
We are currently implementing SCIM 2.0 based on RFC 7643; our current user database doesn't contain any groups, nor group management, obviously.

We would like to know what is mandatory in order to be compliant with the industry.

Can we simply implement the user endpoints, or shall we implement the group/resources endpoints as well?

Thanks for your help

vaneri2007

1 Answer


The only way to know what is mandatory is to carefully read the relevant RFCs (RFC7643 and RFC7644).

In terms of your specific questions: firstly, whether implementation of groups is mandatory: RFC7643 section 4 says that:

> This section defines the default resource schemas present in a SCIM server. SCIM is not exclusive to these resources and may be extended to support other resource types

In my reading, that implies that support for the Group schema as defined in that RFC in section 4.2, and the "/Groups" endpoint defined in RFC 7644 section 3.2, is mandatory. (Admittedly, the RFCs would be clearer on this point, if they actually used the word "MUST" in those sections.)

However, to my knowledge the SCIM standard nowhere requires that any groups actually exist, nor that any particular client have privilege to create them. So, if your server had a dummy implementation of groups, in which the Group schema exists, along with the /Groups endpoint, but no groups actually exist, and any attempt to create a group results in an HTTP Error 403 – that would comply. Another (somewhat more involved) option might be to have a single group "Everyone" of which everyone is automatically a member, but to reject any attempts to create further groups or remove any user from the "Everyone" group with a 403 error.

You also ask whether the filtering parameters are mandatory. RFC 7644 section 3.4.2.2 states that implementation of the filter= parameter is OPTIONAL. However, the startIndex= and itemsPerPage= parameters are not filtering parameters; rather, they are pagination parameters. [Section 3.4.2.4](https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2.2) defines pagination parameters, and unlike filtering (and sorting), it does not explicitly define it as OPTIONAL, which implies it is mandatory. Furthermore, the service provider config schema (RFC 7643 section 5) defines attributes which the server can use to indicate which optional features it supports (e.g. patch, bulk, filter, sort, etc.); there is no attribute to indicate whether the server implements pagination, which is further evidence that it is mandatory.

Community
Simon Kissane
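The stub /Groups endpoint described in the answer above, sketched as an added example that is not part of the original answer or of any SCIM library. The function names, the default page size of 100 and the framework-free `(status, body)` return shape are assumptions made for illustration.

```python
# Added example: a stub SCIM /Groups collection handler with no stored groups.
# Function names and the (status, body) return shape are hypothetical.
LIST_URN = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_URN = "urn:ietf:params:scim:api:messages:2.0:Error"

GROUPS = []  # constructed: this server never stores any group


def scim_error(status, detail):
    # RFC 7644 section 3.12 error body; "status" carries the HTTP code as a string.
    return status, {"schemas": [ERROR_URN], "status": str(status), "detail": detail}


def _to_int(value, default):
    # Tolerate missing or non-numeric query values instead of raising.
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def list_groups(query):
    # RFC 7644 section 3.4.2.4: the request carries startIndex (1-based) and
    # count; the response reports startIndex and itemsPerPage.
    start = max(_to_int(query.get("startIndex"), 1), 1)   # values below 1 become 1
    count = max(_to_int(query.get("count"), 100), 0)      # 100 is an assumed default
    page = GROUPS[start - 1:start - 1 + count]
    return 200, {
        "schemas": [LIST_URN],
        "totalResults": len(GROUPS),
        "startIndex": start,
        "itemsPerPage": len(page),
        "Resources": page,
    }


def handle_groups(method, query=None, body=None):
    if method == "GET":
        return list_groups(query or {})
    if method == "POST":
        # No client is privileged to create groups, so creation is refused.
        return scim_error(403, "Group creation is not permitted on this server")
    return scim_error(405, "Method not allowed on /Groups")
```

A client that lists groups receives a well-formed, empty ListResponse, and any create attempt is refused with a SCIM error body rather than an unhandled route.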