For Authentication, you provide an OAuth 2.0 access (bearer) token. That bearer token controls access to which resources and attributes are returned. It does this through a scope that an administrator configures on the server that contains the data. What this means is that regardless of whether you use PingDirectory or PingDirectoryProxy as the endpoint server, you always configure access controls on the PingDirectory server. For more information on configuring SCIM 2.0 on PingDirectory, see Configuring SCIM 2.0 on Your Server.

If access controls determine that you cannot perform the requested operation, the response depends on the request. See the following examples.

• If you send a search request, but you do not have search and read permissions, you get a 200 OK status code without any results.

• If you send a retrieve, replace, or modify request, but you do not have search and read permissions, you get a 404 Not Found status code.

  {
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "status": 404,
    "detail": "Request failed:
    correlationID='473ac6b1-50e5-4c48-9d65-8b1fc633280d'"
    }

• If you send a create, replace, or modify request and you have search and read permissions, but you do not have write permissions, you get a 403 Forbidden status code.

  {
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "status": "403",
    "detail": "Request failed:
    correlationID='aa74e893-2ae6-4395-b3c4-351f38becb8a'"
    }

Based on access control configuration, you may be allowed to access a resource but not all of its attributes. See your administrator if you receive incomplete resources, including resources stripped of attributes that are required by the schema.