scimitar-rbac 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b929a00ba99bad2e6348687d9d35a9731efcb4518a0288211b256fa64e7c1617
+  data.tar.gz: c519a80e4dd3b773cb514c66d6ec3e2f155e7c0db1fa7287b6a7d011d14be1c4
+SHA512:
+  metadata.gz: 04ea059854ada6d9b225514ba27ce4d1f52e808b0141cb3e381655a509cd1d173192fa51b13f7c52af65b9182b26ed39c0059eb00f51ecddf14f1787ac5258f0
+  data.tar.gz: a512523bcf0fbee0e2ab07d9cbbd75b211fa5d651c4d0f584e8b335eb973b30851ce044fe795a4fb95841e0d4940ac92a68df7214ba99aece08af0cef935e704

data/README.md

@@ -0,0 +1,170 @@
+# scimitar-rbac
+
+An RBAC (Role-Based Access Control) profile for SCIM v2, built as an extension to the [scimitar](https://github.com/RIPAGlobal/scimitar) gem.
+
+Based on the research paper:
+
+> **Baumer, T., Muller, M., & Pernul, G. (2023).** *System for Cross-Domain Identity Management (SCIM): Survey and Enhancement With RBAC.* IEEE Access, 11, 86872-86894. DOI: [10.1109/ACCESS.2023.3304270](https://doi.org/10.1109/ACCESS.2023.3304270)
+
+## What This Gem Does
+
+The SCIM RFC family (RFC 7642-7644) focuses on identity data (Users, Groups) but only loosely prepares for RBAC. The `roles` and `entitlements` attributes on the User resource are specified in a "freestyle" notation without independent endpoints or the critical Role-to-Entitlement relationship. This leads to vendor-specific implementations that break interoperability.
+
+This gem solves this by adding three first-class SCIM resource types:
+
+| Resource | Endpoint | URN Schema ID |
+|----------|----------|---------------|
+| **Role** | `/Roles` | `urn:ietf:params:scim:schemas:extension:rbac:2.0:Role` |
+| **Entitlement** | `/Entitlements` | `urn:ietf:params:scim:schemas:extension:rbac:2.0:Entitlement` |
+| **Application** | `/Applications` | `urn:ietf:params:scim:schemas:extension:rbac:2.0:Application` |
+
+### RBAC Data Model
+
+```
+          0,n          0,n           0,n
+  User ────── Role ────── Entitlement ────── Application
+               │                │
+           0,n │ RH         0,n │ EH
+               │                │
+              Role          Entitlement
+          (hierarchy)      (hierarchy)
+```
+
+- **Role** — intermediate entity between Users and Entitlements (permissions)
+- **Entitlement** — application-specific permission, belongs to one Application
+- **Application** — target system / Service Provider
+
+Key relationship: **Role ↔ Entitlement** (PA ⊆ P x R) — the assignment that standard SCIM lacks.
+
+## Installation
+
+Add to your Gemfile:
+
+```ruby
+gem "scimitar",      "~> 2.0"
+gem "scimitar-rbac", "~> 0.1"
+```
+
+Then run:
+
+```bash
+bundle install
+rails generate scimitar_rbac:install
+rails db:migrate
+```
+
+## Configuration
+
+### Routes
+
+Add RBAC resource routes to your `config/routes.rb`:
+
+```ruby
+namespace :scim_v2, path: "scim/v2" do
+  mount Scimitar::Engine, at: "/"
+
+  # Standard SCIM resources
+  get    "Users",     to: "scim_v2/users#index"
+  get    "Users/:id", to: "scim_v2/users#show"
+  post   "Users",     to: "scim_v2/users#create"
+  # ...etc
+
+  # RBAC resources (all at once)
+  Scimitar::Rbac::RouteHelper.mount_rbac_routes(self,
+    roles_controller:        "scim_v2/roles",
+    entitlements_controller: "scim_v2/entitlements",
+    applications_controller: "scim_v2/applications"
+  )
+end
+```
+
+### Models
+
+The generator creates `RbacRole`, `RbacEntitlement`, and `RbacApplication` models with the `Scimitar::Resources::Mixin` already configured. Customize the attribute maps to match your domain.
+
+### Controllers
+
+The generator creates controllers inheriting from `Scimitar::ActiveRecordBackedResourcesController`. Override `storage_scope` to add custom filtering:
+
+```ruby
+class ScimV2::RolesController < Scimitar::ActiveRecordBackedResourcesController
+  def storage_class
+    RbacRole
+  end
+
+  def storage_scope
+    RbacRole.where(active: true)
+  end
+end
+```
+
+## SCIM API Examples
+
+### Create a Role
+
+```http
+POST /scim/v2/Roles
+Content-Type: application/scim+json
+
+{
+  "schemas": ["urn:ietf:params:scim:schemas:extension:rbac:2.0:Role"],
+  "displayName": "Billing Administrator",
+  "type": "business",
+  "description": "Full access to billing operations",
+  "entitlements": [
+    { "value": "ent-uuid-1" },
+    { "value": "ent-uuid-2" }
+  ]
+}
+```
+
+### Create an Entitlement
+
+```http
+POST /scim/v2/Entitlements
+Content-Type: application/scim+json
+
+{
+  "schemas": ["urn:ietf:params:scim:schemas:extension:rbac:2.0:Entitlement"],
+  "displayName": "billing:write",
+  "type": "api_scope",
+  "application": { "value": "app-uuid-1" }
+}
+```
+
+### Discover RBAC Resources
+
+```http
+GET /scim/v2/ResourceTypes
+```
+
+Returns Role, Entitlement, and Application alongside standard User and Group resource types.
+
+## Design Principles
+
+Following the paper's guidance, this gem balances three design principles:
+
+1. **Validity** — implements the NIST RBAC standard (Ferraiolo et al., 2001) with proper User-Role-Entitlement relationships, hierarchies, and cardinality constraints
+2. **Simplicity** — minimal overhead, reuses SCIM conventions, no unnecessary resources
+3. **Flexibility** — extensible schemas, custom attributes via SCIM extension mechanism
+
+## Future Extensions
+
+The following resources from the full RBAC profile can be added in future versions:
+
+- **Account** — user's identity within a specific application
+- **SoD** (Separation of Duty) — constraints on mutually exclusive roles/entitlements
+- **Session** — runtime activation of roles and entitlements
+
+## References
+
+- [RFC 7642](https://www.rfc-editor.org/info/rfc7642) — SCIM: Definitions, Overview, Concepts, and Requirements
+- [RFC 7643](https://www.rfc-editor.org/info/rfc7643) — SCIM: Core Schema
+- [RFC 7644](https://www.rfc-editor.org/info/rfc7644) — SCIM: Protocol
+- [Zollner (2022)](https://datatracker.ietf.org/doc/draft-ietf-scim-roles-entitlements/) — SCIM Roles and Entitlements Extension
+- [NIST RBAC](https://doi.org/10.1145/501978.501980) — Proposed NIST Standard for Role-Based Access Control
+- [RBAC4SCIM Swagger](https://rbac4scim.github.io/api) — Reference API prototype from the paper
+
+## License
+
+MIT

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/lib/generators/scimitar_rbac/install_generator.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "rails/generators/active_record"
+
+module ScimitarRbac
+  # Generates migrations, models, and controllers for RBAC SCIM resources.
+  #
+  # Usage:
+  #   rails generate scimitar_rbac:install
+  #
+  class InstallGenerator < Rails::Generators::Base
+    include ActiveRecord::Generators::Migration
+
+    source_root File.expand_path("templates", __dir__)
+
+    desc "Creates migrations, models, and controllers for SCIM RBAC resources (Role, Entitlement, Application)."
+
+    def create_migration_file
+      migration_template "migration.rb.erb", "db/migrate/create_scimitar_rbac_tables.rb"
+    end
+
+    def create_model_files
+      template "role_model.rb.erb",        "app/models/rbac_role.rb"
+      template "entitlement_model.rb.erb", "app/models/rbac_entitlement.rb"
+      template "application_model.rb.erb", "app/models/rbac_application.rb"
+    end
+
+    def create_controller_files
+      template "roles_controller.rb.erb",        "app/controllers/scim_v2/roles_controller.rb"
+      template "entitlements_controller.rb.erb",  "app/controllers/scim_v2/entitlements_controller.rb"
+      template "applications_controller.rb.erb",  "app/controllers/scim_v2/applications_controller.rb"
+    end
+
+    def display_post_install_message
+      say ""
+      say "SCIM RBAC resources have been generated!", :green
+      say ""
+      say "Next steps:"
+      say "  1. Run migrations:  rails db:migrate"
+      say "  2. Add routes to config/routes.rb:"
+      say ""
+      say "     namespace :scim_v2, path: 'scim/v2' do"
+      say "       mount Scimitar::Engine, at: '/'"
+      say "       Scimitar::Rbac::RouteHelper.mount_rbac_routes(self,"
+      say "         roles_controller:        'scim_v2/roles',"
+      say "         entitlements_controller: 'scim_v2/entitlements',"
+      say "         applications_controller: 'scim_v2/applications'"
+      say "       )"
+      say "     end"
+      say ""
+    end
+
+    private
+
+    def migration_version
+      "[#{ActiveRecord::Migration.current_version}]"
+    end
+  end
+end

data/lib/generators/scimitar_rbac/templates/application_model.rb.erb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+class RbacApplication < ApplicationRecord
+  self.table_name = "rbac_applications"
+
+  has_many :entitlements,
+           class_name:  "RbacEntitlement",
+           foreign_key: :application_id,
+           dependent:   :restrict_with_error
+
+  validates :display_name, presence: true
+
+  # --- SCIM Configuration ---
+
+  def self.scim_resource_type
+    Scimitar::Resources::Rbac::Application
+  end
+
+  def self.scim_attributes_map
+    {
+      id:          :id,
+      externalId:  :external_id,
+      displayName: :display_name,
+      description: :description,
+      active:      :active,
+      entitlements: [
+        {
+          list:  :entitlements,
+          using: { value: :id, display: :display_name }
+        }
+      ]
+    }
+  end
+
+  def self.scim_mutable_attributes
+    nil
+  end
+
+  def self.scim_queryable_attributes
+    {
+      "displayName" => { column: :display_name },
+      "active"      => { column: :active },
+      "externalId"  => { column: :external_id }
+    }
+  end
+
+  def self.scim_timestamps_map
+    {
+      created:      :created_at,
+      lastModified: :updated_at
+    }
+  end
+
+  include Scimitar::Resources::Mixin
+end

data/lib/generators/scimitar_rbac/templates/applications_controller.rb.erb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ScimV2
+  class ApplicationsController < Scimitar::ActiveRecordBackedResourcesController
+    protected
+
+    def storage_class
+      RbacApplication
+    end
+
+    def storage_scope
+      RbacApplication.all
+    end
+  end
+end

data/lib/generators/scimitar_rbac/templates/entitlement_model.rb.erb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+class RbacEntitlement < ApplicationRecord
+  self.table_name = "rbac_entitlements"
+
+  # Application reference
+  belongs_to :application,
+             class_name:  "RbacApplication",
+             foreign_key: :application_id,
+             optional:    true
+
+  # Role assignments (PA ⊆ P × R, viewed from the entitlement side)
+  has_many :role_entitlements,
+           class_name:  "RbacRoleEntitlement",
+           foreign_key: :entitlement_id,
+           dependent:   :destroy,
+           inverse_of:  :entitlement
+
+  has_many :roles,
+           through:    :role_entitlements,
+           class_name: "RbacRole"
+
+  # Entitlement hierarchy — parent relationships
+  has_many :parent_links,
+           class_name:  "RbacEntitlementHierarchy",
+           foreign_key: :child_entitlement_id,
+           dependent:   :destroy,
+           inverse_of:  :child_entitlement
+
+  has_many :parent_entitlements,
+           through:     :parent_links,
+           source:      :parent_entitlement,
+           class_name:  "RbacEntitlement"
+
+  # Entitlement hierarchy — child relationships
+  has_many :child_links,
+           class_name:  "RbacEntitlementHierarchy",
+           foreign_key: :parent_entitlement_id,
+           dependent:   :destroy,
+           inverse_of:  :parent_entitlement
+
+  has_many :child_entitlements,
+           through:     :child_links,
+           source:      :child_entitlement,
+           class_name:  "RbacEntitlement"
+
+  validates :display_name, presence: true
+
+  # --- SCIM Configuration ---
+
+  def self.scim_resource_type
+    Scimitar::Resources::Rbac::Entitlement
+  end
+
+  def self.scim_attributes_map
+    {
+      id:          :id,
+      externalId:  :external_id,
+      displayName: :display_name,
+      type:        :entitlement_type,
+      description: :description,
+      limitedAssignmentsPermitted: :limited_assignments_permitted,
+      totalAssignmentsPermitted:   :total_assignments_permitted,
+      application: {
+        value:   :application_id,
+        display: :application_name
+      },
+      roles: [
+        {
+          list:  :roles,
+          using: { value: :id, display: :display_name }
+        }
+      ],
+      parentEntitlements: [
+        {
+          list:  :parent_entitlements,
+          using: { value: :id, display: :display_name }
+        }
+      ],
+      childEntitlements: [
+        {
+          list:  :child_entitlements,
+          using: { value: :id, display: :display_name }
+        }
+      ]
+    }
+  end
+
+  def self.scim_mutable_attributes
+    nil
+  end
+
+  def self.scim_queryable_attributes
+    {
+      "displayName" => { column: :display_name },
+      "type"        => { column: :entitlement_type },
+      "externalId"  => { column: :external_id }
+    }
+  end
+
+  def self.scim_timestamps_map
+    {
+      created:      :created_at,
+      lastModified: :updated_at
+    }
+  end
+
+  include Scimitar::Resources::Mixin
+
+  # Helper for SCIM attribute mapping
+  def application_name
+    application&.display_name
+  end
+end

data/lib/generators/scimitar_rbac/templates/entitlements_controller.rb.erb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ScimV2
+  class EntitlementsController < Scimitar::ActiveRecordBackedResourcesController
+    protected
+
+    def storage_class
+      RbacEntitlement
+    end
+
+    def storage_scope
+      RbacEntitlement.all
+    end
+  end
+end

data/lib/generators/scimitar_rbac/templates/migration.rb.erb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+class CreateScimitarRbacTables < ActiveRecord::Migration<%= migration_version %>
+  def change
+    # Enable UUID support if using PostgreSQL
+    enable_extension "pgcrypto" unless extension_enabled?("pgcrypto")
+
+    create_table :rbac_applications, id: :uuid do |t|
+      t.string  :external_id
+      t.string  :display_name, null: false
+      t.text    :description
+      t.boolean :active, default: true, null: false
+
+      t.timestamps
+    end
+
+    create_table :rbac_roles, id: :uuid do |t|
+      t.string  :external_id
+      t.string  :display_name,  null: false
+      t.string  :role_type
+      t.text    :description
+      t.integer :limited_assignments_permitted
+      t.integer :total_assignments_permitted
+
+      t.timestamps
+    end
+
+    create_table :rbac_entitlements, id: :uuid do |t|
+      t.string  :external_id
+      t.string  :display_name, null: false
+      t.string  :entitlement_type
+      t.text    :description
+      t.uuid    :application_id
+      t.integer :limited_assignments_permitted
+      t.integer :total_assignments_permitted
+
+      t.timestamps
+    end
+
+    # Role ↔ Entitlement assignments (PA ⊆ P × R)
+    create_table :rbac_role_entitlements, id: :uuid do |t|
+      t.uuid :role_id, null: false
+      t.uuid :entitlement_id, null: false
+
+      t.timestamps
+    end
+
+    # Role hierarchy (RH ⊆ R × R)
+    create_table :rbac_role_hierarchies, id: :uuid do |t|
+      t.uuid :parent_role_id, null: false
+      t.uuid :child_role_id,  null: false
+
+      t.timestamps
+    end
+
+    # Entitlement hierarchy
+    create_table :rbac_entitlement_hierarchies, id: :uuid do |t|
+      t.uuid :parent_entitlement_id, null: false
+      t.uuid :child_entitlement_id,  null: false
+
+      t.timestamps
+    end
+
+    add_index :rbac_applications,    :display_name
+    add_index :rbac_roles,           :display_name
+    add_index :rbac_entitlements,    :display_name
+    add_index :rbac_entitlements,    :application_id
+
+    add_index :rbac_role_entitlements, [:role_id, :entitlement_id], unique: true
+    add_index :rbac_role_entitlements, :entitlement_id
+
+    add_index :rbac_role_hierarchies, [:parent_role_id, :child_role_id], unique: true
+    add_index :rbac_role_hierarchies, :child_role_id
+
+    add_index :rbac_entitlement_hierarchies, [:parent_entitlement_id, :child_entitlement_id],
+              unique: true, name: "idx_rbac_ent_hier_parent_child"
+    add_index :rbac_entitlement_hierarchies, :child_entitlement_id,
+              name: "idx_rbac_ent_hier_child"
+
+    add_foreign_key :rbac_entitlements, :rbac_applications, column: :application_id
+
+    add_foreign_key :rbac_role_entitlements, :rbac_roles,        column: :role_id
+    add_foreign_key :rbac_role_entitlements, :rbac_entitlements, column: :entitlement_id
+
+    add_foreign_key :rbac_role_hierarchies, :rbac_roles, column: :parent_role_id
+    add_foreign_key :rbac_role_hierarchies, :rbac_roles, column: :child_role_id
+
+    add_foreign_key :rbac_entitlement_hierarchies, :rbac_entitlements, column: :parent_entitlement_id
+    add_foreign_key :rbac_entitlement_hierarchies, :rbac_entitlements, column: :child_entitlement_id
+  end
+end

data/lib/generators/scimitar_rbac/templates/role_model.rb.erb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+class RbacRole < ApplicationRecord
+  self.table_name = "rbac_roles"
+
+  # Entitlement assignments (PA ⊆ P × R)
+  has_many :role_entitlements,
+           class_name:  "RbacRoleEntitlement",
+           foreign_key: :role_id,
+           dependent:   :destroy,
+           inverse_of:  :role
+
+  has_many :entitlements,
+           through:    :role_entitlements,
+           class_name: "RbacEntitlement"
+
+  # Role hierarchy — parent relationships
+  has_many :parent_links,
+           class_name:  "RbacRoleHierarchy",
+           foreign_key: :child_role_id,
+           dependent:   :destroy,
+           inverse_of:  :child_role
+
+  has_many :parent_roles,
+           through:     :parent_links,
+           source:      :parent_role,
+           class_name:  "RbacRole"
+
+  # Role hierarchy — child relationships
+  has_many :child_links,
+           class_name:  "RbacRoleHierarchy",
+           foreign_key: :parent_role_id,
+           dependent:   :destroy,
+           inverse_of:  :parent_role
+
+  has_many :child_roles,
+           through:     :child_links,
+           source:      :child_role,
+           class_name:  "RbacRole"
+
+  validates :display_name, presence: true
+
+  # --- SCIM Configuration ---
+
+  def self.scim_resource_type
+    Scimitar::Resources::Rbac::Role
+  end
+
+  def self.scim_attributes_map
+    {
+      id:          :id,
+      externalId:  :external_id,
+      displayName: :display_name,
+      type:        :role_type,
+      description: :description,
+      limitedAssignmentsPermitted: :limited_assignments_permitted,
+      totalAssignmentsPermitted:   :total_assignments_permitted,
+      entitlements: [
+        {
+          list:  :entitlements,
+          using: { value: :id, display: :display_name }
+        }
+      ],
+      parentRoles: [
+        {
+          list:  :parent_roles,
+          using: { value: :id, display: :display_name }
+        }
+      ],
+      childRoles: [
+        {
+          list:  :child_roles,
+          using: { value: :id, display: :display_name }
+        }
+      ]
+    }
+  end
+
+  def self.scim_mutable_attributes
+    nil
+  end
+
+  def self.scim_queryable_attributes
+    {
+      "displayName" => { column: :display_name },
+      "type"        => { column: :role_type },
+      "externalId"  => { column: :external_id }
+    }
+  end
+
+  def self.scim_timestamps_map
+    {
+      created:      :created_at,
+      lastModified: :updated_at
+    }
+  end
+
+  include Scimitar::Resources::Mixin
+
+  # Computed attribute
+  def total_assignments_used
+    # Override this with actual count logic in your application
+    0
+  end
+end

data/lib/generators/scimitar_rbac/templates/roles_controller.rb.erb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ScimV2
+  class RolesController < Scimitar::ActiveRecordBackedResourcesController
+    protected
+
+    def storage_class
+      RbacRole
+    end
+
+    def storage_scope
+      RbacRole.all
+    end
+  end
+end

data/lib/scimitar/rbac/complex_types/application_reference.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module ComplexTypes
+    module Rbac
+      # Represents a reference to an Application resource.
+      # Used in Entitlement and Account resources to link back
+      # to the target application/service provider.
+      class ApplicationReference < Scimitar::ComplexTypes::Base
+        set_schema Scimitar::Schema::Rbac::ApplicationReference
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/complex_types/entitlement_assignment.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module ComplexTypes
+    module Rbac
+      # Represents a structured entitlement (permission) assignment.
+      # Replaces the "freestyle" entitlement notation in SCIM core (RFC 7643)
+      # with a proper reference to an Entitlement resource.
+      class EntitlementAssignment < Scimitar::ComplexTypes::Base
+        set_schema Scimitar::Schema::Rbac::EntitlementAssignment
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/complex_types/hierarchy_member.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module ComplexTypes
+    module Rbac
+      # Represents a reference to a parent or child in a role/entitlement
+      # hierarchy. Used for parentRoles, childRoles, parentEntitlements,
+      # and childEntitlements multi-valued attributes.
+      #
+      # Based on the RBAC data model from Baumer et al. (2023), which defines
+      # many-to-many hierarchies RH for roles and entitlements.
+      class HierarchyMember < Scimitar::ComplexTypes::Base
+        set_schema Scimitar::Schema::Rbac::HierarchyMember
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/complex_types/role_assignment.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module ComplexTypes
+    module Rbac
+      # Represents a structured role assignment for a User or Account.
+      # Replaces the "freestyle" role notation in SCIM core (RFC 7643)
+      # with a proper reference to a Role resource.
+      class RoleAssignment < Scimitar::ComplexTypes::Base
+        set_schema Scimitar::Schema::Rbac::RoleAssignment
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/engine.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module Rbac
+    class Engine < ::Rails::Engine
+      initializer "scimitar_rbac.register_resources" do
+        Rails.application.config.to_prepare do
+          Scimitar::Rbac.register_resources!
+        end
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/resources/application.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module Resources
+    module Rbac
+      # SCIM Resource class for the RBAC Application (target system / SP).
+      class Application < Scimitar::Resources::Base
+        set_schema Scimitar::Schema::Rbac::Application
+
+        def self.endpoint
+          "/Applications"
+        end
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/resources/entitlement.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module Resources
+    module Rbac
+      # SCIM Resource class for the RBAC Entitlement (permission).
+      class Entitlement < Scimitar::Resources::Base
+        set_schema Scimitar::Schema::Rbac::Entitlement
+
+        def self.endpoint
+          "/Entitlements"
+        end
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/resources/role.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module Resources
+    module Rbac
+      # SCIM Resource class for the RBAC Role.
+      class Role < Scimitar::Resources::Base
+        set_schema Scimitar::Schema::Rbac::Role
+
+        def self.endpoint
+          "/Roles"
+        end
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/route_helper.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module Rbac
+    # Provides a convenience method for mounting RBAC SCIM resource routes
+    # in a Rails application's routes.rb.
+    #
+    # Usage:
+    #
+    #   # config/routes.rb
+    #   Rails.application.routes.draw do
+    #     namespace :scim_v2, path: "scim/v2" do
+    #       mount Scimitar::Engine, at: "/"
+    #
+    #       # Mount standard SCIM resources (Users, Groups) manually...
+    #
+    #       # Mount all RBAC resources at once:
+    #       Scimitar::Rbac::RouteHelper.mount_rbac_routes(self,
+    #         roles_controller:        "scim_v2/roles",
+    #         entitlements_controller: "scim_v2/entitlements",
+    #         applications_controller: "scim_v2/applications"
+    #       )
+    #     end
+    #   end
+    #
+    module RouteHelper
+      # Mount CRUD routes for all RBAC resources.
+      #
+      # @param router [ActionDispatch::Routing::RouteSet] The router (pass `self` from routes.rb)
+      # @param options [Hash] Controller names for each resource
+      # @option options [String] :roles_controller Controller for Roles (e.g., "scim_v2/roles")
+      # @option options [String] :entitlements_controller Controller for Entitlements
+      # @option options [String] :applications_controller Controller for Applications
+      def self.mount_rbac_routes(router, **options)
+        if options[:roles_controller]
+          mount_resource_routes(router, "Roles", options[:roles_controller])
+        end
+
+        if options[:entitlements_controller]
+          mount_resource_routes(router, "Entitlements", options[:entitlements_controller])
+        end
+
+        if options[:applications_controller]
+          mount_resource_routes(router, "Applications", options[:applications_controller])
+        end
+      end
+
+      # Mount standard SCIM CRUD routes for a single resource.
+      #
+      # @param router [ActionDispatch::Routing::RouteSet] The router
+      # @param resource_name [String] The SCIM resource path (e.g., "Roles")
+      # @param controller [String] The controller name (e.g., "scim_v2/roles")
+      def self.mount_resource_routes(router, resource_name, controller)
+        router.instance_exec do
+          get    resource_name,            to: "#{controller}#index"
+          get    "#{resource_name}/:id",   to: "#{controller}#show"
+          post   resource_name,            to: "#{controller}#create"
+          put    "#{resource_name}/:id",   to: "#{controller}#replace"
+          patch  "#{resource_name}/:id",   to: "#{controller}#update"
+          delete "#{resource_name}/:id",   to: "#{controller}#destroy"
+        end
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/schema/application.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module Schema
+    module Rbac
+      # SCIM schema for the Application resource.
+      # Applications represent target systems / Service Providers (SPs).
+      # Entitlements are application-specific (each belongs to one application).
+      class Application < Scimitar::Schema::Base
+        def initialize(options = {})
+          super(
+            name:            "Application",
+            id:              self.class.id,
+            description:     "Represents a target application (service provider) in the RBAC model.",
+            scim_attributes: self.class.scim_attributes
+          )
+        end
+
+        def self.id
+          "urn:ietf:params:scim:schemas:extension:rbac:2.0:Application"
+        end
+
+        def self.scim_attributes
+          @scim_attributes ||= [
+            Scimitar::Schema::Attribute.new(name: "displayName", type: "string", required: true),
+            Scimitar::Schema::Attribute.new(name: "description", type: "string"),
+            Scimitar::Schema::Attribute.new(name: "active",      type: "boolean"),
+
+            Scimitar::Schema::Attribute.new(name: "entitlements", multiValued: true,
+              complexType: Scimitar::ComplexTypes::Rbac::EntitlementAssignment, mutability: "readOnly"),
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/schema/application_reference.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module Schema
+    module Rbac
+      # Schema for the ApplicationReference complex type.
+      # Defines sub-attributes for references to Application resources.
+      class ApplicationReference < Scimitar::Schema::Base
+        def self.scim_attributes
+          @scim_attributes ||= [
+            Scimitar::Schema::Attribute.new(name: "value",   type: "string", required: true),
+            Scimitar::Schema::Attribute.new(name: "display", type: "string", mutability: "readOnly"),
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/schema/entitlement.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module Schema
+    module Rbac
+      # SCIM schema for the Entitlement (permission) resource.
+      # Entitlements represent application-specific permissions, each belonging
+      # to one Application. The Role<->Entitlement relationship is the key
+      # missing link in standard SCIM that this profile addresses.
+      class Entitlement < Scimitar::Schema::Base
+        def initialize(options = {})
+          super(
+            name:            "Entitlement",
+            id:              self.class.id,
+            description:     "Represents an RBAC Entitlement (permission) — an application-specific access right assignable to Roles.",
+            scim_attributes: self.class.scim_attributes
+          )
+        end
+
+        def self.id
+          "urn:ietf:params:scim:schemas:extension:rbac:2.0:Entitlement"
+        end
+
+        def self.scim_attributes
+          @scim_attributes ||= [
+            Scimitar::Schema::Attribute.new(name: "displayName", type: "string", required: true),
+            Scimitar::Schema::Attribute.new(name: "type",        type: "string"),
+            Scimitar::Schema::Attribute.new(name: "description", type: "string"),
+
+            Scimitar::Schema::Attribute.new(name: "application",
+              complexType: Scimitar::ComplexTypes::Rbac::ApplicationReference),
+
+            Scimitar::Schema::Attribute.new(name: "roles", multiValued: true,
+              complexType: Scimitar::ComplexTypes::Rbac::RoleAssignment, mutability: "readOnly"),
+
+            Scimitar::Schema::Attribute.new(name: "parentEntitlements", multiValued: true,
+              complexType: Scimitar::ComplexTypes::Rbac::HierarchyMember),
+
+            Scimitar::Schema::Attribute.new(name: "childEntitlements",  multiValued: true,
+              complexType: Scimitar::ComplexTypes::Rbac::HierarchyMember, mutability: "readOnly"),
+
+            Scimitar::Schema::Attribute.new(name: "limitedAssignmentsPermitted", type: "integer"),
+            Scimitar::Schema::Attribute.new(name: "totalAssignmentsPermitted",   type: "integer"),
+            Scimitar::Schema::Attribute.new(name: "totalAssignmentsUsed",        type: "integer", mutability: "readOnly"),
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/schema/entitlement_assignment.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module Schema
+    module Rbac
+      # Schema for the EntitlementAssignment complex type.
+      # Replaces the "freestyle" entitlement notation in SCIM core (RFC 7643)
+      # with structured sub-attributes referencing an Entitlement resource.
+      class EntitlementAssignment < Scimitar::Schema::Base
+        def self.scim_attributes
+          @scim_attributes ||= [
+            Scimitar::Schema::Attribute.new(name: "value",   type: "string", required: true),
+            Scimitar::Schema::Attribute.new(name: "display", type: "string", mutability: "readOnly"),
+            Scimitar::Schema::Attribute.new(name: "type",    type: "string"),
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/schema/hierarchy_member.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module Schema
+    module Rbac
+      # Schema for the HierarchyMember complex type.
+      # Defines the sub-attributes for role/entitlement hierarchy references.
+      class HierarchyMember < Scimitar::Schema::Base
+        def self.scim_attributes
+          @scim_attributes ||= [
+            Scimitar::Schema::Attribute.new(name: "value",   type: "string", required: true),
+            Scimitar::Schema::Attribute.new(name: "display", type: "string", mutability: "readOnly"),
+            Scimitar::Schema::Attribute.new(name: "type",    type: "string", mutability: "readOnly"),
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/schema/role.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module Schema
+    module Rbac
+      # SCIM schema for the Role resource as defined in the RBAC profile
+      # for SCIM (Baumer et al., 2023).
+      #
+      # Roles are the central RBAC entity, serving as an intermediate between
+      # Users and Entitlements (permissions). The schema supports:
+      #
+      # - Core RBAC: User <-> Role <-> Entitlement assignments
+      # - Hierarchical RBAC: Role hierarchies via parentRoles/childRoles
+      # - Constrained RBAC: Cardinality constraints on assignments
+      class Role < Scimitar::Schema::Base
+        def initialize(options = {})
+          super(
+            name:            "Role",
+            id:              self.class.id,
+            description:     "Represents an RBAC Role — an intermediate entity between Users and Entitlements (permissions).",
+            scim_attributes: self.class.scim_attributes
+          )
+        end
+
+        def self.id
+          "urn:ietf:params:scim:schemas:extension:rbac:2.0:Role"
+        end
+
+        def self.scim_attributes
+          @scim_attributes ||= [
+            Scimitar::Schema::Attribute.new(name: "displayName", type: "string", required: true),
+            Scimitar::Schema::Attribute.new(name: "type",        type: "string"),
+            Scimitar::Schema::Attribute.new(name: "description", type: "string"),
+
+            Scimitar::Schema::Attribute.new(name: "users",        multiValued: true,
+              complexType: Scimitar::ComplexTypes::ReferenceMember, mutability: "readOnly"),
+
+            Scimitar::Schema::Attribute.new(name: "entitlements", multiValued: true,
+              complexType: Scimitar::ComplexTypes::Rbac::EntitlementAssignment),
+
+            Scimitar::Schema::Attribute.new(name: "parentRoles",  multiValued: true,
+              complexType: Scimitar::ComplexTypes::Rbac::HierarchyMember),
+
+            Scimitar::Schema::Attribute.new(name: "childRoles",   multiValued: true,
+              complexType: Scimitar::ComplexTypes::Rbac::HierarchyMember, mutability: "readOnly"),
+
+            Scimitar::Schema::Attribute.new(name: "limitedAssignmentsPermitted", type: "integer"),
+            Scimitar::Schema::Attribute.new(name: "totalAssignmentsPermitted",   type: "integer"),
+            Scimitar::Schema::Attribute.new(name: "totalAssignmentsUsed",        type: "integer", mutability: "readOnly"),
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/schema/role_assignment.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module Schema
+    module Rbac
+      # Schema for the RoleAssignment complex type.
+      # Replaces the "freestyle" role notation in SCIM core (RFC 7643)
+      # with structured sub-attributes referencing a Role resource.
+      class RoleAssignment < Scimitar::Schema::Base
+        def self.scim_attributes
+          @scim_attributes ||= [
+            Scimitar::Schema::Attribute.new(name: "value",   type: "string", required: true),
+            Scimitar::Schema::Attribute.new(name: "display", type: "string", mutability: "readOnly"),
+            Scimitar::Schema::Attribute.new(name: "type",    type: "string"),
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/scimitar/rbac/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Scimitar
+  module Rbac
+    VERSION = "0.1.0"
+  end
+end

data/lib/scimitar/rbac.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require "scimitar"
+
+require_relative "rbac/version"
+require_relative "rbac/route_helper"
+
+module Scimitar
+  module Rbac
+    class Error < StandardError; end
+
+    # URN prefix for RBAC extension schemas
+    URN_PREFIX = "urn:ietf:params:scim:schemas:extension:rbac:2.0"
+
+    # Eagerly load all RBAC components. Called after Rails and scimitar
+    # are fully initialized (via Engine initializer or manually).
+    def self.load!
+      return if @loaded
+
+      # Complex type schemas (must be loaded before the complex types
+      # that reference them and before resource schemas that use them)
+      require_relative "rbac/schema/hierarchy_member"
+      require_relative "rbac/schema/role_assignment"
+      require_relative "rbac/schema/entitlement_assignment"
+      require_relative "rbac/schema/application_reference"
+
+      # Complex types (must be loaded before resource schemas that reference them)
+      require_relative "rbac/complex_types/hierarchy_member"
+      require_relative "rbac/complex_types/role_assignment"
+      require_relative "rbac/complex_types/entitlement_assignment"
+      require_relative "rbac/complex_types/application_reference"
+
+      # Resource schemas
+      require_relative "rbac/schema/role"
+      require_relative "rbac/schema/entitlement"
+      require_relative "rbac/schema/application"
+
+      # Resources
+      require_relative "rbac/resources/role"
+      require_relative "rbac/resources/entitlement"
+      require_relative "rbac/resources/application"
+
+      @loaded = true
+    end
+
+    # Register all RBAC resources with the Scimitar engine.
+    # Called automatically by the Rails engine, or can be called manually.
+    def self.register_resources!
+      load!
+
+      [
+        Scimitar::Resources::Rbac::Role,
+        Scimitar::Resources::Rbac::Entitlement,
+        Scimitar::Resources::Rbac::Application
+      ].each do |resource|
+        unless Scimitar::Engine.custom_resources.include?(resource)
+          Scimitar::Engine.add_custom_resource(resource)
+        end
+      end
+    end
+
+    # Reset load state — useful for testing
+    # @api private
+    def self.reset!
+      @loaded = false
+    end
+  end
+end
+
+# Auto-load Engine for Rails integration
+require_relative "rbac/engine" if defined?(Rails::Engine)

metadata

@@ -0,0 +1,109 @@
+--- !ruby/object:Gem::Specification
+name: scimitar-rbac
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Ahmed Gasanov
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: scimitar
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '9.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '9.0'
+description: |
+  Extends the scimitar gem with Role-Based Access Control (RBAC) resources
+  for SCIM v2, based on the NIST RBAC standard and the Baumer et al. research
+  paper "SCIM: Survey and Enhancement With RBAC" (IEEE Access, 2023).
+  Provides Role, Entitlement, and Application SCIM resource types with full
+  schema definitions, enabling standardized RBAC data exchange via SCIM.
+email:
+- spryffee@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- Rakefile
+- lib/generators/scimitar_rbac/install_generator.rb
+- lib/generators/scimitar_rbac/templates/application_model.rb.erb
+- lib/generators/scimitar_rbac/templates/applications_controller.rb.erb
+- lib/generators/scimitar_rbac/templates/entitlement_model.rb.erb
+- lib/generators/scimitar_rbac/templates/entitlements_controller.rb.erb
+- lib/generators/scimitar_rbac/templates/migration.rb.erb
+- lib/generators/scimitar_rbac/templates/role_model.rb.erb
+- lib/generators/scimitar_rbac/templates/roles_controller.rb.erb
+- lib/scimitar/rbac.rb
+- lib/scimitar/rbac/complex_types/application_reference.rb
+- lib/scimitar/rbac/complex_types/entitlement_assignment.rb
+- lib/scimitar/rbac/complex_types/hierarchy_member.rb
+- lib/scimitar/rbac/complex_types/role_assignment.rb
+- lib/scimitar/rbac/engine.rb
+- lib/scimitar/rbac/resources/application.rb
+- lib/scimitar/rbac/resources/entitlement.rb
+- lib/scimitar/rbac/resources/role.rb
+- lib/scimitar/rbac/route_helper.rb
+- lib/scimitar/rbac/schema/application.rb
+- lib/scimitar/rbac/schema/application_reference.rb
+- lib/scimitar/rbac/schema/entitlement.rb
+- lib/scimitar/rbac/schema/entitlement_assignment.rb
+- lib/scimitar/rbac/schema/hierarchy_member.rb
+- lib/scimitar/rbac/schema/role.rb
+- lib/scimitar/rbac/schema/role_assignment.rb
+- lib/scimitar/rbac/version.rb
+homepage: https://github.com/spryffee/scimitar-rbac
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/spryffee/scimitar-rbac
+  source_code_uri: https://github.com/spryffee/scimitar-rbac
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: RBAC profile for SCIM, built on top of the scimitar gem.
+test_files: []