Network Working Group                                    K. Grizzle, Ed.
Internet-Draft                                                 SailPoint
Intended status: Standards Track                                B. Yoder
Expires: March 31, 2018                                         Thycotic
                                                                J. Jones
                                                                  Bomgar
                                                            P. Lieberman
                                                               Lieberman
                                                      September 27, 2017


           SCIM Extension for Privileged Access Management
                    draft-grizzle-scim-pam-ext-00

Abstract

   The System for Cross-domain Identity Management (SCIM) specification
   [RFC7643] provides schemas that represent common identity information
   about users and groups.  Privileged Access Management (PAM) software
   typically makes use of common user and group models - as well as
   defining additional constructs - to provide fine-grained
   authorization and management for privileged access.

   This document contains a SCIM 2.0 extension for Privileged Access
   Management, which includes extensions to the core User and Group
   objects, and new resource types and schemas for standard Privileged
   Access Management constructs.  This extension is intended to provide
   greater interoperability between PAM software and clients, a common
   language for PAM concepts, and a baseline that can be further
   extended to support more complex PAM requirements.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 31, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Overview
     1.1.  Definitions
     1.2.  Requirements Notation and Conventions
   2.  Core Schema Extensions
     2.1.  Linked Object
       2.1.1.  Example
       2.1.2.  Considerations for External Groups
   3.  Additional ResourceTypes and Schemas
     3.1.  Container
       3.1.1.  Resource Type
       3.1.2.  Schema
       3.1.3.  Example
     3.2.  PrivilegedData
       3.2.1.  Resource Type
       3.2.2.  Schema
       3.2.3.  Example
     3.3.  ContainerPermission
       3.3.1.  Resource Type
       3.3.2.  Schema
       3.3.3.  Example
     3.4.  PrivilegedDataPermission
       3.4.1.  Resource Type
       3.4.2.  Schema
       3.4.3.  Example
   4.  Normative References
   Authors' Addresses

1.  Overview

   Most Privileged Access Management (PAM) software contains external
   APIs that can be used to manage users, groups, privileged access, and
   authorization to privileged data.  However, these APIs are not
   consistent across different software (e.g., some software uses REST
   and some uses SOAP), and each API exposes different functionality.
   This makes it difficult for a client to externally manage multiple
   PAM providers.

   The System for Cross-domain Identity Management (SCIM) specification
   provides schemas that represent common identity information about
   users and groups.  Privileged Access Management (PAM) software
   typically makes use of common user and group models - as well as
   defining additional constructs - to provide fine-grained
   authorization and management for privileged access.

   This document contains a SCIM 2.0 extension for Privileged Access
   Management, which includes extensions to the core User and Group
   objects, and new resource types and schemas for standard Privileged
   Access Management constructs.  This extension is intended to provide
   greater interoperability between PAM software and clients, a common
   language for PAM concepts, and a baseline that can be further
   extended to support more complex PAM requirements.

   Some providers may not support all of the endpoints or data
   described in this extension.  When this is encountered, the PAM
   provider can safely treat those endpoints or data as optional.

1.1.  Definitions

   User:  A user account that can be used to access the PAM system to
      manage or access privileged data.  This user can either exist only
      in the PAM system or can be an external user that is defined in
      another system (e.g., Active Directory or LDAP).

   Group:  A group of users or other groups that can be used to govern
      access within the PAM system.  This group can either exist only in
      the PAM system or can be an external group that is defined in
      another system (e.g., Active Directory or LDAP).

   Container:  A Container is a logical grouping of privileged data
      (credentials, etc.) that can be used for organizational or
      operational purposes.  Access control lists (ACLs) can be applied
      to a container to control which users and groups have permissions
      to the privileged data in the container.

   Privileged Data:  Privileged data is secret information that is
      protected by the PAM system (e.g., credentials for a privileged
      account, an SSH key, etc.).  Privileged data MAY be stored
      inside of a Container, but does not have to be.  Access control
      lists (ACLs) can be applied to privileged data to control which
      users and groups have permissions to the privileged data.  More
      often, the ACL information is inherited from the container.

   Access Control List (ACL):  An access control list can be associated
      with a Container or Privileged Data.  This contains information
      about which users and groups have access to the Container or
      Privileged Data, and what rights they have.

   External Store:  An external store is a system that contains users
      and groups (e.g., Active Directory or LDAP) that can be used by a
      PAM system.  This allows using existing infrastructure and group
      definitions to provide authorization, authentication, and
      information within a PAM system.

1.2.  Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Throughout this document, values are quoted to indicate that they are
   to be taken literally.  When using these values in protocol messages,
   the quotes MUST NOT be used as part of the value.

2.  Core Schema Extensions

   In a PAM system, users and groups can either be locally or externally
   defined.  When local, the user or group exists only on the PAM
   system.  When external, the user or group is defined in an External
   Store, and is somehow synchronized into the PAM system.  In this
   case, the PAM system keeps a record of the external user or group,
   along with a reference that can be used to correlate the record back
   to the external store.  To support this, an optional schema extension
   "urn:ietf:params:scim:schemas:pam:1.0:LinkedObject" MAY be added to
   the User and Group resource types.

2.1.  Linked Object

   The "urn:ietf:params:scim:schemas:pam:1.0:LinkedObject" schema
   contains the following attributes.

   source  The name of the External Store from which the User or Group
      came.  If this is a local User or Group, this is null.  Required
      if nativeIdentifier is non-null.

   nativeIdentifier  The unique identifier of the User or Group in the
      External Store (e.g., an LDAP distinguished name).  If this is a
      local User or Group, this is null.  Required if source is
      non-null.

2.1.1.  Example

   The following is a non-normative example of a User with the
   LinkedObject extension.

   {
     "schemas": [
       "urn:ietf:params:scim:schemas:core:2.0:User",
       "urn:ietf:params:scim:schemas:pam:1.0:LinkedObject"
     ],
     "id": "2819c223-7f76-453a-919d-413861904646",
     "userName": "bjensen",
     "name": {
       "formatted": "Ms. Barbara J Jensen, III",
       "givenName": "Barbara",
       "familyName": "Jensen",
       "middleName": "Jane",
       "honorificPrefix": "Ms.",
       "honorificSuffix": "III"
     },
     "displayName": "Babs Jensen",
     "emails": [
       {
         "value": "bjensen@example.com",
         "type": "work",
         "primary": true
       },
       {
         "value": "babs@jensen.org",
         "type": "home"
       }
     ],
     "active": true,
     "groups": [
       {
         "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
         "$ref": "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
         "display": "Tour Guides",
         "type": "direct"
       },
       {
         "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "$ref": "https://example.com/v2/Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "display": "Employees",
         "type": "indirect"
       }
     ],
     "urn:ietf:params:scim:schemas:pam:1.0:LinkedObject": {
       "source": "Corporate Active Directory",
       "nativeIdentifier": "cn=Barbara Jensen,ou=Users,dc=example,dc=com"
     },
     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22.000Z",
       "lastModified": "2011-05-13T04:42:34.000Z",
       "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
     }
   }

2.1.2.  Considerations for External Groups

   Members of external groups are stored and managed on the External
   Store, and not in the PAM system.  As a result, the User and Group
   representations returned by the PAM system MAY return empty values
   for the "groups" and "members" attributes, respectively.
   Additionally, the PAM system MAY choose to return an error response
   with the 400 status code and "invalidSyntax" error type for requests
   that attempt to modify or create a group with an invalid
   configuration.  Examples include, but are not limited to:

   o  An external group with any members.

   o  An external group with local Users or Groups as members.

   o  A local group with external Users or Groups as members.

3.  Additional ResourceTypes and Schemas

   PAM systems define additional constructs to provide enhanced
   authorization, authentication, and management for privileged data.
   To support this, the SCIM PAM extension defines additional
   ResourceTypes and Schemas that MAY be implemented by the service
   provider.  If implemented, these ResourceTypes SHOULD support all
   SCIM operations [RFC7644].  All attributes defined in the schemas are
   optional unless explicitly marked as REQUIRED.

3.1.  Container

   A Container is a logical grouping of privileged data that can be used
   for organizational or operational purposes.

3.1.1.  Resource Type

   The Container ResourceType supports reading and managing containers,
   and has the following properties.

   Name:  Container

   Endpoint:  /Containers

   Schema:  urn:ietf:params:scim:schemas:pam:1.0:Container

3.1.1.1.  Filtering

   Clients may have a reference to the Container name but not the ID.
   For this reason, it is RECOMMENDED that service providers implement
   filtering that allows equality matching on the "name" attribute.
   Example (note that escaping has been removed for readability):

   GET /scim/v2/Containers?filter=name eq 'Admin Accounts'

3.1.2.  Schema

   The "urn:ietf:params:scim:schemas:pam:1.0:Container" schema defines
   all common attributes for a Container.

   id  The unique identifier of the Container.  REQUIRED

   name  The name of the Container.  REQUIRED

   displayName  The display name of the Container.  If null, the name
      should be used as the display name.

   description  The description of the Container.

   type  The type of container.  There are no canonical values defined
      for type, but service providers MAY choose to define the valid
      types.  Optional if the PAM system does not support multiple types
      of Containers.
   parent  A complex attribute that defines the parent Container of this
      Container if the service provider supports hierarchies of
      containers.  The following sub-attributes are defined.

      value  The ID of the Container that is the parent of this
         Container in the hierarchy.

      $ref  A URI reference to the Container that is the parent of this
         Container in the hierarchy.

      display  The display name of the Container that is the parent of
         this Container in the hierarchy.

   owner  A complex attribute that defines the User that is the owner of
      this Container.  The following sub-attributes are defined.

      value  The ID of the User that owns this Container.

      $ref  A URI reference to the User that owns this Container.

      display  The display name of the user that owns this Container.

   privilegedData  A multi-valued complex attribute that contains the
      PrivilegedData that resides in this Container.  Service providers
      MAY choose to make this attribute have a "returned" value of
      "request" if the list of privileged data could be very large.
      Using this option will prevent this attribute from being returned
      upon retrieval unless explicitly requested using the "attributes"
      query parameter.  The following sub-attributes are defined.

      value  The ID of the PrivilegedData.

      $ref  A URI reference to the PrivilegedData.

      display  The displayable value of the PrivilegedData.

      type  The type of the PrivilegedData.

3.1.3.  Example

   The following is a non-normative example of a Container.
   {
     "schemas": [
       "urn:ietf:params:scim:schemas:pam:1.0:Container"
     ],
     "id": "ab8e901-883f-4109-8486-bab810943d93e",
     "name": "prodDBAAccounts",
     "displayName": "Production DBA Accounts",
     "description": "This contains all DBA accounts for the production environment.",
     "type": "safe",
     "parent": {
       "value": "78234914-7fb3-828e-7281-87234abe8300",
       "$ref": "https://example.com/v2/Containers/78234914-7fb3-828e-7281-87234abe8300",
       "display": "Root Container"
     },
     "owner": {
       "value": "2819c223-7f76-453a-919d-413861904646",
       "$ref": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
       "display": "Babs Jensen"
     },
     "privilegedData": [
       {
         "value": "d973b5-8834f-1784-8734-caf833e9b3efa",
         "$ref": "https://example.com/v2/PrivilegedData/d973b5-8834f-1784-8734-caf833e9b3efa",
         "display": "root @ Oracle Financials Warehouse",
         "type": "credential"
       },
       {
         "value": "d249e9-92759-7883-88723-fa390734beba",
         "$ref": "https://example.com/v2/PrivilegedData/d249e9-92759-7883-88723-fa390734beba",
         "display": "root @ Enterprise Purchase Ordering",
         "type": "credential"
       }
     ],
     "meta": {
       "resourceType": "Container",
       "created": "2010-01-23T04:56:22.000Z",
       "lastModified": "2011-05-13T04:42:34.000Z",
       "location": "https://example.com/v2/Containers/ab8e901-883f-4109-8486-bab810943d93e"
     }
   }

3.2.  PrivilegedData

   Privileged data is secret information that is protected by the PAM
   system (e.g., credentials for a privileged account, an SSH key,
   etc.).  Privileged data MAY be stored inside of a Container, but
   does not have to be.

3.2.1.  Resource Type

   The PrivilegedData ResourceType supports reading and managing
   privileged data, and has the following properties.

   Name:  PrivilegedData

   Endpoint:  /PrivilegedData

   Schema:  urn:ietf:params:scim:schemas:pam:1.0:PrivilegedData

3.2.2.  Schema

   The "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedData" schema
   defines all common attributes for a PrivilegedData.

   id  The unique identifier of the PrivilegedData.  REQUIRED

   name  A descriptive name for this piece of PrivilegedData.  For
      example, root@mylinuxhost.  REQUIRED

   description  A description for this piece of PrivilegedData.

   type  The type of PrivilegedData.  The value will be dependent on
      what is supported by the PAM system.  Examples include
      'credential', 'ssh key', 'file', etc.

3.2.3.  Example

   The following is a non-normative example of a PrivilegedData.

   {
     "schemas": [
       "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedData"
     ],
     "id": "d973b5-8834f-1784-8734-caf833e9b3efa",
     "name": "root @ Oracle Financials Warehouse",
     "description": "Full access to the Oracle Financials Warehouse database.",
     "type": "credential",
     "meta": {
       "resourceType": "PrivilegedData",
       "created": "2010-01-23T04:56:22.000Z",
       "lastModified": "2011-05-13T04:42:34.000Z",
       "location": "https://example.com/v2/PrivilegedData/d973b5-8834f-1784-8734-caf833e9b3efa"
     }
   }

3.3.  ContainerPermission

   A ContainerPermission contains authorization information that
   describes which rights a User or Group has on a Container.  This is a
   piece of an Access Control List that contains all information about a
   specific User or Group in relation to a specific Container.
   Typically, permissions that are granted on a Container apply to all
   privileged data that resides in the container.

3.3.1.  Resource Type

   The ContainerPermission ResourceType supports reading and managing
   permissions that a User or Group has on a Container, and has the
   following properties.

   Name:  ContainerPermission

   Endpoint:  /ContainerPermissions

   Schema:  urn:ietf:params:scim:schemas:pam:1.0:ContainerPermission

3.3.1.1.  Filtering

   It is expected that clients will need to find the permissions on a
   specific Container that are granted to a specific User or Group.  For
   this reason, it is RECOMMENDED that service providers implement
   filtering that allows equality matching on the "container.value",
   "user.value", and "group.value" attributes.  Example (note that
   escaping has been removed and newlines added for readability):

   GET /scim/v2/ContainerPermissions?
     filter=container.value eq '8729e778-9af6-874c-778a3-783956810384' and
     user.value eq '2819c223-7f76-453a-919d-413861904646'

3.3.2.  Schema

   The "urn:ietf:params:scim:schemas:pam:1.0:ContainerPermission" schema
   defines all common attributes for a ContainerPermission.

   id  The unique identifier of the ContainerPermission.  REQUIRED

   container  A complex attribute that references the Container that
      these permissions apply to.  The following sub-attributes are
      defined.  REQUIRED

      value  The ID of the Container that these permissions apply to.

      $ref  A URI reference to the Container that these permissions
         apply to.

      name  The name of the Container that these permissions apply to.

      display  The display name of the Container that these permissions
         apply to.

   user  A complex attribute that references the User that these
      permissions apply to.  Either this attribute or "group" is
      required.  The following sub-attributes are defined.

      value  The ID of the User that these permissions apply to.

      $ref  A URI reference to the User that these permissions apply to.

      display  The display name of the User that these permissions apply
         to.

   group  A complex attribute that references the Group that these
      permissions apply to.  Either this attribute or "user" is
      required.  The following sub-attributes are defined.

      value  The ID of the Group that these permissions apply to.

      $ref  A URI reference to the Group that these permissions apply
         to.
      display  The display name of the Group that these permissions
         apply to.

   rights  An array of strings that are the names of the rights that the
      User or Group has on this Container.  There are no canonical
      values defined for rights, and these will vary between service
      providers.

3.3.3.  Example

   The following is a non-normative example of a ContainerPermission.

   {
     "schemas": [
       "urn:ietf:params:scim:schemas:pam:1.0:ContainerPermission"
     ],
     "id": "c387432-78823-87234-7832-93c9ae93745e",
     "container": {
       "value": "ab8e901-883f-4109-8486-bab810943d93e",
       "$ref": "https://example.com/v2/Containers/ab8e901-883f-4109-8486-bab810943d93e",
       "display": "Production DBA Accounts",
       "name": "prodDBAAccounts"
     },
     "user": {
       "value": "2819c223-7f76-453a-919d-413861904646",
       "$ref": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
       "display": "Babs Jensen"
     },
     "rights": [
       "Connect",
       "List Accounts",
       "View Password"
     ],
     "meta": {
       "resourceType": "ContainerPermission",
       "created": "2010-01-23T04:56:22.000Z",
       "lastModified": "2011-05-13T04:42:34.000Z",
       "location": "https://example.com/v2/ContainerPermissions/c387432-78823-87234-7832-93c9ae93745e"
     }
   }

3.4.  PrivilegedDataPermission

   A PrivilegedDataPermission contains authorization information that
   describes which rights a User or Group has on a PrivilegedData.  This
   is a piece of an Access Control List that contains all information
   about a specific User or Group in relation to a specific piece of
   privileged data.  This resource type and schema are OPTIONAL if the
   service provider does not support permissions on privileged data.

3.4.1.  Resource Type

   The PrivilegedDataPermission ResourceType supports reading and
   managing permissions that a User or Group has on a PrivilegedData,
   and has the following properties.
   Name:  PrivilegedDataPermission

   Endpoint:  /PrivilegedDataPermissions

   Schema:  urn:ietf:params:scim:schemas:pam:1.0:PrivilegedDataPermission

3.4.1.1.  Filtering

   It is expected that clients will need to find the permissions on a
   specific PrivilegedData that are granted to a specific User or Group.
   For this reason, it is RECOMMENDED that service providers implement
   filtering that allows equality matching on the
   "privilegedData.value", "user.value", and "group.value" attributes.
   Example (note that escaping has been removed and newlines added for
   readability):

   GET /scim/v2/PrivilegedDataPermissions?
     filter=privilegedData.value eq '2746c134-59e8-848a-874d3-782303476812' and
     user.value eq '2819c223-7f76-453a-919d-413861904646'

3.4.2.  Schema

   The "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedDataPermission"
   schema defines all common attributes for a PrivilegedDataPermission.

   id  The unique identifier of the PrivilegedDataPermission.  REQUIRED

   privilegedData  A complex attribute that references the
      PrivilegedData that these permissions apply to.  The following
      sub-attributes are defined.  REQUIRED

      value  The ID of the PrivilegedData that these permissions apply
         to.

      $ref  A URI reference to the PrivilegedData that these permissions
         apply to.

      display  The display name of the PrivilegedData that these
         permissions apply to.

   user  A complex attribute that references the User that these
      permissions apply to.  Either this attribute or "group" is
      required.  The following sub-attributes are defined.

      value  The ID of the User that these permissions apply to.

      $ref  A URI reference to the User that these permissions apply to.

      display  The display name of the User that these permissions apply
         to.

   group  A complex attribute that references the Group that these
      permissions apply to.  Either this attribute or "user" is
      required.  The following sub-attributes are defined.

      value  The ID of the Group that these permissions apply to.

      $ref  A URI reference to the Group that these permissions apply
         to.

      display  The display name of the Group that these permissions
         apply to.

   rights  An array of strings that are the names of the rights that the
      User or Group has on this PrivilegedData.  There are no canonical
      values defined for rights, and these will vary between service
      providers.

3.4.3.  Example

   The following is a non-normative example of a
   PrivilegedDataPermission.

   {
     "schemas": [
       "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedDataPermission"
     ],
     "id": "f823414-872344-77381-ab93489d83ea87",
     "privilegedData": {
       "value": "d973b5-8834f-1784-8734-caf833e9b3efa",
       "$ref": "https://example.com/v2/PrivilegedData/d973b5-8834f-1784-8734-caf833e9b3efa",
       "display": "root @ Oracle Financials Warehouse"
     },
     "group": {
       "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
       "$ref": "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
       "display": "Tour Guides"
     },
     "rights": [
       "Connect",
       "View Password"
     ],
     "meta": {
       "resourceType": "PrivilegedDataPermission",
       "created": "2010-01-23T04:56:22.000Z",
       "lastModified": "2011-05-13T04:42:34.000Z",
       "location": "https://example.com/v2/PrivilegedDataPermissions/f823414-872344-77381-ab93489d83ea87"
     }
   }

4.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7643]  Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C.
              Mortimore, "System for Cross-domain Identity Management:
              Core Schema", RFC 7643, DOI 10.17487/RFC7643, September
              2015.

   [RFC7644]  Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
              and C. Mortimore, "System for Cross-domain Identity
              Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
              September 2015.

Authors' Addresses

   Kelly Grizzle (editor)
   SailPoint

   Email: kelly.grizzle@sailpoint.com


   Benjamin Yoder
   Thycotic

   Email: ben.yoder@thycotic.com


   Jason Jones
   Bomgar

   Email: jjones@bomgar.com


   Philip Lieberman
   Lieberman Software

   Email: phil@liebsoft.com
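Worked example for Sections 2.1 and 2.1.2, added by the editor and not part of the draft: a service-provider-side validator that enforces the LinkedObject pairing rule (source and nativeIdentifier are each required when the other is non-null) and the three invalid group configurations the draft lists, producing the 400 "invalidSyntax" error the draft permits. The sample User and Group resources are constructed from the draft's example ids plus a made-up local user and local group; the SCIM Error response shape follows RFC 7644. Resolving a member reference through an in-memory `directory` dict is an assumption standing in for the provider's own lookup.

```python
"""Validate the LinkedObject extension (Section 2.1) and the external/local
group membership rules (Section 2.1.2).  Editor-added illustration."""
from __future__ import annotations

LINKED = "urn:ietf:params:scim:schemas:pam:1.0:LinkedObject"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"   # RFC 7644 error response


def is_external(resource: dict) -> bool:
    """A User or Group is external when its LinkedObject carries a non-null
    nativeIdentifier; a null/absent extension means it is local."""
    ext = resource.get(LINKED) or {}
    return ext.get("nativeIdentifier") is not None


def linked_object_errors(resource: dict) -> list[str]:
    """Section 2.1: each of source / nativeIdentifier is required when the
    other one is set.  Returns a list of human-readable problems."""
    ext = resource.get(LINKED)
    if ext is None:
        return []
    source, native = ext.get("source"), ext.get("nativeIdentifier")
    errors = []
    if native is not None and not source:
        errors.append("LinkedObject.source is required when nativeIdentifier is set")
    if source is not None and not native:
        errors.append("LinkedObject.nativeIdentifier is required when source is set")
    return errors


def group_config_errors(group: dict, directory: dict) -> list[str]:
    """Section 2.1.2: an external group must carry no members at all (they live
    in the External Store); a local group must not contain external members.
    `directory` (assumed lookup) maps resource id -> resource."""
    errors = linked_object_errors(group)
    members = group.get("members") or []
    if is_external(group):
        if members:
            errors.append("external group must not carry members")
        return errors
    for m in members:
        target = directory.get(m.get("value"))
        if target is None:
            errors.append(f"member {m.get('value')!r} does not exist")
        elif is_external(target):
            errors.append(f"local group must not contain external member {m['value']!r}")
    return errors


def scim_error(errors: list[str]) -> dict | None:
    """Wrap failures in the 400/invalidSyntax response; None means accept."""
    if not errors:
        return None
    return {"schemas": [ERROR_SCHEMA], "status": "400",
            "scimType": "invalidSyntax", "detail": "; ".join(errors)}


# Constructed sample resources (ids for bjensen / Tour Guides come from the draft).
BJENSEN = {"id": "2819c223-7f76-453a-919d-413861904646", "userName": "bjensen",
           LINKED: {"source": "Corporate Active Directory",
                    "nativeIdentifier": "cn=Barbara Jensen,ou=Users,dc=example,dc=com"}}
LOCAL_ADMIN = {"id": "local-admin-1", "userName": "padmin"}          # constructed local user
DIRECTORY = {BJENSEN["id"]: BJENSEN, LOCAL_ADMIN["id"]: LOCAL_ADMIN}

AD_GROUP = {"id": "e9e30dba-f08f-4109-8486-d5c6a331660a", "displayName": "Tour Guides",
            LINKED: {"source": "Corporate Active Directory",
                     "nativeIdentifier": "cn=Tour Guides,ou=Groups,dc=example,dc=com"},
            "members": [{"value": BJENSEN["id"]}]}     # invalid: external group with members
LOCAL_GROUP = {"id": "local-group-1", "displayName": "PAM Operators",
               "members": [{"value": LOCAL_ADMIN["id"]},
                           {"value": BJENSEN["id"]}]}  # invalid: external member in local group
HALF_LINKED = {"id": "local-user-2", "userName": "orphan",
               LINKED: {"source": None,
                        "nativeIdentifier": "cn=x,dc=example,dc=com"}}  # invalid: source missing

if __name__ == "__main__":
    for res in (AD_GROUP, LOCAL_GROUP, HALF_LINKED):
        errs = (group_config_errors(res, DIRECTORY) if "members" in res
                else linked_object_errors(res))
        print(res["id"], scim_error(errs))
```

The validator runs on every create or replace of a Group and on every User write that carries the extension; rejecting the half-linked record matters because a User with a nativeIdentifier but no source cannot be correlated back to any External Store, which defeats the purpose of the extension.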
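Worked example for the filtering recommendations in Sections 3.1.1.1, 3.3.1.1 and 3.4.1.1, added by the editor and not part of the draft: a small client-side builder for the equality filters those sections recommend, with the quoting and URL escaping the draft's examples leave out for readability. Values are encoded as JSON strings, which is the string form in the RFC 7644 filter grammar (the draft's examples show single quotes), and attribute paths are checked against a pattern, so a caller-supplied name such as `x" or id pr` stays inside the string literal rather than widening the search. The base URL and the `attributes=privilegedData` helper (for providers that return that attribute only on request, Section 3.1.2) are assumptions for the example.

```python
"""Build correctly quoted and percent-encoded SCIM equality filters for the
Container, ContainerPermission and PrivilegedDataPermission endpoints.
Editor-added illustration."""
from __future__ import annotations

import json
import re
from urllib.parse import urlencode

BASE_URL = "https://example.com/scim/v2"   # constructed base URL, not from the draft
# Attribute paths such as "name" or "container.value": letters, digits, '-', '_', dots.
ATTR_PATH = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*(\.[A-Za-z][A-Za-z0-9_-]*)*$")


def is_safe_attr(attr: str) -> bool:
    """Reject attribute paths that could smuggle operators into the filter."""
    return ATTR_PATH.match(attr) is not None


def eq_clause(attr: str, value: str) -> str:
    """One `attr eq "value"` clause.  json.dumps escapes embedded quotes, so the
    value cannot terminate the literal and append its own operators."""
    if not is_safe_attr(attr):
        raise ValueError(f"illegal attribute path: {attr!r}")
    return f"{attr} eq {json.dumps(value)}"


def and_filter(**criteria: str) -> str:
    """Join equality clauses with `and`; keyword container_value maps to the
    sub-attribute path container.value."""
    return " and ".join(eq_clause(k.replace("_", "."), v) for k, v in criteria.items())


def search_url(endpoint: str, filter_expr: str,
               attributes: list[str] | None = None) -> str:
    """Percent-encode the query so spaces, quotes and '&' inside values survive;
    `attributes` explicitly requests attributes with returned=request."""
    params = {"filter": filter_expr}
    if attributes:
        params["attributes"] = ",".join(attributes)
    return f"{BASE_URL}/{endpoint}?{urlencode(params)}"


def container_by_name(name: str, with_privileged_data: bool = False) -> str:
    """Section 3.1.1.1: look a Container up by its name."""
    attrs = ["privilegedData"] if with_privileged_data else None
    return search_url("Containers", eq_clause("name", name), attrs)


def container_permissions_for_user(container_id: str, user_id: str) -> str:
    """Section 3.3.1.1: permissions of one User on one Container."""
    return search_url("ContainerPermissions",
                      and_filter(container_value=container_id, user_value=user_id))


def privileged_data_permissions_for_group(pd_id: str, group_id: str) -> str:
    """Section 3.4.1.1: permissions of one Group on one PrivilegedData."""
    return search_url("PrivilegedDataPermissions",
                      and_filter(privilegedData_value=pd_id, group_value=group_id))


if __name__ == "__main__":
    print(container_by_name("Admin Accounts"))
    print(container_permissions_for_user("8729e778-9af6-874c-778a3-783956810384",
                                         "2819c223-7f76-453a-919d-413861904646"))
    print(eq_clause("name", 'x" or id pr'))   # hostile value stays inside the literal
```

On the provider side the same concern applies in reverse: the filter parser should treat the quoted value as opaque data and never interpolate it into a backend query.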
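Worked example for Sections 3.3 and 3.4 (and the ACL inheritance described in Section 1.1), added by the editor and not part of the draft: resolving a user's effective rights on a PrivilegedData from the ContainerPermission and PrivilegedDataPermission resources, following the draft's statement that rights granted on a Container apply to the privileged data it contains. The sample resources reuse the draft's example ids but the grants themselves are constructed (Babs has only "Connect" and "List Accounts" on the container, so "View Password" on one secret comes from a group grant). Assumptions: a PrivilegedData belongs to at most one Container (taken from the Container's privilegedData list), rights union across direct and group grants, and, because the draft does not say whether rights flow down a parent hierarchy, parent Containers are deliberately not consulted.

```python
"""Effective-rights resolution over ContainerPermission and
PrivilegedDataPermission resources.  Editor-added illustration."""
from __future__ import annotations

# Ids from the draft's examples; the grants below are constructed.
BABS = "2819c223-7f76-453a-919d-413861904646"
GUIDES = "e9e30dba-f08f-4109-8486-d5c6a331660a"
EMPLOYEES = "fc348aa8-3835-40eb-a20b-c726e15c55b5"
ORACLE_ROOT = "d973b5-8834f-1784-8734-caf833e9b3efa"
PURCHASING_ROOT = "d249e9-92759-7883-88723-fa390734beba"
PROD_DBA = "ab8e901-883f-4109-8486-bab810943d93e"

CONTAINERS = [{"id": PROD_DBA, "name": "prodDBAAccounts",
               "privilegedData": [{"value": ORACLE_ROOT}, {"value": PURCHASING_ROOT}]}]
CONTAINER_PERMISSIONS = [
    {"container": {"value": PROD_DBA}, "user": {"value": BABS},
     "rights": ["Connect", "List Accounts"]},
    {"container": {"value": PROD_DBA}, "group": {"value": EMPLOYEES},
     "rights": ["List Accounts"]},
]
PRIVILEGED_DATA_PERMISSIONS = [
    {"privilegedData": {"value": ORACLE_ROOT}, "group": {"value": GUIDES},
     "rights": ["Connect", "View Password"]},
]
# Group membership as each User resource's "groups" attribute reports it
# (the draft's example User is in Tour Guides and Employees; local-admin-1 is constructed).
USER_GROUPS = {BABS: {GUIDES, EMPLOYEES}, "local-admin-1": set()}


def principal(perm: dict) -> tuple[str, str]:
    """Sections 3.3.2 / 3.4.2: exactly one of "user" or "group" is present."""
    if "user" in perm:
        return "user", perm["user"]["value"]
    return "group", perm["group"]["value"]


def container_of(pd_id: str, containers: list[dict]) -> str | None:
    """Find the Container whose privilegedData list references pd_id."""
    for c in containers:
        if any(ref["value"] == pd_id for ref in c.get("privilegedData", [])):
            return c["id"]
    return None


def effective_rights(user_id: str, pd_id: str, *, containers=CONTAINERS,
                     container_perms=CONTAINER_PERMISSIONS,
                     pd_perms=PRIVILEGED_DATA_PERMISSIONS,
                     user_groups=USER_GROUPS) -> set[str]:
    """Union of rights granted to the user, or to any of the user's groups,
    either on the containing Container or directly on the PrivilegedData."""
    principals = {("user", user_id)} | {("group", g) for g in user_groups.get(user_id, ())}
    rights: set[str] = set()
    container = container_of(pd_id, containers)
    for perm in container_perms:
        if perm["container"]["value"] == container and principal(perm) in principals:
            rights.update(perm["rights"])
    for perm in pd_perms:
        if perm["privilegedData"]["value"] == pd_id and principal(perm) in principals:
            rights.update(perm["rights"])
    return rights


def holders_of(right: str, pd_id: str, user_groups=USER_GROUPS) -> set[str]:
    """Entitlement-review view: every known user holding `right` on pd_id."""
    return {u for u in user_groups
            if right in effective_rights(u, pd_id, user_groups=user_groups)}


if __name__ == "__main__":
    print(sorted(effective_rights(BABS, ORACLE_ROOT)))
    print(sorted(effective_rights(BABS, PURCHASING_ROOT)))
    print(holders_of("View Password", ORACLE_ROOT))
```

Because "rights" values are provider-specific (Sections 3.3.2 and 3.4.2), a reviewer comparing two PAM providers through this extension still has to map each provider's right names onto a common vocabulary before the union is meaningful.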