
I've read RFC 7644 and RFC 7643, and have a few questions.

First: how do I provision entitlements? I see there's a default methodology for provisioning groups and users. That includes a pretty straightforward mechanism for provisioning users' membership in groups, entitlements they have, and roles they have.

I also see that there's a mechanism for creating a group with members in it during provisioning.

What I don't see is a built-in mechanism for creating a group, and linking entitlements to it (or creating entitlements that are then linked to groups).

Do I need to build a custom schema extension for groups? Do I need to build a custom schema for entitlements?

My second question is: how exactly DO I create custom extensions and schemas? The RFCs are pretty vague about how you might do that while being compliant with their standard.

TheMonarch

1 Answer

After re-reading the SCIM standard, I have an answer to at least the first part of my question.

"Group" resources are meant to enable expression of common group-based or role-based access control models, although no explicit authorization model is defined. It is intended that the semantics of group membership, and any behavior or authorization granted as a result of membership, are defined by the service provider; these are considered out of scope for this specification.

What this means is that entitlements granted via membership in a group are out of scope for SCIM. If you want to provision entitlements (or non-Group roles), you need to implement it yourself, or build a custom schema extension/custom schema.

Unfortunately, the RFC has yet to yield how you would actually do that last bit.

TheMonarch
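The second part of the question (how to define a custom extension and stay compliant) does have an answer in RFC 7643, even if it is spread across sections: Section 3.3 says an extension's attributes live under a top-level key equal to the extension's schema URI, and that URI must also appear in the resource's "schemas" array; Section 6 says the ResourceType for /Groups lists permitted extensions in "schemaExtensions"; Section 7 gives the attribute-definition format that /Schemas must serve. The block below is an added example, not code from the original post or from any SCIM implementation. It defines a hypothetical entitlements extension for Group (the URN "urn:example:params:scim:schemas:extension:entitlements:2.0:Group", the attribute names and the sample group are all assumptions), publishes it the way /Schemas and /ResourceTypes would, and validates an incoming Group against it. The validation is the security-relevant part: a service provider that does not tie incoming extension keys back to its published schema will happily store whatever a client sends under a made-up namespace.

```python
# Added example (not from the original post): a custom SCIM schema extension that
# attaches entitlements to a Group, plus the checks a service provider should run
# on incoming resources. The URN, attribute names and sample data are assumptions.
GROUP_CORE = "urn:ietf:params:scim:schemas:core:2.0:Group"  # RFC 7643 section 4.2
ENT_EXT = "urn:example:params:scim:schemas:extension:entitlements:2.0:Group"  # hypothetical


def string_attr(name, required=False, canonical=None):
    """Build a SCIM string attribute definition (RFC 7643 section 7 characteristics)."""
    attr = {"name": name, "type": "string", "multiValued": False, "required": required,
            "mutability": "readWrite", "returned": "default", "caseExact": True,
            "uniqueness": "none"}
    if canonical:
        attr["canonicalValues"] = canonical
    return attr


# What GET /Schemas/<ENT_EXT> would return for this (assumed) extension.
ENTITLEMENT_EXTENSION_SCHEMA = {
    "id": ENT_EXT,
    "name": "GroupEntitlements",
    "description": "Entitlements granted by membership in the group (custom extension).",
    "attributes": [{
        "name": "entitlements", "type": "complex", "multiValued": True, "required": False,
        "mutability": "readWrite", "returned": "default",
        "subAttributes": [string_attr("value", required=True), string_attr("display"),
                          string_attr("type", canonical=["application", "api"])],
    }],
}
EXTENSION_SCHEMAS = {ENT_EXT: ENTITLEMENT_EXTENSION_SCHEMA}

# What GET /ResourceTypes/Group would return: core schema plus the registered extension.
GROUP_RESOURCE_TYPE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
    "id": "Group", "name": "Group", "endpoint": "/Groups", "schema": GROUP_CORE,
    "schemaExtensions": [{"schema": ENT_EXT, "required": False}],
}

# Constructed sample: a Group as a client would POST it to /Groups.
SAMPLE_GROUP = {
    "schemas": [GROUP_CORE, ENT_EXT],
    "displayName": "Billing Admins",
    "members": [{"value": "e9e30dba-f08f-4109-8486-d5c6a331660a", "display": "B. Jensen"}],
    ENT_EXT: {"entitlements": [{"value": "billing:refund", "type": "application"}]},
}


def check_attributes(body, attr_defs, path):
    """Compare a (sub)resource against attribute definitions; return problem strings."""
    problems = []
    defs = {a["name"]: a for a in attr_defs}
    for name in body:
        if name not in defs:
            problems.append(f"{path}: unknown attribute '{name}'")
    for name, d in defs.items():
        if name not in body:
            if d["required"]:
                problems.append(f"{path}: required attribute '{name}' missing")
            continue
        value = body[name]
        if d["multiValued"] and not isinstance(value, list):
            problems.append(f"{path}.{name}: must be a list")
            continue
        for item in value if d["multiValued"] else [value]:
            if d["type"] == "complex":
                if isinstance(item, dict):
                    problems += check_attributes(item, d["subAttributes"], f"{path}.{name}")
                else:
                    problems.append(f"{path}.{name}: complex value must be an object")
            elif not isinstance(item, str):
                problems.append(f"{path}.{name}: expected a string")
            elif "canonicalValues" in d and item not in d["canonicalValues"]:
                problems.append(f"{path}.{name}: '{item}' is not a canonical value")
    return problems


def validate_group(resource, resource_type=GROUP_RESOURCE_TYPE, extension_schemas=EXTENSION_SCHEMAS):
    """Return problems with a Group resource; an empty list means accept it.

    Enforces RFC 7643 section 3.3: every extension namespace used as a top-level key
    must be listed in "schemas", must be registered in the ResourceType, and its
    contents must match the published schema definition (unknown attributes are
    rejected so a client cannot store data the provider never declared).
    """
    problems = []
    declared = set(resource.get("schemas", []))
    allowed = {e["schema"]: e["required"] for e in resource_type.get("schemaExtensions", [])}
    if resource_type["schema"] not in declared:
        problems.append(f"schemas must include core schema {resource_type['schema']}")
    for uri in declared - {resource_type["schema"]}:
        if uri not in allowed:
            problems.append(f"extension {uri} is not registered for {resource_type['id']}")
    for key in resource:
        if key.startswith("urn:") and key not in declared:
            problems.append(f"extension {key} used but not listed in schemas")
    for uri, required in allowed.items():
        if uri not in resource:
            if required:
                problems.append(f"required extension {uri} missing")
            continue
        if not isinstance(resource[uri], dict):
            problems.append(f"{uri}: extension value must be an object")
            continue
        problems += check_attributes(resource[uri], extension_schemas[uri]["attributes"], uri)
    return problems


if __name__ == "__main__":
    print(validate_group(SAMPLE_GROUP))  # [] for the constructed sample
```

Provisioning an entitlement onto a group is then an ordinary PATCH (RFC 7644 section 3.5.2) whose path is prefixed with the extension URI, for example "urn:example:params:scim:schemas:extension:entitlements:2.0:Group:entitlements". Whether a member actually receives anything because of that entitlement remains, as the answer above quotes, the service provider's business.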