Thanat Varathon

Reputation: 3

How to update a single user's groups with WSO2 SCIM 2.0 REST API?

I'm trying to replace a single user's groups with a completely new set of groups. I am able to add a user to a group and remove a user from a group with the https://docs.wso2.com/display/IS570/apidocs/SCIM2-endpoints/#!/operations#GroupsEndpoint#patchGroup API.

However, I want to completely replace the groups entirely with a new array, so I don't have to individually add/remove the user from each group. I have tried using the following request:

POST {url}/scim2/Users/{groupID}

with the following POST body:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "replace",
            "value": {
                "groups": [
                    {
                        "display": "group1",
                        "value": "092555e8-1636-4642-924e-27aef49757fe"
                    },
                    {
                        "display": "group2",
                        "value": "b0d42429-67e2-4447-9846-2b001add431f"
                    }
                ]
            }
        }
    ]
}

However, the response returned was:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "detail": "Error in performing the add operation",
    "status": "500"
}

How can I achieve this?

Upvotes: 0

Views: 667

Answers (2)

Anuradha Karunarathna

Reputation: 3057

The POST {url}/scim2/Users/{groupID} request won't work since there is no such endpoint. I think you tried to replace the groups attribute of the user resource by a patch operation. If so, the request would be PATCH {url}/scim2/Users/{userId}. However, that doesn't work for the following reasons.

  1. According to the SCIM specification (see the groups description in https://www.rfc-editor.org/rfc/rfc7643#section-4.1.2), the groups attribute of the user should be managed using the /Groups endpoint.

    Direct group membership indicates that the user is directly associated with the group and SHOULD indicate that clients may modify membership through the "Group" resource.

  2. Also, the groups attribute of the User resource is a ReadOnly attribute. Therefore, it can't be modified using the PATCH /User endpoint (https://www.rfc-editor.org/rfc/rfc7643#section-8.7.1). Schema definition in WSO2 IS: https://github.com/wso2/charon/blob/f5229c1ed55548d74b833e1a04656ac695899d9b/modules/charon-core/src/main/java/org/wso2/charon3/core/schema/SCIMSchemaDefinitions.java#L791

Therefore, you have to use the PATCH /Groups endpoint to modify the group details of the user.

Upvotes: 1

Nipun Thathsara

Reputation: 1139

POST {url}/scim2/Users/{groupID}: such an endpoint doesn't exist. You might have to stick to the /Groups PATCH operation to add or remove roles from users. (Iterate the request programmatically in this case.)

Upvotes: 1
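Both answers point to per-group PATCH /Groups calls; the following is an added example, not part of either answer or of WSO2's code, that turns a "replace all groups" intent into the minimal list of such calls by diffing current and desired group IDs. The operation shapes follow RFC 7644 section 3.5.2; that the WSO2 IS version in use accepts these path-style operations is an assumption to verify, and the user ID, user name and "old" group ID are constructed sample values.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def plan_group_patches(user_id, user_name, current_group_ids, desired_group_ids):
    """Return (method, path, body) tuples, one per group whose membership changes."""
    # The id is embedded in a SCIM filter string, so refuse characters that
    # could terminate the quoted value and alter the filter.
    if not user_id or any(c in user_id for c in '"\\'):
        raise ValueError("user_id is not safe to embed in a SCIM filter")
    current, desired = set(current_group_ids), set(desired_group_ids)
    plan = []
    # Additions come first; groups present in both sets are never touched.
    for gid in sorted(desired - current):
        op = {"op": "add", "path": "members",
              "value": [{"value": user_id, "display": user_name}]}
        plan.append(("PATCH", f"/scim2/Groups/{gid}",
                     {"schemas": [PATCH_SCHEMA], "Operations": [op]}))
    # Removals target only this user's member entry in each stale group.
    for gid in sorted(current - desired):
        op = {"op": "remove", "path": f'members[value eq "{user_id}"]'}
        plan.append(("PATCH", f"/scim2/Groups/{gid}",
                     {"schemas": [PATCH_SCHEMA], "Operations": [op]}))
    return plan


# Constructed sample data: the user id and the "old" group id are made up;
# the two desired group ids are the ones from the question.
USER_ID = "00000000-0000-4000-8000-000000000001"
OLD_GROUP = "11111111-1111-4111-8111-111111111111"
GROUP1 = "092555e8-1636-4642-924e-27aef49757fe"
GROUP2 = "b0d42429-67e2-4447-9846-2b001add431f"

if __name__ == "__main__":
    for method, path, body in plan_group_patches(
            USER_ID, "sample_user", [GROUP1, OLD_GROUP], [GROUP1, GROUP2]):
        print(method, "{url}" + path)
        print(json.dumps(body, indent=2))
```

The current group IDs would come from reading the user's read-only groups attribute; only the planned requests are built here, nothing is sent.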
