Group contract
Groups describe FreeIPA-backed membership topology for SCIM consumers. FreeSCIM supports group list, get, create, and displayName eq filtering while using the FreeIPA group cn as the SCIM Group identifier.
Membership strategy
- Use group responses and snapshots to understand membership before reconciling entitlement drift.
- Keep native replacement and deletion under the FreeIPA/IdM authority boundary.
- Diff reports should show both cardinality and member source system before any approved repair.
Recovery and repair
If writes diverge, prefer reconciliation from source-of-truth snapshots and apply a bounded membership diff with operator approval in critical environments.
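The bounded-diff step described above and the diff report from the membership strategy, as an added example that is not FreeSCIM's own code. The `members`/`value`/`source` field names, the `max_changes` bound and the `approved_by` parameter are assumptions made for illustration, and the sample groups are constructed.

```python
from dataclasses import dataclass

# Constructed sample data. The "members"/"value"/"source" field names are
# assumptions for illustration, not FreeSCIM's documented schema.
SNAPSHOT = {"id": "eng-admin", "members": [
    {"value": "alice", "source": "freeipa"},
    {"value": "bob", "source": "freeipa"},
    {"value": "carol", "source": "freeipa"}]}
OBSERVED = {"id": "eng-admin", "members": [
    {"value": "alice", "source": "freeipa"},
    {"value": "bob", "source": "freeipa"},
    {"value": "mallory", "source": "scim-client"}]}

@dataclass
class DiffReport:
    group: str
    snapshot_count: int   # cardinality in the source-of-truth snapshot
    observed_count: int   # cardinality in the current group response
    to_add: list          # (member, source system) missing from observed
    to_remove: list       # (member, source system) absent from snapshot

def _index(group):
    """Map member id -> source system; unlabeled members become 'unknown'."""
    return {m["value"]: m.get("source", "unknown") for m in group.get("members", [])}

def build_report(snapshot, observed):
    if snapshot["id"] != observed["id"]:
        raise ValueError("snapshot and observed response are for different groups")
    want, have = _index(snapshot), _index(observed)
    return DiffReport(
        group=snapshot["id"],
        snapshot_count=len(want),
        observed_count=len(have),
        to_add=sorted((m, want[m]) for m in want.keys() - have.keys()),
        to_remove=sorted((m, have[m]) for m in have.keys() - want.keys()),
    )

def plan_repair(report, max_changes, approved_by=None, critical=True):
    """Return the change list for an operator to apply in FreeIPA/IdM.
    Nothing is written here; the plan is refused if unbounded or unapproved."""
    changes = len(report.to_add) + len(report.to_remove)
    if changes > max_changes:
        raise RuntimeError(f"{changes} changes exceed the bound of {max_changes}")
    if critical and changes and not approved_by:
        raise PermissionError("operator approval required in critical environments")
    return ([("add", m) for m, _ in report.to_add]
            + [("remove", m) for m, _ in report.to_remove])

if __name__ == "__main__":
    print(build_report(SNAPSHOT, OBSERVED))
```

Both sample groups have three members, so a cardinality check alone would report no drift; the per-member source column is what exposes the entry that did not come from FreeIPA.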
Group lifecycle transcript
GET /scim/v2/Groups?filter=displayName+eq+%22eng-admin%22&startIndex=1&count=25
POST /scim/v2/Groups { "displayName": "eng-admin" }
PUT /scim/v2/Groups/eng-admin -> 501 unsupported
DELETE /scim/v2/Groups/eng-admin -> 501 unsupported
Replacement (PUT) and deletion (DELETE) are intentionally left as explicit unsupported operations because native group lifecycle stays with FreeIPA/IdM unless a governed workflow is added.