Improve the group role reparation logic

wso2-extensions · Jan 9, 2024 · 42dcc55 · 42dcc55
1 parent 2c3a129
commit 42dcc55
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 13 deletions.
diff --git a/components/org.wso2.carbon.identity.scim2.common/pom.xml b/components/org.wso2.carbon.identity.scim2.common/pom.xml
@@ -356,4 +356,4 @@
         </plugins>
     </build>
 
-</project>
+</project>
diff --git a/....common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/AdminAttributeUtil.java b/....common/src/main/java/org/wso2/carbon/identity/scim2/common/utils/AdminAttributeUtil.java
@@ -129,8 +129,12 @@ public static void updateAdminGroup(int tenantId) {
                 // UserCore Util functionality does not append primary domain.
                 roleNameWithDomain = SCIMCommonUtils.getGroupNameWithDomain(roleNameWithDomain);
                 try {
-                    //Validate the SCIM IS is avaialble for Groups.
-                    if (!scimGroupHandler.isGroupExisting(roleNameWithDomain)) {
+                    // Validate the SCIM ID is available for Groups.
+                    if (!scimGroupHandler.isGroupExisting(roleNameWithDomain) &&
+                            ((AbstractUserStoreManager) userStoreManager).isRoleAndGroupSeparationEnabled()) {
+                        // Adding the SCIM attributes to internal roles in user core (ex. Internal/admin).
+                        // This admin role is introduced after the role and group separation was introduced.
+                        // These are mapped to roles in SCIM
                         if (log.isDebugEnabled()) {
                             log.debug(
                                     "Group does not exist, setting scim attribute group value: " + roleNameWithDomain);
@@ -143,17 +147,18 @@ public static void updateAdminGroup(int tenantId) {
                     }
 
                     // Adding the SCIM attributes for admin group
-                    if (((AbstractUserStoreManager) userStoreManager).isRoleAndGroupSeparationEnabled()) {
-                        String groupNameWithDomain = getAdminGroupName(adminRoleName, domainName);
-                        // Validate the SCIM ID is available for groups.
-                        if (userStoreManager.isExistingRole(groupNameWithDomain) && !scimGroupHandler
-                                .isGroupExisting(groupNameWithDomain)) {
-                            if (log.isDebugEnabled()) {
-                                log.debug("Group does not exist, setting scim attributes for group: "
-                                        + groupNameWithDomain);
-                            }
-                            scimGroupHandler.addMandatoryAttributes(groupNameWithDomain);
+                    String groupNameWithDomain = getAdminGroupName(adminRoleName, domainName);
+                    // Validate the SCIM ID is available for groups.
+                    if (userStoreManager.isExistingRole(groupNameWithDomain) && !scimGroupHandler
+                            .isGroupExisting(groupNameWithDomain)) {
+                        // Adding the SCIM attributes to userstore roles in user core (ex. PRIMARY/admin).
+                        // This admin role was available before the role and group separation was introduced.
+                        // These are mapped to groups in SCIM
+                        if (log.isDebugEnabled()) {
+                            log.debug("Group does not exist, setting scim attributes for group: "
+                                    + groupNameWithDomain);
                         }
+                        scimGroupHandler.addMandatoryAttributes(groupNameWithDomain);
                     }
                 } catch (IdentitySCIMException e) {
                     throw new UserStoreException(