
From nobody Mon Feb 25 10:37:23 2019
MIME-Version: 1.0
From: Aleksey Chernoraenko <achernoraenko@gmail.com>
Date: Mon, 25 Feb 2019 12:37:07 -0600
Message-ID: <CAKCnT7w5-o7N=TdOLwLD+dWEMCOSzyuQYYpQBKtrZs+CMo22Rw@mail.gmail.com>
To: scim@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f753680582bc3af2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/ZfI0gW-m29jDWUR4delu4mFriWs>
Subject: [scim] How to patch multi-valued nested attributes?
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 18:37:21 -0000

--000000000000f753680582bc3af2
Content-Type: text/plain; charset="UTF-8"

Hello,

In our SCIM Resource Provider we have resources that have nested
multi-valued attributes. It looks like this:
GET /GroupSets/98ae2a7c-40a5-4fff-b59a-5b922908239e
{    ...
    "name": "collection #1",
    "groups": [ {
        "value": "a0115001-0fd7-4b50-b7b4-ac29d57cc623",
        "$ref": ".../groups/a0115001-0fd7-4b50-b7b4-ac29d57cc623",
        ...
        }, ...
    ], ...
}

We use the groups endpoint when we update group members, like
PATCH /Groups/a0115001-0fd7-4b50-b7b4-ac29d57cc623
{   ...
    "operations": [ {
        "op": "add", "path": "members", "value": "db81119f-5ee0-464e-b7e3-51573b62b56a"
        } ]
}

I understand what the request should look like if I want to update one group's
members via the parent (groupset) endpoint:
PATCH /GroupSets/98ae2a7c-40a5-4fff-b59a-5b922908239e
{   ...
    "operations": [ {
        "op": "add", "path": "groups[value eq \"a0115001-0fd7-4b50-b7b4-ac29d57cc623\"].members", ...
        } ]
}

but wonder how I can specify "members" from all or a filtered set of
"groups" without enumerating all of them on the client side?

The path value might look like "groups[].members", or "groups[*].members",
or even "groups.members".

It seems that the spec leaves this question open. What should or can happen
if more than one group would be found?

---
Thank you,
Alexei

--000000000000f753680582bc3af2--


From nobody Mon Feb 25 11:10:05 2019
From: Phil Hunt <phil.hunt@oracle.com>
Message-Id: <96DFFA94-CA40-44F3-9B6B-8267C1CEB069@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F41665C1-67A0-437B-B644-28D3FC7AEA49"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 25 Feb 2019 11:09:57 -0800
In-Reply-To: <CAKCnT7w5-o7N=TdOLwLD+dWEMCOSzyuQYYpQBKtrZs+CMo22Rw@mail.gmail.com>
Cc: scim@ietf.org
To: Aleksey Chernoraenko <achernoraenko@gmail.com>
References: <CAKCnT7w5-o7N=TdOLwLD+dWEMCOSzyuQYYpQBKtrZs+CMo22Rw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/RuL-PfjTcrRaHfPQzwkkg3xSEug>
Subject: Re: [scim] How to patch multi-valued nested attributes?

--Apple-Mail=_F41665C1-67A0-437B-B644-28D3FC7AEA49
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Aleksey

Unfortunately there is no mass-update style function in SCIM. PATCH only
impacts one specific resource at a time. By design each transaction
impacts only a single resource at a time. Even inside of “bulk” the
transaction semantics are per resource.

You really have to do this in two or more steps.

1. Query for a set of resources that need updating
2. Apply the patch to each resource

For step 2, you can do it as multiple calls for each resource, or as a
“bulk” request if supported by the provider.

Phil Hunt | Cloud Security and Identity Architect
Oracle Corporation, Oracle Cloud Infrastructure
@independentid
www.independentid.com
phil.hunt@oracle.com






--Apple-Mail=_F41665C1-67A0-437B-B644-28D3FC7AEA49--
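
Added example, not part of the original thread: the two-step approach described in the reply above (query, then patch each resource), built with the RFC 7644 PatchOp and BulkRequest message shapes. The GroupSet, ServiceProviderConfig and BulkResponse samples and the function names are constructed for illustration; only the first group id and the member id come from the thread.

```python
import json
from urllib.parse import quote

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
BULK_REQUEST = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"

# Constructed sample of the step 1 result (GET /GroupSets/{id}). The first
# group id is the one quoted in the thread; the other two are made up.
GROUP_SET = {
    "name": "collection #1",
    "groups": [
        {"value": "a0115001-0fd7-4b50-b7b4-ac29d57cc623"},
        {"value": "00000000-0000-4000-8000-000000000002"},
        {"value": "00000000-0000-4000-8000-000000000003"},
    ],
}

# Constructed ServiceProviderConfig fragment: bulk is offered, 2 ops per call.
SP_CONFIG = {"bulk": {"supported": True, "maxOperations": 2}}

USER_ID = "db81119f-5ee0-464e-b7e3-51573b62b56a"  # member id from the thread


def member_patch(user_id):
    """PatchOp body that adds one member to a group."""
    return {
        "schemas": [PATCH_OP],
        "Operations": [
            {"op": "add", "path": "members", "value": [{"value": user_id}]}
        ],
    }


def plan_requests(group_set, user_id, sp_config):
    """Step 2: one PATCH per group, packed into /Bulk requests when offered.

    Returns a list of (method, path, body) tuples for the caller to send.
    """
    # Deduplicate ids in order and percent-encode them, so an id can never
    # add path segments or a query string to the request target.
    ids = list(dict.fromkeys(g["value"] for g in group_set.get("groups", [])))
    paths = ["/Groups/" + quote(gid, safe="") for gid in ids]
    patch = member_patch(user_id)

    bulk = sp_config.get("bulk", {})
    if not bulk.get("supported"):
        return [("PATCH", p, patch) for p in paths]

    chunk = max(1, int(bulk.get("maxOperations", 1)))
    plan = []
    for i in range(0, len(paths), chunk):
        ops = [{"method": "PATCH", "path": p, "data": patch}
               for p in paths[i:i + chunk]]
        plan.append(("POST", "/Bulk",
                     {"schemas": [BULK_REQUEST], "Operations": ops}))
    return plan


def failed_operations(bulk_response):
    """Locations of operations the provider did not complete with 2xx.

    Each bulk operation succeeds or fails on its own, so a 200 on /Bulk
    does not mean every group was updated.
    """
    return [
        op.get("location")
        for op in bulk_response.get("Operations", [])
        if not str(op.get("status", "")).startswith("2")
    ]


# Constructed BulkResponse in which the second group's PATCH was rejected.
SAMPLE_BULK_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],
    "Operations": [
        {"method": "PATCH", "status": "200",
         "location": "/Groups/a0115001-0fd7-4b50-b7b4-ac29d57cc623"},
        {"method": "PATCH", "status": "403",
         "location": "/Groups/00000000-0000-4000-8000-000000000002"},
    ],
}

if __name__ == "__main__":
    for method, path, body in plan_requests(GROUP_SET, USER_ID, SP_CONFIG):
        print(method, path)
        print(json.dumps(body, indent=2))
    print("not applied:", failed_operations(SAMPLE_BULK_RESPONSE))
```

Because the semantics are per resource, a client that needs all-or-nothing membership changes has to check every operation's status and reconcile the groups that were not updated.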


From nobody Mon Feb 25 14:32:12 2019
MIME-Version: 1.0
References: <CAKCnT7w5-o7N=TdOLwLD+dWEMCOSzyuQYYpQBKtrZs+CMo22Rw@mail.gmail.com> <96DFFA94-CA40-44F3-9B6B-8267C1CEB069@oracle.com>
In-Reply-To: <96DFFA94-CA40-44F3-9B6B-8267C1CEB069@oracle.com>
From: Aleksey Chernoraenko <achernoraenko@gmail.com>
Date: Mon, 25 Feb 2019 16:31:56 -0600
Message-ID: <CAKCnT7yUfhigZ4BZa0Aitnr7c_cG=84U7KP1UW8DtOjsnuJMfw@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Cc: scim@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/m23XOthe3kJLgsee5Q1pKZJugGc>
Subject: Re: [scim] How to patch multi-valued nested attributes?

Thank you for the response!

On Mon, Feb 25, 2019 at 1:10 PM Phil Hunt <phil.hunt@oracle.com> wrote:
>
> Unfortunately there is no mass-update style function in SCIM. PATCH only
> impacts one specific resource at a time. By design each transaction impacts
> only a single resource at a time. Even inside of “bulk” the transaction
> semantics are per resource.
>
> You really have to do this in two or more steps.
>
> 1. Query for a set of resources that need updating
> 2. Apply the patch to each resource
>
> For step 2, you can do it as multiple calls for each resource, or as a
> “bulk” request if supported by the provider.
>

This probably might be "worked around" as a PATCH request to the groups
endpoint with query parameters.
It would be like a “bulk” request but in a more declarative way, I guess.

PATCH /Groups?groupSet=98ae2a7c-40a5-4fff-b59a-5b922908239e
{   ...
    "operations": [ {
        "op": "add", "path": "members", "value": "db81119f-5ee0-464e-b7e3-51573b62b56a"
        } ]
}

Would it still be SCIM compliant?

---
Alexei



From nobody Mon Feb 25 14:40:54 2019
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (1.0)
From: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <CAKCnT7yUfhigZ4BZa0Aitnr7c_cG=84U7KP1UW8DtOjsnuJMfw@mail.gmail.com>
Date: Mon, 25 Feb 2019 14:40:46 -0800
Cc: scim@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <2910C863-6343-451C-934A-FA1CC6DE18B1@oracle.com>
References: <CAKCnT7w5-o7N=TdOLwLD+dWEMCOSzyuQYYpQBKtrZs+CMo22Rw@mail.gmail.com> <96DFFA94-CA40-44F3-9B6B-8267C1CEB069@oracle.com> <CAKCnT7yUfhigZ4BZa0Aitnr7c_cG=84U7KP1UW8DtOjsnuJMfw@mail.gmail.com>
To: Aleksey Chernoraenko <achernoraenko@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/KEDS06L3IVEgvuDZ6S0Qk4XA7Dk>
Subject: Re: [scim] How to patch multi-valued nested attributes?

No, it would not be compliant.

SCIM as a RESTful API can only impact one resource at a time.

To enhance would require a new draft.

Phil

> On Feb 25, 2019, at 2:31 PM, Aleksey Chernoraenko <achernoraenko@gmail.com> wrote:
>
> Thank you for the response!
>
>> On Mon, Feb 25, 2019 at 1:10 PM Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>> Unfortunately there is no mass-update style function in SCIM. PATCH only impacts one specific resource at a time. By design each transaction impacts only a single resource at a time. Even inside of “bulk” the transaction semantics are per resource.
>>
>> You really have to do this in two or more steps.
>>
>> 1. Query for a set of resources that need updating
>> 2. Apply the patch to each resource
>>
>> For step 2, you can do this as multiple calls for each resource, or as a “bulk” request if supported by the provider.
>>
>
> This probably might be "worked around" as a PATCH request to the groups
> endpoint with query parameters.
> It would be like a “bulk” request but in a more declarative way, I guess.
>
> PATCH /Groups?groupSet=98ae2a7c-40a5-4fff-b59a-5b922908239e
> {   ...
>    "operations": [ {
>        "op": "add", "path": "members", "value": "db81119f-5ee0-464e-b7e3-51573b62b56a"
>        } ]
> }
>
> Would it still be SCIM compliant?
>
> ---
> Alexei
>
>>>
>>>
>>> On Feb 25, 2019, at 10:37 AM, Aleksey Chernoraenko <achernoraenko@gmail.com> wrote:
>>>
>>> Hello,
>>>
>>> In our SCIM Resource Provider we have resources that have nested multi-valued attributes. It looks like this:
>>> GET /GroupSets/98ae2a7c-40a5-4fff-b59a-5b922908239e
>>> {    ...
>>>    "name": "collection #1",
>>>    "groups": [ {
>>>        "value": "a0115001-0fd7-4b50-b7b4-ac29d57cc623",
>>>        "$ref": ".../groups/a0115001-0fd7-4b50-b7b4-ac29d57cc623",
>>>        ...
>>>        }, ...
>>>    ], ...
>>> }
>>>
>>> We use the groups endpoint when we update group members, like
>>> PATCH /Groups/a0115001-0fd7-4b50-b7b4-ac29d57cc623
>>> {   ...
>>>    "operations": [ {
>>>        "op": "add", "path": "members", "value": "db81119f-5ee0-464e-b7e3-51573b62b56a"
>>>        } ]
>>> }
>>>
>>> I understand what the request should look like if I want to update one group's members via the parent (groupset) endpoint:
>>> PATCH /GroupSets/98ae2a7c-40a5-4fff-b59a-5b922908239e
>>> {   ...
>>>    "operations": [ {
>>>        "op": "add", "path": "groups[value eq \"a0115001-0fd7-4b50-b7b4-ac29d57cc623\"].members", ...
>>>        } ]
>>> }
>>>
>>> but wonder how I can specify "members" from all or a filtered set of "groups" without enumerating all of them on the client side?
>>>
>>> The path value might look like "groups[].members", or "groups[*].members", or even "groups.members".
>>>
>>> It seems that the spec leaves this question open. What should or can happen if more than one group would be found?
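
The two-step approach described in this thread (query the set, then patch each resource separately or through Bulk), sketched as an added example that is not part of the original messages or any participant's code. It assumes the GroupSet response shape shown above, writes the member value in the RFC 7644 array form, and takes max_operations from the provider's ServiceProviderConfig bulk.maxOperations; GROUP_SET and the function names are hypothetical.

```python
import json

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
BULK_REQUEST = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"

# Constructed sample: body of GET /GroupSets/{id}, reduced to the fields used
# here. Only the first group id is from the thread; the last entry is a duplicate.
GROUP_SET = {
    "name": "collection #1",
    "groups": [
        {"value": "a0115001-0fd7-4b50-b7b4-ac29d57cc623"},
        {"value": "00000000-0000-4000-8000-000000000002"},
        {"value": "00000000-0000-4000-8000-000000000003"},
        {"value": "a0115001-0fd7-4b50-b7b4-ac29d57cc623"},
    ],
}
MEMBER_ID = "db81119f-5ee0-464e-b7e3-51573b62b56a"


def member_patch(member_id):
    """PatchOp body that adds one member to a single Group resource."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "add", "path": "members",
                            "value": [{"value": member_id}]}]}


def per_group_requests(group_set, member_id):
    """Step 2 as separate calls: one (method, path, body) tuple per group."""
    seen, requests = set(), []
    for ref in group_set.get("groups", []):
        group_id = ref.get("value")
        if not group_id or group_id in seen:  # skip empty or repeated references
            continue
        seen.add(group_id)
        requests.append(("PATCH", "/Groups/" + group_id, member_patch(member_id)))
    return requests


def bulk_requests(group_set, member_id, max_operations):
    """Step 2 as Bulk: BulkRequest bodies of at most max_operations each."""
    if max_operations < 1:
        raise ValueError("max_operations must be at least 1")
    ops = [{"method": method, "path": path, "data": body}
           for method, path, body in per_group_requests(group_set, member_id)]
    return [{"schemas": [BULK_REQUEST], "Operations": ops[i:i + max_operations]}
            for i in range(0, len(ops), max_operations)]


if __name__ == "__main__":
    print(json.dumps(bulk_requests(GROUP_SET, MEMBER_ID, 2), indent=2))
```

Each generated operation still targets exactly one /Groups/{id} resource, so the per-resource transaction semantics are unchanged; Bulk only reduces the number of HTTP round trips.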

