Grant an unmanaged app to a group

POST {{HOST}}/admin/v1/Grants

Groups don't have access to Apps. Groups have GRANTS of Apps. Users who are members of a Group to which an App has been granted have access to the App.

Fulfillment of a Grant of a ManagedApp to a Group doesn't require an Identity Connector Framework Connector (ICF).

Oracle Identity Cloud Service fulfills a Grant-to-Group by "expanding" it into a Grant-to-User for each User who is a member of that Group.
As members are added to (or removed from) the Group, Oracle Identity Cloud Service creates (or deletes) a Grant-to-User for each member.

Fulfillment of a Grant of an UnmanagedApp to a Group would be handled in the same way (by expanding it to a Grant-to-User for each member), unless the Grant of the UnmanagedApp specifies an AppRole.

Fulfillment of a Grant of an AppRole to a Group doesn't expand the Grant-to-Group into a Grant-to-User for each member (although technically fulfillment could do this). Because Oracle Identity Cloud Service internally maintains the members of each AppRole, fulfillment simply adds that Group as a member of the AppRole.

Technically, this is far more efficient than adding each member of the Group as a member of the AppRole. If that Group is already a member of that AppRole, this is a NO-OP.

See https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/appmgmtrelationships.html for more information on understanding application management relationships between Apps, AppRoles, Users, and Groups.

Request Body

{"grantee":{"type":"Group","value":"{{groupid}}"},"app":{"value":"{{appid}}"},"entitlement":{"attributeName":"appRoles","attributeValue":"{{approleid}}"},"grantMechanism":"ADMINISTRATOR_TO_GROUP","schemas":["urn:ietf:params:scim:schemas:oracle:idcs:Grant"]}

HEADERS

Key            Datatype  Required  Description
Authorization  string
Content-Type   string

RESPONSES

status: Created

{"grantee":{"type":"Group","value":"e1331b077f0f4bfd8041a16147ceaf1a","$ref":"https://bravoe.identity.internal.oracle.com/admin/v1/Groups/e1331b077f0f4bfd8041a16147ceaf1a"},"app":{"value":"87c33734696c495da7772648b3e67616","$ref":"https://bravoe.identity.internal.oracle.com/admin/v1/Apps/87c33734696c495da7772648b3e67616"},"grantMechanism":"ADMINISTRATOR_TO_GROUP","schemas":["urn:ietf:params:scim:schemas:oracle:idcs:Grant"],"id":"e6bc9c4fb89e4337b853648d9c38483a","isFulfilled":false,"grantor":{"type":"App","value":"c4b20a6b16e24fec9e3e18322c997297","$ref":"https://bravoe.identity.internal.oracle.com/admin/v1/Apps/c4b20a6b16e24fec9e3e18322c997297"},"meta":{"created":"2019-03-25T09:10:15.063Z","lastModified":"2019-03-25T09:10:15.063Z","resourceType":"Grant","location":"https://bravoe.identity.internal.oracle.com/admin/v1/Grants/e6bc9c4fb89e4337b853648d9c38483a"},"idcsCreatedBy":{"value":"c4b20a6b16e24fec9e3e18322c997297","type":"App","display":"Demo","$ref":"https://bravoe.identity.internal.oracle.com/admin/v1/Apps/c4b20a6b16e24fec9e3e18322c997297"},"idcsLastModifiedBy":{"value":"c4b20a6b16e24fec9e3e18322c997297","type":"App","display":"Demo","$ref":"https://bravoe.identity.internal.oracle.com/admin/v1/Apps/c4b20a6b16e24fec9e3e18322c997297"}}
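The request and response above as an added Python example (not part of the original page or Oracle's code): it builds the Grant body with or without the AppRole entitlement, prepares the POST without sending it, and checks that a 201 body echoes the requested grantee and app. The helper names, the example host, the Bearer scheme and the application/json content type are assumptions; the sample response is constructed from the ids shown in the response on this page.

```python
import json
import urllib.request

GRANT_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:Grant"

def build_group_grant(group_id, app_id, app_role_id=None):
    """Body for POST /admin/v1/Grants: grant an App (optionally one AppRole) to a Group."""
    ids = {"group_id": group_id, "app_id": app_id}
    if app_role_id is not None:
        ids["app_role_id"] = app_role_id
    for name, value in ids.items():
        # Reject blanks and unsubstituted {{groupid}}-style template variables.
        if not value or "{{" in value:
            raise ValueError(name + " is empty or an unresolved template variable")
    body = {
        "grantee": {"type": "Group", "value": group_id},
        "app": {"value": app_id},
        "grantMechanism": "ADMINISTRATOR_TO_GROUP",
        "schemas": [GRANT_SCHEMA],
    }
    if app_role_id is not None:
        # With an AppRole, the Group becomes a member of the AppRole.
        body["entitlement"] = {"attributeName": "appRoles", "attributeValue": app_role_id}
    return body

def build_request(host, token, body):
    """Prepare (do not send) the request; refuse plain HTTP so the token is not sent in clear."""
    if not host.startswith("https://"):
        raise ValueError("host must be an https:// URL")
    return urllib.request.Request(
        host.rstrip("/") + "/admin/v1/Grants",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": "Bearer " + token,  # assumed scheme
                 "Content-Type": "application/json"},  # assumed media type
        method="POST",
    )

def check_created(sent, response_text):
    """Confirm the created Grant matches what was requested; return (grant id, isFulfilled)."""
    got = json.loads(response_text)
    for path in (("grantee", "type"), ("grantee", "value"), ("app", "value")):
        if got[path[0]][path[1]] != sent[path[0]][path[1]]:
            raise ValueError("response %s.%s differs from the request" % path)
    return got["id"], bool(got.get("isFulfilled"))

# Constructed sample: trimmed copy of the response shown on this page.
SAMPLE_RESPONSE = json.dumps({
    "grantee": {"type": "Group", "value": "e1331b077f0f4bfd8041a16147ceaf1a"},
    "app": {"value": "87c33734696c495da7772648b3e67616"},
    "id": "e6bc9c4fb89e4337b853648d9c38483a", "isFulfilled": False})
```

A returned isFulfilled of false, as in the sample, means the caller should re-read the Grant later rather than assume access is already in effect.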