0.0
No release in over 3 years
Extends the scimitar gem with Role-Based Access Control (RBAC) resources for SCIM v2, based on the NIST RBAC standard and the Baumer et al. research paper "SCIM: Survey and Enhancement With RBAC" (IEEE Access, 2023). Provides Role, Entitlement, and Application SCIM resource types with full schema definitions, enabling standardized RBAC data exchange via SCIM.
Dependencies

Runtime

>= 7.0, < 9.0
~> 2.0
Project Readme

scimitar-rbac

An RBAC (Role-Based Access Control) profile for SCIM v2, built as an extension to the scimitar gem.

Based on the research paper:

Baumer, T., Muller, M., & Pernul, G. (2023). System for Cross-Domain Identity Management (SCIM): Survey and Enhancement With RBAC. IEEE Access, 11, 86872-86894. DOI: 10.1109/ACCESS.2023.3304270

What This Gem Does

The SCIM RFC family (RFC 7642-7644) focuses on identity data (Users, Groups) but only loosely prepares for RBAC. The roles and entitlements attributes on the User resource are specified in a "freestyle" notation without independent endpoints or the critical Role-to-Entitlement relationship. This leads to vendor-specific implementations that break interoperability.

This gem solves this by adding three first-class SCIM resource types:

Resource      Endpoint        URN Schema ID
Role          /Roles          urn:ietf:params:scim:schemas:extension:rbac:2.0:Role
Entitlement   /Entitlements   urn:ietf:params:scim:schemas:extension:rbac:2.0:Entitlement
Application   /Applications   urn:ietf:params:scim:schemas:extension:rbac:2.0:Application

RBAC Data Model

          0,n          0,n           0,n
  User ────── Role ────── Entitlement ────── Application
               │                │
           0,n │ RH         0,n │ EH
               │                │
              Role          Entitlement
          (hierarchy)      (hierarchy)
  • Role — intermediate entity between Users and Entitlements (permissions)
  • Entitlement — application-specific permission, belongs to one Application
  • Application — target system / Service Provider

Key relationship: Role ↔ Entitlement (PA ⊆ P × R) — the permission assignment that standard SCIM lacks.
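The relations in the diagram (UA, PA and the role hierarchy RH) as a small in-memory model, added here as an illustration rather than code from the scimitar-rbac gem; the class and method names are this example's own, and it resolves a user's effective entitlements through the hierarchy while refusing dangling references and cycles.

```ruby
require "set"
# Constructed in-memory model of the README's RBAC relations (UA, PA, RH); class and
# method names are this example's own, not the scimitar-rbac gem's.
Entitlement = Struct.new(:id, :name, :application_id)
Role        = Struct.new(:id, :name, :entitlement_ids, :parent_ids)

class RbacModel
  def initialize
    @apps, @ents, @roles = Set.new, {}, {}
    @ua = Hash.new { |h, u| h[u] = Set.new }   # UA: user -> role ids
  end
  def add_application(id); @apps << id; end
  def add_role(id, name); @roles[id] = Role.new(id, name, Set.new, Set.new); end
  def assign_user(user, role_id); @ua[user] << @roles.fetch(role_id).id; end
  # Cardinality from the data model: an Entitlement belongs to exactly one Application.
  def add_entitlement(id, name, application_id)
    raise ArgumentError, "unknown application #{application_id}" unless @apps.include?(application_id)
    @ents[id] = Entitlement.new(id, name, application_id)
  end
  # PA: the Role -> Entitlement assignment; a dangling reference is rejected, not stored.
  def assign_entitlement(role_id, ent_id)
    raise ArgumentError, "unknown entitlement #{ent_id}" unless @ents.key?(ent_id)
    @roles.fetch(role_id).entitlement_ids << ent_id
  end
  # RH: child inherits the parent's entitlements; cycles are refused so resolution terminates.
  def inherit(child_id, parent_id)
    raise ArgumentError, "cycle in role hierarchy" if child_id == parent_id || ancestors(parent_id).include?(child_id)
    @roles.fetch(child_id).parent_ids << parent_id
  end
  # Transitive closure over RH.
  def ancestors(role_id, seen = Set.new)
    @roles.fetch(role_id).parent_ids.each do |p|
      next if seen.include?(p)
      seen << p
      ancestors(p, seen)
    end
    seen
  end
  # Effective entitlements: PA applied to the user's roles and every role they inherit.
  def entitlements_for(user)
    @ua[user].flat_map { |r| [r, *ancestors(r)] }
             .flat_map { |r| @roles[r].entitlement_ids.to_a }.uniq.sort
  end
  # The check is scoped to the Application, since entitlements are application-specific.
  def permitted?(user, ent_name, application_id)
    entitlements_for(user).any? { |e| @ents[e].name == ent_name && @ents[e].application_id == application_id }
  end
end
```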

Installation

Add to your Gemfile:

gem "scimitar",      "~> 2.0"
gem "scimitar-rbac", "~> 0.1"

Then run:

bundle install
rails generate scimitar_rbac:install
rails db:migrate

Configuration

Routes

Add RBAC resource routes to your config/routes.rb:

namespace :scim_v2, path: "scim/v2" do
  mount Scimitar::Engine, at: "/"

  # Standard SCIM resources
  get    "Users",     to: "scim_v2/users#index"
  get    "Users/:id", to: "scim_v2/users#show"
  post   "Users",     to: "scim_v2/users#create"
  # ...etc

  # RBAC resources (all at once)
  Scimitar::Rbac::RouteHelper.mount_rbac_routes(self,
    roles_controller:        "scim_v2/roles",
    entitlements_controller: "scim_v2/entitlements",
    applications_controller: "scim_v2/applications"
  )
end

Models

The generator creates RbacRole, RbacEntitlement, and RbacApplication models with the Scimitar::Resources::Mixin already configured. Customize the attribute maps to match your domain.

Controllers

The generator creates controllers inheriting from Scimitar::ActiveRecordBackedResourcesController. Override storage_scope to add custom filtering:

class ScimV2::RolesController < Scimitar::ActiveRecordBackedResourcesController
  # The ActiveRecord model that backs this SCIM resource type.
  def storage_class
    RbacRole
  end

  # Every list, read, update and delete goes through this scope, so records
  # outside it are invisible to SCIM clients.
  def storage_scope
    RbacRole.where(active: true)
  end
end

SCIM API Examples

Create a Role

POST /scim/v2/Roles
Content-Type: application/scim+json

{
  "schemas": ["urn:ietf:params:scim:schemas:extension:rbac:2.0:Role"],
  "displayName": "Billing Administrator",
  "type": "business",
  "description": "Full access to billing operations",
  "entitlements": [
    { "value": "ent-uuid-1" },
    { "value": "ent-uuid-2" }
  ]
}

Create an Entitlement

POST /scim/v2/Entitlements
Content-Type: application/scim+json

{
  "schemas": ["urn:ietf:params:scim:schemas:extension:rbac:2.0:Entitlement"],
  "displayName": "billing:write",
  "type": "api_scope",
  "application": { "value": "app-uuid-1" }
}
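Server-side validation of the POST /Roles body shown above, as an added example that is not part of the scimitar-rbac gem: it checks the schema URN, the required displayName, uniqueness, and that every entitlement reference resolves, returning an RFC 7644 section 3.12 error body otherwise. The lookup hashes are constructed stand-ins for the database.

```ruby
require "json"

# Added example, not the gem's own code: validate a POST /Roles body before it reaches
# the model. known_entitlements and existing_roles are constructed stand-ins for the database.
ROLE_SCHEMA = "urn:ietf:params:scim:schemas:extension:rbac:2.0:Role".freeze

# SCIM error body per RFC 7644 section 3.12.
def scim_error(status, scim_type, detail)
  { "schemas" => ["urn:ietf:params:scim:api:messages:2.0:Error"],
    "status" => status.to_s, "scimType" => scim_type, "detail" => detail }
end

# Returns nil when the request is acceptable, otherwise the error body to send back.
# known_entitlements: id -> entitlement; existing_roles: displayName -> role id.
def validate_role_create(json, known_entitlements, existing_roles)
  body = JSON.parse(json)
  return scim_error(400, "invalidSyntax", "body must be a JSON object") unless body.is_a?(Hash)
  unless Array(body["schemas"]).include?(ROLE_SCHEMA)
    return scim_error(400, "invalidSyntax", "schemas must include #{ROLE_SCHEMA}")
  end
  name = body["displayName"].to_s.strip
  return scim_error(400, "invalidValue", "displayName is required") if name.empty?
  return scim_error(409, "uniqueness", "a Role named #{name.inspect} already exists") if existing_roles.key?(name)
  # Every PA reference must resolve: silently dropping or storing a dangling id would
  # make the Role's effective permissions differ from what the caller asked for.
  refs = Array(body["entitlements"]).map { |e| e.is_a?(Hash) ? e["value"] : e }
  bad  = refs.reject { |id| id.is_a?(String) && known_entitlements.key?(id) }
  return scim_error(400, "invalidValue", "unknown entitlement reference(s): #{bad.inspect}") unless bad.empty?
  nil
rescue JSON::ParserError => e
  scim_error(400, "invalidSyntax", "malformed JSON: #{e.message}")
end
```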

Discover RBAC Resources

GET /scim/v2/ResourceTypes

Returns Role, Entitlement, and Application alongside standard User and Group resource types.

Design Principles

Following the paper's guidance, this gem balances three design principles:

  1. Validity — implements the NIST RBAC standard (Ferraiolo et al., 2001) with proper User-Role-Entitlement relationships, hierarchies, and cardinality constraints
  2. Simplicity — minimal overhead, reuses SCIM conventions, no unnecessary resources
  3. Flexibility — extensible schemas, custom attributes via SCIM extension mechanism

Future Extensions

The following resources from the full RBAC profile can be added in future versions:

  • Account — user's identity within a specific application
  • SoD (Separation of Duty) — constraints on mutually exclusive roles/entitlements
  • Session — runtime activation of roles and entitlements

References

License

MIT