Differences

This shows you the differences between two versions of the page.

--- 711:user_groups_permissions_scim [2024/09/18 15:46] – Nerlich, Axel
+++ 711:user_groups_permissions_scim [2025/09/09 12:06] (current) – Nerlich, Axel
@@ Line 1: / Line 1: @@
 ====== SCIM provisioning ======
-SCIM, or System for Cross-domain Identity Management, is an open standard for the provisioning and deprovisioning of users and user groups to enterprise applications. It is able to significantly simplify the rollout of users and their permissions in Stages.
+SCIM, or System for Cross-domain Identity Management, is an open standard for the provisioning and deprovisioning of users and user groups to enterprise applications. It is able to significantly simplify the rollout of users and their permission group assignments in Stages.
-Stages V7.11 implements the SCIM standard version 2.0, which is supported by most modern identity providers like Okta Lifecycle Management or Microsoft Entra ID. They provide the capability to configure the connection to the Stages application.
+Stages V7.11 implements the SCIM standard version 2.0 (see [[https://scim.cloud]]), which is supported by most modern identity providers like Okta Lifecycle Management or Microsoft Entra ID. They provide the capability to configure the connection to the Stages application.
 Before connecting with Stages, an API token has to be created. This will then be used by the identity provider to authenticate against the Stages application.
+To connect Stages to an identity provider via SCIM, the provider must be configured by a local system administrator. The corresponding configuration instructions can be found below.
 ===== Setting the Token secret =====
-Stages generates its API tokens on the basis of a unique secret that can only be set by the Stages administrator. This should be a random string value with at least 32 two characters. This value should be stored in the file conf/secret.properties like this:
+Stages generates its API tokens on the basis of a unique secret that can only be set by the Stages administrator. This should be a random string value with at least 32 characters. This value should be stored in the file conf/secret.properties like this:
-''apitoken.secret = <value>''
+<code ->
+apitoken.secret = <value>
+</code>
 In the conf/config.xml file the following configuration property needs to be declared:
-''<property name="restapi.apitoken.secret" value="${apitoken.secret}"/>''
+<code ->
+<property name="restapi.apitoken.secret" value="${apitoken.secret}"/>
+</code>
 After that, a service restart is necessary.
@@ Line 25: / Line 31: @@
 Each token is identified by a label that is defined upon generation. The resulting token values will not be stored at the server but the server is able to identify a valid token by its value. Tokens become invalid after explicitly being revoked by the Stages administrator or after their expiry date has been reached.
-(image)
+{{issue_apitoken.png}}
 Directly after creating the API Token, the token value can be copied from the Stages popup dialog and saved in a secure location. Once the dialog has been closed, it can not be retrieved anymore.
@@ Line 54: / Line 60: @@
 | ''user_perm_group.name'' | ''Group'' | ''displayName'' |   |   |
 | ''user_group.user_id'' | ''Group'' | ''members.value'' |   |   |
+===== Mapping the license type =====
+The license type of a user can be set with the following SCIM core attributes for the User resource:
+  * ''active'' - If the boolean value is ''false'' the user's license type will be set to NONE, regardless of the userType value.
+  * ''userType'' - String value in the format ''<license type ident>''%%__%%<license pool name>, both separated by two underscore characters.
+Possible Stages license type idents: NONE, ADMIN, ADMIN_ONLY, AUTH_PROCESS_READER, PERSONAL_EXTDEV, PERSONAL_ADEV, PERSONAL_QM, PERSONAL_PM, PERSONAL_DEV, FLOATING_DEV, FLOATING_PM, FLOATING_QM, FLOATING_ADEV
+For license types in the default license pool, the license pool name is omitted, but the double underscore separator is kept. Example value: %%PERSONAL_QM__%%
 ===== Addressing the SCIM endpoint =====
@@ Line 67: / Line 85: @@
 However, participants (defined under Administration > Process Release > Participants) are another powerful way to allocate permissions for specific workspace contexts to a specific set of users.
-Participants are defined globally but user assignments are workspace-specific (under Management > Participants). Therefore every combination of participant and workspace can be seen as another user permission group. For such a combination, it is possible to declare it as a user permission group with a custom name (see SCIM settings). When set to enabled for a participant and a workspace, this is returned by the Stages SCIM API as user permission group with the given name and the prefix ''VG-<workspace-id>''.
+Participants are defined globally but user assignments are workspace-specific (under Management > Participants). Therefore every combination of participant and workspace can be seen as another user permission group. Such combinations can be selectivly exposed as user groups via SCIM for managing user assignments. When SCIM exposure is enabled via the SCIM settings of a workspace-specific participant a custom name needs to be set, which will be visible by the SCIM client prefixed by ''VG-<workspace-id>''.
+{{scim_settings.png}}