Ensure all groups/user creates in IAM Identity Store are via SCIM api and populate externalId field

Question

Ensure all groups/user creates in IAM Identity Store are via SCIM api and populate externalId field

ChrisPates opened this issue 6 months ago · comments

Is your feature request related to a problem? Please describe.
To enable, other improvements the creation/update/delete of users and groups needs to be consistently carried out via the SCIM api endpoints and not mixed with the Identity Store API. This will allow sync entities to be differentiated from manually created users. The only partial exception would be where a manually created entity matches an entity to be synced, in which case it would be updated via the SCIM apis and switch from being a manually created entity to a synced one.

Dependancies
#141
#142

Tasks

Beta Give feedback

Read Users.Id & Groups.Id strings from google.golang.org/api/admin/directory/v1
createUsers & createGroups, populate externalId field with .Id string via SCIM
Prefer match. based on id and externalId, then fallback to email/name match
detect users/groups that match (email/name) in the Identity Store and update with the externalId
deletion handling - If Users/Groups with an externalId but it no longer matches an Id in google, but the email/name matches then update with new id, if no match then make for deletion.
Options