "ACI for device_extended scope"; allow (read,search,compare) oauthscope="device_extended";)
    
  5. Send the following request to the SCIM /Devices endpoint, this time including the device_extended scope along with the device scope in the bearer token:
    curl -k -X GET \
      https://localhost:8443/scim/v2/Devices \
      -H 'Authorization: Bearer {"active":true, "scope":["device", "device_extended"]}'
    

    The response from the server should now contain values for the name and description attributes.
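The five steps above form one procedure: each OAuth scope carried by the bearer token unlocks exactly the LDAP attributes named in the ACI bound to that scope, and the SCIM attributes mapped to them appear or disappear accordingly. The following Python script is an added example, not part of this page or of the Directory Server's ACI engine; it is an offline model that parses the two ACIs exactly as written above, applies the same name-to-cn and description-to-description mapping the text describes, and predicts the ListResponse for each of the mock bearer tokens used in steps 1, 3 and 5. The device entries, the `parse_aci`, `readable_ldap_attrs` and `scim_list_response` helpers, and the treatment of a string-valued `scope` claim as space-delimited (per RFC 6749) are all assumptions of this example.

```python
"""Offline model of scope-gated ACIs for the SCIM /Devices walkthrough.

Added example: a simplified model, not the server's real ACI evaluator.
It only understands the ACI shape used on the page:
  (targetattr="a || b")(version 3.0; acl "name"; allow (rights) oauthscope="s";)
"""
import re

# The two ACIs from the walkthrough, copied verbatim from the ldapmodify steps.
ACIS = [
    '(targetattr="objectclass")(version 3.0; acl "ACI for device scope"; '
    'allow (read,search,compare) oauthscope="device";)',
    '(targetattr="cn || description")(version 3.0; acl "ACI for device_extended scope"; '
    'allow (read,search,compare) oauthscope="device_extended";)',
]

# SCIM attribute -> LDAP attribute mapping described in step 3 (assumed for the model).
SCIM_TO_LDAP = {"name": "cn", "description": "description"}

# Constructed sample entries standing in for ou=Devices,dc=example,dc=com.
DEVICE_ENTRIES = [
    {"id": "dev-1", "cn": "sensor-1", "description": "Lobby sensor"},
    {"id": "dev-2", "cn": "sensor-2"},  # no description attribute on this entry
]

ACI_RE = re.compile(
    r'\(targetattr="(?P<attrs>[^"]+)"\)'
    r'\(version 3\.0; acl "(?P<name>[^"]+)"; '
    r'allow \((?P<rights>[^)]+)\) oauthscope="(?P<scope>[^"]+)";\)'
)


def parse_aci(text):
    """Parse one ACI string into its target attributes, rights and required scope."""
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: " + text)
    return {
        "name": m.group("name"),
        "targetattr": {a.strip().lower() for a in m.group("attrs").split("||")},
        "rights": {r.strip() for r in m.group("rights").split(",")},
        "oauthscope": m.group("scope"),
    }


PARSED_ACIS = [parse_aci(a) for a in ACIS]


def token_scopes(token):
    """Normalise the mock token's 'scope' claim: absent, a string, or a list.
    A string is treated as space-delimited (RFC 6749); this is an assumption."""
    scope = token.get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return set(scope)


def readable_ldap_attrs(acis, token):
    """LDAP attributes readable under the token: union of targetattrs of every
    ACI that grants 'read' and whose oauthscope the token carries."""
    if not token.get("active", False):  # an inactive token gets nothing
        return set()
    scopes = token_scopes(token)
    allowed = set()
    for aci in acis:
        if "read" in aci["rights"] and aci["oauthscope"] in scopes:
            allowed |= aci["targetattr"]
    return allowed


def scim_list_response(entries, acis, token):
    """Model the ListResponse: entries are returned only when objectclass is
    readable (the resource type matches entries by objectclass), and each SCIM
    attribute is populated only when its mapped LDAP attribute is readable."""
    allowed = readable_ldap_attrs(acis, token)
    resources = []
    if "objectclass" in allowed:
        for entry in entries:
            resource = {"id": entry["id"]}
            for scim_attr, ldap_attr in SCIM_TO_LDAP.items():
                if ldap_attr in allowed and ldap_attr in entry:
                    resource[scim_attr] = entry[ldap_attr]
            resources.append(resource)
    body = {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": len(resources),
    }
    if resources:
        body["Resources"] = resources
    return body


if __name__ == "__main__":
    for token in ({"active": True},
                  {"active": True, "scope": "device"},
                  {"active": True, "scope": ["device", "device_extended"]},
                  {"active": True, "scope": "device_extended"}):
        print(token, "->", scim_list_response(DEVICE_ENTRIES, PARSED_ACIS, token))
```

Running the script reproduces the three observations in the walkthrough (no results without a scope, bare entries with `device`, full entries with both scopes) and adds one the text implies but does not state: a token carrying only `device_extended` still returns zero results, because nothing grants access to objectclass, so the scopes are additive rather than interchangeable. That is the behaviour to confirm against a real server with the Debug ACI Log Publisher mentioned in step 1 if the results differ.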