How to remove a value of multi-valued SCIM 2.0 sub-attribute?

Question

I have a complex SCIM attribute that looks like follows:

"myattr1": {
  "subattr1": 5,
  "subattr2": [1, 2, 3]
}

I want to modify this to become

"myattr1": {
  "subattr1": 5,
  "subattr2": [1, 3]
}

How can I do this using PATCH ? Should I replace the entire sub-attribute or can I just remove the value 2 from it using PATCH ?

I know how to do this with multi-valued attributes. But I don't know how to do it for sub-attributes.

Zollnerd · Answer 1 · 2022-01-12T18:47:50.953

0

[EDIT: This is wrong..]

I believe this will work:

PATCH /resource/id

{ "schemas":
      ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations":[
       {
        "op":"remove",
        "path":"myattr1[subattr2 eq \"2\"]"
        }
    ]
}

Example on path was taken from https://datatracker.ietf.org/doc/html/rfc7644#page-33 where it mentions "path":"members[value eq "2819c223-7f76-453a-919d-413861904646"].displayName" as a way to target the displayName sub-attribute for the complex multi-valued group attribute "members".

The escaped quotes around 2 are necessary if it's a string - if the value is in fact an integer, they won't be necessary.

edited Jan 12 '22 at 18:47

answered Jan 11 '22 at 20:53

Zollnerd

725
4
5

1

Isn't this supposed to delete the value of attribute 'myattr1' which contains a sub-attribute 'subattr2' with value 2 ? members[value eq "2819c223-7f76-453a-919d-413861904646"].displayName would target all values of displayName and not a specific value. Right ? – Rahul Jan 12 '22 at 08:47
I believe you are correct. My above answer is incorrect. I'm looking through the parts of 7644 on remove and replace and I can't find anything that lets you remove a specific sub-attribute value. I think you've already identified the most viable path - replacing the entire sub-attribute value. – Zollnerd Jan 12 '22 at 18:47

score 0 · Answer 2 · answered Jan 13 '22 at 20:15

As per the PingIdentity documentation https://github.com/pingidentity/scim2/wiki/Working-with-SCIM-paths#the-value-sub-attribute, Simple multivalued attributes have a special implicit sub-attribute called "value". If that is the way, your PATCH request payload should be as follows.

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
           "op": "remove",
           "path": "myattr1.subattr2[value eq \"2\"]"
        }
    ]
}

However, this type of patch operation is not clearly defined in RFC 7644 (https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2)

You would be able to confirm this if the question is raised in SCIM mailing list https://mailarchive.ietf.org/arch/browse/scim/

How to remove a value of multi-valued SCIM 2.0 sub-attribute?

2 Answers2