SCIM: implement Groups #1357
Merged
SCIM: implement Groups #1357
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fbce58e to
2c32360
Compare
8ecb5ce to
7f924fe
Compare
0f8575a to
2e91be2
Compare
fflorent
commented
Jan 31, 2025
| assert.equal(res.status, 401); | ||
| }); | ||
|
|
||
| it.skip('should allow operation like PATCH for kiwi', async function () { |
There was a problem hiding this comment.
Removed it, it looks like this won't be fixed (for good reasons I think):
scimmyjs/scimmy-routers#27
fflorent
commented
Feb 1, 2025
hexaltation
reviewed
Feb 3, 2025
hexaltation
suggested changes
Feb 3, 2025
There was a problem hiding this comment.
Thank you @fflorent for this huge piece of work.
Two small changes asked.
And one concern about the stickyness of the code with SCIMMY.
How much of of work could it need:
- To add a layer of abstraction to not use SCIMMY object in higher levels of grist,
- To replace this lib contributed by only one guy the day he won't maintained it anymore.
But no doubt that it's the best solution for now.
ef96456 to
52aeaec
Compare
fflorent
added a commit
to fflorent/grist-core
that referenced
this pull request
Jul 21, 2025
This change also introduce a "Team" and a "Role" type for Groups. "Role" type is the historical type, it is the role granted to the user for a resource. The "Team" type is a new type, it is meant to gather people and grant them a role together for a resource. The SCIM /Groups endpoints gives access to the "Teams" groups. The SCIM /Roles endpoints gives a (limited) access to the "Roles" groups. For more information, please take a look at this Pr description: gristlabs#1357 (comment) Co-authored-by: Grégoire Cutzach <[email protected]>
fflorent
added a commit
to fflorent/grist-core
that referenced
this pull request
Jul 21, 2025
This change also introduce a "Team" and a "Role" type for Groups. "Role" type is the historical type, it is the role granted to the user for a resource. The "Team" type is a new type, it is meant to gather people and grant them a role together for a resource. The SCIM /Groups endpoints gives access to the "Teams" groups. The SCIM /Roles endpoints gives a (limited) access to the "Roles" groups. For more information, please take a look at this Pr description: gristlabs#1357 (comment) Co-authored-by: Grégoire Cutzach <[email protected]>
52aeaec to
1f3e416
Compare
fflorent
added a commit
to fflorent/grist-core
that referenced
this pull request
Jul 21, 2025
This change also introduce a "Team" and a "Role" type for Groups. "Role" type is the historical type, it is the role granted to the user for a resource. The "Team" type is a new type, it is meant to gather people and grant them a role together for a resource. The SCIM /Groups endpoints gives access to the "Teams" groups. The SCIM /Roles endpoints gives a (limited) access to the "Roles" groups. For more information, please take a look at this Pr description: gristlabs#1357 (comment) Co-authored-by: Grégoire Cutzach <[email protected]>
1f3e416 to
d532cfc
Compare
fflorent
added a commit
to fflorent/grist-core
that referenced
this pull request
Jul 21, 2025
This change also introduce a "Team" and a "Role" type for Groups. "Role" type is the historical type, it is the role granted to the user for a resource. The "Team" type is a new type, it is meant to gather people and grant them a role together for a resource. The SCIM /Groups endpoints gives access to the "Teams" groups. The SCIM /Roles endpoints gives a (limited) access to the "Roles" groups. For more information, please take a look at this Pr description: gristlabs#1357 (comment) Co-authored-by: Grégoire Cutzach <[email protected]>
d532cfc to
2e3c081
Compare
fflorent
added a commit
to fflorent/grist-core
that referenced
this pull request
Jul 21, 2025
This change also introduce a "Team" and a "Role" type for Groups. "Role" type is the historical type, it is the role granted to the user for a resource. The "Team" type is a new type, it is meant to gather people and grant them a role together for a resource. The SCIM /Groups endpoints gives access to the "Teams" groups. The SCIM /Roles endpoints gives a (limited) access to the "Roles" groups. For more information, please take a look at this Pr description: gristlabs#1357 (comment) Co-authored-by: Grégoire Cutzach <[email protected]>
b404afd to
b2ac191
Compare
fflorent
added a commit
to fflorent/grist-core
that referenced
this pull request
Jul 22, 2025
This change also introduce a "Team" and a "Role" type for Groups. "Role" type is the historical type, it is the role granted to the user for a resource. The "Team" type is a new type, it is meant to gather people and grant them a role together for a resource. The SCIM /Groups endpoints gives access to the "Teams" groups. The SCIM /Roles endpoints gives a (limited) access to the "Roles" groups. For more information, please take a look at this Pr description: gristlabs#1357 (comment) Co-authored-by: Grégoire Cutzach <[email protected]>
b2ac191 to
88455b6
Compare
fflorent
added a commit
to fflorent/grist-core
that referenced
this pull request
Jul 22, 2025
This change also introduce a "Team" and a "Role" type for Groups. "Role" type is the historical type, it is the role granted to the user for a resource. The "Team" type is a new type, it is meant to gather people and grant them a role together for a resource. The SCIM /Groups endpoints gives access to the "Teams" groups. The SCIM /Roles endpoints gives a (limited) access to the "Roles" groups. For more information, please take a look at this Pr description: gristlabs#1357 (comment) Co-authored-by: Grégoire Cutzach <[email protected]>
88455b6 to
e304fec
Compare
fflorent
added a commit
to fflorent/grist-core
that referenced
this pull request
Jul 22, 2025
This change also introduce a "Team" and a "Role" type for Groups. "Role" type is the historical type, it is the role granted to the user for a resource. The "Team" type is a new type, it is meant to gather people and grant them a role together for a resource. The SCIM /Groups endpoints gives access to the "Teams" groups. The SCIM /Roles endpoints gives a (limited) access to the "Roles" groups. For more information, please take a look at this Pr description: gristlabs#1357 (comment) Co-authored-by: Grégoire Cutzach <[email protected]>
e304fec to
9c96d90
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
paulfitz
reviewed
Jul 24, 2025
| } | ||
|
|
||
| /** | ||
| * Returns a Promise for an array of User entites for the given userIds. |
c4982e4 to
653f631
Compare
653f631 to
a7ecfb4
Compare
fflorent
added a commit
to fflorent/grist-core
that referenced
this pull request
Aug 13, 2025
This change also introduce a "Team" and a "Role" type for Groups. "Role" type is the historical type, it is the role granted to the user for a resource. The "Team" type is a new type, it is meant to gather people and grant them a role together for a resource. The SCIM /Groups endpoints gives access to the "Teams" groups. The SCIM /Roles endpoints gives a (limited) access to the "Roles" groups. For more information, please take a look at this Pr description: gristlabs#1357 (comment) Co-authored-by: Grégoire Cutzach <[email protected]>
paulfitz
reviewed
Aug 28, 2025
| const newColumnNonNull = newColumn.clone(); | ||
| newColumnNonNull.isNullable = false; | ||
|
|
||
| await queryRunner.changeColumn('groups', newColumn, newColumnNonNull); |
There was a problem hiding this comment.
Hmm this all feels ok and will probably run alright on large installations. At some point it is more practical to just use nullable columns and take the hit in type-checking, but we're not at that scale yet.
| } | ||
|
|
||
| /** | ||
| * Returns a Promise for an array of User entites for the given userIds. |
This change also introduce a "Team" and a "Role" type for Groups. "Role" type is the historical type, it is the role granted to the user for a resource. The "Team" type is a new type, it is meant to gather people and grant them a role together for a resource. The SCIM /Groups endpoints gives access to the "Teams" groups. The SCIM /Roles endpoints gives a (limited) access to the "Roles" groups. For more information, please take a look at this Pr description: gristlabs#1357 (comment) Co-authored-by: Grégoire Cutzach <[email protected]>
After having introduced the "type" column in the "Groups" table, the test for migrating TeamMembers failed because the Group entity had a property that does not exist yet as a column in the table. Instead execute a plain INSERT INTO statement to run the migration so it does not involve the non-existing yet "type" column.
Co-authored-by: Copilot <[email protected]>
d03c648 to
44c7a3e
Compare
After the upgrade of SCIMMY, it looks like SCIMMY has a better support of typing. Let's take advantage of it!
167bf46 to
279388d
Compare
fflorent
commented
Sep 2, 2025
Co-authored-by: Copilot <[email protected]>
There was a problem hiding this comment.
Pull Request Overview
This PR implements SCIM support for Groups by adding a new /Groups endpoint and related functionality. It introduces a type distinction for groups (Team vs Role), adds extensive test coverage, and upgrades SCIM library dependencies.
- Add Groups endpoints supporting CRUD operations for Teams
- Introduce group type system distinguishing Teams from Roles
- Add comprehensive test coverage for Groups and Roles functionality
Reviewed Changes
Copilot reviewed 23 out of 24 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| test/server/lib/Scim.ts | Adds comprehensive test suite for Groups and Roles SCIM endpoints |
| test/gen-server/seed.ts | Updates group creation to use new Group.create() method with type |
| test/gen-server/migrations.ts | Adds GroupTypes migration and foreign key utility usage |
| test/gen-server/lib/homedb/UsersManager.ts | Updates group creation to use new typed Group.create() method |
| test/gen-server/lib/homedb/GroupsManager.ts | New comprehensive test suite for GroupsManager functionality |
| package.json | Updates SCIM library versions to 1.3.5 and 1.3.2 |
| app/server/lib/scim/v2/roles/SCIMMYRoleSchema.ts | New schema definition for Role resources |
| app/server/lib/scim/v2/roles/SCIMMYRoleResource.ts | New SCIM resource implementation for Roles |
| app/server/lib/scim/v2/ScimV2Api.ts | Integrates Group and Role resources into SCIM API |
| app/server/lib/scim/v2/ScimUtils.ts | Common utilities for SCIM transformations |
| app/server/lib/scim/v2/ScimUserUtils.ts | Removed, functionality moved to ScimUtils |
| app/server/lib/scim/v2/ScimUserController.ts | Refactored to extend BaseController |
| app/server/lib/scim/v2/ScimRoleController.ts | New controller for Role SCIM operations |
| app/server/lib/scim/v2/ScimGroupController.ts | New controller for Group SCIM operations |
| app/server/lib/scim/v2/BaseController.ts | New base class for SCIM controllers |
| app/server/lib/dbUtils.ts | Adds utility for SQLite foreign key constraint management |
| app/gen-server/migration/1753088213255-GroupTypes.ts | New migration adding type column to groups table |
| app/gen-server/migration/1568238234987-TeamMembers.ts | Updates to handle new Group entity structure |
| app/gen-server/lib/homedb/UsersManager.ts | Adds getUsersByIdsStrict method |
| app/gen-server/lib/homedb/Interfaces.ts | Adds GroupWithMembersDescriptor and GroupTypes |
| app/gen-server/lib/homedb/HomeDBManager.ts | Adds group management methods |
| app/gen-server/lib/homedb/GroupsManager.ts | Extensive additions for group CRUD operations |
| app/gen-server/entity/Group.ts | Adds type column and validation logic |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
paulfitz
approved these changes
Sep 2, 2025
There was a problem hiding this comment.
Thanks for persisting @fflorent ! Looks good. The main focus of my reviewing has been to watch out for any security issues. Everything looks well organized from that perspective. The SCIM functionality looks plausible to me but I'm no expert. Responding to related feature requests and bug reports may be like for the OIDC work, where the original contributor bears the brunt of maintenance just due to the knowledge they've accumulated.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
Following #1199, this PR proposes to implement the
/GroupsEndpoint.As an IT asset administrator, I can create groups for my users using a centralized solution (an Identity Provider) so they can easily access to the resources. But these groups and memberships are not pushed to Grist as of today. The administrator is either offered to remove access entirely to Grist, or access to Grist and modify the permissions on the resources. Most of all, as Teams are not represented through the UI, it can be a quite painful task.
Proposed solution
SCIM is a standard proposed by the IETF through RFC7644 and RFC7643 which aims to through a simple Rest API provide solution for the above use cases.
Here is the abstract of the RFC7644 which introduces SCIM:
This PR provides a complement to the now existing
/scim/v2/Usersendpoint (documented here):/scim/v2/Groupswho are granted accesses toa set of resources through Roles
/scim/v2/Roles2(
owner,editor,viewer, ...) to a given resourceCurrently only the Roles were represented in the "groups" table. To achieve this distinction, this PR also introduces a "type" column, which only accept
teamorrolevalues.This PR provides the implementation of SCIM for Groups (aka Teams), and supports:
POST /Groups/,PUT /Groups/:id,GET /Groups/,GET /Groups/:idandDELETE /Groups/:id).POST /BulkendpointPOST /Groups/.searchby using the Filters (actually to use them, you must have to fetch all the Resources from the DB, the filtering is done in JS, which is probably fine for small projects, I would just be cautious when using big databases + an ORM);PATCH /Groups/:idendpoint! It reads a resource using the egress method, applies the asked changes, and calls the ingress method to update the record ;The endpoint for
/Rolesare nearly the same, though:orgId,workspaceIdordocIdreadonly attributes.As in #1199, I take advantage of these two libraries: scimmy and scimmy-routers.
👀 Known limitations
⛹️ Play with this endpoint
This is a step-by-step tutorial to play with this new endpoint:
https://gist.github.com/fflorent/dd11a15e424ab4828f679ab038eea764
Related issues
Fixes #870
Has this been tested?
Footnotes
In the Grist terminology, and as specified in the
groups.typecolumn in the database. ↩This is a custom endpoint as allowed by the SCIM standard. ↩