By: Thomas W. user 28 Nov 2018 at 3:17 a.m. CST

3 Responses
Hello.

I'm in the process of developing a client for SCIM and came across an issue where I am unable to remove the last member(s) of a group.

# The problem

Modifying a group through SCIM ``PATCH`` operations generally seems to work as intended. However, when I attempt to remove members from a group, which would result in the group membership list being empty, the operation seems to not be executed. This is regardless of whether there is a single member of the group, or multiple, but the operation would remove all the remaining members.

Gluu Server does not report an error when this happens, it simply sends back a response containing the unmodified group.

# Example

This is an illustration of the problem. Suppose we have a group ``TestGroup`` with ID ``<group_inum>`` with a few members

```
User 1 <user1_inum>
User 2 <user2_inum>
User 3 <user3_inum>
```

I then send a ``PATCH`` request to the Gluu Server to remove all three members

```
PATCH identity/restv1/scim/v2/Groups/<group_inum>
Content-Type: application/json
Authorization: Bearer <some_token>

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "remove",
      "path": "members[value eq \"<user1_inum>\"]"
    },
    {
      "op": "remove",
      "path": "members[value eq \"<user2_inum>\"]"
    },
    {
      "op": "remove",
      "path": "members[value eq \"<user3_inum>\"]"
    }
  ]
}
```

And Gluu Server responds with a ``200 OK`` with the following data

```
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ],
  "id": "<group_inum>",
  "meta": {
    "resourceType": "Group",
    "created": "2018-11-27T07:42:22.515Z",
    "lastModified": "2018-11-28T08:26:39.802Z",
    "location": "https://example.com/identity/restv1/scim/v2/Groups/<group_inum>"
  },
  "displayName": "TestGroup",
  "members": [
    {
      "value": "<user1_inum>",
      "type": "User",
      "display": "User 1",
      "$ref": "https://example.com/identity/restv1/scim/v2/Users/<user1_inum>"
    },
    {
      "value": "<user2_inum>",
      "type": "User",
      "display": "User 2",
      "$ref": "https://example.com/identity/restv1/scim/v2/Users/<user2_inum>"
    },
    {
      "value": "<user3_inum>",
      "type": "User",
      "display": "User 3",
      "$ref": "https://example.com/identity/restv1/scim/v2/Users/<user3_inum>"
    }
  ]
}
```

And, in Gluu Server, the group membership is not updated either, still retaining all three users as members. So, it is not just wrong data being returned.

If I perform the above with only two of the three users for removal, the operation completes successfully, removing the two users from the group and returning the correct data. I will still not be able to remove the remaining single user using a second request.

## Additional - Remove all users from group

Building on top of the above, I also attempted to remove all users from the group, figuring that I might be able to build a workaround, but this also seems to not complete the operation properly.

Assume the same group and users as above. The request sent

```
PATCH identity/restv1/scim/v2/Groups/<group_inum>
Content-Type: application/json
Authorization: Bearer <some_token>

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "remove",
      "path": "members"
    }
  ]
}
```

Returns the same ``200 OK`` response as the above example for removal of individual users.

Am I doing anything wrong here? I've tried following RFC7644 as closely as possible.
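
Because the server answers ``200 OK`` while leaving the membership untouched, a provisioning client that trusts the status code alone will believe users were removed from a group they still belong to. The following is an added example, not part of the original post or of Gluu's code: it builds the same ``PATCH`` body and checks the returned Group for members that should be gone. The function names and sample IDs are hypothetical and constructed, and no HTTP call is made.

```python
import json

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def build_member_removal(member_ids):
    """Build a PatchOp body with one filtered 'remove' per member, as in the post."""
    for member_id in member_ids:
        # The ID is embedded in a filter string; reject characters that would
        # break out of the quoted value instead of trying to escape them.
        if '"' in member_id or "\\" in member_id:
            raise ValueError(f"unsafe member id: {member_id!r}")
    return {
        "schemas": [PATCH_OP_SCHEMA],
        "Operations": [
            {"op": "remove", "path": f'members[value eq "{member_id}"]'}
            for member_id in member_ids
        ],
    }

def unremoved_members(requested_ids, status_code, response_body):
    """Return the requested IDs still present in the Group the server sent back.

    Raises when there is nothing to verify (non-200 status or empty body, for
    example 204 No Content); the caller should then GET the group and check that.
    """
    if status_code != 200 or not response_body:
        raise RuntimeError(f"cannot verify removal from status {status_code}")
    group = json.loads(response_body)
    # An emptied group may carry "members": [] or omit the attribute entirely.
    current = {m.get("value") for m in group.get("members") or []}
    return sorted(set(requested_ids) & current)

# Constructed sample data (placeholder IDs, not real inums).
REQUESTED = ["user1-inum", "user2-inum", "user3-inum"]
GROUP = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "id": "group-inum",
    "displayName": "TestGroup",
}
UNMODIFIED_RESPONSE = json.dumps(
    {**GROUP, "members": [{"value": v, "type": "User"} for v in REQUESTED]}
)
EMPTIED_RESPONSE = json.dumps(GROUP)

if __name__ == "__main__":
    print(unremoved_members(REQUESTED, 200, UNMODIFIED_RESPONSE))  # silent no-op
    print(unremoved_members(REQUESTED, 200, EMPTIED_RESPONSE))     # removal applied
```

A non-empty result should be treated as a failed deprovisioning and raised as an error or alert, not logged as success.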

By Jose Gonzalez staff 28 Nov 2018 at 7:05 p.m. CST

Hi Thomas,

Thanks for reporting this problem. I could replicate this locally. It turns out that if the resulting members list is supposed to be empty after operation completion, the changes are not being saved to LDAP. That's why you were only able to do partial removals.

I opened an [issue](https://github.com/GluuFederation/oxTrust/issues/1372) for it. I think it's solved now but it will be closed upon further testing. The fix will be part of 3.1.5 release.

By now you can apply the hot fix yourself (you can ask how), or deal with the inability of having an empty group, say by having a dummy user part of your groups.

Kind regards, Jose.

By Thomas W. user 11 Dec 2018 at 5:33 a.m. CST

Hello Jose. Thanks for the reply, and sorry for the late response. If you don't mind, I would like to know how to apply the hotfix. Do you have a projected release date for Gluu 3.1.5?

By Jose Gonzalez staff 11 Dec 2018 at 9:38 a.m. CST

I will provide instructions for fixing this in the ticket you opened recently: https://support.gluu.org/6404/

Regarding 3.1.5, I think it may take some 3-4 weeks, so it's likely you'd better patch your oxtrust...