User & group format
In the rapidly evolving world of cloud-based identity management, the SCIM specification (System for Cross-domain Identity Management) provides a balance between simplicity of user and group models and an ability to extend the model in response to the ever-changing needs of an organization.
Cloud Directory User format
Cloud Directory adheres to the SCIM compliant open API specification for user and group models. Let's look at a user. Here's a Cloud Directory user in JSON format.
{
"userName": "scimuser",
"phoneNumbers": [
{
"type": "work",
"value": "111-222-3333"
}
],
"addresses": [
{
"country": "US",
"region": "Central",
"formatted": "string",
"streetAddress": "123 Beautiful Street, Austin, TX",
"postalCode": "78758",
"type": "work"
}
],
"name": {
"givenName": "Scim",
"familyName": "User",
"formatted": "Scim User"
},
"urn:ietf:params:scim:schemas:extension:ibm:2.0:User": {
"userCategory": "regular",
"realm": "cloudIdentityRealm",
"twoFactorAuthentication": false,
"pwdChangedTime": "2021-01-19T05:17:15Z",
"pwdReset": true,,
"customAttributes": [
{
"values": [
"My car 1",
"My car 2"
],
"name": "cars"
}
],
},
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"department": "Marketing-NA",
"employeeNumber": "12345",
"manager": {
"displayName": "User Manager",
"value": "604000CKMZ",
"$ref": "https://tenant.verify.ibm.com/v2.0/Users/604000CKMZ"
}
},
"id": "603000ABCD",
"meta": {
"resourceType": "User",
"lastModified": "2021-01-19T05:17:15Z",
"location": "https://tenant.verify.ibm.com/v2.0/Users/603000ABCD",
"created": "2021-01-19T05:17:15Z"
},
"externalId": "01234567",
"active": true,
"emails": [
{
"type": "work",
"value": "[email protected]"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:ibm:2.0:User"
]
}
Everything is a name: value pair. There are different types of values:
- strings
- booleans
- arrays
- dictionaries (that, in turn, hold more name-value pairs).
For e.g: userName and id are strings, whereas meta is a dictionary.
Some of the attributes are required, for e.g: userName and id are required, whereas addresses is not. Cloud Directory assigns the id at user creation time.
Schemas
In the example above, there are three schemas indicated in the schemas attribute.
| Schema | Description |
|---|---|
| urn:ietf:params:scim:schemas:core:2.0:User | The default required schema from the SCIM specification |
| urn:ietf:params:scim:schemas:extension:ibm:2.0:User | A schema extension of the SCIM model. |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | Another schema extension of the SCIM model. |
The extended urn:ietf:params:scim:schemas:extension:ibm:2.0:User schema lists these attributes among others.
- userCategory
- realm
- twoFactorAuthentication
- customAttributes
The extended urn:ietf:params:scim:schemas:extension:enterprise:2.0:User schema lists these attributes.
- department
- manager
- employeeNumber
Two Types
There are two types of Cloud Directory users.
| Type | Settings |
|---|---|
| Cloud Directory user | userCategory:regular and the realm:cloudIdentityRealm |
| Federated user | userCategory:federated and the realm:<federatedRealm>The <federatedRealm> is associated with the identity source of that user. For e.g: www.ibm.com |
Custom Attributes
Administrators can create their own custom attributes (up to 150) that extends the user model and greatly increase flexibility w.r.t. the various types of metadata associated with the user record. In the example above you see an example of two custom Attributes. Notice the customAttributes in the extended schema section.
| Custom Attribute | Type | Value |
|---|---|---|
| car | single-valued | Bat Mobile |
| pets | multi-valued | Scooby-Doo and Buddy |
Cloud Directory group format
Here's a Cloud Directory group in JSON format.
{
"displayName": "Scim Group",
"id": "603000EFGH",
"meta": {
"resourceType": "Group",
"lastModified": "2021-01-19T06:16:21Z",
"location": "https://tenant.verify.ibm.com/v2.0/Groups/603000EFGH",
"created": "2021-01-19T06:16:21Z"
},
"members": [
{
"type": "user",
"value": "603000ABCD"
},
{
"type": "user",
"value": "603000ABCE"
}
],
"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group": {
"groupType": "standard",
"totalMembers": 2
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group",
"urn:ietf:params:scim:schemas:extension:ibm:2.0:Group"
]
}
The group follows the same pattern as the user model. The group shown above has 2 members and is of type standard. A group can also be of type reserved.
There are no custom attributes associated with groups.
Read more on System for Cross-domain Identity Management (SCIM) for more information on how SCIM is handled across applications.
Anil Levi, IBM Security
Updated 4 months ago