SCIM(4.3)
SCIM is available over the REST HTTP interface, so user and group configurations can be managed with the HTTP methods POST, GET, DELETE, PUT and PATCH. This section covers the schemas used to create, update and remove users and groups, as well as the limitations when using SCIM for .
For the SCIM core schema specification, see RFC 7643: https://tools.ietf.org/html/rfc7643
For the API endpoints, see RFC 7644, section 3.2: https://tools.ietf.org/html/rfc7644#section-3.2
Note!
When importing the user configurations into or when upgrading , the users will be disabled after the import operation or the upgrade. To enable them again, PATCH or PUT each user with the attribute active set to true. You can also enable users by ticking the checkbox for the users you want to enable in the User tab of Access Controller on the desktop.
A user created through SCIM is enabled by default.
These are the limitations of using SCIM instead of the desktop:
- Only users with write access for the Access Controller application are allowed to add, update and delete users or groups.
- A user can only be created once, using the HTTP method POST.
- The password attribute is not mandatory when you create a user with POST; however, the user will not be able to log in to without a password.
- All user details can be modified except the username.
- A user's assigned groups can only be updated using the HTTP method PUT.
- When using PUT to assign a user's groups, no default group is selected, so the user ends up with exactly the groups listed in the request.
- An access group with a given name can only be POSTed once, and the group name cannot be changed afterwards.
It is not possible to set or change the applications connected to an access group using the HTTP methods available via SCIM; this is only possible from the desktop.
Custom Schema
 has an additional schema for the "User" resource. Its Schema URI is:
urn:sap:cloud:scim:schemas:extension:custom:2.0:mzuser
The following attributes are defined:

successor: The successor user takes over all configurations when the current user is removed.
  value: The identifier of the successor user. Example: 71a36bb7-816f-460d-b580-3bd9352b0953
  display: A human-readable name, primarily used for display purposes. It is read-only.

validityPeriod: The validity period of a user. The format is yyyy-mm-ddThh:mm:ss (the examples on this page carry a trailing Z, denoting UTC).
  from: The "DateTime" the user should be valid from. Example: 2021-03-18T23:00:00Z
  to: The "DateTime" the user should be valid to. Example: 2021-03-23T22:59:59Z

Note
The to field should always be greater than or equal to the from field.
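As an added example (not code from this page or from the product), the following Python builds a User payload for the custom schema described above and enforces the rules it states: userName is mandatory, active is a JSON boolean, the successor's display attribute is read-only and is therefore never sent, and validityPeriod.to must not lie before validityPeriod.from. The schema URIs are the documented ones; the function and parameter names are this example's own.

```python
"""Build a SCIM User payload carrying the custom mzuser extension.

Added example; the schema URIs come from the documentation, the function
and parameter names are this example's own.
"""
from datetime import datetime, timezone

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
MZ_USER = "urn:sap:cloud:scim:schemas:extension:custom:2.0:mzuser"


def parse_scim_datetime(value: str) -> datetime:
    """Parse the documented yyyy-mm-ddThh:mm:ss form.

    A trailing 'Z' (UTC), as in the documented examples, is accepted; both
    forms are treated as UTC.  Anything else raises ValueError, so a typo in
    a date never silently produces an unintended validity window.
    """
    text = value[:-1] if value.endswith("Z") else value
    naive = datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def validity_period(valid_from: str, valid_to: str) -> dict:
    """Return the validityPeriod sub-attribute, enforcing to >= from."""
    if parse_scim_datetime(valid_to) < parse_scim_datetime(valid_from):
        raise ValueError(f"validityPeriod.to {valid_to} is before from {valid_from}")
    return {"from": valid_from, "to": valid_to}


def make_user_payload(user_name, *, password=None, active=True, emails=(),
                      group_ids=(), successor_id=None,
                      valid_from=None, valid_to=None) -> dict:
    """Assemble the POST body for /scim/api/v1/Users.

    Only userName and schemas are mandatory; the extension schema URI is
    added to "schemas" only when an extension attribute is actually set.
    """
    if not user_name:
        raise ValueError("userName is mandatory")
    if not isinstance(active, bool):
        # SCIM defines 'active' as a boolean; the string "true" is a different value.
        raise TypeError("active must be a JSON boolean")
    body = {"schemas": [CORE_USER], "userName": user_name, "active": active}
    if password is not None:  # optional, but without it the user cannot log in
        body["password"] = password
    if emails:
        body["emails"] = [{"value": e, "primary": i == 0} for i, e in enumerate(emails)]
    if group_ids:
        body["groups"] = [{"value": g} for g in group_ids]

    extension = {}
    if successor_id:
        # 'display' is read-only and filled in by the server, so only 'value' is sent.
        extension["successor"] = {"value": successor_id}
    if (valid_from is None) != (valid_to is None):
        raise ValueError("validityPeriod requires both from and to")
    if valid_from is not None:
        extension["validityPeriod"] = validity_period(valid_from, valid_to)
    if extension:
        body["schemas"].append(MZ_USER)
        body[MZ_USER] = extension
    return body
```

The returned dict is what goes into the POST request body shown under "Creating Users"; serialise it with json.dumps and send it with Content-Type: application/scim+json.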
User related APIs
This section will cover all the REST HTTP APIs that are used for user related operations.
Retrieving Users
You can use this to retrieve all users:
URL: http://<host>:9000/scim/api/v1/Users
Method: GET
Headers:
  Accept: application/scim+json
  Content-Type: application/scim+json
You can use this to retrieve a specific user:
URL: http://<host>:9000/scim/api/v1/Users/14c257bd-e486-4ec6-b73e-47bb1e9b491b
Method: GET
Headers:
  Accept: application/scim+json
  Content-Type: application/scim+json
Creating Users
You can use this to create a user:
Info!
The schemas and userName fields shown below are mandatory; the rest of the fields are optional. The value of active is a JSON boolean. The request body carries the password in clear text, so send it only over a channel you trust.
URL: http://<host>:9000/scim/api/v1/Users
Method: POST
Headers:
  Accept: application/scim+json
  Content-Type: application/scim+json
Request Body:
  {
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User",
      "urn:sap:cloud:scim:schemas:extension:custom:2.0:mzuser"
    ],
    "userName": "bjensen",
    "displayName": "mz80u3",
    "password": "mz80u3",
    "active": true,
    "emails": [
      { "value": "b@b.com", "display": "bbb", "primary": true }
    ],
    "externalId": "bjensen",
    "name": {
      "formatted": "Ms. Barbara J Jensen III",
      "familyName": "Jensen",
      "givenName": "Barbara"
    },
    "groups": [
      { "value": "ed309a27-3f34-45d3-ade5-b2f8f798deb5" },
      { "value": "86138dad-9742-44a2-a9cb-70347fb884a8" }
    ],
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:mzuser": {
      "successor": { "value": "71a36bb7-816f-460d-b580-3bd9352b0953" },
      "validityPeriod": {
        "from": "2021-03-19T23:00:00Z",
        "to": "2021-03-23T22:59:59Z"
      }
    }
  }
Updating Users
You can use this to replace all the values for a user. PUT replaces the whole user resource, so the body must carry every attribute that should remain set, including the complete list of groups (no default group is applied; see the limitations above):
Info!
The schemas and userName fields shown below are mandatory; the rest of the fields are optional. The userName must match the existing one, because the username cannot be changed.
URL: http://<host>:9000/scim/api/v1/Users/c9706a50-6fd3-44cf-8f8d-7ea00fb05f1c
Method: PUT
Headers:
  Accept: application/scim+json
  Content-Type: application/scim+json
Request Body:
  {
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User",
      "urn:sap:cloud:scim:schemas:extension:custom:2.0:mzuser"
    ],
    "userName": "bjensen",
    "displayName": "mz80u3",
    "emails": [
      { "value": "b@b.com", "display": "mz80u3", "primary": true }
    ],
    "groups": [
      { "value": "119fe1b7-4b8b-4970-8ea6-b62bdaa11f05" },
      { "value": "53aabe0b-715d-4d96-a220-56c6efc11ae9" }
    ],
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:mzuser": {
      "successor": { "value": "71a36bb7-816f-460d-b580-3bd9352b0953" },
      "validityPeriod": {
        "from": "2021-03-20T23:00:00Z",
        "to": "2021-03-25T22:59:59Z"
      }
    }
  }
You can use this to update specific values for a user without resending the rest of the resource. The first operation below has no path, so its value is merged into the user; the second targets the validityPeriod attribute of the custom schema by its fully qualified path:
Info!
The schemas, Operations, op and value fields shown below are mandatory; the rest of the fields are optional.
URL: http://<host>:9000/scim/api/v1/Users/c9706a50-6fd3-44cf-8f8d-7ea00fb05f1c
Method: PATCH
Headers:
  Accept: application/scim+json
  Content-Type: application/scim+json
Request Body:
  {
    "schemas": [
      "urn:ietf:params:scim:api:messages:2.0:PatchOp",
      "urn:sap:cloud:scim:schemas:extension:custom:2.0:mzuser"
    ],
    "Operations": [
      {
        "op": "add",
        "value": {
          "emails": [
            { "value": "babs@jensen.org", "type": "home" }
          ]
        }
      },
      {
        "op": "add",
        "path": "urn:sap:cloud:scim:schemas:extension:custom:2.0:mzuser:validityPeriod",
        "value": {
          "from": "2021-03-19T23:00:00Z",
          "to": "2021-03-23T22:59:59Z"
        }
      }
    ]
  }
Removing Users
You can use this to remove a user:
URL: http://<host>:9000/scim/api/v1/Users/c9706a50-6fd3-44cf-8f8d-7ea00fb05f1c
Method: DELETE
Headers:
  Accept: application/scim+json
  Content-Type: application/scim+json
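The note at the top of this page says users are disabled after an import or upgrade and must be re-enabled with PATCH or PUT. The following Python, an added example rather than code from the page or the product, lists users through the GET endpoint and sends a PATCH for every disabled one. It assumes the server returns the standard SCIM ListResponse (Resources, totalResults, startIndex), which the page does not show, and that PATCH accepts a replace operation on active; the transport is injectable so the selection logic can be checked without a server, and allowed_ids lets you restrict a bulk run to a reviewed list instead of reviving every account that happens to be disabled.

```python
"""Re-enable users that an import or upgrade left disabled, via SCIM PATCH.

Added example.  Assumptions: the GET response is a standard SCIM
ListResponse (RFC 7644 section 3.4.2) and PATCH accepts a "replace" of the
"active" attribute; neither is shown on the documentation page.
"""
import json
import urllib.request

SCIM_HEADERS = {"Accept": "application/scim+json",
                "Content-Type": "application/scim+json"}
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def http_transport(method, url, body=None):
    """Send one SCIM request with urllib and decode the JSON reply (if any)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=SCIM_HEADERS)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def enable_patch_body():
    """PatchOp that sets active=true and touches nothing else."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": True}]}


class ScimUsers:
    def __init__(self, base_url, transport=http_transport):
        self.users_url = base_url.rstrip("/") + "/scim/api/v1/Users"
        self.send = transport  # (method, url, body) -> decoded JSON

    def list_all(self):
        """Collect every user, following startIndex paging until totalResults is reached."""
        users, start = [], 1
        while True:
            page = self.send("GET", f"{self.users_url}?startIndex={start}")
            resources = page.get("Resources", [])
            users.extend(resources)
            if not resources or len(users) >= page.get("totalResults", len(users)):
                return users
            start += len(resources)

    def enable(self, user_id):
        return self.send("PATCH", f"{self.users_url}/{user_id}", enable_patch_body())


def disabled_ids(users):
    """IDs of users that are not enabled.

    Only boolean True (or the string "true", which the page's own request
    examples use) counts as enabled; a missing attribute is treated as disabled.
    """
    return [u["id"] for u in users if u.get("active") not in (True, "true")]


def enable_all_disabled(client, allowed_ids=None):
    """PATCH every disabled user; with allowed_ids, only those explicitly listed,
    so a bulk run after an import cannot revive accounts nobody asked for."""
    targets = disabled_ids(client.list_all())
    if allowed_ids is not None:
        targets = [uid for uid in targets if uid in allowed_ids]
    for uid in targets:
        client.enable(uid)
    return targets
```

Against a real server this is enable_all_disabled(ScimUsers("http://<host>:9000"), allowed_ids=ids_from_the_import); the function returns the list of ids it patched so the run can be logged.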
Group related APIs
This section will cover all the REST HTTP APIs that are used for group related operations.
Retrieving Groups
You can use this to retrieve all groups:
URL: http://<host>:9000/scim/api/v1/Groups
Method: GET
Headers:
  Accept: */*
  Content-Type: */*
You can use this to retrieve a specific group:
URL: http://<host>:9000/scim/api/v1/Groups/119fe1b7-4b8b-4970-8ea6-b62bdaa11f05
Method: GET
Headers:
  Accept: */*
  Content-Type: */*
Creating groups
You can use this to create a group:
Info!
The schemas and displayName fields shown below are mandatory; the rest of the fields are optional. A group name can only be POSTed once and cannot be changed afterwards.
URL: http://<host>:9000/scim/api/v1/Groups
Method: POST
Headers:
  Accept: */*
  Content-Type: */*
Request Body:
  {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName": "group2",
    "members": [
      { "value": "a12822ad-a5c0-4f83-9a4e-96733a0d2e1b" },
      { "value": "8792b456-860a-499d-aa38-5caf4fe487c3" }
    ]
  }
Updating Groups
You can use this to update a group:
Info!
The schemas and displayName fields shown below are mandatory; the rest of the fields are optional. PUT replaces the whole group, so members must list every user that should remain in the group.
URL: http://<host>:9000/scim/api/v1/Groups/a85d8e8c-0b6d-4653-b7c6-33c1fd6c1921
Method: PUT
Headers:
  Accept: */*
  Content-Type: */*
Request Body:
  {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName": "group2",
    "members": [
      { "value": "a12822ad-a5c0-4f83-9a4e-96733a0d2e1b" },
      { "value": "8792b456-860a-499d-aa38-5caf4fe487c3" }
    ]
  }
Deleting Groups
You can use this to delete a group:
URL: http://<host>:9000/scim/api/v1/Groups/a85d8e8c-0b6d-4653-b7c6-33c1fd6c1921
Method: DELETE
Headers:
  Accept: */*
  Content-Type: */*
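PUT on both the Users and the Groups endpoint replaces the resource as a whole (RFC 7644 section 3.5.1), which is why the limitations above say a user's groups can only be changed with PUT and that no default group is applied. The following Python, an added example and not code from the page or the product, derives the PUT body from the current representation returned by GET, so a membership change keeps userName, displayName and the remaining memberships intact instead of wiping them. The helper names are this example's own; id and meta are stripped because they are server-assigned.

```python
"""Build SCIM PUT bodies from the current resource so that nothing is dropped.

Added example.  PUT replaces the whole resource, so a body that only carries
the changed attribute would clear every other one; these helpers start from
the representation returned by GET and only adjust membership.
"""
from copy import deepcopy

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
CORE_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SERVER_ASSIGNED = ("id", "meta")  # read-only; never part of a request body


def _editable_copy(resource):
    """Deep copy without the server-assigned attributes, leaving the input untouched."""
    return {k: v for k, v in deepcopy(resource).items() if k not in SERVER_ASSIGNED}


def _merged_ids(current_entries, add, remove):
    """Current ids minus 'remove' plus 'add', without duplicates, order kept."""
    dropped = set(remove)
    ids = [e["value"] for e in (current_entries or []) if e["value"] not in dropped]
    for new_id in add:
        if new_id not in ids:
            ids.append(new_id)
    return ids


def user_put_with_groups(current_user, add=(), remove=()):
    """PUT body for .../Users/{id} with the group assignment changed.

    userName is mandatory and cannot be changed, so it must come from the
    current user; 'groups' is rewritten in full because PUT applies no
    default group and keeps only what the request lists.
    """
    body = _editable_copy(current_user)
    if not body.get("userName"):
        raise ValueError("current user has no userName; refusing to build a PUT body")
    body.setdefault("schemas", [CORE_USER])
    ids = _merged_ids(current_user.get("groups"), add, remove)
    body["groups"] = [{"value": group_id} for group_id in ids]
    return body


def group_put_with_members(current_group, add=(), remove=()):
    """PUT body for .../Groups/{id} with the member list changed.

    displayName is mandatory and cannot be changed, so it is carried over
    unchanged; 'members' is rewritten in full for the same reason as above.
    """
    body = _editable_copy(current_group)
    if not body.get("displayName"):
        raise ValueError("current group has no displayName; refusing to build a PUT body")
    body.setdefault("schemas", [CORE_GROUP])
    ids = _merged_ids(current_group.get("members"), add, remove)
    body["members"] = [{"value": member_id} for member_id in ids]
    return body
```

One caveat: GET never returns the password (it is write-only in SCIM), so the user body built here carries none; whether the server keeps the existing password on such a PUT is not stated on this page and should be confirmed in a test environment before relying on it.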