Grant an unmanaged app to a group
POST {{HOST}}/admin/v1/Grants
Groups don't have access to Apps. Groups have GRANTS of Apps. Users who are members of a Group to which an App has been granted have access to the App.
Fulfillment of a Grant of a ManagedApp to a Group doesn't require an Identity Connector Framework (ICF) connector.
Oracle Identity Cloud Service fulfills a Grant-to-Group by "expanding" it into a Grant-to-User for each User who is a member of that Group.
As members are added to (or removed from) the Group, Oracle Identity Cloud Service creates (or deletes) a Grant-to-User for each member.
Fulfillment of a Grant of an UnmanagedApp to a Group is handled in the same way (by expanding it to a Grant-to-User for each member), unless the Grant of the UnmanagedApp specifies an AppRole.
Fulfillment of a Grant of an AppRole to a Group doesn't expand the Grant-to-Group into a Grant-to-User for each member (although technically fulfillment could do this). Because Oracle Identity Cloud Service maintains internally the members of each AppRole, fulfillment simply adds that Group as a member of the AppRole.
Technically, this is far more efficient than adding each member of the Group as a member of the AppRole. If that Group is already a member of that AppRole, this is a NO-OP.
See https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/appmgmtrelationships.html for more information on understanding application management relationships between Apps, AppRoles, Users, and Groups.
Request Body
{
  "grantee": {"type": "Group", "value": "{{groupid}}"},
  "app": {"value": "{{appid}}"},
  "entitlement": {"attributeName": "appRoles", "attributeValue": "{{approleid}}"},
  "grantMechanism": "ADMINISTRATOR_TO_GROUP",
  "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:Grant"]
}
HEADERS
Key | Datatype | Required | Description
---|---|---|---
Authorization | string | |
Content-Type | string | |
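The request above as an added, runnable example (not code from the Oracle documentation): a small Python helper that builds the Grant body, omitting the appRoles entitlement when no AppRole is given, and posts it with the Authorization and Content-Type headers listed. The tenant host, the bearer token and the app/group/AppRole ids are placeholders.

```python
import json
import urllib.request
from typing import Optional

# Schema URN taken from the request body on this page.
GRANT_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:Grant"


def build_group_grant(app_id: str, group_id: str,
                      app_role_id: Optional[str] = None) -> dict:
    """Return the JSON body for POST /admin/v1/Grants granting an App to a Group.

    With app_role_id the Grant carries an 'appRoles' entitlement, so fulfillment
    adds the Group itself as a member of that AppRole. Without it, fulfillment
    expands the Grant into one Grant-to-User per Group member.
    """
    if not app_id or not group_id:
        raise ValueError("app_id and group_id are required")
    body = {
        "grantee": {"type": "Group", "value": group_id},
        "app": {"value": app_id},
        "grantMechanism": "ADMINISTRATOR_TO_GROUP",
        "schemas": [GRANT_SCHEMA],
    }
    if app_role_id:
        body["entitlement"] = {"attributeName": "appRoles",
                               "attributeValue": app_role_id}
    return body


def post_grant(host: str, bearer_token: str, body: dict,
               opener=urllib.request.urlopen) -> dict:
    """POST the Grant body to {host}/admin/v1/Grants and return the parsed reply.

    'host' and 'bearer_token' are placeholders for the tenant URL and an admin
    access token; 'opener' is injectable so the call can be exercised offline.
    """
    req = urllib.request.Request(
        host.rstrip("/") + "/admin/v1/Grants",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": "Bearer " + bearer_token,
                 "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        if resp.status not in (200, 201):
            raise RuntimeError("grant request failed with HTTP %d" % resp.status)
        return json.loads(resp.read().decode("utf-8"))
```

Granting through an AppRole keeps the Group membership as the single place to review who holds the role, which is easier to audit than a per-user expansion.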