Rate this page

SCIM Sub-resources

Typically, a SCIM resource is a view of the attributes for a particular user (or other resource type) at the user store. With the Ping Identity Data Governance Broker, a SCIM resource may also have a number of child SCIM sub-resources. These provide extended capabilities related to the resource that cannot be expressed solely using CRUD operations against the resource’s attributes. For example, the password sub-resource provides a rich password change API supporting generated passwords, password update failure details, and other features that cannot be expressed in a standard SCIM response.

The path to a SCIM sub-resource is always a sub-path of the parent SCIM resource. For example, the user at the path /scim/v2/Users/25d0af58-a93b-4ba4-a49c-ab0fe35783c4 might have the following SCIM sub-resources.

  • /scim/v2/Users/25d0af58-a93b-4ba4-a49c-ab0fe35783c4/password
  • /scim/v2/Users/25d0af58-a93b-4ba4-a49c-ab0fe35783c4/consentHistory

The Data Governance Broker provides the following SCIM sub-resources:

Searching SCIM sub-resources

Any SCIM sub-resource endpoint that exposes multiple sub-resources may be searched. For example, the session sub-resource may be searched, because a user may have multiple sessions. On the other hand, a user’s account sub-resource may not be searched, because a user only has a single account.

A client may only search for sub-resources rooted under a particular SCIM resources. For example, a client can search a single user’s consent records using the consent sub-resource, but a user may not search all users’ consent records.