Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
An access token granted a Resource OAuth2 Scope may be presented at a SCIM endpoint to perform operations on SCIM resources. Each Resource OAuth2 Scope is specific to a single Resource Type, describes the operations that can be performed against resources of the specified type, and defines the resource attributes or metadata on which those operations may be performed.
The Resource OAuth2 Scope component inherits from the OAuth2 Scope.
The following components have a direct aggregation relation from Resource OAuth2 Scopes:
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| token-name | None |
| description | |
| tag | |
| consent-prompt-text | |
| consent-operation | |
| external-identity-operation | |
| account-operation | |
| resource-attribute | |
| resource-operation | |
| scim-resource-type | |

| Property | token-name |
|---|---|
| Description | An OAuth 2.0 access token scope compliant with RFC 6749. The following characters are not permitted: space, '"', '\', '+' and ','. |
| Default Value | None |
| Allowed Values | An OAuth 2.0 access token scope compliant with RFC 6749. The following characters are not permitted: space, '"', '\', '+' and ','. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |

| Property | description |
|---|---|
| Description | A description for this OAuth2 Scope |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |

| Property | tag |
|---|---|
| Description | Tags associated with this OAuth2 Scope. Tags are arbitrary additional properties that may be examined by XACML policies. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |

| Property | consent-prompt-text |
|---|---|
| Description | This property is shown to the user when prompting for consent. It should convey a user-friendly description of what access is being requested via this scope. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |

| Property | consent-operation |
|---|---|
| Description | The actions allowed by this Resource OAuth2 Scope on a consent sub-resource. |
| Default Value | None |
| Allowed Values | retrieve-consent - Indicates that this scope may be used to retrieve consents from a resource and to search for consents using a SCIM filter.<br>revoke-consent - Indicates that this scope may be used to revoke consents.<br>retrieve-consent-history - Indicates that this scope may be used to retrieve the consent history of a resource. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |

| Property | external-identity-operation |
|---|---|
| Description | The actions allowed by this Resource OAuth2 Scope on an external identity sub-resource. |
| Default Value | None |
| Allowed Values | retrieve-external-identity - Indicates that this scope may be used to retrieve the external identities of a resource and to search for external identities using a SCIM filter.<br>unlink-external-identity - Indicates that this scope may be used to unlink an external identity of a resource. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |

| Property | account-operation |
|---|---|
| Description | The account management actions allowed by this Resource OAuth2 Scope. |
| Default Value | None |
| Allowed Values | reset-password - Indicates that this scope may be used to reset the current user password.<br>retrieve-password-quality-requirements - Indicates that this scope may be used to retrieve the password quality requirements for the current user.<br>retrieve-account-state - Indicates that this scope may be used to retrieve the state of the current user's account.<br>replace-account-state - Indicates that this scope may be used to update the state of the current user's account. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |

| Property | resource-attribute |
|---|---|
| Description | The resource attributes for which this Resource OAuth2 Scope allows access. The type of access is determined by the resource-operation property. A value of "*" indicates that all attributes are accessible. Retrieval of common attributes schemas, id, and meta will always be allowed if the resource-operation includes the retrieve operation. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |

| Property | resource-operation |
|---|---|
| Description | The operations allowed by this Resource OAuth2 Scope on the specified resource attributes. |
| Default Value | None |
| Allowed Values | retrieve - Indicates that this scope may be used to retrieve attributes from a resource.<br>modify - Indicates that this scope may be used to modify resource attributes. This corresponds to a SCIM PATCH or PUT operation.<br>create - Indicates that this scope may be used to create a new instance of a resource.<br>delete - Indicates that this scope may be used to delete resource instances.<br>search - Indicates that this scope may be used to search for resources using a SCIM filter. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |

| Property | scim-resource-type |
|---|---|
| Description | The resource type that may be accessed by this Resource OAuth2 Scope. |
| Default Value | None |
| Allowed Values | The DN of any SCIM Resource Type. The associated resource type must exist. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |

To list the configured OAuth2 Scopes:

```
dsconfig list-oauth2-scopes
     [--property {propertyName}] ...
```

To view the configuration for an existing OAuth2 Scope:

```
dsconfig get-oauth2-scope-prop
     --scope-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...
```

To update the configuration for an existing OAuth2 Scope:

```
dsconfig set-oauth2-scope-prop
     --scope-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
```

To create a new Resource OAuth2 Scope:

```
dsconfig create-oauth2-scope
     --scope-name {name}
     --set consent-prompt-text:{propertyValue}
     --set scim-resource-type:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...
```

To delete an existing OAuth2 Scope:

```
dsconfig delete-oauth2-scope
     --scope-name {name}
```
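
The property constraints above can be checked before a scope definition is passed to `dsconfig create-oauth2-scope`. The following is an added example, not part of the product or its documentation: `lint_scope` and the sample definitions are hypothetical, and the warning about `"*"` combined with write operations is a least-privilege review rule assumed here, not a server-enforced restriction.

```python
import re

# RFC 6749 scope-token characters (%x21 / %x23-5B / %x5D-7E), minus '+' and ','
# which this page additionally forbids in token-name.
TOKEN_RE = re.compile(r"[\x21\x23-\x2A\x2D-\x5B\x5D-\x7E]+")
ALLOWED = {  # enumerated values taken from the property tables on this page
    "consent-operation": {"retrieve-consent", "revoke-consent", "retrieve-consent-history"},
    "external-identity-operation": {"retrieve-external-identity", "unlink-external-identity"},
    "account-operation": {"reset-password", "retrieve-password-quality-requirements",
                          "retrieve-account-state", "replace-account-state"},
    "resource-operation": {"retrieve", "modify", "create", "delete", "search"},
}
REQUIRED = ("token-name", "consent-prompt-text", "scim-resource-type")
SINGLE = REQUIRED + ("description",)            # properties marked Multi-Valued: No
KNOWN = set(ALLOWED) | set(SINGLE) | {"tag", "resource-attribute"}
WRITE_OPS = {"modify", "create", "delete"}

def lint_scope(props):
    """props maps property name -> list of values. Returns (errors, warnings)."""
    errors, warnings = [], []
    errors += [f"{n}: unknown property" for n in sorted(set(props) - KNOWN)]
    for name in REQUIRED:
        if not props.get(name):
            errors.append(f"{name}: required")
    for name in SINGLE:
        if len(props.get(name, [])) > 1:
            errors.append(f"{name}: single-valued")
    for tok in props.get("token-name", []):
        if not TOKEN_RE.fullmatch(tok):
            errors.append(f"token-name: invalid scope token {tok!r}")
    for name, allowed in ALLOWED.items():
        for value in props.get(name, []):
            if value not in allowed:
                errors.append(f"{name}: unknown value {value!r}")
    # Assumed review rule: all attributes plus a write operation is over-broad.
    writes = set(props.get("resource-operation", [])) & WRITE_OPS
    if "*" in props.get("resource-attribute", []) and writes:
        warnings.append("resource-attribute '*' with " + ", ".join(sorted(writes)))
    return errors, warnings

# Constructed sample definitions (names and values are illustrative only).
GOOD = {"token-name": ["urn:example:profile:read"],
        "consent-prompt-text": ["Read your name and email addresses"],
        "scim-resource-type": ["Users"],
        "resource-operation": ["retrieve"], "resource-attribute": ["name", "emails"]}
BAD = {"token-name": ["profile write"], "scim-resource-type": ["Users"],
       "resource-operation": ["modify", "purge"], "resource-attribute": ["*"]}
```
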