Network Working Group                                    K. Grizzle, Ed.
Internet-Draft                                                 SailPoint
Intended status: Standards Track                                B. Yoder
Expires: April 21, 2018                                         Thycotic
                                                                J. Jones
                                                                  Bomgar
                                                            P. Lieberman
                                                               Lieberman
                                                                E. Nunez
                                                                Cyberark
                                                        October 18, 2017


           SCIM Extension for Privileged Access Management
                     draft-grizzle-scim-pam-ext-01

Abstract

   The System for Cross-domain Identity Management (SCIM) specification,
   RFC 7643, provides schemas that represent common identity information
   about users and groups.  Privileged Access Management (PAM) software
   typically makes use of common user and group models, as well as
   defining additional constructs, to provide fine-grained authorization
   and management for privileged access.

   This document contains a SCIM 2.0 extension for Privileged Access
   Management, which includes extensions to the core User and Group
   objects, and new resource types and schemas for standard Privileged
   Access Management constructs.  This extension is intended to provide
   greater interoperability between PAM software and clients, a common
   language for PAM concepts, and a baseline that can be further
   extended to support more complex PAM requirements.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 21, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Overview
     1.1.  Definitions
     1.2.  Requirements Notation and Conventions
   2.  Core Schema Extensions
     2.1.  Linked Object
       2.1.1.  Example
       2.1.2.  Considerations for External Groups
   3.  Additional ResourceTypes and Schemas
     3.1.  Container
       3.1.1.  Resource Type
       3.1.2.  Schema
       3.1.3.  Example
     3.2.  PrivilegedData
       3.2.1.  Resource Type
       3.2.2.  Schema
       3.2.3.  Example
     3.3.  ContainerPermission
       3.3.1.  Resource Type
       3.3.2.  Schema
       3.3.3.  Example
     3.4.  PrivilegedDataPermission
       3.4.1.  Resource Type
       3.4.2.  Schema
       3.4.3.  Example
   4.  Schema JSON Representations
   5.  Normative References
   Authors' Addresses

1.  Overview

   Most Privileged Access Management (PAM) software contains external
   APIs that can be used to manage users, groups, privileged access, and
   authorization to privileged data.  However, these APIs are not
   consistent across different software (e.g., some software uses REST
   and some uses SOAP), and each API exposes different functionality.
   This makes it difficult for a client to externally manage multiple
   PAM providers.

   The System for Cross-domain Identity Management (SCIM) specification
   [RFC7643] provides schemas that represent common identity information
   about users and groups.  Privileged Access Management (PAM) software
   typically makes use of common user and group models, as well as
   defining additional constructs, to provide fine-grained authorization
   and management for privileged access.

   This document contains a SCIM 2.0 extension for Privileged Access
   Management, which includes extensions to the core User and Group
   objects, and new resource types and schemas for standard Privileged
   Access Management constructs.  This extension is intended to provide
   greater interoperability between PAM software and clients, a common
   language for PAM concepts, and a baseline that can be further
   extended to support more complex PAM requirements.

   Some providers may not support all of the endpoints or data described
   in this extension.  A client that encounters this can safely treat
   the unsupported endpoints or data as optional.

1.1.  Definitions

   User:  A user account that can be used to access the PAM system to
      manage or access privileged data.  This user can either exist only
      in the PAM system or can be an external user that is defined in
      another system (e.g., Active Directory or LDAP).

   Group:  A group of users or other groups that can be used to govern
      access within the PAM system.  This group can either exist only in
      the PAM system or can be an external group that is defined in
      another system (e.g., Active Directory or LDAP).

   Container:  A Container is a logical grouping of privileged data
      (credentials, etc.) that can be used for organizational or
      operational purposes.  Access control lists (ACLs) can be applied
      to a container to control which users and groups have permissions
      to the privileged data in the container.

   Privileged Data:  Privileged data is secret information that is
      protected by the PAM system (e.g., credentials for a privileged
      account, an SSH key, etc.).  Privileged data MAY be stored inside
      of a Container, but does not have to be.  Access control lists
      (ACLs) can be applied to privileged data to control which users
      and groups have permissions to the privileged data.  More often,
      the ACL information is inherited from the container.

   Access Control List (ACL):  An access control list can be associated
      with a Container or Privileged Data.  This contains information
      about which users and groups have access to the Container or
      Privileged Data, and what rights they have.

   External Store:  An External Store is a system that contains users
      and groups (e.g., Active Directory or LDAP) that can be used by a
      PAM system.  This allows using existing infrastructure and group
      definitions to provide authorization, authentication, and
      information within a PAM system.

1.2.  Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Throughout this document, values are quoted to indicate that they are
   to be taken literally.  When using these values in protocol messages,
   the quotes MUST NOT be used as part of the value.

2.  Core Schema Extensions

   In a PAM system, users and groups can either be locally or externally
   defined.  When local, the user or group exists only on the PAM
   system.  When external, the user or group is defined in an External
   Store and is synchronized into the PAM system in some provider-
   specific way.  In this case, the PAM system keeps a record of the
   external user or group, along with a reference that can be used to
   correlate the record back to the External Store.  To support this, an
   optional schema extension
   "urn:ietf:params:scim:schemas:pam:1.0:LinkedObject" SHOULD be added
   to the User and Group resource types.

2.1.  Linked Object

   The "urn:ietf:params:scim:schemas:pam:1.0:LinkedObject" schema
   contains the following attributes.

   source  The name of the External Store from which the User or Group
      came.  If this is a local User or Group, this is null.  Required
      if nativeIdentifier is non-null.

   nativeIdentifier  The unique identifier of the User or Group in the
      External Store (e.g., an LDAP distinguished name).  If this is a
      local User or Group, this is null.  Required if source is
      non-null.

2.1.1.  Example

   The following is a non-normative example of a User with the
   LinkedObject extension.

   {
     "schemas": [
       "urn:ietf:params:scim:schemas:core:2.0:User",
       "urn:ietf:params:scim:schemas:pam:1.0:LinkedObject"
     ],
     "id": "2819c223-7f76-453a-919d-413861904646",
     "userName": "bjensen",
     "name": {
       "formatted": "Ms. Barbara J Jensen, III",
       "givenName": "Barbara",
       "familyName": "Jensen",
       "middleName": "Jane",
       "honorificPrefix": "Ms.",
       "honorificSuffix": "III"
     },
     "displayName": "Babs Jensen",
     "emails": [
       {
         "value": "bjensen@example.com",
         "type": "work",
         "primary": true
       },
       {
         "value": "babs@jensen.org",
         "type": "home"
       }
     ],
     "active": true,
     "groups": [
       {
         "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
         "$ref": "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
         "display": "Tour Guides",
         "type": "direct"
       },
       {
         "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "$ref": "https://example.com/v2/Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "display": "Employees",
         "type": "indirect"
       }
     ],
     "urn:ietf:params:scim:schemas:pam:1.0:LinkedObject": {
       "source": "Corporate Active Directory",
       "nativeIdentifier": "cn=Barbara Jensen,ou=Users,dc=example,dc=com"
     },
     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22.000Z",
       "lastModified": "2011-05-13T04:42:34.000Z",
       "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
     }
   }

2.1.2.  Considerations for External Groups

   Members of external groups are stored and managed on the External
   Store, and not in the PAM system.  As a result, the User and Group
   representations returned by the PAM system MAY return empty values
   for the "groups" and "members" attributes, respectively.
   Additionally, the PAM system MAY choose to return an error response
   with the 400 status code and "invalidSyntax" error type for requests
   that attempt to modify or create a group with an invalid
   configuration.  Examples include, but are not limited to:

   o  An external group with any members.

   o  An external group with local Users or Groups as members.

   o  A local group with external Users or Groups as members.

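   The two rules above, together with the pairing rule for "source" and
   "nativeIdentifier" in Section 2.1, are the checks a service provider
   has to make before it stores a Group.  The following is an added
   example and is not part of this draft: it validates a Group against
   those rules and returns the kind of error response Section 2.1.2
   describes.  The in-memory dictionary that stands in for the
   provider's resource store, the "detail" texts, and the use of
   "invalidValue" for a member that does not exist at all are
   assumptions of the example.

```python
"""Added example (not from the draft): server-side validation of the
LinkedObject extension (2.1) and of the external-group rules (2.1.2)."""

LINKED = "urn:ietf:params:scim:schemas:pam:1.0:LinkedObject"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(detail, scim_type="invalidSyntax", status=400):
    """Error body in the shape defined by RFC 7644 Section 3.12."""
    return {"schemas": [ERROR_SCHEMA], "status": str(status),
            "scimType": scim_type, "detail": detail}


def is_external(resource):
    """True if the User or Group carries a LinkedObject naming an External Store.

    "source" is required when "nativeIdentifier" is set and vice versa, so a
    half-populated extension is rejected instead of being guessed at."""
    ext = resource.get(LINKED) or {}
    source, native = ext.get("source"), ext.get("nativeIdentifier")
    if (source is None) != (native is None):
        raise ValueError("LinkedObject needs both source and nativeIdentifier, or neither")
    return source is not None


def validate_group(group, resources):
    """Return None if the Group may be stored, otherwise a SCIM error response.

    `resources` maps resource id -> User or Group already held by the PAM
    system; it is an assumption standing in for the provider's own store."""
    try:
        external = is_external(group)
    except ValueError as exc:
        return scim_error(str(exc))
    members = group.get("members") or []
    if external and members:
        # Membership of an external group lives in the External Store, so any
        # members supplied here (local or external) are an invalid configuration.
        return scim_error("members of an external group are managed in the External Store")
    for m in members:
        member = resources.get(m.get("value"))
        if member is None:
            # Not one of the draft's listed cases; "invalidValue" is this example's choice.
            return scim_error(f"unknown member {m.get('value')!r}", scim_type="invalidValue")
        try:
            if is_external(member):
                # A local group must not contain external Users or Groups.
                return scim_error(f"member {m['value']!r} is external and cannot "
                                  "belong to a local group")
        except ValueError as exc:
            return scim_error(str(exc))
    return None


# Constructed sample resources. Babs and her id come from the example in 2.1.1;
# the local service account is made up for this example.
BABS = {"id": "2819c223-7f76-453a-919d-413861904646", "userName": "bjensen",
        LINKED: {"source": "Corporate Active Directory",
                 "nativeIdentifier": "cn=Barbara Jensen,ou=Users,dc=example,dc=com"}}
LOCAL_USER = {"id": "6c5bb468-14b2-4183-baf2-06d523e03bd3", "userName": "svc-backup"}
RESOURCES = {BABS["id"]: BABS, LOCAL_USER["id"]: LOCAL_USER}
```

   A provider that synchronizes groups from the External Store would
   run validate_group on every POST, PUT and PATCH that touches
   "members"; the check is cheap because it only looks at the members
   named in the request, not at the whole directory.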
3.  Additional ResourceTypes and Schemas

   PAM systems define additional constructs to provide enhanced
   authorization, authentication, and management for privileged data.
   To support this, the SCIM PAM extension defines additional
   ResourceTypes and Schemas that MAY be implemented by the service
   provider.  If implemented, these ResourceTypes SHOULD support all
   SCIM operations [RFC7644].  All attributes defined in the schemas are
   optional unless explicitly marked as REQUIRED.

3.1.  Container

   A Container is a logical grouping of privileged data that can be used
   for organizational or operational purposes.

3.1.1.  Resource Type

   The Container ResourceType supports reading and managing containers,
   and has the following properties.

   Name:  Container

   Endpoint:  /Containers

   Schema:  urn:ietf:params:scim:schemas:pam:1.0:Container

3.1.1.1.  Filtering

   Clients MAY have a reference to the Container name but not the ID.
   For this reason, it is RECOMMENDED that service providers implement
   filtering that allows equality matching on the "name" attribute.
   Example (string literals in SCIM filters are double-quoted JSON
   strings; URL encoding has been removed for readability):

   GET /scim/v2/Containers?filter=name eq "Admin Accounts"

3.1.2.  Schema

   The "urn:ietf:params:scim:schemas:pam:1.0:Container" schema defines
   all common attributes for a Container.

   id  The unique identifier of the Container.  REQUIRED

   name  The name of the Container.  REQUIRED

   displayName  The display name of the Container.  OPTIONAL.  If
      displayName is unassigned, the name MAY be used as the display
      name.

   description  The description of the Container.  OPTIONAL

   type  The type of container.  There are no canonical values defined
      for type, but service providers MAY choose to define the valid
      types.  OPTIONAL if the PAM system does not support multiple types
      of Containers.

   parent  A complex attribute that defines the parent Container of this
      Container if the service provider supports hierarchies of
      containers.  The following sub-attributes are defined.

      value  The ID of the Container that is the parent of this
         Container in the hierarchy.

      $ref  A URI reference to the Container that is the parent of this
         Container in the hierarchy.

      display  The display name of the Container that is the parent of
         this Container in the hierarchy.

   owner  A complex attribute that defines the User that is the owner of
      this Container.  OPTIONAL.  The following sub-attributes are
      defined.

      value  The ID of the User that owns this Container.

      $ref  A URI reference to the User that owns this Container.

      display  The display name of the User that owns this Container.

   privilegedData  A multi-valued complex attribute that contains the
      PrivilegedData that resides in this Container.  Service providers
      MAY choose to make this attribute have a "returned" value of
      "request" if the list of privileged data could be very large.
      Using this option will prevent this attribute from being returned
      upon retrieval unless explicitly requested using the "attributes"
      query parameter.  The following sub-attributes are defined.

      value  The ID of the PrivilegedData.

      $ref  A URI reference to the PrivilegedData.

      display  The displayable value of the PrivilegedData.

      type  The type of the PrivilegedData.

3.1.3.  Example

   The following is a non-normative example of a Container.

   {
     "schemas": [
       "urn:ietf:params:scim:schemas:pam:1.0:Container"
     ],
     "id": "ab8e901-883f-4109-8486-bab810943d93e",
     "name": "prodDBAAccounts",
     "displayName": "Production DBA Accounts",
     "description": "This contains all DBA accounts for the production environment.",
     "type": "safe",
     "parent": {
       "value": "78234914-7fb3-828e-7281-87234abe8300",
       "$ref": "https://example.com/v2/Containers/78234914-7fb3-828e-7281-87234abe8300",
       "display": "Root Container"
     },
     "owner": {
       "value": "2819c223-7f76-453a-919d-413861904646",
       "$ref": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
       "display": "Babs Jensen"
     },
     "privilegedData": [
       {
         "value": "d973b5-8834f-1784-8734-caf833e9b3efa",
         "$ref": "https://example.com/v2/PrivilegedData/d973b5-8834f-1784-8734-caf833e9b3efa",
         "display": "root @ Oracle Financials Warehouse",
         "type": "credential"
       },
       {
         "value": "d249e9-92759-7883-88723-fa390734beba",
         "$ref": "https://example.com/v2/PrivilegedData/d249e9-92759-7883-88723-fa390734beba",
         "display": "root @ Enterprise Purchase Ordering",
         "type": "credential"
       }
     ],
     "meta": {
       "resourceType": "Container",
       "created": "2010-01-23T04:56:22.000Z",
       "lastModified": "2011-05-13T04:42:34.000Z",
       "location": "https://example.com/v2/Containers/ab8e901-883f-4109-8486-bab810943d93e"
     }
   }

3.2.  PrivilegedData

   Privileged data is secret information that is protected by the PAM
   system (e.g., credentials for a privileged account, an SSH key,
   etc.).  Privileged data MAY be stored inside of a Container, but does
   not have to be.

3.2.1.  Resource Type

   The PrivilegedData ResourceType supports reading and managing
   privileged data, and has the following properties.

   Name:  PrivilegedData

   Endpoint:  /PrivilegedData

   Schema:  urn:ietf:params:scim:schemas:pam:1.0:PrivilegedData

3.2.2.  Schema

   The "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedData" schema
   defines all common attributes for a PrivilegedData.

   id  The unique identifier of the PrivilegedData.  REQUIRED

   name  A descriptive name for this piece of PrivilegedData.  For
      example, root@mylinuxhost.  REQUIRED

   description  A description for this piece of PrivilegedData.

   type  The type of PrivilegedData.  The value will be dependent on
      what is supported by the PAM system.  Examples include
      "credential", "ssh key", "file", etc.  OPTIONAL.

3.2.3.  Example

   The following is a non-normative example of a PrivilegedData.

   {
     "schemas": [
       "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedData"
     ],
     "id": "d973b5-8834f-1784-8734-caf833e9b3efa",
     "name": "root @ Oracle Financials Warehouse",
     "description": "Full access to the Oracle Financials Warehouse database.",
     "type": "credential",
     "meta": {
       "resourceType": "PrivilegedData",
       "created": "2010-01-23T04:56:22.000Z",
       "lastModified": "2011-05-13T04:42:34.000Z",
       "location": "https://example.com/v2/PrivilegedData/d973b5-8834f-1784-8734-caf833e9b3efa"
     }
   }

3.3.  ContainerPermission

   A ContainerPermission contains authorization information that
   describes which rights a User or Group has on a Container.  This is a
   piece of an Access Control List that contains all information about a
   specific User or Group in relation to a specific Container.
   Typically, permissions that are granted on a Container apply to all
   privileged data that resides in the container.

3.3.1.  Resource Type

   The ContainerPermission ResourceType supports reading and managing
   permissions that a User or Group have on a Container, and has the
   following properties.

   Name:  ContainerPermission

   Endpoint:  /ContainerPermissions

   Schema:  urn:ietf:params:scim:schemas:pam:1.0:ContainerPermission

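   The equality filters that Section 3.1.1.1 recommends for Containers,
   and that the Filtering subsections of 3.3 and 3.4 recommend for the
   two permission resources, carry client-supplied identifiers into a
   query expression.  RFC 7644 defines the string literal in a filter as
   a JSON string, so the value has to be double-quoted and any quote or
   backslash inside it escaped; building the filter by plain string
   concatenation lets a hostile value add a second clause.  The
   following is an added example, not code from this draft, of a client
   that builds such filters safely and of the matching service-provider
   side that parses them back and evaluates them.  It handles only the
   subset "attrPath eq string" joined by "and" that the three Filtering
   subsections use; the sample ContainerPermissions are constructed for
   the example (the first reuses the ids from the examples in 3.1.3 and
   3.3.3, the second is invented).

```python
"""Added example (not from the draft): building, encoding and evaluating the
equality filters recommended for Containers, ContainerPermissions and
PrivilegedDataPermissions."""
import json
import re
from urllib.parse import urlencode


def equality_filter(terms):
    """{"container.value": "abc", "user.value": "xyz"} ->
    'container.value eq "abc" and user.value eq "xyz"'.

    RFC 7644 filter string literals are JSON strings, so json.dumps supplies
    the double quotes and escapes any '"' or '\\' inside the value; a value
    such as 'x" or id pr' stays one literal instead of becoming a second
    clause."""
    if not terms:
        raise ValueError("a filter needs at least one term")
    return " and ".join(f"{path} eq {json.dumps(str(v))}" for path, v in terms.items())


def query_string(terms):
    """The percent-encoded query that actually goes on the request line."""
    return urlencode({"filter": equality_filter(terms)})


# One clause of the handled subset: attrPath SP "eq" SP JSON-string.
_TERM = re.compile(r'\s*([A-Za-z][\w.$]*)\s+eq\s+("(?:[^"\\]|\\.)*")\s*')


def parse_equality_filter(flt):
    """Service-provider side: parse the same subset back into (path, value)
    pairs. Any other operator or shape is rejected rather than guessed at."""
    pairs, pos = [], 0
    while True:
        m = _TERM.match(flt, pos)
        if not m:
            raise ValueError(f"malformed filter at offset {pos}: {flt!r}")
        pairs.append((m.group(1), json.loads(m.group(2))))
        pos = m.end()
        if pos == len(flt):
            return pairs
        if not flt.startswith("and", pos):
            raise ValueError(f"expected 'and' at offset {pos}: {flt!r}")
        pos += 3


def attribute(resource, path):
    """Resolve a dotted attribute path such as container.value."""
    for part in path.split("."):
        if not isinstance(resource, dict):
            return None
        resource = resource.get(part)
    return resource


def search(resources, flt):
    """Evaluate the filter over a list of SCIM resources. Comparison is exact,
    which is what the caseExact id/value attributes filtered on here need."""
    pairs = parse_equality_filter(flt)
    return [r for r in resources if all(attribute(r, p) == v for p, v in pairs)]


# Constructed sample: two ContainerPermissions on the Container from 3.1.3.
CONTAINER_ID = "ab8e901-883f-4109-8486-bab810943d93e"
BABS = "2819c223-7f76-453a-919d-413861904646"
TOUR_GUIDES = "e9e30dba-f08f-4109-8486-d5c6a331660a"
PERMISSIONS = [
    {"id": "c387432-78823-87234-7832-93c9ae93745e",
     "container": {"value": CONTAINER_ID}, "user": {"value": BABS},
     "rights": ["Connect", "List Accounts", "View Password"]},
    {"id": "perm-2-constructed",
     "container": {"value": CONTAINER_ID}, "group": {"value": TOUR_GUIDES},
     "rights": ["List Accounts"]},
]
```

   query_string({"name": "Admin Accounts"}) yields
   filter=name+eq+%22Admin+Accounts%22, which is the encoded form of
   the request shown in Section 3.1.1.1.  A full SCIM implementation
   would use a real filter parser; the point of the parser here is to
   show that a properly quoted literal survives the round trip
   unchanged, so the hostile value above matches nothing.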
3.3.1.1.  Filtering

   It is expected that clients will need to find all permissions on a
   specific Container, permissions that are granted to a specific User
   or Group, or permissions for a specific User or Group on a specific
   Container.  For this reason, it is RECOMMENDED that service providers
   implement filtering that allows equality matching on the
   "container.value", "user.value", and "group.value" attributes.
   Examples (string literals are double-quoted JSON strings; URL
   encoding has been removed and newlines added for readability):

   GET /scim/v2/ContainerPermissions?
     filter=container.value eq "8729e778-9af6-874c-778a3-783956810384"

   GET /scim/v2/ContainerPermissions?
     filter=user.value eq "2819c223-7f76-453a-919d-413861904646"

   GET /scim/v2/ContainerPermissions?
     filter=container.value eq "8729e778-9af6-874c-778a3-783956810384" and
       user.value eq "2819c223-7f76-453a-919d-413861904646"

3.3.2.  Schema

   The "urn:ietf:params:scim:schemas:pam:1.0:ContainerPermission" schema
   defines all common attributes for a ContainerPermission.

   id  The unique identifier of the ContainerPermission.  REQUIRED

   container  A complex attribute that references the Container that
      these permissions apply to.  The following sub-attributes are
      defined.  REQUIRED

      value  The ID of the Container that these permissions apply to.

      $ref  A URI reference to the Container that these permissions
         apply to.

      name  The name of the Container that these permissions apply to.

      display  The display name of the Container that these permissions
         apply to.

   user  A complex attribute that references the User that these
      permissions apply to.  Either this attribute or "group" is
      required.  The following sub-attributes are defined.

      value  The ID of the User that these permissions apply to.

      $ref  A URI reference to the User that these permissions apply to.

      display  The display name of the User that these permissions apply
         to.

   group  A complex attribute that references the Group that these
      permissions apply to.  Either this attribute or "user" is
      required.  The following sub-attributes are defined.

      value  The ID of the Group that these permissions apply to.

      $ref  A URI reference to the Group that these permissions apply
         to.

      display  The display name of the Group that these permissions
         apply to.

   rights  An array of strings that are the names of the rights that the
      User or Group has on this Container.  There are no canonical
      values defined for rights, and these will vary between service
      providers.

3.3.3.  Example

   The following is a non-normative example of a ContainerPermission.

   {
     "schemas": [
       "urn:ietf:params:scim:schemas:pam:1.0:ContainerPermission"
     ],
     "id": "c387432-78823-87234-7832-93c9ae93745e",
     "container": {
       "value": "ab8e901-883f-4109-8486-bab810943d93e",
       "$ref": "https://example.com/v2/Containers/ab8e901-883f-4109-8486-bab810943d93e",
       "display": "Production DBA Accounts",
       "name": "prodDBAAccounts"
     },
     "user": {
       "value": "2819c223-7f76-453a-919d-413861904646",
       "$ref": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
       "display": "Babs Jensen"
     },
     "rights": [
       "Connect",
       "List Accounts",
       "View Password"
     ],
     "meta": {
       "resourceType": "ContainerPermission",
       "created": "2010-01-23T04:56:22.000Z",
       "lastModified": "2011-05-13T04:42:34.000Z",
       "location": "https://example.com/v2/ContainerPermissions/c387432-78823-87234-7832-93c9ae93745e"
     }
   }

3.4.  PrivilegedDataPermission

   A PrivilegedDataPermission contains authorization information that
   describes which rights a User or Group has on a PrivilegedData.  This
   is a piece of an Access Control List that contains all information
   about a specific User or Group in relation to a specific piece of
   privileged data.
   This resource MUST only return permissions that are granted directly
   to the PrivilegedData.  Permissions that are inherited from a
   Container on the PrivilegedData MUST NOT be returned.  This resource
   type and schema are OPTIONAL if the service provider does not support
   permissions on privileged data.

3.4.1.  Resource Type

   The PrivilegedDataPermission ResourceType supports reading and
   managing permissions that a User or Group have on a PrivilegedData,
   and has the following properties.

   Name:  PrivilegedDataPermission

   Endpoint:  /PrivilegedDataPermissions

   Schema:  urn:ietf:params:scim:schemas:pam:1.0:PrivilegedDataPermission

3.4.1.1.  Filtering

   It is expected that clients will need to find all permissions on a
   specific PrivilegedData, permissions that are granted to a specific
   User or Group, or permissions for a specific User or Group on a
   specific privileged data item.  For this reason, it is RECOMMENDED
   that service providers implement filtering that allows equality
   matching on the "privilegedData.value", "user.value", and
   "group.value" attributes.  Examples (string literals are double-
   quoted JSON strings; URL encoding has been removed and newlines added
   for readability):

   GET /scim/v2/PrivilegedDataPermissions?
     filter=privilegedData.value eq "2746c134-59e8-848a-874d3-782303476812"

   GET /scim/v2/PrivilegedDataPermissions?
     filter=user.value eq "2819c223-7f76-453a-919d-413861904646"

   GET /scim/v2/PrivilegedDataPermissions?
     filter=privilegedData.value eq "2746c134-59e8-848a-874d3-782303476812" and
       user.value eq "2819c223-7f76-453a-919d-413861904646"

3.4.2.  Schema

   The "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedDataPermission"
   schema defines all common attributes for a PrivilegedDataPermission.

   id  The unique identifier of the PrivilegedDataPermission.  REQUIRED

   privilegedData  A complex attribute that references the
      PrivilegedData that these permissions apply to.
      The following sub-attributes are defined.  REQUIRED

      value  The ID of the PrivilegedData that these permissions apply
         to.

      $ref  A URI reference to the PrivilegedData that these permissions
         apply to.

      display  The display name of the PrivilegedData that these
         permissions apply to.

   user  A complex attribute that references the User that these
      permissions apply to.  Either this attribute or "group" is
      required.  The following sub-attributes are defined.

      value  The ID of the User that these permissions apply to.

      $ref  A URI reference to the User that these permissions apply to.

      display  The display name of the User that these permissions apply
         to.

   group  A complex attribute that references the Group that these
      permissions apply to.  Either this attribute or "user" is
      required.  The following sub-attributes are defined.

      value  The ID of the Group that these permissions apply to.

      $ref  A URI reference to the Group that these permissions apply
         to.

      display  The display name of the Group that these permissions
         apply to.

   rights  An array of strings that are the names of the rights that the
      User or Group has on this PrivilegedData.  There are no canonical
      values defined for rights, and these will vary between service
      providers.

3.4.3.  Example

   The following is a non-normative example of a
   PrivilegedDataPermission.

688 { 689 "schemas": [ 690 "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedDataPermission" 691 ], 692 "id": "f823414-872344-77381-ab93489d83ea87", 693 "privilegedData": { 694 "value": "d973b5-8834f-1784-8734-caf833e9b3efa", 695 "$ref": "https://example.com/v2/PrivilegedData/d973b5-8834f-1784-8734-caf833e9b3efa", 696 "display": "root @ Oracle Financials Warehouse" 697 }, 698 "group": { 699 "value": "e9e30dba-f08f-4109-8486-d5c6a331660a", 700 "$ref": "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a", 701 "display": "Tour Guides" 702 }, 703 "rights": [ 704 "Connect", 705 "View Password" 706 ], 707 "meta": { 708 "resourceType": "PrivilegedDataPermission", 709 "created": "2010-01-23T04:56:22.000Z", 710 "lastModified": "2011-05-13T04:42:34.000Z", 711 "location": "https://example.com/v2/PrivilegedDataPermissions/f823414-872344-77381-ab93489d83ea87" 712 } 713 } 715 4. Schema JSON Representations 717 The following section provide representations of schemas for the 718 schema extensions and new schemas introduced in this document. 720 { 721 "id":"urn:ietf:params:scim:schemas:pam:1.0:LinkedObject", 722 "name":"Linked Object", 723 "description":"A LinkedObject contains information about the source that an object 724 came from. For example, a User or Group that comes from an external AD.", 725 "attributes":[ 726 { 727 "name":"source", 728 "type":"string", 729 "multiValued":false, 730 "description":"The name of the external application on which the object lives. 731 If this is a PAM local object, this is null.", 732 "required":false, 733 "caseExact":false, 734 "mutability":"readWrite", 735 "returned":"default", 736 "uniqueness":"none" 737 }, 738 { 739 "name":"nativeIdentifier", 740 "type":"string", 741 "multiValued":false, 742 "description":"The native identifier of the object on the external application 743 (eg - the LDAP DN). 
If this is a PAM local object, this is null.", 744 "required":false, 745 "caseExact":false, 746 "mutability":"readWrite", 747 "returned":"default", 748 "uniqueness":"none" 749 } 750 ] 751 }, 752 { 753 "id":"urn:ietf:params:scim:schemas:pam:1.0:Container", 754 "name":"Container", 755 "description":"A Container is a logical grouping of privileged data (credentials, 756 etc...) that can be used for organizational or operational purposes.", 757 "attributes":[ 758 { 759 "name":"id", 760 "type":"string", 761 "multiValued":false, 762 "description":"The unique identifier of the Container", 763 "required":false, 764 "caseExact":true, 765 "mutability":"readOnly", 766 "returned":"always", 767 "uniqueness":"server" 768 }, 769 { 770 "name":"name", 771 "type":"string", 772 "multiValued":false, 773 "description":"The name of the container.", 774 "required":true, 775 "caseExact":false, 776 "mutability":"readWrite", 777 "returned":"default", 778 "uniqueness":"server" 779 }, 780 { 781 "name":"displayName", 782 "type":"string", 783 "multiValued":false, 784 "description":"The display name of the container. This is optional. If null, 785 the name will be used as the display name.", 786 "required":false, 787 "caseExact":false, 788 "mutability":"readWrite", 789 "returned":"default", 790 "uniqueness":"none" 791 }, 792 { 793 "name":"description", 794 "type":"string", 795 "multiValued":false, 796 "description":"The description of the container.", 797 "required":false, 798 "caseExact":false, 799 "mutability":"readWrite", 800 "returned":"default", 801 "uniqueness":"none" 802 }, 803 { 804 "name":"type", 805 "type":"string", 806 "multiValued":false, 807 "description":"The type of container (eg - management set or account store). 
           This is optional if the PAM system does not support multiple types of containers.",
         "required": false,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none"
       },
       {
         "name": "owner",
         "type": "complex",
         "multiValued": false,
         "description": "The user that owns this container.",
         "mutability": "readWrite",
         "required": false,
         "returned": "default",
         "uniqueness": "none",
         "subAttributes": [
           {
             "name": "value",
             "type": "string",
             "multiValued": false,
             "description": "The ID of the user that owns this container",
             "required": false,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "$ref",
             "type": "reference",
             "referenceTypes": [
               "User"
             ],
             "multiValued": false,
             "description": "A URI reference to the user that owns this container.",
             "required": false,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "display",
             "type": "string",
             "multiValued": false,
             "description": "The display name of the user that owns this container",
             "required": false,
             "caseExact": false,
             "mutability": "readOnly",
             "returned": "default",
             "uniqueness": "none"
           }
         ]
       },
       {
         "name": "privilegedData",
         "type": "complex",
         "multiValued": true,
         "description": "The privileged data that resides in this container.",
         "required": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none",
         "subAttributes": [
           {
             "name": "value",
             "type": "string",
             "multiValued": false,
             "description": "The ID of the privileged data.",
             "required": false,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "$ref",
             "type": "reference",
             "referenceTypes": [
               "PrivilegedData"
             ],
             "multiValued": false,
             "description": "A URI reference to the PrivilegedData",
             "required": false,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "display",
             "type": "string",
             "multiValued": false,
             "description": "The displayable value of the PrivilegedData",
             "required": false,
             "caseExact": false,
             "mutability": "readOnly",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "type",
             "type": "string",
             "multiValued": false,
             "description": "The type of the PrivilegedData.",
             "required": false,
             "caseExact": false,
             "mutability": "readOnly",
             "returned": "default",
             "uniqueness": "none"
           }
         ]
       }
     ]
   },
   {
     "id": "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedData",
     "name": "Privileged Data",
     "description": "Privileged data is secret information that is protected by the PAM system (eg - a credential, an SSH key, etc...). Privileged data MAY be stored inside of a Container, but does not have to be.",
     "attributes": [
       {
         "name": "id",
         "type": "string",
         "multiValued": false,
         "description": "The unique identifier of the PrivilegedData.",
         "required": false,
         "caseExact": true,
         "mutability": "readOnly",
         "returned": "always",
         "uniqueness": "server"
       },
       {
         "name": "name",
         "type": "string",
         "multiValued": false,
         "description": "A descriptive name for this piece of PrivilegedData.
           For example, root@mylinuxhost",
         "required": true,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none"
       },
       {
         "name": "description",
         "type": "string",
         "multiValued": false,
         "description": "A description for this piece of PrivilegedData.",
         "required": false,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none"
       },
       {
         "name": "type",
         "type": "string",
         "multiValued": false,
         "description": "The type of PrivilegedData. The value will be dependent on what is supported by the PAM system. Examples include 'credential', 'ssh key', 'file', etc...",
         "required": false,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none"
       }
     ]
   },
   {
     "id": "urn:ietf:params:scim:schemas:pam:1.0:ContainerPermission",
     "name": "Container Permission",
     "description": "ACL information that is attached to a container.",
     "attributes": [
       {
         "name": "id",
         "type": "string",
         "multiValued": false,
         "description": "The unique identifier of the ContainerPermission.",
         "required": false,
         "caseExact": true,
         "mutability": "readOnly",
         "returned": "always",
         "uniqueness": "server"
       },
       {
         "name": "container",
         "type": "complex",
         "multiValued": false,
         "description": "The container that these permissions apply to.
           REQUIRED",
         "required": true,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none",
         "subAttributes": [
           {
             "name": "value",
             "type": "string",
             "multiValued": false,
             "description": "The ID of the container that these permissions apply to.",
             "required": true,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "$ref",
             "type": "reference",
             "referenceTypes": [
               "Container"
             ],
             "multiValued": false,
             "description": "A URI reference to the container that these permissions apply to.",
             "required": true,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "display",
             "type": "string",
             "multiValued": false,
             "description": "The display name of the container",
             "required": false,
             "caseExact": false,
             "mutability": "readOnly",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "name",
             "type": "string",
             "multiValued": false,
             "description": "The name of the container",
             "required": false,
             "caseExact": false,
             "mutability": "readOnly",
             "returned": "default",
             "uniqueness": "none"
           }
         ]
       },
       {
         "name": "user",
         "type": "complex",
         "multiValued": false,
         "description": "The User that these permissions apply to.
           Either this or group is required.",
         "required": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none",
         "subAttributes": [
           {
             "name": "value",
             "type": "string",
             "multiValued": false,
             "description": "The ID of the user that these permissions apply to.",
             "required": false,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "$ref",
             "type": "reference",
             "referenceTypes": [
               "User"
             ],
             "multiValued": false,
             "description": "A URI reference to the user that these permissions apply to.",
             "required": false,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "display",
             "type": "string",
             "multiValued": false,
             "description": "The display name of the user",
             "required": false,
             "caseExact": false,
             "mutability": "readOnly",
             "returned": "default",
             "uniqueness": "none"
           }
         ]
       },
       {
         "name": "group",
         "type": "complex",
         "multiValued": false,
         "description": "The Group that these permissions apply to.
           Either this or user is required.",
         "required": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none",
         "subAttributes": [
           {
             "name": "value",
             "type": "string",
             "multiValued": false,
             "description": "The ID of the group that these permissions apply to.",
             "required": false,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "$ref",
             "type": "reference",
             "referenceTypes": [
               "Group"
             ],
             "multiValued": false,
             "description": "A URI reference to the group that these permissions apply to.",
             "required": false,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "display",
             "type": "string",
             "multiValued": false,
             "description": "The display name of the group",
             "required": false,
             "caseExact": false,
             "mutability": "readOnly",
             "returned": "default",
             "uniqueness": "none"
           }
         ]
       },
       {
         "name": "rights",
         "type": "string",
         "multiValued": true,
         "description": "The rights that the user or group has on this container.",
         "required": true,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none"
       }
     ]
   },
   {
     "id": "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedDataPermission",
     "name": "Privileged Data Permission",
     "description": "ACL information that is attached to privileged data.",
     "attributes": [
       {
         "name": "id",
         "type": "string",
         "multiValued": false,
         "description": "The unique identifier of the PrivilegedDataPermission.",
         "required": false,
         "caseExact": true,
         "mutability": "readOnly",
         "returned": "always",
         "uniqueness": "server"
       },
       {
         "name": "privilegedData",
         "type": "complex",
         "multiValued": false,
         "description": "The PrivilegedData that these permissions apply to. REQUIRED",
         "required": true,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none",
         "subAttributes": [
           {
             "name": "value",
             "type": "string",
             "multiValued": false,
             "description": "The ID of the PrivilegedData that these permissions apply to.",
             "required": true,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "$ref",
             "type": "reference",
             "referenceTypes": [
               "PrivilegedData"
             ],
             "multiValued": false,
             "description": "A URI reference to the PrivilegedData that these permissions apply to.",
             "required": true,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "display",
             "type": "string",
             "multiValued": false,
             "description": "The display value of the PrivilegedData",
             "required": false,
             "caseExact": false,
             "mutability": "readOnly",
             "returned": "default",
             "uniqueness": "none"
           }
         ]
       },
       {
         "name": "user",
         "type": "complex",
         "multiValued": false,
         "description": "The User that these permissions apply to.
           Either this or group is required.",
         "required": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none",
         "subAttributes": [
           {
             "name": "value",
             "type": "string",
             "multiValued": false,
             "description": "The ID of the user that these permissions apply to.",
             "required": false,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "$ref",
             "type": "reference",
             "referenceTypes": [
               "User"
             ],
             "multiValued": false,
             "description": "A URI reference to the user that these permissions apply to.",
             "required": false,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "display",
             "type": "string",
             "multiValued": false,
             "description": "The display name of the user",
             "required": false,
             "caseExact": false,
             "mutability": "readOnly",
             "returned": "default",
             "uniqueness": "none"
           }
         ]
       },
       {
         "name": "group",
         "type": "complex",
         "multiValued": false,
         "description": "The Group that these permissions apply to.
           Either this or user is required.",
         "required": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none",
         "subAttributes": [
           {
             "name": "value",
             "type": "string",
             "multiValued": false,
             "description": "The ID of the group that these permissions apply to.",
             "required": false,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "$ref",
             "type": "reference",
             "referenceTypes": [
               "Group"
             ],
             "multiValued": false,
             "description": "A URI reference to the group that these permissions apply to.",
             "required": false,
             "caseExact": false,
             "mutability": "readWrite",
             "returned": "default",
             "uniqueness": "none"
           },
           {
             "name": "display",
             "type": "string",
             "multiValued": false,
             "description": "The display name of the group",
             "required": false,
             "caseExact": false,
             "mutability": "readOnly",
             "returned": "default",
             "uniqueness": "none"
           }
         ]
       },
       {
         "name": "rights",
         "type": "string",
         "multiValued": true,
         "description": "The rights that the user or group has on this privileged data.",
         "required": true,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none"
       }
     ]
   }

5. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7643]  Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C.
              Mortimore, "System for Cross-domain Identity Management:
              Core Schema", RFC 7643, DOI 10.17487/RFC7643, September
              2015, <https://www.rfc-editor.org/info/rfc7643>.

   [RFC7644]  Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
              and C. Mortimore, "System for Cross-domain Identity
              Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
              September 2015, <https://www.rfc-editor.org/info/rfc7644>.
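   The ContainerPermission and PrivilegedDataPermission schemas above
   carry constraints that a SCIM service provider has to enforce before
   it persists an ACL entry: the target attribute and its "$ref" are
   REQUIRED, at least one of "user" or "group" must be present, "rights"
   is a required multi-valued string, and "id", "meta" and the "display"
   sub-attributes are readOnly, so client-supplied values for them must
   be ignored rather than stored.  The following Python is an added
   example of such a server-side check; it is not part of this draft or
   of any PAM product.  It assumes the collection path segments
   "Containers" and "Users" (the draft's examples show only
   "PrivilegedData" and "Groups"), requires "$ref" to be an https URL
   whose last path segment agrees with "value", and reads "either this
   or group is required" as at least one subject rather than exactly
   one.  The sample resources are constructed for the example; the valid
   one mirrors the PrivilegedDataPermission example earlier in the
   draft.

```python
"""Server-side validation of SCIM PAM permission resources (added example)."""
from urllib.parse import urlparse

# Per permission schema URN: the attribute naming the protected target and the
# resource type its $ref must point at (both taken from the schema JSON).
PERMISSION_SCHEMAS = {
    "urn:ietf:params:scim:schemas:pam:1.0:ContainerPermission":
        ("container", "Container"),
    "urn:ietf:params:scim:schemas:pam:1.0:PrivilegedDataPermission":
        ("privilegedData", "PrivilegedData"),
}

# Resource type -> collection path segment. "PrivilegedData" and "Groups" come
# from the draft's examples; "Users" is RFC 7643's endpoint; "Containers" is an
# assumption following the same plural convention.
ENDPOINTS = {"Container": "Containers", "PrivilegedData": "PrivilegedData",
             "User": "Users", "Group": "Groups"}

# Attributes the permission schemas mark readOnly: the server computes them and
# must not store client-supplied values (e.g. a misleading "display" label).
READ_ONLY_TOP = {"id", "meta"}
READ_ONLY_SUB = {"display", "name"}


def check_reference(attr, ref_obj, expected_type, errors):
    """Validate a complex reference attribute ({value, $ref, display})."""
    if not isinstance(ref_obj, dict):
        errors.append(f"{attr}: must be a complex attribute")
        return
    value = ref_obj.get("value")
    if not isinstance(value, str) or not value:
        errors.append(f"{attr}.value: non-empty string required")
    ref = ref_obj.get("$ref")
    if ref is None:
        return
    url = urlparse(ref)
    segments = [s for s in url.path.split("/") if s]
    if url.scheme != "https":  # assumption: references are always https
        errors.append(f"{attr}.$ref: must be an https URL")
    # The URL must end in "<collection of expected_type>/<id>" and the id must
    # agree with "value", so the two fields cannot name different objects.
    if len(segments) < 2 or segments[-2] != ENDPOINTS[expected_type]:
        errors.append(f"{attr}.$ref: must reference a {expected_type} resource")
    elif value and segments[-1] != value:
        errors.append(f"{attr}.$ref: id does not match {attr}.value")


def validate_permission(resource):
    """Return the list of schema violations; an empty list means valid."""
    errors = []
    known = set(resource.get("schemas", [])) & set(PERMISSION_SCHEMAS)
    if len(known) != 1:
        return ["schemas: exactly one PAM permission schema URN required"]
    target_attr, target_type = PERMISSION_SCHEMAS[known.pop()]

    target = resource.get(target_attr)
    if target is None:
        errors.append(f"{target_attr}: REQUIRED")
    else:
        check_reference(target_attr, target, target_type, errors)
        if isinstance(target, dict) and "$ref" not in target:
            errors.append(f"{target_attr}.$ref: REQUIRED")  # required:true

    # "Either this or group is required": at least one subject must be present.
    subjects = [s for s in ("user", "group") if s in resource]
    if not subjects:
        errors.append("user or group: one of them is required")
    for s in subjects:
        check_reference(s, resource[s], s.capitalize(), errors)

    rights = resource.get("rights")
    if (not isinstance(rights, list) or not rights
            or not all(isinstance(r, str) and r for r in rights)):
        errors.append("rights: non-empty list of strings required")
    return errors


def strip_read_only(resource):
    """Drop readOnly attributes from a client-submitted create/replace body."""
    cleaned = {}
    for attr, val in resource.items():
        if attr in READ_ONLY_TOP:
            continue
        if isinstance(val, dict):
            val = {k: v for k, v in val.items() if k not in READ_ONLY_SUB}
        cleaned[attr] = val
    return cleaned


# Constructed sample input: mirrors the draft's PrivilegedDataPermission
# example, plus "id" and "meta" as a client might wrongly send them.
VALID_PERMISSION = {
    "schemas": ["urn:ietf:params:scim:schemas:pam:1.0:PrivilegedDataPermission"],
    "id": "client-chosen-id",
    "privilegedData": {
        "value": "d973b5-8834f-1784-8734-caf833e9b3efa",
        "$ref": "https://example.com/v2/PrivilegedData/d973b5-8834f-1784-8734-caf833e9b3efa",
        "display": "root @ Oracle Financials Warehouse",
    },
    "group": {
        "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
        "$ref": "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
    },
    "rights": ["Connect", "View Password"],
    "meta": {"resourceType": "PrivilegedDataPermission"},
}

# Constructed rejected input: $ref names a User instead of a Container, no
# user/group subject, and an empty rights list.
INVALID_PERMISSION = {
    "schemas": ["urn:ietf:params:scim:schemas:pam:1.0:ContainerPermission"],
    "container": {"value": "c-0001", "$ref": "https://example.com/v2/Users/c-0001"},
    "rights": [],
}
```

   Run validate_permission() on the request body first and reject with
   a SCIM error response if the list is non-empty; then pass the body
   through strip_read_only() before handing it to the store, so the
   server remains the only source of "id", "meta" and "display".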
Authors' Addresses

   Kelly Grizzle (editor)
   SailPoint

   Email: kelly.grizzle@sailpoint.com

   Benjamin Yoder
   Thycotic

   Email: ben.yoder@thycotic.com

   Jason Jones
   Bomgar

   Email: jjones@bomgar.com

   Philip Lieberman
   Lieberman Software

   Email: phil@liebsoft.com

   Edward Nunez
   CyberArk

   Email: Edward.Nunez@cyberark.com