OASIS Service Provisioning Markup Language (SPML) Version 2

2OASIS Service Provisioning Markup 3Language (SPML) Version 2

4Draft Committee Specification 0.10 52005 June 7

6Document identifier: draft-pstc-SPMLv2.doc 7Location: http://www.oasis-open.org/committees/provision/docs/ 8Send comments to: [email protected] 9Editor: 10 Gary Cole, Sun Microsystems ([email protected]) 11Contributors: 12 Jeff Bohren, BMC 13 Gerry Woods, SOA Software 14 Doron Cohen, BMC 15 Darran Rolls, Sun Microsystems 16 Gavenraj Sodhi, CA 17 Hal Lockhart, BEA 18 Jeff Larson, Sun Microsystems 19 Rami Elron, BMC 20 Gary Cole, Sun Microsystems 21 Ron Jacobsen, CA 22 Martin Raepple, SAP 23 Cory Williams, IBM 24 Ian Glazer, IBM 25Abstract:

26 This specification defines the concepts and operations of an XML-based provisioning 27 request-and-response protocol. 28Status:

29 This is a candidate Committee Specification that is undergoing a vote of the OASIS 30 membership in pursuit of OASIS Standard status.

31 If you are on the provision list for committee members, send comments there. If you are not 32 on that list, subscribe to the [email protected] list and send 33 comments there. To subscribe, send an email message to provision-comment- 34 [email protected] with the word "subscribe" as the body of the message.

307212bb8d0cf1f11a2b881ca263fc19f.doc Page 2 of 158 36Table of contents 371 Introduction...... 5 38 1.1 Purpose...... 5 39 1.2 Organization...... 5 40 1.3 Audience...... 5 41 1.4 Notation...... 6 42 1.4.1 Normative sections...... 6 43 1.4.2 Normative terms...... 6 44 1.4.3 Typographical conventions...... 6 45 1.4.4 Namespaces...... 7 462 Concepts...... 8 47 2.1 Domain Model...... 8 48 2.1.1 Requestor...... 8 49 2.1.2 Provider...... 9 50 2.1.3 Target...... 9 51 2.1.3.1 Target Schema...... 9 52 2.1.3.2 Supported Schema Entities...... 10 53 2.1.3.3 Capabilities...... 10 54 2.1.4 Provisioning Service Object (PSO)...... 10 55 2.2 Core Protocol...... 10 56 2.3 Profile...... 11 573 Protocol...... 12 58 3.1 Request/Response Model...... 12 59 3.1.1 Conversational flow...... 14 60 3.1.2 Status and Error codes...... 14 61 3.1.2.1 Status (normative)...... 14 62 3.1.2.2 Error (normative)...... 15 63 3.1.3 Synchronous and asynchronous operations...... 15 64 3.1.3.1 ExecutionMode attribute...... 16 65 3.1.3.2 Async Capability...... 16 66 3.1.3.3 Determining execution mode...... 17 67 3.1.3.4 Results of asynchronous operations (normative)...... 19 68 3.1.4 Individual and batch requests...... 19 69 3.2 Identifiers...... 20 70 3.2.1 RequestID (normative)...... 20 71 3.2.2 Target Identifier (normative)...... 21 72 3.2.3 PSO Identifier (normative)...... 21 73 3.3 Selection...... 23 74 3.3.1 QueryClauseType...... 23 75 3.3.2 Logical Operators...... 23 76 3.3.3 SelectionType...... 24 77 3.3.3.1 SelectionType in a Request (normative)...... 24 78 3.3.3.2 SelectionType Processing (normative)...... 25 79 3.3.3.3 SelectionType Errors (normative)...... 26 80 3.3.4 SearchQueryType...... 26 81 3.3.4.1 SearchQueryType in a Request (normative)...... 27 82 3.3.4.2 SearchQueryType Errors (normative)...... 28 83 3.4 Transactional Semantics...... 29 84 3.5 Operations...... 29 85 3.5.1 Core Operations...... 29 86 3.5.1.1 listTargets...... 29 87 3.5.1.2 add...... 39 88 3.5.1.3 lookup...... 44 89 3.5.1.4 modify...... 49

407212bb8d0cf1f11a2b881ca263fc19f.doc Page 3 of 158 90 3.5.1.5 delete...... 56 91 3.5.2 Async Capability...... 59 92 3.5.2.1 cancel...... 59 93 3.5.2.2 status...... 61 94 3.5.3 Batch Capability...... 66 95 3.5.3.1 batch...... 66 96 3.5.4 Bulk Capability...... 73 97 3.5.4.1 bulkModify...... 73 98 3.5.4.2 bulkDelete...... 75 99 3.5.5 Password Capability...... 78 100 3.5.5.1 setPassword...... 78 101 3.5.5.2 expirePassword...... 80 102 3.5.5.3 resetPassword...... 81 103 3.5.5.4 validatePassword...... 83 104 3.5.6 Reference Capability...... 86 105 3.5.6.1 Reference Definitions...... 88 106 3.5.6.2 References...... 89 107 3.5.6.3 Complex References...... 89 108 3.5.7 Search Capability...... 95 109 3.5.7.1 search...... 96 110 3.5.7.2 iterate...... 102 111 3.5.7.3 closeIterator...... 107 112 3.5.8 Suspend Capability...... 111 113 3.5.8.1 suspend...... 111 114 3.5.8.2 resume...... 113 115 3.5.8.3 active...... 115 116 3.6 Custom Capabilities...... 118 1174 Conformance (normative)...... 119 118 4.1 Core operations and schema are mandatory...... 119 119 4.2 Standard capabilities are optional...... 119 120 4.3 Custom capabilities...... 119 1215 Security and privacy considerations...... 120 122 5.1 Threat model...... 120 123 5.1.1 Unauthorized disclosure...... 120 124 5.1.2 Message Replay...... 120 125 5.1.2.1 Message insertion...... 120 126 5.1.2.2 Message deletion...... 120 127 5.1.2.3 Message modification...... 121 128 5.2 Safeguards...... 121 129 5.2.1 Authentication...... 121 130 5.2.2 Confidentiality...... 121 131 5.2.2.1 Communication confidentiality...... 121 132 5.2.2.2 Trust model...... 122 133 5.2.2.3 Privacy...... 122 134Appendix A. Core XSD...... 123 135Appendix B. Async Capability XSD...... 130 136Appendix C. Batch Capability XSD...... 132 137Appendix D. Bulk Capability XSD...... 134 138Appendix E. Password Capability XSD...... 136 139Appendix F. Reference Capability XSD...... 138 140Appendix G. Search Capability XSD...... 140 141Appendix H. Suspend Capability XSD...... 143 142Appendix I. Document References...... 145 143Appendix J. Acknowledgments...... 147 144Appendix K. Notices...... 148 145Appendix L. Revision history...... 149

507212bb8d0cf1f11a2b881ca263fc19f.doc Page 4 of 158 146

1471 Introduction

1481.1 Purpose

149This specification defines the concepts and operations of an XML-based provisioning request-and- 150response protocol.

1511.2 Organization

152The body of this specification is organized into three major sections: Concepts, Protocol and 153Conformance. 154 The Concepts section introduces the main ideas in SPMLv2. Subsections highlight significant 155 features that later sections will discuss in more detail. 156 The Protocol section first presents an overview of protocol features and then discusses the 157 purpose and behavior of each protocol operation. The core operations are presented in an 158 order that permits a continuing set of examples. Subsequent sections present optional 159 operations. 160 161 Each section that describes an operation includes: 162 - The relevant XML Schema 163 - A normative subsection that describes the request for the operation 164 - A normative subsection that describes the response to the operation 165 - A non-normative sub-section that discusses examples of the operation 166 The Conformance section describes the aspects of this protocol that a requestor or provider 167 must support in order to be considered conformant. 168 A Security and privacy considerations section describes risks that an implementer of this 169 protocol should weigh in deciding how to deploy this protocol in a specific environment. 170Appendices contain additional information that supports the specification, including references to 171other documents.

1721.3 Audience

173The PSTC intends this specification to meet the needs of several audiences. 174One group of readers will want to know: "What is SPML?” 175A reader of this type should pay special attention to the Concepts section. 176A second group of readers will want to know: "How would I use SPML?" 177A reader of this type should read the Protocol section 178(with special attention to the examples). 179A third group of readers will want to know: "How must I implement SPML?" 180A reader of this type must read the Protocol section 181(with special attention to normative request and response sub-sections). 182A reader who is already familiar with SPML 1.0 will want to know: “What is new in SPMLv2?” 183A reader of this type should read the Concepts section thoroughly 184and also read the Appendix ?? which describes changes from SPML1.0 to SPMLv2.

807212bb8d0cf1f11a2b881ca263fc19f.doc Page 6 of 158 1851.4 Notation

1861.4.1 Normative sections

187Normative sections of this specification are labeled as such. The title of a normative section will 188contain the word “normative” in parentheses, as in the following title: “Syntax (normative)”.

1891.4.2 Normative terms

190This specification contains schema that conforms to W3C XML Schema and contains normative 191text that describes the syntax and semantics of XML-encoded policy statements. 192The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", 193"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be 194interpreted as described in IETF RFC 2119 [RFC2119] 195 "they MUST only be used where it is actually required for interoperation or to limit 196 behavior which has potential for causing harm (e.g., limiting retransmissions)" 197These keywords are capitalized when used to unambiguously specify requirements of the protocol 198or application features and behavior that affect the interoperability and security of implementations. 199When these words are not capitalized, they are meant in their natural-language sense.

2001.4.3 Typographical conventions

201This specification uses the following typographical conventions in text: Format Description Indicates xmlName monospace font The name of an XML attribute, element or type.

“attributeName” monospace font An instance of an XML attribute. surrounded by double quotes

‘attributeValue’ monospace font A literal value (of type string). surrounded by double quotes

“attributeName=’value’ monospace font name An instance of an XML attribute value. ” followed by equals sign and value Read as “a value of (value) specified for surrounded by an instance of the (attributeName) single quotes attribute.” {XmlTypeName} monospace font The name of an XML type or surrounded by that is defined as part of SPMLv2. {ns:XmlTypeName} curly braces

or monospace font An instance of an XML element surrounded by <> that is defined as part of SPMLv2.

202Terms in italic bold-face are intended to have the meaning defined in the Glossary.

203Listings of SPML schemas appear like this.

205Example code listings appear like this.

2061.4.4 Namespaces

207Conventional XML namespace prefixes are used throughout the listings in this specification to 208stand for their respective namespaces as follows, whether or not a namespace declaration is 209present in the example:

210 The prefix dsml: stands for the Directory Services Markup Language namespace [DSML].

211 The prefix xsd: stands for the W3C XML Schema namespace [XSD].

212 The prefix spml: stands for the SPMLv2 Core XSD namespace 213 [SPMLv2-CORE].

214 The prefix spmlasync: stands for the SPMLv2 Async Capability XSD namespace. [SPMLv2- 215 ASYNC].

216 The prefix spmlbatch: stands for the SPMLv2 Batch Capability XSD namespace 217 [SPMLv2-BATCH].

218 The prefix spmlbulk: stands for the SPMLv2 Bulk Capability XSD namespace 219 [SPMLv2-BULK].

220 The prefix spmlpass: stands for the SPMLv2 Password Capability XSD namespace 221 [SPMLv2-PASS].

222 The prefix spmlref: stands for the SPMLv2 Reference Capability XSD namespace 223 [SPMLv2-REF].

224 The prefix spmlsearch: stands for the SPMLv2 Search Capability XSD namespace 225 [SPMLv2-SEARCH].

226 The prefix spmlsuspend: stands for the SPMLv2 Suspend Capability XSD namespace 227 [SPMLv2-SUSPEND].

2282 Concepts

229SPML Version 2 (SPMLv2) builds on the concepts defined in SPML Version 1. 230The basic roles of Requesting Authority (RA) and Provisioning Service Provider (PSP) are 231unchanged. The core protocol continues to define the basis for interoperable management of 232Provisioning Service Objects (PSO). However, the concept of Provisioning Service Target (PST) 233has taken on new importance in SPMLv2.

2342.1 Domain Model

235The following section describes the main conceptual elements of the SPML domain model. The 236Entity Relationship Diagram (ERD) in Figure 1 shows the basic relationships between these 237elements.

RA PSP

238 239 Figure 1. Domain model elements

2402.1.1 Requestor

241A Requesting Authority (RA) or requestor is a software component that issues well-formed SPML 242requests to a Provisioning Service Provider. Examples of requestors include: 243 Portal applications that broker the subscription of client requests to system resources 244 Service subscription interfaces within an Application Service Provider 245Trust relationship. In an end-to-end integrated provisioning scenario, any component that issues 246an SPML request is said to be operating as a requestor. This description assumes that the 247requestor and its provider have established a trust relationship between them. The details of 248establishing and maintaining this trust relationship are beyond the scope of this specification.

1207212bb8d0cf1f11a2b881ca263fc19f.doc Page 9 of 158 2492.1.2 Provider

250A Provisioning Service Provider (PSP) or provider is a software component that listens for, 251processes, and returns the results for well-formed SPML requests from a known requestor. For 252example, an installation of an Identity Management system could serve as a provider. 253Trust relationship. In an end-to-end integrated provisioning scenario, any component that 254receives and processes an SPML request is said to be operating as a provider. This description 255assumes that the provider and its requestor have established a trust relationship between them. 256The details of establishing and maintaining this trust relationship are beyond the scope of this 257specification.

2582.1.3 Target

259A Provisioning Service Target (PST) or target represents a destination or endpoint that a provider 260makes available for provisioning actions. 261A target is not a provider. A requestor asks a provider to act upon objects that the provider 262manages. Each target is a container for objects that a provider manages. 263A target may not be an actual endpoint. A target may represent a traditional user account source 264(such as a Windows NT domain or a directory service instance), or a target may represent an 265abstract collection of endpoints. 266Every provider exposes at least one target. Each target represents a destination or endpoint 267(e.g., a system, application or service—or a set of systems, applications, and services) to which the 268provider can provision (e.g., create or modify accounts). 269A target is a special, top-level object that: 270 A requestor can discover from the provider 271 No requestor can add, modify, delete or otherwise act upon 272 May contain any number of provisioning service objects (PSO) upon which a requestor may act 273 May contain a schema that defines the XML structure of the provisioning service objects (PSO) 274 that the target may contain 275 May define which schema entities the target supports 276 May expose capabilities: 277 - That apply to every supported schema entity 278 - That apply only to specific schema entities 279The SPMLv2 model does not restrict a provider’s targets other than to specify that: 280 A provider (PSP) must uniquely identify each target that it exposes. 281 A provider must uniquely identify each object (PSO) that a target contains. 282 Exactly one target must contain each object (PSO) that the provider manages.

2832.1.3.1 Target Schema

284The schema for each target defines the XML structure of the objects (PSO) that the target may 285contain. 286SPMLv2 does not specify a required format for the target schema. For example, a target schema 287could be XML Schema [XSD] or (a target schema could be) SPML1.0 Schema [SPMLv2-Profile- 288DSML]. 289Each target schema includes a schema namespace. The schema namespace indicates (to any 290requestor that recognizes the schema namespace) how to interpret the schema.

1307212bb8d0cf1f11a2b881ca263fc19f.doc Page 10 of 158 291A provider must present any object (to a requestor) as XML that is valid according to the schema of 292the target that contains the object. A requestor must accept and manipulate, as XML that is valid 293according to the schema of the target, any object that a target contains.

2942.1.3.2 Supported Schema Entities

295A target may declare that it supports only a subset of the entities (e.g., objectclasses or top-level 296elements) in its schema. A target that does not declare such a subset is assumed to support every 297entity in its schema. 298A provider must implement the basic SPML operations for objects on each target that are instances 299of each schema entity that the target supports.

3002.1.3.3 Capabilities

301A target may also expose a set of capabilities that it supports. Each capability defines optional 302operations or semantics. 303A capability must be either "standard" or "custom": 304 The OASIS PSTC defines each standard capability in an SPML namespace. 305 See the section entitled “Namespaces”. 306 Anyone may define a custom capability in another namespace. 307A target may support a capability for all of its supported schema entities or (a target may support a 308capability) only for specific subset of its supported schema entities. Each capability may specify 309any number of supported schema entities to which it applies. A capability that does not specify a 310supported schema entity is assumed to apply to every schema entity that the target supports. 311Optional operations. If a capability defines an optional operation and if the target supports that 312capability for a schema entity of which an object is an instance, then the provider must support that 313optional operation for that object. For example, if a target supports the Password Capability for 314User objects (but not for Group objects), then a requestor may ask the provider to perform the 315‘resetPassword’ operation for any User object (but the provider will fail any request to 316‘resetPassword’ for a Group).

3172.1.4 Provisioning Service Object (PSO)

318A Provisioning Service Object (PSO), sometimes simply called an object, represents a data entity 319or an information object on a target. For example, a provider would represent each account that 320the provider manages as an object. 321NOTE: Within this document, the term “object” (unless otherwise qualified) refers to a PSO. 322Every object is contained by exactly one target. Each object has a unique identifier (PSO-ID).

3232.2 Core Protocol

324SPMLv2 retains the SPML1.0 concept of a “core protocol”. The SPMLv2 Core XSD defines: 325 Basic operations (such as ‘add’, ’modify’ and ‘delete’) 326 Basic and extensible data elements 327 The means to expose individual targets and optional operations 328The SPMLv2 Core XSD also defines modal mechanisms that allow a requestor to: 329 Specify that a requested operation must be executed asynchronously 330 (or to specify that a requested operation must be executed synchronously)

1407212bb8d0cf1f11a2b881ca263fc19f.doc Page 11 of 158 331 Recognize that a provider has chosen to execute an operation asynchronously 332 Obtain the status of an asynchronous request 333 Cancel an asynchronous request 334Conformant SPMLv2 implementations must support the core protocol, including: 335 The new ‘listTargets’ operation 336 The basic operations for every schema entity that a target supports 337 The modal mechanisms for asynchronous operations 338(For more information, see the section entitled “Conformance”).

3392.3 Profile

340SPMLv2 defines two “profiles” in which a requestor and provider may exchange SPML protocol: 341 XML Schema as defined in the “SPMLv2 XSD Profile” [SPMLv2-Profile-XSD]. 342 DSMLv2 as defined in the “SPMLv2 DSMLv2 Profile” [SPMLv2-Profile-DSML]. 343A requestor and a provider may exchange SPML protocol in any profile to which they agree. 344SPML 1.0 defined file bindings and SOAP bindings that assumed the SPML1.0 Schema for DSML 345[SPML-Bind]. The SPMLv2 DSMLv2 Profile provides a degree of backward compatibility with 346SPML 1.0. The DSMLv2 profile supports a schema model similar to that of SPML 1.0. 347The DSMLv2 Profile may be more convenient for applications that access mainly targets that are 348LDAP or X500 directory services. The XSD Profile may be more convenient for applications that 349access mainly targets that are web services.

3503 Protocol

351The general model adopted by this protocol is that a requestor (client) asks a provider (server) to 352perform operations. In the simplest case, each request for an SPML operation is processed 353individually and is processed synchronously. The “Request/Response Model” section below 354presents this general model and discusses mechanisms that govern asynchronous execution. The 355Identifiers and Selection sections also describe aspects (of the protocol) that apply to many 356operations. 357In order to encourage adoption of this standard, this specification minimizes the set of operations 358that a provider must implement. The Core Operations section discusses these required operations. 359This specification also defines optional operations. Some operations are optional (rather than 360required) because the operations may be more difficult for a provider to implement for certain kinds 361of targets. Some operations are optional because the operations may apply only to specific types of 362objects on a target. This specification defines a set of standard capabilities, each of which groups 363optional operations that are functionally related. The remainder of the Operations section discusses 364optional operations (such as search) that are associated with SPMLv2’s standard capabilities. 365The capability mechanism in SPMLv2 is open and allows an individual provider (or any third party) 366to define additional custom capabilities. See Custom Capabilities later in this section.

3673.1 Request/Response Model

368The general model adopted by this protocol is that a requestor (client) asks a provider (server) to 369perform an operation. A requestor asks a provider to perform an operation by sending to the 370provider an SPML request that describes the operation. The provider examines the request and, if 371the provider determines that the request is valid, the provider does whatever is necessary to 372implement the requested operation. The provider also returns to the requestor an SPML response 373that details any status or error that pertains to the request.

1707212bb8d0cf1f11a2b881ca263fc19f.doc Page 13 of 158

1807212bb8d0cf1f11a2b881ca263fc19f.doc Page 14 of 158 use="required"/>

374The following subsections describe aspects of this request/response model in more detail: 375 the exchange of requests and responses between requestor and provider 376 synchronous and asynchronous execution of operations 377 individual and batch requests

3783.1.1 Conversational flow 379A requestor asks a provider to do something by issuing an SPML request. A provider responds 380exactly once to each request. Therefore, the simplest conversation (i.e., pattern of exchange) 381between a requestor and a provider is an orderly alternation of request and response. However, the 382SPML protocol does not require this. A requestor may issue any number of concurrent requests to 383a single provider. A requestor may issue any number of concurrent requests to multiple providers. 384Recommend requestID. Each SPML request should specify a reasonably unique identifier as the 385value of “requestID”. See “Request Identifier (normative)”. This allows a requestor to control the 386identifier for each requested operation and (also allows the requestor) to match each response to 387the corresponding request without relying on the transport protocol that underlies the SPML 388protocol exchange.

3893.1.2 Status and Error codes

390A provider’s response always specifies a “status”. This value tells the requestor what the 391provider did with (the operation that was described by) the corresponding request. 392If a provider’s response specifies “status=’failure’”, then the provider’s response must also specify 393an “error”. This value tells the requestor what type of problem prevented the provider from 394executing (the operation that was described by) the corresponding request.

395The “status” and “error” attributes of a response apply to (the operation that is described by) 396the corresponding request. This is straightforward for most requests. The status and batch 397operations present the only subtleties. 398 A status request asks for the status of another operation that the provider is already executing 399 asynchronously. See “Synchronous and asynchronous operations” below. A status response 400 has status and error attributes that tell the requestor what happened to the status request itself. 401 However, the response to a successful status operation also contains a nested response that 402 tells what has happened to the operation that the provider is executing asynchronously. 403 A batch request contains nested requests (each of which describes an operation). The 404 response to a batch request contains nested responses (each of which corresponds to a 405 request that was nested in the batch request). See “Individual and batch requests” below.

4063.1.2.1 Status (normative)

407A provider’s response MUST specify “status” as one of the following values: ‘success’, 408‘failure’ or ‘pending’.

1907212bb8d0cf1f11a2b881ca263fc19f.doc Page 15 of 158 409 A response that specifies “status=’success’” 410 indicates that the provider has completed the requested operation. 411 In this case, the response contains any result of the operation 412 and the response MUST NOT specify “error” (see below).

413 A response that specifies “status=’failure’” 414 indicates that the provider could not complete the requested operation. 415 In this case, the response MUST specify an appropriate value of “error” (see below).

416 A response that specifies “status=’pending’” 417 indicates that the provider will execute the requested operation asynchronously 418 (see “Synchronous and asynchronous operations” below). 419 In this case, the response acknowledges the request and contains the “requestID” value 420 that identifies the asynchronous operation.

4213.1.2.2 Error (normative)

422A response that specifies “status=’failure’” MUST specify an appropriate value of “error”:

423 A response that specifies “error=’malformedRequest’” 424 indicates that the provider could not interpret the request. 425 This includes, but is not limited to, parse errors.

426 A response that specifies “error=’unsupportedOperation’” 427 indicates that the provider does not support the operation that the request specified.

428 A response that specifies “error=’unsupportedIdentifierType’” 429 indicates that the provider does not support the type of identifier specified in the request.

430 A response that specifies “error=’noSuchIdentifier’” 431 indicates that the provider (supports the type of identifier specified in the request, 432 but the provider) cannot find the object to which an identifier refers.

433 A response that specifies “error=’unsupportedExecutionMode’” 434 indicates that the provider does not support the requested mode of execution.

435 A response that specifies “error=’invalidContainment’” 436 indicates that the provider cannot add the specified object to the specified container. 437 - The request may not specify a valid container--especially if the request specifies 438 as the container an object on the target (rather than the target itself). 439 The target schema implicitly or explicitly declares each supported schema entity. 440 An explicit declaration of a supported schema entity specifies whether an instance 441 of that schema entity may contain other objects. 442 - The request may have specified a container that is not valid for the specified object. 443 The target (or a system or application that underlies the target) may restrict the types of 444 objects that the provider can add to the specified container. The target (or a system or 445 application that underlies the target) may restrict the containers to which the provider can 446 add the specified object.

447 A response that specifies “error=’customError’” indicates that the provider has 448 encountered an error that none of the standard error code values describes. 449 In this case, the provider’s response SHOULD provide error information in a format that is 450 available to the requestor. SPMLv2 does not specify the format of a custom error.

2007212bb8d0cf1f11a2b881ca263fc19f.doc Page 16 of 158 4513.1.3 Synchronous and asynchronous operations

452A provider may execute a requested operation either synchronously or asynchronously. 453 Synchronous: operation before response. If a provider executes a requested operation 454 synchronously, the provider completes the requested operation before the provider returns a 455 response to the requestor. The response will include the status and any error or result. 456 Asynchronous: response before operation. If a provider executes a requested operation 457 asynchronously, the provider returns to the requestor a response (that indicates that the 458 operation will be executed asynchronously) before the provider executes the requested 459 operation. The response will specify “status=’pending’” and will specify a “requestID” 460 value that the requestor must use in order to cancel the asynchronous operation or (in order to) 461 obtain the status or results of the asynchronous operation.

462 - If a request specifies “requestID”, then the provider’s response to that request will 463 specify the same “requestID” value. 464 Requestor Provider REQUEST requestID=1

RESPONSE requestID=1 status=”pending”

465 - If the request omits “requestID”, then the provider’s response to that will specify a 466 “requestID” value that is generated by the provider. 467 Requestor REQUEST Provider

RESPONSE requestID=9 status=”pending”

468A requestor may specify the execution mode for an operation in its request or (a requestor may 469omit the execution mode and thus) allow the provider to decide the execution mode (for the 470requested operation). If the requestor specifies an execution mode that the provider cannot support 471for the requested operation, then the provider will fail the request.

4723.1.3.1 ExecutionMode attribute

473A requestor uses the optional “executionMode” attribute of an SPML request to specify that the 474provider must execute the specified operation synchronously or (to specify that the provider must 475execute the specified operation) asynchronously. If a requestor omits the “executionMode” 476attribute from an SPML request, the provider decides whether to execute the requested operation 477synchronously or (to execute the requested operation) asynchronously.

4783.1.3.2 Async Capability

479A provider uses the Async Capability that is defined as part of SPMLv2 to tell any requestor that the 480provider supports asynchronous execution of requested operations on objects contained by that 481target. A target may further refine this declaration to apply only to specific types of objects (i.e., for a 482specific subset of supported schema entities) on the target. 483SPMLv2’s Async Capability also defines two operations that a requestor may use to manage other 484operations that a provider is executing asynchronously:

2107212bb8d0cf1f11a2b881ca263fc19f.doc Page 17 of 158 485 A ‘status’ operation allows a requestor to check the status (and optionally results) of an 486 operation (or of all operations) 487 A ‘cancel’ operation asks the provider to stop executing an operation. 488For more information, see the Async Capability section.

4893.1.3.3 Determining execution mode

490By default, a requestor allows a provider to decide whether to execute a requested operation 491synchronously or asynchronously. A requestor that needs the provider to execute a requested 492operation in a particular manner must specify this in the request. Each subsection that follows 493describes one of the four possibilities: 494 Requestor specifies synchronous execution 495 Requestor specifies asynchronous execution 496 Provider chooses synchronous execution 497 Provider chooses asynchronous execution 498The following subsections normatively apply to every SPMLv2 operation unless the normative text 499that describes an operation specifies otherwise.

5003.1.3.3.1 Requestor specifies synchronous execution (normative)

501A requestor MAY specify that an operation must execute synchronously. A requestor that wants the 502provider to execute an operation synchronously MUST specify 503“executionMode=‘synchronous’“ in the SPML request. 504If a requestor specifies that an operation must be executed synchronously and the provider cannot 505execute the requested operation synchronously, then the provider MUST fail the operation. If a 506provider fails an operation because the provider cannot execute the operation synchronously, then 507the provider’s response MUST specify “status=’failed’” and 508“error=’unsupportedExecutionMode’”. 509If a requestor specifies that an operation must be executed synchronously and the provider does 510not fail the request, then the provider implicitly agrees to execute the requested operation 511synchronously. The provider MUST acknowledge the request with a response that contains any 512status and any error or output of the operation. The provider’s response MUST NOT specify 513“status=’pending’”. The provider’s response MUST specify either “status='success'” or 514“status=’failed’”.

515 If the provider’s response specifies “status=’failed’”, then the provider’s response must 516 have an “error” attribute.

517 If the provider’s response specifies “status='success'”, then the provider’s response MUST 518 contain any additional results (i.e., output) of the completed operation.

5193.1.3.3.2 Requestor specifies asynchronous execution (normative)

520A requestor may specify that an operation must execute asynchronously. A requestor that wants 521the provider to execute an operation asynchronously MUST specify 522“executionMode=‘asynchronous’” in the SPML request. 523If a requestor specifies that an operation must be executed asynchronously and the provider cannot 524execute the requested operation asynchronously, then the provider MUST fail the operation. If the 525provider fails the operation because the provider cannot execute the operation asynchronously,

2207212bb8d0cf1f11a2b881ca263fc19f.doc Page 18 of 158 526then the provider’s response MUST specify “status=’failed’” and (the provider’s response 527MUST specify) “error=’unsupportedExecutionMode’”. 528If a requestor specifies that an operation must be executed asynchronously and the provider does 529not fail the request, then the provider implicitly agrees to execute the requested operation 530asynchronously. The provider MUST acknowledge the request with a synchronous response that 531indicates that the operation will execute asynchronously. The provider’s response MUST specify 532“status=’pending’” and (the provider’s response MUST specify) “requestID=’’”.

533 If the request specifies a “requestID” value, then the provider’s response MUST specify the 534 same “requestID” value.

535 If the request omits “requestID”, then the provider’s response MUST specify a 536 “requestID” value that uniquely identifies the requested operation within the namespace of 537 the provider. 538If the provider’s response indicates that the requested operation will execute asynchronously, the 539requestor may continue with other processing. If the requestor wishes to obtain the status and 540results of the requested operation (or to cancel the requested operation), the requestor MUST use 541the “requestID” value that is returned in the provider’s response to identify the operation. 542See also the sections entitled “Async Capability” and “Results of asynchronous operations 543(normative)”.

5443.1.3.3.3 Provider chooses synchronous execution (normative)

545A requestor MAY allow the provider to decide whether to execute a requested operation 546synchronously or asynchronously. A requestor that wants to let the provider decide the type of 547execution for an operation MUST omit the “executionMode” attribute of the SPML request. 548If a requestor lets the provider decide the type of execution for an operation and the provider 549chooses to execute the requested operation synchronously, then the provider’s response MUST 550indicate that the requested operation was executed synchronously. The provider’s response MUST 551NOT specify “status=’pending’”. The provider’s response MUST specify either 552“status='success'” or “status=’failed’”.

553 If the provider’s response specifies “status=’failed’”, then the provider’s response must 554 have an “error” attribute.

555 If the provider’s response specifies “status='success'”, then the provider’s response MUST 556 contain any additional results (i.e., output) of the completed operation.

5573.1.3.3.4 Provider chooses asynchronous execution (normative)

558A requestor MAY allow a provider to decide whether to execute a requested operation 559synchronously or asynchronously. A requestor that wants to let the provider decide the type of 560execution for an operation MUST omit the “executionMode” attribute of the SPML request. 561If a requestor lets the provider decide the type of execution for an operation and the provider 562chooses to execute the requested operation asynchronously, then the provider’s response must 563indicate that the the requested operation will execute asynchronously. The provider MUST 564acknowledge the request with a response that indicates that the operation will execute 565asynchronously. The provider’s response MUST specify “status=’pending’” and (the provider’s 566response MUST specify) “requestID=’’”.

2307212bb8d0cf1f11a2b881ca263fc19f.doc Page 19 of 158 567 If the request specifies a “requestID” value, then the provider’s response MUST specify the 568 same “requestID” value.

569 If the request omits “requestID”, then the provider’s response MUST specify a 570 “requestID” value that uniquely identifies the requested operation within the namespace of 571 the provider. 572If the provider’s response indicates that the requested operation will execute asynchronously, the 573requestor may continue with other processing. If the requestor wishes to obtain the status and 574results of the requested operation (or to cancel the requested operation), the requestor MUST use 575the “requestID” value that is returned in the provider’s response to identify the operation. 576See also the sections entitled “Async Capability” and “Results of asynchronous operations 577(normative)”.

5783.1.3.4 Results of asynchronous operations (normative)

579A provider that supports asynchronous execution of requested operations MUST maintain the 580status and results of each asynchronously executed operation during the period of time that the 581operation is executing and for some reasonable period of time after the operation completes. 582Maintaining this information allows the provider to respond to status requests. 583A provider that supports asynchronous execution of requested operations SHOULD publish out-of- 584band (i.e., make available to requestors in a manner that is not specified by this document) any limit 585on the how long after the completion of an asynchronous operation the provider will keep the status 586and results of that operation.

5873.1.4 Individual and batch requests

588A requestor generally requests each operation individually. SPMLv2 also defines a capability to 589batch requests. If the provider supports this batch capability, a requestor may group any number of 590requests (e.g., requests to ‘add’, ‘modify’ or ‘delete’) into a single request. 591Individual. The SPMLv2 core protocol allows a requestor to ask a provider to execute an individual 592operation. Each request that is part of the SPMLv2 Core XSD asks a provider to perform a single 593operation. 594Batch. SPMLv2 defines ‘batch’ as an optional operation that allows a requestor to combine any 595number of requests into a single request. See the Batch Capability section.

2407212bb8d0cf1f11a2b881ca263fc19f.doc Page 20 of 158 5963.2 Identifiers

597SPMLv2 uses several different types of identifiers.

598 An instance of {xsd:string} identifies a target. 599 A target identifier must be unique within the (namespace of the) provider.

600 An instance of {xsd:ID} identifies a request or an operation.

601 An instance of {PSOIdentifierType} identifies an object on a target. 602 An instance of {PSOIdentifierType} combines a target identifier with an object identifier. 603 The target identifier MUST be unique within the (namespace of the) provider. 604 The object identifier MUST be unique within the (namespace of the) target.

6053.2.1 RequestID (normative)

606RequestID in a request. A requestor SHOULD specify a reasonably unique value for the 607“requestID” attribute in each request. A requestID value need not be globally unique. A 608requestID value needs only to be sufficiently unique to identify each outstanding request. (That is, a 609requestor SHOULD specify as the value of “requestID” in each SPML request a value that is 610sufficiently unique to identify each request for which the requestor has not yet received the 611corresponding response.) 612A requestor that uses a transport protocol that is synchronous (such as SOAP/HTTP) MAY omit 613“requestID”. The synchronous nature of the transport protocol exchange itself ensures that the 614requestor can match the provider’s response to the request. (The provider’s response will contain 615any requestID that is necessary—for example, because the provider executes the requested 616operation asynchronously. See “RequestID in a response” immediately below.) 617RequestID in a response. A provider’s response to a request that specifies “requestID” MUST 618specify the same “requestID” value.

619A provider’s response to a request that does not specify a value for “requestID” MAY omit the 620“requestID” attribute UNLESS the provider executes the requested operation asynchronously.

2507212bb8d0cf1f11a2b881ca263fc19f.doc Page 21 of 158 621If the provider executes asynchronously (the operation that was described by) a request that 622omitted “requestID”, then the provider MUST generate a value that uniquely identifies the 623operation to the provider and (the provider MUST) specify this value as the value of the 624“requestID” attribute in the provider’s response. (This allows the requestor to cancel or to obtain 625the status of the operation that the provider is executing asynchronously. See Async Capability.)

6263.2.2 Target Identifier (normative)

627Each of a provider’s targets has a string identifier. Within a provider’s listTargets response, the 628“targetID” attribute of each element specifies this identifier.

629TargetId is unique within provider. Each in a provider’s 630MUST specify a value for “targetID” that uniquely identifies the target within the namespace of 631the provider. 632Wherever targetID occurs in a request or in a response, the targetID must correspond to one of 633the provider’s targets. (That is, the value of any “targetID” attribute that a request specifies or 634(that a request) indirectly contains MUST match the value of the “targetID” attribute that a 635 element in the provider’s specifies.) 636If a request contains an invalid targetID, the provider’s response MUST specify 637“error=’noSuchIdentifier’”.

6383.2.3 PSO Identifier (normative)

639PSO Identifier must be unique. A provider MUST ensure that each object’s PSO-ID is unique 640(within the namespace of the provider). Since every instance of {PSOIdentifierType} also 641specifies the target that contains the object (see the next topic immediately below), the value that 642identifies an object must be unique within the namespace of the target.

643TargetID. Any instance of {PSOIdentifierType} MAY specify “targetID”.

644 If the provider's contains only one , 645 then an instance of {PSOIdentifierType} MAY omit "targetID".

646 If the provider's contains more than one , 647 then any instance of {PSOIdentifierType} MUST specify "targetID". 648 The value of “targetID” MUST identify a valid target. (That is, the value of “targetID” 649 MUST match the “targetID” of a in the provider’s . 650 See the section entitled “Target Identifier (normative)” above.)

651containerID. Any instance of {PSOIdentifierType} MAY contain at most one 652. Any MUST identify an existing object that exists on the target. 653(That is, the content of any in an instance of {PSOIdentifierType} MUST 654match the of an object that exists on a target. In addition, the value of any "targetID" 655attribute in the element MUST match the value of the "targetID" attribute of the 656instance of {PSOIdentifierType} that contains the .)

657ID. Any instance of {PSOIdentifierType} MAY specify “ID”. This depends on the profile that 658the requestor and provider have agreed to use. 659 The DSML Profile and the XML Schema Profile both specify that an instance of 660 {PSOIdentifierType} MUST specify "ID". The value of “ID” MUST uniquely identify an 661 object within the namespace of the target that “targetID” specifies.

2607212bb8d0cf1f11a2b881ca263fc19f.doc Page 22 of 158 662 Another profile may specify that an instance of {PSOIdentifierType} MAY omit "ID".

663Content depends on profile. The content of an instance of {PSOIdentifierType} depends on 664the profile that a requestor and provider agree to use. 665 Both the DSML profile and the XML Schema Profile specify that an instance of 666 {PSOIdentifierType} MUST have an "ID" attribute (see the topic immediately above). 667 Neither the DSML profile nor the XML Schema Profile specifies the content of an instance of 668 {PSOIdentifierType}.

669 Another profile may specify the content of an instance of {PSOIdentifierType}. 670Caution: PSO Identifier is mutable. A provider MAY change the PSO-ID for an object. For 671example, moving an organizational unit (OU) beneath a new parent within a directory service will 672change the distinguished name (DN) of the organizational unit. If the provider exposes the 673directory service DN as the object’s PSO-ID, then this operation will change the object’s PSO-ID. 674Recommend immutable PSO Identifier. A provider SHOULD expose an immutable value (such 675as a globally unique identifier or “guid”) as the PSO-ID for each object.

2707212bb8d0cf1f11a2b881ca263fc19f.doc Page 23 of 158 6763.3 Selection

6773.3.1 QueryClauseType

678SPMLv2 defines a {QueryClauseType} that is used to select objects. Each instance of 679{QueryClauseType} represents a selection criterion.

680{QueryClauseType} specifies no element or attribute. This type is a semantic marker. 681 Any capability may define elements of (types that extend) QueryClauseType. These 682 queryClauses allow a requestor to search for objects based on capability-specific data. 683 (For example, the SPML Reference Capability defines a element that 684 enables a requestor to query for objects that have a specific reference. 685 The SPML Suspend Capability defines an element that enables a requestor to 686 query for objects that are enabled or disabled.) 687 An instance of {SelectionType}, which extends {QueryClauseType}, may filter a set of 688 objects. {SelectionType} may also be used to specify a particular element or attribute of an 689 object. See the section entitled “SelectionType” below. 690 The SPMLv2 Search Capability defines three logical operators that indicate how a provider 691 should combine selection criteria. Each logical operator is an instance of 692 {LogicalOperatorType}, which extends {QueryClauseType}. 693 See the section entitled “Logical Operators” below.

6943.3.2 Logical Operators

695The SPMLv2 Search Capability defines three logical operators that indicate how a provider should 696combine selection criteria. 697 The logical operator specifies a conjunct 698 (that is, the is true if and only if every selection criterion that the contains is true). 699 The logical operator specifies a disjunct 700 (that is, the is true if any selection criterion that the contains is true). 701 The logical operator specifies negation 702 (that is, the is true if and only if the selection criterion that the contains is false.)

7033.3.3 SelectionType

704SPMLv2 defines a {SelectionType} that is used in two different ways: 705 An instance of {SelectionType} may specify an element or attribute of an object. 706 For example, the of a specifies the part of an object that a 707 modify operation (or a bulkModify operation) will change. 708 An instance of {SelectionType} may filter a set of objects. 709 For example, a may contain a element:

806 A requestor that wants the provider to search only the object identified by 807 MUST specify “scope=’pso’”. (NOTE: It is an error to specify "scope='pso'" in a 808 that does not contain . The target is not an object.) 809 See the section below entitled “SearchQueryType Errors (normative)”. 810 A requestor that wants the provider to search only direct descendants of the target or (that 811 wants to search only direct descendants) of the object specified by MUST 812 specify “scope=’oneLevel’”. 813 A requestor that wants the provider to search any direct or indirect descendant of the target or 814 (that wants to search any direct or indirect descendant) of the object specified by 815 MUST specify “scope=’subTree’”.

816Open content. A MUST contain (as open content) exactly one instance of a type that 817extends {QueryClauseType}.

818 Any capability may define elements of (a type that extends) {QueryClauseType}. These 819 elements allow a requestor to select objects based on capability-defined data. 820 See the section entitled "QueryClauseType" above.

821 A

7907212bb8d0cf1f11a2b881ca263fc19f.doc Page 75 of 158 path=”/Person/email=’[email protected]’”/> 2100In the following example, a requestor asks a provider to remove the “owner” of any account that is 2101currently owned by “joebob”. The requestor uses as a selection criterion the query 2102clause that the Reference Capability defines. 2103NOTE: The logic required to modify a reference may depend on the cardinality that is defined for 2104that type of reference. See Reference Capability below.

21083.5.4.2 bulkDelete

2109The subset of the Bulk Capability XSD that is most relevant to the bulkDelete operation follows.

8007212bb8d0cf1f11a2b881ca263fc19f.doc Page 76 of 158 type="spmlbulk:BulkDeleteRequestType”/>

2120recursive. A MAY have a “recursive” attribute that indicates 2121whether the provider should delete the specified object along with any other object it contains. 2122(Unless the specifies “recursive=’true’”, a provider will not delete 2123an object that contains other objects.)

21243.5.4.2.2 Response (normative)

2125A provider that receives a from a requestor that the provider trusts must 2126examine the content of the . If the request is valid, the provider MUST 2127delete every object that matches the specified (if the provider can possibly do so).

2128recursive. A provider MUST NOT delete any object that contains other objects unless the 2129 specifies “recursive=’true’”.

2130 If the specifies “recursive=’true’”, 2131 then the provider MUST delete every object that matches the specified query 2132 along with any object that a matching object (directly or indirectly) contains.

2133 If the specifies “recursive=’false’” 2134 (or if the omits the “recursive” attribute”) 2135 and at least one object that matches the specified query contains another object, 2136 then the provider MUST NOT delete any of the objects that match the specified query. 2137 In this case, the provider’s response must return an error (see below).

2138Response. The provider MUST return to the requestor an .

2139Status. The must contain a “status” attribute that indicates whether 2140the provider successfully deleted every object that matched the specified query. See “Status 2141(normative)” for values of this attribute. 2142 If the provider successfully deleted every object that matched the specified query, the 2143 MUST specify “status=’success’”. 2144 If the provider encountered an error in selecting any object that matched the specified query or 2145 (if the provider encountered an error) in deleting any of the selected objects, the 2146 MUST specify “status=’failure’”.

8107212bb8d0cf1f11a2b881ca263fc19f.doc Page 77 of 158 2147Error. If the provider was unable to delete every object that matched the specified query, then the 2148 MUST have an “error” attribute that characterizes the failure. See 2149“Error (normative)” for values of this attribute. 2150The section entitled "SearchQueryType Errors (normative)" describes errors specific to a request 2151that contains a . Also see the section entitled “SelectionType Errors (normative)”. 2152If at least one object that matches the specified query contains another object 2153and the does NOT specify “recursive=’true’”, 2154then the provider’s response should specify “error=’invalidContainment’”.

21553.5.4.2.3 Examples (non-normative)

2156In the following example, a requestor asks a provider to delete every Person with an email address 2157matching [email protected]. 2791The provider returns a . The “status” attribute of the 2792indicates that the provider successfully executed the search operation. [email protected] 2793In the following example, a requestor asks a provider to search for every account that is currently 2794owned by “joebob”. The requestor uses the “returnData” attribute to specify that the provider should 2795return only schema-defined data for each matching object. 2796The provider returns a . The “status” attribute of the 2797indicates that the provider successfully executed the search operation.

10607212bb8d0cf1f11a2b881ca263fc19f.doc Page 102 of 158 27983.5.7.2 iterate

2799The iterate operation obtains the next set of objects from the result set that the provider selected for 2800a search operation. (See the description of the search operation above.) 2801The subset of the Search Capability XSD that is most relevant to the iterate operation follows.

2802An iterateRequest receives an iterateResponse. A requestor supplies the that is 2803output from a as input to an . A provider returns an 2804 in response to each . An has 2805the same structure as a .

2806The will contain at least one element that represents a matching 2807object. If more matching objects are available to return, then the will also 2808contain an . The requestor can use this in another 2809 to retrieve more of the matching objects. 2810Iterate is not batchable. For reasons of scale, neither ‘search’ nor ‘iterate’ should be nested in a 2811batch request. When a search query matches matches more objects than the provider can place 2812directly in the response, the provider must temporarily store the remaining objects. Storing the 2813remaining objects allows allows the requestor to iterate the remaining objects, but also requires the

10707212bb8d0cf1f11a2b881ca263fc19f.doc Page 103 of 158 2814provider to commit resources. See the “Resource Considerations” topic earlier in this Search 2815Capability section. 2816Batch responses also tend to be large. Batch operations are typically asynchronous, so storing the 2817results of asynchronous batch operations imposes on providers a resource burden similar to that of 2818search results. Allowing a requestor to nest a search request or an iterate request within a batch 2819request would aggravate the resource problem, requiring a provider to store more information in 2820larger chunks for a longer amount of time. 2821The iterate operation must be executed synchronously. The provider is already queuing the 2822search set (every object beyond those returned in the first search response), so it is unreasonable 2823for a requestor to ask the provider to queue the results of a request for the next item in the search 2824set. 2825Furthermore, asynchronous iteration would complicate the provider’s maintenance of the search 2826set. Since a provider could never know that the requestor had processed the results of an 2827asynchronous iteration, the provider would not know when to increment its position in the search 2828set. In order to support asynchronous iteration both correctly and generally, a provider would have 2829to maintain a version of every search set for each iteration of that search set.

28303.5.7.2.1 Request (normative)

2831A requestor MUST send an to a provider in order to obtain any additional 2832objects that matched a previous but that the provider has not yet returned to 2833the requestor. (That is, matching objects that were not contained in the response to that 2834 and that have not yet been contained in any response to an 2835 associated with that .)

2836Execution. An MUST NOT specify “executionMode=‘asynchronous’”. 2837A requestor MUST specify “executionMode=‘synchronous’” or (a requestor MUST) omit the 2838“executionMode” attribute of the . See Determining execution type.

2839iterator. An MUST contain exactly one element. A requestor 2840MUST specify the from a as input to an .

2842A provider that receives a from a requestor that the provider trusts must 2843examine the content of the . If the request is valid, the provider MUST return 2844(the XML that represents) the next object in the status set that the represents. 2845Execution. The provider MUST execute the iterate operation synchronously (if the provider 2846executes the iterate operation at all). See the section entitled “Determining execution type”.

2847Response. The provider MUST return to the requestor an .

2848Status. The must contain a “status” attribute that indicates whether the 2849provider successfully returned the next object from the status set that the represents. 2850See “Status (normative)” for values of this attribute. 2851 If the provider successfully returned (the XML that represents) the next object from the status 2852 set that the represents, then the MUST specify 2853 “status=’success’”.

10807212bb8d0cf1f11a2b881ca263fc19f.doc Page 104 of 158 2854 If the provider encountered an error in returning (the XML that represents) the next object from 2855 the status set that the represents, then the MUST specify 2856 “status=’failure’”.

2857Pso. The MAY contain any number of elements.

2858 If the specifies “status=’success’” and at least one object remains 2859 (in the status set that the represents), then the MUST contain 2860 at least one element that contains the (XML representation of the) next matching object.

2861 If the specifies “status=’success’” and no object remains (in the 2862 status set that the represents), then the MUST NOT contain a 2863 element.

2864 If the specifies “status=’failure’”, then the 2865 MUST NOT contain a element.

2866PSO and ReturnData. Each contains the subset of (the XML representation of) a requested 2867object that the “returnData” attribute of the original specified. By default, 2868each contains the entire (XML representation of an) object.

2869 A element MUST contain a element. 2870 The element MUST contain the identifier of the requested object. 2871 See the section entitled “PSO Identifier (normative)”.

2872 A element MAY contain a element. 2873 - If the specified “returnData=’identifier’”, 2874 then the MUST NOT contain a element. 2875 - Otherwise, if the specified “returnData=’data’” 2876 or (if the specified) “returnData=’everything’” 2877 or (if the ) omitted the “returnData” attribute 2878 then the element MUST contain the XML representation of the object. 2879 This XML must be valid according to the schema of the target for the schema entity of 2880 which the newly created object is an instance.

2881 A element MAY contain any number of elements. Each 2882 element contains an item of capability-specific data that is associated 2883 with the newly created object (for example, a reference to another object). 2884 - If the specified “returnData=’identifier’” 2885 or (if the specified) “returnData=’data’” 2886 then the MUST NOT contain a element. 2887 - Otherwise, if the specified “returnData=’everything’” 2888 or (if the ) omitted the “returnData” attribute, 2889 then the MUST contain a element for each item of capability- 2890 specific data that is associated with the requested object 2891 (and that is specific to a capability that the target supports for the schema entity of which 2892 the requested object is an instance).

2893PSO capability-specific data and IncludeDataForCapability. A MUST 2894include (as sub-elements of each ) any capability-specific data that is 2895associated with the matching object and for which all of the following are true:

2896 The contains a .

10907212bb8d0cf1f11a2b881ca263fc19f.doc Page 105 of 158 2897 The original specified “returnData=’everything’” or (the 2898 ) omitted the “returnData” attribute. 2899 The schema for the target declares that the target supports the capability (for the schema entity 2900 of which each matching object is an instance).

2901 The original contained an element that 2902 specified the capability to which the data are specific or the original 2903 contained no element.

2904A SHOULD NOT include (as sub-elements of each 2905) any capability-specific data for which any of the above is not true.

2906iterator. A to an MAY contain at most one 2907 element.

2908 If the specifies “status=’success’” and the search response contains 2909 the last of the objects that matched the that was specified in the original 2910 , then the MUST NOT contain an .

2911 If the specifies “status=’success’” and the provider still has more 2912 matching objects that have not yet been returned to the requestor, then the 2913 MUST contain exactly one .

2914 If the specifies “status=’failure’”, then the 2915 MUST NOT contain an .

2916iterator ID. An MUST have an “ID” attribute.

2917The value of the “ID” attribute uniquely identifies the within the namespace of the 2918provider. The “ID” attribute allows the provider to map each token to the status set of 2919the requestor’s and to any state that records the requestor’s iteration within that status 2920set.

2921The “ID” attribute is (intended to be) opaque to the requestor. A requestor cannot ‘lookup’ an 2922. A requestor cannot specify the “ID” of an in an .

2923Error. If the specifies “status=’failure’”, then the 2924MUST have an “error” attribute that characterizes the failure. See “Error (normative)” for values 2925of this attribute.

2926The MUST specify an appropriate value of “error” if any of the following is 2927true:

2928 If the provider does not recognize the in an as representing 2929 a status set.

2930 If the provider does not recognize the in an as representing 2931 any status set that the provider currently maintains.

2932The MAY specify an appropriate value of “error” if any of the following is 2933true:

2934 If an contains an that is not the most recent version of the 2935 . If the provider has returned to the requestor a more recent that 2936 represents the same search result set, then the provider MAY reject the older . 2937 (A provider that changes the ID—for example, to encode the state of iteration within a search 2938 result set—may be sensitive to this.)

11007212bb8d0cf1f11a2b881ca263fc19f.doc Page 106 of 158 29393.5.7.2.3 Examples (non-normative)

2940In order to illustrate the ‘iterate’ operation, we first need a search operation that returns more than 2941one object. In the following example, a requestor asks a provider to search for every Person with an 2942email address that starts with the letter “j”. 3045The provider returns a . The “status” attribute of the 3046indicates that the provider successfully executed the search operation. The 3047contains two elements that represent the first matching objects. [email protected] [email protected] 3048The requestor decides that the two objects in the initial will suffice, and does 3049not intend to retrieve any more matching objects (in the result set for the search). The requestor 3050supplies the from the as input to the 3051. 3052The provider returns a in response to the 3053. The “status” attribute of the 3054indicates that the provider successfully released the search result.

30563.5.8 Suspend Capability

3057The Suspend Capability is defined in a schema associated with the following XML namespace: 3058urn:oasis:names:tc:SPML:2:0:suspend. This document includes the Suspend Capability 3059XSD as Appendix H. 3060The Suspend Capability defines three operations: ‘suspend’, ‘resume’ and ‘active’. 3061 The ‘suspend’ operation disables an object (immediately or on a specified date). 3062 The ‘resume’ operation re-enables an object (immediately or on a specified date). 3063 The ‘active’ operation tests whether an object is currently suspended. 3064The ‘suspend’ operation disables an object persistently (rather than transiently). The suspend 3065operation is intended to revoke the privileges of an account, for example, while the authorized user 3066of the account is on vacation. 3067The ‘resume’ operation re-enables an object persistently. One might use the resume operation to 3068restore privileges for an account, for example, when the authorized user of the account returns from 3069vacation. 3070A provider that supports the ‘suspend’, ‘resume’ and ‘active’ operations for a target SHOULD 3071declare that the target supports the Suspend Capability. A provider that does not support all of 3072‘suspend’, ‘resume’ and ‘active’ MUST NOT declare that the target supports the Suspend 3073Capability. 3074NOTE: Both the suspend and resume operations are idempotent. Are requestor should be able to 3075suspend (or to resume) the same object multiple times without error.

3076Search. A requestor can search for objects based on enabled state using the query 3077clause. The {IsActiveType} extends {QueryClauseType}, which indicates that an instance 3078of {IsActiveType} can be used to select objects. An clause matches an object if 3079and only if the object is currently enabled. In order to select disabled objects, a requestor would 3080combine this clause with the logical operator . See the section entitled “Selection”.

30813.5.8.1 suspend

3082The suspend operation enables a requestor to disable an object. 3083The subset of the Suspend Capability XSD that is most relevant to the suspend operation follows.

3085A requestor MUST send a to a provider in order to (ask the provider to) 3086disable an existing object. 3087Execution. A requestor MAY specify a type of execution for a ‘suspend’ operation. See 3088Determining execution type.

3089psoID. A MUST contain exactly one element. A element 3090MUST identify an object that exists on a target that is exposed by the provider. See the section 3091entitled "PSO Identifier (normative)".

3092EffectiveDate. A MAY specify an “effectiveDate”. Any 3093“effectiveDate” value MUST be expressed in UTC form, with no time zone component. 3094A requestor or a provider SHOULD NOT rely on time resolution finer than milliseconds. 3095A requestor MUST NOT generate time instants that specify leap seconds.

3097A provider that receives a from a requestor that the provider trusts MUST 3098examine the content of the . If the request is valid and if the specified object 3099exists, then the provider MUST disable the object that is specified by the .

3100If the specifies an “effectiveDate”, the provider MUST enable the 3101specified object as of that date.

3102 If the “effectiveDate” of the is in the past, then 3103 the provider MUST do one of the following: 3104 - The provider MAY disable the specified object immediately. 3105 - The provider MAY return an error. (The provider’s response SHOULD indicate that the 3106 request failed because the effective date is past.)

3107 If the “effectiveDate” of the is in the future, then 3108 - The provider MUST NOT disable the specified object until that future date and time. 3109 - The provider MUST disable the specified object at that future date and time 3110 (unless a subsequent request countermands this request). 3111Execution. If an does not have an execution attribute, the provider MUST 3112choose a type of execution for the requested operation. See the section entitled “Determining 3113execution type”.

3114Response. The provider must return to the requestor a . The 3115 must have a “status” attribute that indicates whether the provider 3116successfully disabled the specified object. See “Status (normative)” for values of this attribute.

3117Error. If the provider cannot create the requested object, the must contain 3118an error attribute that characterizes the failure. See “Error (normative)” for values of this attribute. 3119The provider MUST return an error if any of the following is true:

3120 The contains a for an object that does not exist.

3121 The specifies an “effectiveDate” that is not valid.

11707212bb8d0cf1f11a2b881ca263fc19f.doc Page 113 of 158 3122The provider MAY return an error if any of the following is true:

3123 The specifies an “effectiveDate” that is in the past. 3124The provider MUST NOT return an error when (the operation would otherwise succeed and) the 3125object is already disabled. In this case, the response should specify “status=’success’”.

3127In the following example, a requestor asks a provider to suspend an existing Person object. 3128The provider returns an element. The “status” attribute of the 3129 element indicates that the provider successfully disabled the specified 3130object. 3131In the following example, a requestor asks a provider to suspend an existing account. 3132The provider returns a . The “status” attribute of the 3133 indicates that the provider successfully disabled the specified account.

31343.5.8.2 resume

3135The resume operation enables a requestor to re-enable an object that has been suspended. (See 3136the description of the suspend operation above.) 3137The subset of the Suspend Capability XSD that is most relevant to the resume operation follows.

3139A requestor MUST send a to a provider in order to (ask the provider to) re- 3140enable an existing object.

11807212bb8d0cf1f11a2b881ca263fc19f.doc Page 114 of 158 3141Execution. A requestor MAY specify a type of execution for a ‘resume’ operation. See Determining 3142execution type.

3143psoID. A MUST contain exactly one element. A element 3144MUST identify an object that exists on a target (that is supported by the provider). See the section 3145entitled "PSO Identifier (normative)".

3146EffectiveDate. A MAY specify an “effectiveDate”. Any 3147“effectiveDate” value MUST be expressed in UTC form, with no time zone component. 3148A requestor or a provider SHOULD NOT rely on time resolution finer than milliseconds. 3149A requestor MUST NOT generate time instants that specify leap seconds.

3151A provider that receives a from a requestor that the provider trusts MUST 3152examine the content of the . If the request is valid and if the specified object 3153exists, then the provider MUST enable the object that is specified by the .

3154If the specifies an “effectiveDate”, the provider MUST enable the 3155specified object as of that date.

3156 If the “effectiveDate” of the is in the past, then 3157 the provider MUST do one of the following: 3158 - The provider MAY enable the specified object immediately. 3159 - The provider MAY return an error. (The provider’s response SHOULD indicate that the 3160 request failed because the effective date is past.)

3161 If the “effectiveDate” of the is in the future, then 3162 - The provider MUST NOT enable the specified object until that future date and time. 3163 - The provider MUST enable the specified object at that future date and time 3164 (unless a subsequent request countermands this request). 3165Execution. If an does not have an execution attribute, the provider MUST 3166choose a type of execution for the requested operation. See the section entitled “Determining 3167execution type”.

3168Response. The provider must return to the requestor a . The 3169 must have a “status” attribute that indicates whether the provider 3170successfully enabled the specified object. See “Status (normative)” for values of this attribute.

3171Error. If the provider cannot enable the requested object, the must contain 3172an error attribute that characterizes the failure. See “Error (normative)” for values of this attribute. 3173The provider MUST return an error if any of the following is true:

3174 The contains a for an object that does not exist.

3175 The specifies an “effectiveDate” that is not valid. 3176The provider MAY return an error if any of the following is true:

3177 The specifies an “effectiveDate” that is in the past. 3178The provider MUST NOT return an error when (the operation would otherwise succeed and) the 3179object is already enabled. In this case, the response should specify “status=’success’”.

11907212bb8d0cf1f11a2b881ca263fc19f.doc Page 115 of 158 31803.5.8.2.3 Examples (non-normative)

3181In the following example, a requestor asks a provider to resume an existing Person object. 3182The provider returns a element. The “status” attribute of the 3183 element indicates that the provider successfully disabled the specified object. 3184In the following example, a requestor asks a provider to resume an existing account. 3185The provider returns a . The “status” attribute of the 3186 indicates that the provider successfully enabled the specified account.

31873.5.8.3 active

3188The active operation enables a requestor to determine whether a specified object has been 3189suspended. (See the description of the suspend operation above.) 3190The subset of the Suspend Capability XSD that is most relevant to the active operation follows.

3192A requestor MUST send an to a provider in order to (ask the provider to) 3193determine whether the specified object is enabled (active) or disabled.

12007212bb8d0cf1f11a2b881ca263fc19f.doc Page 116 of 158 3194Execution. A requestor MAY specify a type of execution for an active operation. See Determining 3195execution type.

3196psoID. A MUST contain exactly one element. A element 3197MUST identify an object that exists on a target that is exposed by the provider. See the section 3198entitled "PSO Identifier (normative)".

3200A provider that receives a from a requestor that the provider trusts MUST 3201examine the content of the . If the request is valid and if the specified object 3202exists, then the provider MUST disable the object that is specified by the .

3203Execution. If an does not have an execution attribute, the provider MUST 3204choose a type of execution for the requested operation. See the section entitled “Determining 3205execution type”.

3206Response. The provider must return to the requestor an . The 3207 must have a “status” attribute that indicates whether the provider 3208successfully determined whether the specified object is enabled (i.e. active). See “Status 3209(normative)” for values of this attribute.

3210active. An MAY have an “active” attribute that indicates whether the 3211specified object is suspended. An that specifies “status=’success’” 3212MUST have an “active” attribute.

3213 If the specified object is suspended, the MUST specify 3214 “active=’false’”.

3215 If the specified object is not suspended, the MUST specify 3216 “active=’false’”. 3217Error. If the provider cannot determine whether the requested object is suspended, the 3218 must contain an “error” attribute that characterizes the failure. See “Error 3219(normative)” for values of this attribute. 3220The provider MUST return an error if any of the following is true:

3221 The contains a that specifies an object that does not exist.

3223In the following example, a requestor asks a provider whether a Person object is active. 3224The provider returns an element. The “status” attribute of the 3225 element indicates that the provider successfully completed the requested 3226operation. The “active” attribute of the indicates that the specified object is 3227active. 3228In the following example, a requestor asks a provider whether an account is active.

12107212bb8d0cf1f11a2b881ca263fc19f.doc Page 117 of 158 3229The provider returns an . The “status” attribute of the 3230 indicates that the provider successfully completed the requested operation. 3231The “active” attribute of the indicates that the specified object is active.

12207212bb8d0cf1f11a2b881ca263fc19f.doc Page 118 of 158 32323.6 Custom Capabilities 3233The features of SPMLv2 that allow the PSTC to define optional operations as part of standard 3234capabilities are open mechanisms that will work for anyone. An individual provider (or any third 3235party) can define a custom capability that integrates with SPMLv2. Whoever controls the 3236namespace of the capability controls the extent to which it can be shared. Each provider 3237determines which capabilities are supported for which types of objects on which types of targets. 3238The SPMLv2 capability mechanism is extensible. Any party may define additional capabilities. A 3239provider declares its support for a custom capability in exactly the same way that it declares support 3240for a standard capability: as a target element. 3241The standard capabilities that SPMLv2 defines will not address all needs. Contributors may define 3242additional custom capabilities. 3243Since the schema for each capability is defined in a separate namespace, a custom capability will 3244not ordinarily conflict with a standard capability that is defined as part of SPMLv2, nor will a custom 3245capability ordinarily conflict with another custom capability. In order for a custom capability B to 3246conflict with another capability A, capability B would have to import the namespace of capability A 3247and redeclare a schema element from capability A. Such a conflict is clearly intentional and a 3248provider can easily avoid such a conflict by not declaring support for capability B. 3249Also see the section below entitled “Conformance”.

32504 Conformance (normative)

32514.1 Core operations and schema are mandatory

3252A conformant provider MUST support the elements, attributes, and types defined in the SPMLv2 3253Core XSD. This includes all the core operations and protocol behavior.

3254Schema syntax for the SPMLv2 core operations is defined in a schema that is associated with the 3255following XML namespace: urn:oasis:names:tc:SPML:2:0. This document includes the Core 3256XSD as Appendix A.

32574.2 Standard capabilities are optional

3258A conformant provider SHOULD support the schema and operations defined by each standard 3259capability of SPMLv2. 3260A conformant provider MUST NOT expose an operation that competes with (i.e., whose functions 3261overlap those of) an operation defined by a standard capability of SPMLv2 3262UNLESS all of the following are true: 3263 The provider MUST define the competing operation in a custom capability. 3264 Every target (and every schema entity on a target) that supports the provider’s custom 3265 capability MUST also support the standard capability.

32664.3 Custom capabilities

3267A conformant provider MUST use the custom capability mechanism of SPMLv2 to expose any 3268operation beyond those specified by the core and standard capabilities of SPMLv2. 3269A conformant provider MAY support any custom capability that conforms to SPMLv2. 3270Custom capabilities must conform. Any operation that a custom capability defines MUST be 3271defined as a request-response pair such that all of the following are true:

3272 The request type (directly or indirectly) extends {RequestType}

3273 The response type is {ResponseType} or (the response type directly or indirectly) extends 3274 {ResponseType}. 3275Custom capabilities should not conflict. Since each custom capability is defined in its own 3276namespace, an element or attribute in the XML schema that is associated with a custom capability 3277SHOULD NOT not conflict with (i.e., SHOULD NOT redefine and SHOULD NOT otherwise change 3278the definition of) any element or attribute in any other namespace: 3279 A custom capability MUST NOT conflict with the Core XSD of SPMLv2. 3280 A custom capability MUST NOT conflict with any standard capability of SPMLv2. 3281 A custom capability SHOULD NOT conflict with another custom capability.

32825 Security and privacy considerations

3283This section identifies scenarios that compromise security and privacy. Scenarios such as these 3284should be considered when implementing an SPML-based system. This section is purely 3285informative. Each implementer must evaluate the risks and select appropriate safeguards.

32865.1 Threat model

3287We assume here that an adversary has access to the communication channel between the SPML 3288requestor and provider and is able to interpret, insert, delete and modify messages or parts of 3289messages.

32905.1.1 Unauthorized disclosure

3291SPML does not specify any inherent mechanisms for confidentiality of the messages exchanged 3292between actors. Therefore, an adversary could observe the messages in transit. Disclosure of the 3293information contained in SPML messages may constitute a violation of certain security policies. 3294Disclosure of provisioning data may have significant repercussions. In the commercial sector, the 3295consequences of unauthorized disclosure of personal data may range from public embarrassment 3296of the corporation to imprisonment of and large fines for its officers. Statutory penalties are 3297especially high in the case of medical or financial data. 3298Confidentiality mechanisms (see below) address unauthorized disclosure.

32995.1.2 Message Replay

3300A message replay attack is one in which an adversary records and replays legitimate messages 3301between SPML actors. This attack may lead to denial of service, impersonation, or simply out-of- 3302date information. 3303An implementer must use message “freshness” mechanisms in order to prevent replay attacks. 3304Note that message encryption does not mitigate a replay attack since an attacker merely replays 3305(and does not need to understand) the message.

33065.1.2.1 Message insertion

3307A message insertion attack is one in which an adversary inserts messages in the sequence of 3308messages between SPML actors. 3309The solution to a message insertion attack is to use mutual authentication and a message 3310sequence integrity mechanism between the actors. It should be noted that just using SSL mutual 3311authentication is not sufficient. SSL mutual authentication proves only that the other party is the one 3312identified by the subject of the X.509 certificate. In order to be effective, it is necessary to confirm 3313that the certificate subject is authorized to send the message.

33145.1.2.2 Message deletion

3315A message deletion attack is one in which the adversary deletes messages in the sequence of 3316messages between SPML actors. Message deletion may lead to denial of service. However, a

12707212bb8d0cf1f11a2b881ca263fc19f.doc Page 121 of 158 3317properly designed SPML system should not trigger false provisioning on as the status of a message 3318deletion attack. 3319The solution to a message deletion attack is to use a message integrity mechanism between the 3320actors.

33215.1.2.3 Message modification 3322If an adversary can intercept a message and change its contents, then the adversary may be able 3323to alter a provisioning request. Message integrity mechanisms can prevent a message modification 3324attack from succeeding.

33255.2 Safeguards

33265.2.1 Authentication

3327Authentication provides the means for one party in a transaction to determine the identity of the 3328other party in the transaction. Authentication may be unilateral (in one direction) or it may be 3329bilateral (on both sides). 3330Given the sensitive nature of many provisioning requests and systems it is important for a 3331requestor (client) to authenticate the provider (server). Otherwise, there is a risk that an adversary 3332could act as a provider, leading to a possible security violation. 3333It is equally important for a provider to authenticate the requestor, to assess the level of trust 3334between them and to determine whether the requestor is authorized to request each operation. 3335Many different techniques may be used to provide authentication, such as co-located code, a 3336private network, a VPN or digital signatures. Authentication may also be performed as part of the 3337communication protocol that is used to exchange the requests. When authentication is performed 3338as part of the protocol, authentication may be performed for each session or for each message.

33395.2.2 Confidentiality

3340Confidentiality mechanisms ensure that only the desired recipients can read the contents of a 3341message. The primary concern is confidentiality during transmission.

33425.2.2.1 Communication confidentiality

3343In some environments it is deemed good practice to treat all data within a provisioning domain as 3344confidential. In other environments certain parts of the service schema and required attributes may 3345be published. Regardless of the approach, the security of the provisioning system as a whole 3346should not depend in any way on the secrecy of the service, on the secrecy of the service’s 3347provider, nor on the secrecy of the service’s request data schema. 3348Any security concern or requirement related to transmitting or exchanging SPML documents lies 3349outside the scope of the SPML standard. Ensuring the integrity and confidentiality of provisioning 3350requests is generally important, but the implementer must determine which mechanisms are 3351appropriate for each implementation environment. 3352A confidentiality mechanism, such as SSL, can provide communications confidentiality. However, a 3353point-to-point scheme like SSL may lead to other vulnerabilities if one of the end-points is 3354compromised.

12807212bb8d0cf1f11a2b881ca263fc19f.doc Page 122 of 158 33555.2.2.2 Trust model

3356Discussions of authentication, integrity and confidentiality mechanisms necessarily assume an 3357underlying trust model: how can one actor come to believe that a given key is uniquely associated 3358with a specific, identified actor so that the key can be used to encrypt data for that actor or verify 3359signatures (or other integrity structures) from that actor? Many different types of trust model exist, 3360including strict hierarchies, distributed authorities, the Web, the bridge and so on.

33615.2.2.3 Privacy

3362It is important to be aware that any transactions that occur in an SPML model system may contain 3363private and secure information about the actors. Selection and use of privacy mechanisms 3364appropriate to a given environment are outside the scope of this specification. The decisions 3365regarding whether, how and when to deploy such mechanisms is left to the implementers 3366associated with the environment.

3367Appendix A. Core XSD

13107212bb8d0cf1f11a2b881ca263fc19f.doc Page 124 of 158 use="optional"/>

13707212bb8d0cf1f11a2b881ca263fc19f.doc Page 130 of 158 3369Appendix B. Async Capability XSD

13907212bb8d0cf1f11a2b881ca263fc19f.doc Page 132 of 158 3371Appendix C. Batch Capability XSD

Elements that extend spml:RequestType

Elements that extend spml:ResponseType

14107212bb8d0cf1f11a2b881ca263fc19f.doc Page 134 of 158 3373Appendix D. Bulk Capability XSD

14307212bb8d0cf1f11a2b881ca263fc19f.doc Page 136 of 158 3375Appendix E. Password Capability XSD

14507212bb8d0cf1f11a2b881ca263fc19f.doc Page 138 of 158 3377Appendix F. Reference Capability XSD

14707212bb8d0cf1f11a2b881ca263fc19f.doc Page 140 of 158 3379Appendix G. Search Capability XSD

15007212bb8d0cf1f11a2b881ca263fc19f.doc Page 143 of 158 3380Appendix H. Suspend Capability XSD

15207212bb8d0cf1f11a2b881ca263fc19f.doc Page 145 of 158 3382Appendix I. Document References 3383 [ARCHIVE-1] OASIS Provisioning Services Technical Committee, email archive, 3384 http://www.oasis- 3385 open.org/apps/org/workgroup/provision/email/archives/index. 3386 html, OASIS PS-TC

3388 [DS] IETF/W3C, W3C XML Signatures, http://www.w3.org/Signature/, 3389 W3C/IETF

3391 [DSML] OASIS Directory Services Markup TC, DSML V2.0 Specification, 3392 http://www.oasis- 3393 open.org/apps/org/workgroup/dsml/documents.php, OASIS 3394 DS-TC

3396 [GLOSSARY] OASIS Provisioning Services TC, Glossary of Terms, 3397 http://www.oasis- 3398 open.org/apps/org/workgroup/provision/download.php/???, 3399 OASIS PS-TC

3401 [RFC2119] S. Bradner., Key words for use in RFCs to Indicate Requirement 3402 Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF

3404 [SAML] OASIS Security Services TC, XMLTitle, http://www.oasis- 3405 open.org/apps/org/workgroup/sstc/documents.php, OASIS 3406 SS-TC

3408 [SPML-Bind]] OASIS Provisioning Services TC, SPML V1.0 Protocol Bindings, 3409 http://www.oasis- 3410 open.org/apps/org/workgroup/provision/download.php/1816/d 3411 raft-pstc-bindings-03.doc, OASIS PS-TC

3413 [SPML-REQ] OASIS Provisioning Services Technical Committee, Requirements, 3414 http://www.oasis- 3415 open.org/apps/org/workgroup/provision/download.php/2277/d 3416 raft-pstc-requirements-01.doc, OASIS PS-TC

3418 [SPML-UC] OASIS Provisioning Services Technical Committee, SPML V1.0 3419 Use Cases, http://www.oasis- 3420 open.org/apps/org/workgroup/provision/download.php/988/drf 3421 at-spml-use-cases-05.doc, OASIS PS-TC

3423 [SPMLv2-Profile-DSML] OASIS Provisioning Services Technical Committee, SPMLv2 3424 DSMLv2 Profile, OASIS PS-TC

3426 [SPMLv2-Profile-XSD ] OASIS Provisioning Services Technical Committee, SPML V2 XSD 3427 Profile, OASIS PS-TC

3429 [SPMLv2-REQ] OASIS Provisioning Services Technical Committee, Requirements, 3430 , OASIS PS-TC

15307212bb8d0cf1f11a2b881ca263fc19f.doc Page 146 of 158 3432 [SPMLv2-ASYNC] OASIS Provisioning Services Technical Committee, XML Schema 3433 Definitions for Async Capability of SPMLv2, OASIS PS-TC

3435 [SPMLv2-BATCH] OASIS Provisioning Services Technical Committee, XML Schema 3436 Definitions for Batch Capability of SPMLv2, OASIS PS-TC

3438 [SPMLv2-BULK] OASIS Provisioning Services Technical Committee, XML Schema 3439 Definitions for Bulk Capability of SPMLv2, OASIS PS-TC

3441 [SPMLv2-CORE] OASIS Provisioning Services Technical Committee, XML Schema 3442 Definitions for Core Operations of SPMLv2, , OASIS PS-TC

3444 [SPMLv2-PASS] OASIS Provisioning Services Technical Committee, XML Schema 3445 Definitions for Password Capability of SPMLv2, , OASIS PS-TC

3447 [SPMLv2-REF] OASIS Provisioning Services Technical Committee, XML Schema 3448 Definitions for Reference Capability of SPMLv2, , OASIS PS-TC

3450 [SPMLv2-SEARCH] OASIS Provisioning Services Technical Committee, XML Schema 3451 Definitions for Search Capability of SPMLv2, , OASIS PS-TC

3453 [SPMLv2-UC] OASIS Provisioning Services Technical Committee., SPML V2.0 3454 Use Cases, , OASIS PS-TC

3456 [XSD] W3C Schema WG ., W3C XML Schema, 3457 http://www.w3.org/TR/xmlschema-1/ W3C

3459 3460

3461Appendix J. Acknowledgments

3462The following individuals were voting members of the Provisioning Services committee at the time 3463that this version of the specification was issued: 3464List Members Here: 3465 3466

3468Appendix K. Notices

3469OASIS takes no position regarding the validity or scope of any intellectual property or other rights 3470that might be claimed to pertain to the implementation or use of the technology described in this 3471document or the extent to which any license under such rights might or might not be available; 3472neither does it represent that it has made any effort to identify any such rights. Information on 3473OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS 3474website. Copies of claims of rights made available for publication and any assurances of licenses to 3475be made available, or the result of an attempt made to obtain a general license or permission for 3476the use of such proprietary rights by implementors or users of this specification, can be obtained 3477from the OASIS Executive Director. 3478OASIS invites any interested party to bring to its attention any copyrights, patents or patent 3479applications, or other proprietary rights which may cover technology that may be required to 3480implement this specification. Please address the information to the OASIS Executive Director. 3481Copyright © OASIS Open 2004. All Rights Reserved. 3482This document and translations of it may be copied and furnished to others, and derivative works 3483that comment on or otherwise explain it or assist in its implementation may be prepared, copied, 3484published and distributed, in whole or in part, without restriction of any kind, provided that the above 3485copyright notice and this paragraph are included on all such copies and derivative works. However, 3486this document itself may not be modified in any way, such as by removing the copyright notice or 3487references to OASIS, except as needed for the purpose of developing OASIS specifications, in 3488which case the procedures for copyrights defined in the OASIS Intellectual Property Rights 3489document must be followed, or as required to translate it into languages other than English. 3490The limited permissions granted above are perpetual and will not be revoked by OASIS or its 3491successors or assigns. 3492This document and the information contained herein is provided on an “AS IS” basis and OASIS 3493DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO 3494ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY 3495RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A 3496PARTICULAR PURPOSE

3497Appendix L. Revision history

16007212bb8d0cf1f11a2b881ca263fc19f.doc Page 150 of 158 Rev Date By What Whom D- 20041001 Editor 0.1 Rough Draft. 01 D- 20041019 Editor Review Schema section. 01 Minor corrections to draft XSD. D- 20041026 Editor Define a Batch capability. 01 (Batch operation is no longer part of the core) D- 20041026 Editor Rework asynchronous execution. 01 1) By default, execution type is unspecified. 2) Requestor can specify asynchronous execution for ANY operation except cancel and status. Provider must execute as specified (or fail the request if unable to do so). 3) Provider can convert a request (for any operation except cancel and status) that does not specify synchronous execution to asynchronous execution (e.g., if workflow makes this necessary) 4) Provider returns requestID for any operation that the provider executes asynchronously. 5) Define Async Capability (so provider can indicate whether it supports asynchronous execution). May also contain cancel and status operations. D- 20041029 Editor Retention limit for results of async operations 01 does not rise to the level of specification. D- 20041102 Editor Review Introduction and Concepts sections. 01 1) Do not use Java to explain Capability 2) Target schema cannot contain DSML (because DSML deprecates schema); we mean “DSML binding for SPMLv2”. 3) Make clear that a target is not a provider (but is instead a container of objects that a provider manages) D- 20041115 Gerry Review Protocol section. 01 Woods 1) Remove language stating that the requestID value SHOULD be globally unique so that the value will not conflict with any other requestID value that the requestor may receive from any provider.” 2) Describe single-operation requests as ‘individual’ requests rather than ‘singleton’ requests. 3) PSO-IDs are required only to be unique within provider (rather than

16107212bb8d0cf1f11a2b881ca263fc19f.doc Page 151 of 158 globally unique). 4) ListTargets MUST be synchronous (previously said SHOULD). 5) Removed repetition of “open content” in listTargets/schema section. 6) Cleaned up listTargets example: - Remove XML Processing Instructions - Capability identifiers are namespaces - Status code values are no longer fully qualified D- 20041116 Editor Distributed draft Protocol/Async Capability section. 01 D- 20041118 Editor Distributed draft Protocol/Batch Capability section. 01 D- 20041129 Editor Distributed draft Protocol/Bulk, Password, Reference, Search and 01 Suspend Capability sections. D- 20041201 Editor Removed Schema section. Since each protocol section includes 01 relevant schema snippets (and normatively describes both request and response for every operation), schema section was redundant (and not worth 40-60 pages). D- 20041205 Editor Pasted in Draft 9 Schema snippets. Moved each complete schema 02 section into an appendix. Indicated pending and proposed XSD changes with red font and sometimes strikethrough. Renamed capabilityParameter to capabilityData. Renamed ObjectClassRefType to SchemaEntityRefType. Added sub-element to psoType. Modify operation may now return entire . D- 20041207 Editor Pasted in Draft 10 Schema snippets. Updated text to reflect issues 03 resolved in Draft 10. Abstract: Specification no longer defines schema. Audience: Pointed each audience to one section. Restored mention of appendix. Concepts: Merge Target subsection into Target subsection of DomainModel. Domain Model: Note that Gerry will send UML to replace ERD. Rename RA to requestor, PSP to provider, PST to target. Remove Terms subsection since it is no longer needed. Protocol: removed subsection regarding Profiles. Profiles now described only in Concepts. Renamed “DSML Schema” to “SPML1.0 Schema” and “DSML Profile” to “SPML1.0 Profile”. D- 20041209 Editor Protocol: added Conversational Flow section within 03 Request/Response Model. Recommended requestID. Determining execution type: renamed to “Determining execution

16207212bb8d0cf1f11a2b881ca263fc19f.doc Page 152 of 158 mode”. Added bullet-pointed list of the four possibilities. SelectionType: Added subsection to describe “SelectionType processing in a Response (normative).” Delete: Say that Provider MUST ignore capability-specific data. D- 20041210 Editor Pasted in Draft 11 XSD files into Appendices. 03 Updated snippets for Protocol Request/Response model and Synchronous and Asynchronous Operations. D- 20041214 Editor ListTargets: pasted in Draft 11 XSD snippets. 03 Added discussion of SchemaEntityRefType#isContainer. Added discussion of SchemaType#ref element Added discussion of capabilities element wrapping capability. Add: pasted in Draft 11 XSD snippets. Added discussion of AddRequestType#returns. Renamed “parentId” to “containerID” (per Draft 11) AddResponseType#pso content depends on “returns” D- 20041216 Editor Lookup: pasted in Draft 11 XSD snippets. 03 Added discussion of LookupRequestType#returns. LookupResponseType#pso content depends on “returns” Lookup examples illustrate “returns” attribute. Moved Conformance before Security and Privacy Considerations. D- 20050112 Editor Pasted in remaining Draft 11 XSD snippets. 03 Discussed “returns” attribute and its effect on content for: Modify, Search, Iterate.

Discussed for Search.

Discussed “recursive” attribute for Delete. D- 20050215 Editor Updated to Draft 13 XSD. 03 Updated OASIS Notices for 2005.

Explained (in the non-normative section that introduces the Async Capability) why the cancel and status operations must be synchronous.

Explained (in the non-normative section that introduces the Search Capability) why the iterate operation must be synchronous.

Specified that neither suspend nor resume should return an error when the object is already in the desired state. Explained (in the non- normative section that introduces the Suspend Capability) that the suspend and resume operations are idempotent. D- 20050225 Editor Removed Glossary appendix. Add Reference to [GLOSSARY] as a 03 separate document.

Removed Requirements appendix. Add Reference to [SPMLv2-REQ] as a separate document.

16307212bb8d0cf1f11a2b881ca263fc19f.doc Page 153 of 158 D- 20050308 Editor Removed Editor’s note in 3.4.1.2.2. Per agreement on #40 in 04 draft_13_xsd_issues.txt, schema declares valid containers. Invalid content is an exception.

Documented “Status and Error Codes” as a general feature of the protocol. (This replaces references to normative Schema sections.)

D- 20050325 Editor Explained (in the non-normative section that introduces each) why the 04 listTargets, batch, search, iterate, cancel and status operations are not batchable. Stated (in the normative section that describes the batch request) that these operations must not be nested within a batch request.

D- 20050326 Editor Updated schema appendices, schema snippets and examples to XSD 04 version 15. D- 20050404 Editor Updated names of XSD Profile and DSMLv2 Profile documents. 05 Renamed “SPML1.0 Profile” (back) to “DSMLv2 Profile”. Clarified that content of schema element takes precedence over any reference to a schema URN or URL. Removed from the Concepts section most of the language that referred to SPML 1.0. Removed statement that SPMLv2 continues to supports SPML1.0 as a profile. Now say only that DSMLv2 profile supports a similar schema model. Added normative sub-section specific to Status (and normative subsection specific to Error) within “Status and Error codes”. Reworded “Conversational flow” section to avoid the word “blocking”. Removed some language (including the introductory paragraph) that suggested order that does not exist over a connectionless protocol.

Mentioned that modify can change PSO-ID in non-normative section that introduces the modify operation. Discussed adding and modifying a reference in modify Examples.

D- 20050404 Editor Use ‘http://www.w3.org/TR/xpath20’ as namespaceURI for Xpath. 06 Illustrate targetID as an attribute (with additions and strikethroughs). Removed namespace qualifier from status values (e.g., “success”). Correct miscellaneous errors in examples (noted by Rami Elron). Assume top-level elements bulkModifyResponse and bulkDeleteResponse of type spml:ResponseType. Assume top-level element iterateResponse of type

16407212bb8d0cf1f11a2b881ca263fc19f.doc Page 154 of 158 SearchResponseType.

D- 20050516 Editor Remove Editor’s note: “Darran will send UML to replace ERD”. 07 Updated Jeff Bohren’s email address (throughout). Update text to discuss targetID and containerID as attributes (rather than elements). Applies also to baseTargetID and baseContainerID within SearchQueryType. Applies also to targetID and ID in PSOIdentifierType. #13. Discuss Complex References within Reference Capability section. Explain that capabilities cannot apply to references, and explain that a provider may model each complex relationship as a PSO. Use RacfGroupMembership to illustrate two approaches: 1) independent relationship objects and 2) bound relationship objects. Move elements outside the element that is open content of the element. Updated Appendices and XML snippets to XSD version 16. #15: Correct Jeff Bohren’s company affiliation (was OpenNetworks, now BMC). #15: Correct Gerry Woods’ company affiliation (was IBM, now SOA Software). Miscellanous changes (spec issues #17, 18, 19, 20, 23, 24). #17: Removed example of monotonically increasing integer with rollover as reasonably unique requestID. #18, #20 Removed third person references to “The PSTC…”. #19 Described listTargets as “discovery” operation (rather than as a “bootstrap” operation). #9: Rewrite “Conversational Flow” section. Initially revised, then subsequently removed diagrams of orderly alternation and multiple outstanding requests. Updated text of “RequestID (normative)” to explain that a requestor using a synchronous transport protocol may omit requestID. Update to XSD 17. Request/response element pairs. #70: Discuss effectiveDate for suspend/resume requests. #5: Remove note regarding a “registry” of custom capabilities. #21: Globally change psoId to psoID, targetId to targetID, and containerId to containerID. #71: Discuss QueryClauseType and Logical Operators. Factor discussion of SearchQueryType into an upfront section. Enhance Reference Capability to discuss query clause. Enhance Suspend Capability to discuss query clause.

D- 20050517 Editor Update to XSD 18: 08 (65). SchemaEntityRefType: add targetID attribute.

16507212bb8d0cf1f11a2b881ca263fc19f.doc Page 155 of 158 (67): AddRequestType#targetID: was element now attribute. (67): PSOIdentifierType: containerID now element. (67): TargetType: targetID is now attribute. (71): Define LogicalOperatorType. (67): SearchQueryType: targetID is now attribute. - Move maxReturn from SearchQueryType to SearchRequestType - HasReferenceType now has individual components of reference. Update to XSD 19: - AddRequestType: remove xsd choice. #10: ListTargetsResponse#Capability topic now specifies that any declaration of the reference capability must contain at least one reference definition. #11: ListTargetsResponse#ResourceDefinition canReferTo topic now specifies that any element must specify “targetID” if the contains more than one . In general, targetID may be omitted if a provider exposes only one target. In general, targetID must be specified if a provider exposes multiple targets (except where document structure clearly implies targetID--e.g., where a target contains a supportedSchemaEntity). Reorganized “Complex References” section. Devoted a subsection to each of the three approaches. Added sample ListTargetsResponse for ReferenceData approach. Corrected sample schema in ListTargetsResponse for all three approaches. The content of an instance of PSOIdentifierType depends on the profile that the requestor and provider have agreed to use.

D- 20050523 Editor Update to XSD 20: 09 (81) PSOIdentifierType#containerID now minOccurs=0. (84) Remove maxReturn from SearchQueryType. (88) LookupRequestType#psoID now has default cardinality. Change effectiveDate from “datetime” to “dateTime”. #28. Remove undefined 'isContainer' attribute from 'Organization' and 'OrganizationalUnit' in content within example. (This attribute was intended to occur only in declarations.) #27. Enhanced normative description of 'effectiveDate' attribute of and . Regenerated Table Of Contents. #32 Listed Martin Raepple (SAP), Cory Williams (IBM), and Ian Glazer (IBM) as Contributors. #29 Fix ReferenceDefinition elements closed prematurely in listTargetsResponse example. #30: Change status='succeeded' to status='success'. #33: Globally replace "Capability Schema" with "Capability XSD". Globally replace "Core Schema" with "Core XSD". Change title of

16607212bb8d0cf1f11a2b881ca263fc19f.doc Page 156 of 158 2.1.3.1 from "Schema" to "Target Schema". #39 Added a “Resource Considerations” topic within the Search Capability section. The text within the “Search is not batchable” and “Iterate is not batchable” topics now refers to this “Resource Considerations” topic. Update to XSD 21: (89) Remove CHOICE from SearchQueryType. Rename maxReturn to maxSelect. (85) Rename toPSOID to toPsoID. (86) Rename basePSOID to basePsoID. #41. Correct modification examples to use namespaceURI and path to specify replacement of entire elements (not attributes). #43. Reword section on Batch as a Logical Unit of Work. Rename topic from “A batch is not a logical unit of work” to “No transactional semantics”. #44. Remove references to BatchableRequestType. #46. Make clear that RACF Group Membership is an example of a Complex Reference, not an official part of the Reference Capability. - Rename the topic from “RACF Group Membership” to “Example: RACF Group Membership” - Change the font on the RacfGroupMembership XSD to Arial. - RacfGroupMembershipType should NOT extend spml:ExtensibleType. #47. Empty search result contains no iterator. #51. Iterator element in IterateRequest iterator needs only ID attribute (not count or totalCount). #54. Remove the last remaining reference to capability “registry”. #14. Assume ReferenceDefinitionType contains any number of referenceDataType elements of type SchemaEntityRefType. Discuss referenceDataType within ReferenceDefinition section of Reference Capability. Add “ReferenceDefinition referenceDataType” topic within listTargetsResponse section. D- 20050607 Editor #57. Correct examples: psoID#objectID should be psoID#ID. 10 #14, #56. Remove red font from referenceDataType discussion. #56 Remove red font and strikethrough font (including editor’s notes for issues #6, #7, and #8). Update to XSD 22: #53. Remove Iterator#count and #totalCount. SearchResponse must return error='insufficientResources' if search result exceeds a limit on the provider's part. #55. Add a section within SearchCapability that describes the closeIterator operation. Update to XSD 23: - closeIteratorResponseType is now of type spml:ResponseType

16707212bb8d0cf1f11a2b881ca263fc19f.doc Page 157 of 158 (rather than spmlsearch:SearchResponseType). - allow cardinality to default to IterateRequestType#iterator. - allow cardinality to default for CloseIteratorRequestType#iterator.

#49. Update normative text to reflect removal of ReturnDataType#none. Affects several "PSO and ReturnData" topics.