How to handle RBAC through SCIM?

I have one user directory in Okta and one SCIM application. The application that I wish to provision users to contains multiple resources and multiple roles for each resource. One user can have one role per resource but access to multiple resources. How should I utilize the SCIM API so that I can manage resources and roles on users through Okta?

My initial thought was that this could be done with Groups but afaik there is no possibility to add attributes to Groups? I would at least want to have a slug attribute on a Group so that it can be mapped to a resource in my end application. I was also playing a bit with utilizing a parameter on a user with type string array. In that case I would have values like resource-1:admin, resource-2:user and so on, which is not that great either.


Hello again! I think your idea to use groups is the correct approach. But instead of using additional group attributes, you would determine access solely based off the group(s) the user is a part of. For instance, in Okta you could make groups with the following 2 names:

  1. Admin
  2. User

You then determine access based off group membership, with no need to delve deeper into specific group attributes.
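To make both approaches concrete, here is an added Python sketch (not code from this thread or from Okta) of how the receiving SCIM application could consume either representation: the question's `resource:role` string array under a hypothetical custom extension URN, and the reply's Admin/User groups. The URN, the `resourceRoles` attribute name, the allowed role set and the sample user are all assumptions.

```python
import re

# Hypothetical custom SCIM extension URN and attribute for the question's
# "resource:role" string array; a real app would publish its own schema.
ROLES_EXT = "urn:example:params:scim:schemas:extension:roles:2.0:User"
ALLOWED_ROLES = {"admin", "user"}  # roles the target application understands
ENTRY_RE = re.compile(r"^(?P<resource>[a-z0-9][a-z0-9-]*):(?P<role>[a-z]+)$")

def parse_resource_roles(entries):
    """Turn ["resource-1:admin", ...] into ({resource: role}, [errors]).
    Bad entries are skipped; a resource given two roles is dropped entirely
    (deny, never 'last wins'), keeping the one-role-per-resource rule."""
    mapping, errors, conflicts = {}, [], set()
    for entry in entries:
        m = ENTRY_RE.match(entry)
        if not m:
            errors.append(f"malformed entry: {entry!r}")
            continue
        resource, role = m.group("resource"), m.group("role")
        if role not in ALLOWED_ROLES:
            errors.append(f"unknown role {role!r} for {resource}")
        elif resource in mapping:
            conflicts.add(resource)
            errors.append(f"conflicting roles for {resource}")
        else:
            mapping[resource] = role
    for resource in conflicts:
        del mapping[resource]
    return mapping, errors

def roles_from_extension(user):
    """Read the extension attribute off a SCIM User resource (a dict)."""
    return parse_resource_roles(user.get(ROLES_EXT, {}).get("resourceRoles", []))

def role_from_groups(user):
    """Group-only approach from the reply: Admin or User group membership
    decides the single role; no known group means no access by default."""
    names = {g.get("display") for g in user.get("groups", [])}
    if "Admin" in names:
        return "admin"
    return "user" if "User" in names else None

# Constructed sample SCIM User, not a captured Okta payload.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ROLES_EXT],
    "userName": "jdoe@example.com",
    "groups": [{"value": "grp-user", "display": "User"}],
    ROLES_EXT: {"resourceRoles": ["resource-1:admin", "resource-2:user"]},
}
```

Note that `groups` on a SCIM User is read-only in RFC 7643, so the server populates it from the Group resources the IdP pushes rather than receiving it in the user payload; the extension attribute, by contrast, arrives directly on the user.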

Honestly, neither SCIM nor Okta supports what you are trying to do well. What you are thinking about is similar to what is frequently called granular RBAC or resource-based authorization. One of the reasons is that JWTs and OAuth are not designed to support putting resources into tokens. So even if there is a way to get the functionality you want out of the services available, you might want to take a hard look at authorization as a service.