Importing users and groups by using SCIM
You import users and groups by using SCIM connections. You can refresh changes made in the directories to the Decision Center database.
When you are working with SCIM, you first establish a SCIM connection that is used by the application server to authenticate access to Decision Center.
- Manual import
  By default, you manually import groups and users, and organize them as you want in Decision Center, independently of the organization. Then, you must manually import any changes to the Decision Center database.
- Automatic import
  The groups that you filtered through the connection parameters in Connection settings are imported in Decision Center. Users are automatically imported and placed in the groups. The groups and users are organized in the same way as the source directories, and you cannot change this organization.
  To enable this mode, start Decision Center applications with the Java™ parameter com.ibm.rules.decisioncenter.ldap.sync.users-and-groups=all.
- Semi-automatic import
  From the Groups tab, you import the groups that you want from the list of groups that you filtered through the connection parameters in Connection settings. All the users that are members of these groups in the source directories are automatically imported and placed in the groups.
  This mode is more flexible than the automatic import because you can refine the list of groups that you want to import to Decision Center.
  To enable this mode, start Decision Center applications with the Java parameter com.ibm.rules.decisioncenter.ldap.sync.users-and-groups=users.
com.ibm.rules.decisioncenter.userregistry=All to the logger. It displays the executed group and user SCIM requests.
Refreshing SCIM changes to Decision Center
If you enabled automatic or semi-automatic import, changes made in the source
directories are automatically refreshed to Decision Center every 2 hours by default. You
can configure this refresh period by setting the Java
parameter com.ibm.rules.decisioncenter.ldap.sync.refresh.period. The value
represents the period between two refreshes in milliseconds.
After a refresh (either automatic or manual), the groups and users in Decision Center reflect changes that are made in the source directories, for example, a new user or group.
You can also use the Decision Center REST API (ldapSyncUsingPOST) to refresh changes from the source directories to Decision Center. With the REST API, all the connected directories are refreshed.