User & group format

In the rapidly evolving world of cloud-based identity management, the SCIM specification (System for Cross-domain Identity Management) provides a balance between simplicity of user and group models and an ability to extend the model in response to the ever-changing needs of an organization.

Cloud Directory User format

Cloud Directory adheres to the SCIM-compliant open API specification for user and group models. Let's look at a user. Here's a Cloud Directory user in JSON format.

{
  "userName": "scimuser",
  "phoneNumbers": [
    {
      "type": "work",
      "value": "111-222-3333"
    }
  ],
  "addresses": [
    {
      "country": "US",
      "region": "Central",
      "formatted": "string",
      "streetAddress": "123 Beautiful Street, Austin, TX",
      "postalCode": "78758",
      "type": "work"
    }
  ],
  "name": {
    "givenName": "Scim",
    "familyName": "User",
    "formatted": "Scim User"
  },
  "urn:ietf:params:scim:schemas:extension:ibm:2.0:User": {
    "userCategory": "regular",
    "realm": "cloudIdentityRealm",
    "twoFactorAuthentication": false,
    "pwdChangedTime": "2021-01-19T05:17:15Z",
    "pwdReset": true,
    "customAttributes": [
      {
        "values": [
          "My car 1",
          "My car 2"
        ],
        "name": "cars"
      }
    ]
  },
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "department": "Marketing-NA",
    "employeeNumber": "12345",
    "manager": {
      "displayName": "User Manager",
      "value": "604000CKMZ",
      "$ref": "https://tenant.verify.ibm.com/v2.0/Users/604000CKMZ"
    }
  },
  "id": "603000ABCD",
  "meta": {
    "resourceType": "User",
    "lastModified": "2021-01-19T05:17:15Z",
    "location": "https://tenant.verify.ibm.com/v2.0/Users/603000ABCD",
    "created": "2021-01-19T05:17:15Z"
  },
  "externalId": "01234567",
  "active": true,
  "emails": [
    {
      "type": "work",
      "value": "[email protected]"
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:ibm:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ]
}

Everything is a name-value pair. There are different types of values:

  • strings
  • booleans
  • arrays
  • dictionaries (that, in turn, hold more name-value pairs).

For example, userName and id are strings, whereas meta is a dictionary.

Some attributes are required: for example, userName and id are required, whereas addresses is not. Cloud Directory assigns the id at user creation time.

Schemas

In the example above, there are three schemas indicated in the schemas attribute.

  • urn:ietf:params:scim:schemas:core:2.0:User: the default, required schema from the SCIM specification
  • urn:ietf:params:scim:schemas:extension:ibm:2.0:User: a schema extension of the SCIM model
  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User: another schema extension of the SCIM model

The extended urn:ietf:params:scim:schemas:extension:ibm:2.0:User schema lists these attributes among others.

  • userCategory
  • realm
  • twoFactorAuthentication
  • customAttributes

The extended urn:ietf:params:scim:schemas:extension:enterprise:2.0:User schema lists these attributes.

  • department
  • manager
  • employeeNumber

Two Types

There are two types of Cloud Directory users.

  • Cloud Directory user: userCategory is regular and realm is cloudIdentityRealm
  • Federated user: userCategory is federated and realm is <federatedRealm>

The <federatedRealm> is associated with the identity source of that user, for example www.ibm.com.

Custom Attributes

Administrators can create their own custom attributes (up to 150) that extend the user model and greatly increase flexibility with respect to the various types of metadata associated with the user record. The example above shows two custom attributes; notice the customAttributes array in the extended schema section.

  • car (single-valued): Bat Mobile
  • pets (multi-valued): Scooby-Doo and Buddy
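A small validator for the user format described above, added here as an example rather than Cloud Directory's own code. It checks the required attributes, that every extension namespace used as a top-level key is declared in schemas, that userCategory and realm pair up the way the two user types require, and the 150-attribute limit on customAttributes. The sample document is constructed from the page's example; the function and constant names are this example's own.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
IBM_USER_EXT = "urn:ietf:params:scim:schemas:extension:ibm:2.0:User"
EXT_PREFIX = "urn:ietf:params:scim:schemas:extension:"
CUSTOM_ATTRIBUTE_LIMIT = 150  # administrator-defined custom attributes allowed per user


def check_user(doc: dict) -> list:
    """Return the problems found in a Cloud Directory user document (empty list = ok)."""
    problems = []
    schemas = doc.get("schemas", [])
    # userName and id are required (id is assigned by Cloud Directory at creation)
    for attr in ("userName", "id"):
        if not isinstance(doc.get(attr), str) or not doc[attr]:
            problems.append(f"required attribute {attr} is missing")
    if CORE_USER not in schemas:
        problems.append(f"schemas must include {CORE_USER}")
    # any extension namespace used as a top-level key must be declared in schemas
    for key in doc:
        if key.startswith(EXT_PREFIX) and key not in schemas:
            problems.append(f"extension {key} is used but not listed in schemas")
    ext = doc.get(IBM_USER_EXT, {})
    category, realm = ext.get("userCategory"), ext.get("realm")
    # the two user types pair userCategory with a specific realm
    if category == "regular" and realm != "cloudIdentityRealm":
        problems.append("regular users must use realm cloudIdentityRealm")
    if category == "federated" and realm in (None, "", "cloudIdentityRealm"):
        problems.append("federated users must use the realm of their identity source")
    if len(ext.get("customAttributes", [])) > CUSTOM_ATTRIBUTE_LIMIT:
        problems.append(f"more than {CUSTOM_ATTRIBUTE_LIMIT} custom attributes")
    return problems


# Constructed sample, modelled on the page's user document (not a real tenant record)
SAMPLE_USER = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
              "urn:ietf:params:scim:schemas:extension:ibm:2.0:User"],
  "userName": "scimuser", "id": "603000ABCD", "active": true,
  "urn:ietf:params:scim:schemas:extension:ibm:2.0:User": {
    "userCategory": "regular", "realm": "cloudIdentityRealm",
    "customAttributes": [{"name": "cars", "values": ["My car 1", "My car 2"]}]
  }
}""")

if __name__ == "__main__":
    print(check_user(SAMPLE_USER))  # prints [] for the well-formed sample
```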

Cloud Directory group format

Here's a Cloud Directory group in JSON format.

{
  "displayName": "Scim Group", 
  "id": "603000EFGH", 
  "meta": {
    "resourceType": "Group", 
    "lastModified": "2021-01-19T06:16:21Z", 
    "location": "https://tenant.verify.ibm.com/v2.0/Groups/603000EFGH", 
    "created": "2021-01-19T06:16:21Z"
  }, 
  "members": [
    {
      "type": "user", 
      "value": "603000ABCD"
    }, 
    {
      "type": "user", 
      "value": "603000ABCE"
    }
  ], 
  "urn:ietf:params:scim:schemas:extension:ibm:2.0:Group": {
    "groupType": "standard", 
    "totalMembers": 2
  }, 
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group", 
    "urn:ietf:params:scim:schemas:extension:ibm:2.0:Group"
  ]
}

The group follows the same pattern as the user model. The group shown above has 2 members and is of type standard. A group can also be of type reserved. There are no custom attributes associated with groups.

See System for Cross-domain Identity Management (SCIM) for more information on how SCIM is handled across applications.

Anil Levi, IBM Security
