- Products & services Products & services
- Resources ResourcesCustomer resources
- Customer resources
- Customer support Find more information about engaging support and get help
- Services guide Find more information about working with Services teams
- Free resources Leverage our free tools and trainings
- Modernize to Identity Security Cloud Transition to the cloud for advanced capabilities and a future-ready security posture
Learning- Learning
- Identity University Get technical training to ensure a successful implementation
- SailPoint professional certifications & credentials Advance your career or validate your identity security knowledge
- SailPoint recertification program Get recertified by demonstrating ongoing learning
- Training onboarding guide Make of the most of training with our step-by-step guide
- Training FAQs Find answers to common training questions
- Community Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Compass
- :
- Discuss
- :
- Community Wiki
- :
- IdentityIQ Wiki
- :
- Plugin custom REST API - Filter data visibility based on requester's scope
Options
- Article History
- Subscribe to RSS Feed
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Content to Moderator
Plugin custom REST API - Filter data visibility based on requester's scope
Plugin custom REST API - Filter data visibility based on requester's scope
Symptoms
OOTB SCIM is not restricting the requester around the data visibility. The plugin will use the requesters scope and restricts the data visibility.
Solution
Plugin created for Custom REST API with Scoping Support
The functionality/flow is below:
- Created a REST end point for reading user data (http://localhost:8080/identityiq/plugin/rest/RESTSCIMExtension/users)
- A capability/SPRight (UserListResourceExtendedSCIMExecutor) is created for authorizing access to this end point
- A scope (EmailDomainMatch) is created to return the list of users based on the requester's domain match
- Enabled the OAuth API Authentication for his custom end point
The above Scope/SPRight can be further extended to address your use cases/needs appropriately.
Enable OAuth 2 Clients for Authentication as explained in the below community forum or refer the attached APIAuthenticationSetup.docx
Refer the attached OAuthClientSOP.java.txt for invoking this Custom REST end point using OAuth Authentication.Note: The users are restricted to execute other SCIM APIs as below unless and until user has the SCIMExecutor capability://Scenario: 401 without SCIMExecutor Capability
//HttpGet httpGet = new HttpGet("http://localhost:8080/identityiq/scim/v2/Applications/c0a8568d76851514817685f79c3e000b");
//Scenario: Custom REST end point required Capability is UserListResourceExtendedSCIMExecutor
HttpGet httpGet = new HttpGet("http://localhost:8080/identityiq/plugin/rest/RESTSCIMExtension/users");
Version history
Revision #:
3 of 3
Last update:
May 16, 2026
09:51 AM
Updated by:
© 2026 SailPoint Technologies, Inc. All Rights Reserved.