0

I'm trying to replace a single user's group with a completely new set of groups. I am able to add a user to a group and remove a user from a group with the https://docs.wso2.com/display/IS570/apidocs/SCIM2-endpoints/#!/operations#GroupsEndpoint#patchGroup API.

However, I want to completely replace the groups entirely with a new array, so I don't have to individually add/remove user from each group. I have tried using the following request

POST {url}/scim2/Users/{groupID}

with the following POST body

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "replace",
            "value": {
                "groups": [
                    {
                        "display": "group1",
                        "value": "092555e8-1636-4642-924e-27aef49757fe"
                    },
                    {
                        "display": "group2",
                        "value": "b0d42429-67e2-4447-9846-2b001add431f"
                    }
                ]
            }
        }
    ]
}

However, the response returned was

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "detail": "Error in performing the add operation",
    "status": "500"
}

How can I achieve this?

Community
  • 1
  • 1

2 Answers

1

POST {url}/scim2/Users/{groupID} Such an endpoint doesn't exist. You might have to stick to the /Groups PATCH operation to add or remove roles from users. (Iterate the request programmatically in this case.)

Nipun Thathsara
  • 1,119
  • 11
  • 20
  • That's the only solution which we also figured out. But it has its drawbacks if the user base is high. Could you pls read my question If you could give a solution, pls feel free to add it as an answer to https://stackoverflow.com/questions/65887494/how-to-update-a-single-users-groups-with-wso2-scim-rest-api-without-using-patch and come up with any solution which helps solving the problem? @Nipun Thanks in advance – Arun s Jan 25 '21 at 15:20
1

POST {url}/scim2/Users/{groupID} request won't work since there is no such endpoint. I think you tried to replace the groups attribute of the user resource by a patch operation. If so, the request would be PATCH {url}/scim2/Users/{userId}. However, that doesn't work due to the following reasons.

  1. According to the SCIM specification (see groups description in https://www.rfc-editor.org/rfc/rfc7643#section-4.1.2) groups attribute of the user should be managed using the /Groups endpoint.

    Direct group membership indicates that the user is directly associated with the group and SHOULD indicate that clients may modify membership through the "Group" resource.

  2. Also groups attribute of User resource is a ReadOnly attribute. Therefore, it can't be modified using PATCH /User endpoint. (https://www.rfc-editor.org/rfc/rfc7643#section-8.7.1) Schema definition in WSO2 IS: https://github.com/wso2/charon/blob/f5229c1ed55548d74b833e1a04656ac695899d9b/modules/charon-core/src/main/java/org/wso2/charon3/core/schema/SCIMSchemaDefinitions.java#L791

Therefore you have to use PATCH /Groups endpoint to modify the groups details of the user.

Community
  • 1
  • 1
Anuradha Karunarathna
  • 2,717
  • 2
  • 9
  • 17
  • This is the solution which we are also using in our project. But we are currently facing an issue with this approach. In order to add a new role to a user replacing the old one, we are currently adding the role followed by deleting the existing role (which finally works like an update). It was working smoothly for past 1 year. But as the number of users increased, the patch /Groups is not responding and the API gets timeout error. Can you suggest a way to update role of a single user without affecting the entire group? @anuradha – Arun s Jan 25 '21 at 14:54
  • If you could give a solution, pls feel free to add it as an answer to https://stackoverflow.com/questions/65887494/how-to-update-a-single-users-groups-with-wso2-scim-rest-api-without-using-patch – Arun s Jan 25 '21 at 15:18
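
Added example (not code from the question, the answers, or WSO2): the per-group iteration the answers describe, reduced to the groups that actually differ between the user's current and desired membership. It assumes the current group IDs were read from the read-only groups attribute of GET /scim2/Users/{userId}, that IDs are UUIDs as in the question, and that the server accepts the RFC 7644 path forms used here; `plan_group_changes` and the constructed IDs are hypothetical.

```python
import json
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def _patch(group_id, operation):
    """One PATCH /Groups/{id} request as (method, path, JSON body)."""
    body = {"schemas": [PATCH_SCHEMA], "Operations": [operation]}
    return ("PATCH", f"/scim2/Groups/{group_id}", body)


def plan_group_changes(user_id, user_name, current_ids, desired_ids):
    """Requests that move a user from current_ids to desired_ids.

    Groups present in both sets are left untouched.
    """
    # IDs are interpolated into a URL path and a SCIM filter expression,
    # so reject anything that is not a canonical UUID.
    for value in (user_id, *current_ids, *desired_ids):
        if not UUID_RE.fullmatch(value):
            raise ValueError(f"not a UUID: {value!r}")
    current, desired = set(current_ids), set(desired_ids)
    plan = []
    # Removals are planned first so the user does not hold old and new
    # groups at the same time; reverse the two loops if a gap is worse.
    for gid in sorted(current - desired):
        op = {"op": "remove", "path": f'members[value eq "{user_id}"]'}
        plan.append(_patch(gid, op))
    for gid in sorted(desired - current):
        member = {"value": user_id, "display": user_name}
        plan.append(_patch(gid, {"op": "add", "path": "members", "value": [member]}))
    return plan


if __name__ == "__main__":
    user = "3a6f1c2e-5b7d-4e8a-9c0f-1d2e3f4a5b6c"      # constructed user ID
    old_only = "c1d2e3f4-0000-4000-8000-000000000003"  # constructed group ID
    group1 = "092555e8-1636-4642-924e-27aef49757fe"    # group1 from the question
    group2 = "b0d42429-67e2-4447-9846-2b001add431f"    # group2 from the question
    for method, path, body in plan_group_changes(
            user, "kim", [group1, old_only], [group1, group2]):
        print(method, path)
        print(json.dumps(body, indent=2))
```

Each tuple maps to one HTTP call against the /Groups endpoint; sending them (authentication, retries, timeouts) is left to the client in use.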