0
votes

We are using WSO2 SCIM APIs to define roles for a user and update them. For the role update operation, we are currently adding the new user role (adding the user to the new role group using the SCIM API), and then deleting the existing user role (calling the users SCIM GET request under a GROUP, deleting the existing user from the list and using the newly created list as body arguments to call the SCIM PATCH request for the GROUP). With this approach, we were able to update roles. But as the user base increased, the above approach of the PATCH operation is getting a timeout error. (The new role gets updated for the user, but the existing role persists as the 2nd API call is failing.)

Below is one solution which I tried out:

Add the new role, delete the newly created role inside the user details and call the PATCH API with the updated roles of the user. But then I realized on further investigation that roles inside the user are read-only and can't be updated using PATCH/PUT operations. So I failed in getting a proper solution.

Is there a way to update a single user's role inside the GROUP without using the PATCH /Groups endpoint?


1 Answer

1
votes

As I have mentioned in the answer https://stackoverflow.com/a/64225419/10055162, the SCIM specification doesn't allow updating the user's group attribute using PATCH /Users/{userId}.

Also, PATCH /Groups/{groupId} may cause performance issues when the group's member count is too high.

WSO2 IS has improved the performance of PATCH /Groups/{groupId} to some extent.

  1. https://github.com/wso2/product-is/issues/6918 - available 5.10.0 onwards
  2. https://github.com/wso2/product-is/issues/9120 - available 5.11.0 onwards

So, if you are using an older version of IS, can you please try with the latest GA release (5.11.0)? It may improve the performance.


UPDATED:

You can use SCIM POST /Bulk endpoint to update user's groups by single REST call, instead of having multiple PATCH /Groups/{group-id} calls. Refer to https://anuradha-15.medium.com/scim-2-0-bulk-operation-support-in-wso2-identity-server-5-10-0-8041577a4fe3 for more details on Bulk endpoint.

Example: To assign two groups (Group1 and Group2) to a user, execute POST https://<host>:<port>/scim2/Bulk with a payload similar to the following.

{
    "Operations": [
        {
            "data": {
                "Operations": [
                    {
                        "op": "add",
                        "value": {
                            "members": [
                                {
                                    "display": "anuradha",
                                    "value": "db15b161-a205-454d-9da1-4a2a0df0585e"
                                }
                            ]
                        }
                    }
                ]
            },
            "method": "PATCH",
            "path": "/Groups/f707b6cc-91f8-4b8a-97fb-a01c2a79515c"
        },
        {
            "data": {
                "Operations": [
                    {
                        "op": "add",
                        "value": {
                            "members": [
                                {
                                    "display": "anuradha",
                                    "value": "db15b161-a205-454d-9da1-4a2a0df0585e"
                                }
                            ]
                        }
                    }
                ]
            },
            "method": "PATCH",
            "path": "/Groups/8c91215f-1b7a-4cdb-87d9-ae29c60d70de"
        }
    ],
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
    ]
}
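Building on the Bulk endpoint described in the answer above, here is an added Python example (not from the answer's author or from WSO2) that assembles the question's role change, add the user to the new group and remove them from the old one, into a single BulkRequest and checks the per-operation status of the BulkResponse. The user and group identifiers are constructed placeholders; the filter-path `remove` is the RFC 7644 form that avoids re-sending the whole member list, and whether the WSO2 IS version in use accepts that path is an assumption to verify before relying on it.

```python
BULK_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def patch_op(op, value=None, path=None):
    """One PatchOp operation as defined in RFC 7644 section 3.5.2."""
    entry = {"op": op}
    if path is not None:
        entry["path"] = path
    if value is not None:
        entry["value"] = value
    return entry


def build_role_change(user_id, display, new_group_id, old_group_id):
    """BulkRequest that adds user_id to new_group_id and removes it from old_group_id.

    The remove uses a filter path (RFC 7644 section 3.5.2.2, assumed to be honoured
    by the server) so the client never fetches and resends the full member list.
    failOnErrors=1 stops the bulk at the first failure: if the add fails, the remove
    is never attempted and the user keeps only the old role.
    """
    add_members = {"members": [{"display": display, "value": user_id}]}
    return {
        "schemas": [BULK_SCHEMA],
        "failOnErrors": 1,
        "Operations": [
            {"method": "PATCH", "bulkId": "add-new-role",
             "path": f"/Groups/{new_group_id}",
             "data": {"schemas": [PATCH_SCHEMA],
                      "Operations": [patch_op("add", value=add_members)]}},
            {"method": "PATCH", "bulkId": "remove-old-role",
             "path": f"/Groups/{old_group_id}",
             "data": {"schemas": [PATCH_SCHEMA],
                      "Operations": [patch_op("remove",
                                              path=f'members[value eq "{user_id}"]')]}},
        ],
    }


def failed_bulk_ids(bulk_response):
    """Return bulkIds whose status is not 2xx; empty means the role change fully applied.

    A failure of "remove-old-role" after a successful add is exactly the
    user-in-both-groups state the question describes, so callers should alert on it.
    Accepts both the string form ("200") and the object form ({"code": 200}) of status.
    """
    failed = []
    for op in bulk_response.get("Operations", []):
        status = op.get("status")
        code = int(status["code"]) if isinstance(status, dict) else int(status)
        if not 200 <= code < 300:
            failed.append(op.get("bulkId"))
    return failed
```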