By: Kévin P. user 07 Mar 2018 at 5:44 a.m. CST

4 Responses
Hello, I'm registering users with SCIM and I set them some roles. Here is a sample request:

```
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  ...
  "roles": [
    {
      "value": "ROLE_USER"
    }
  ]
}
```

Yet, when using apache_auth_oidc, I don't get the roles as an environment variable. Yet, if I add the user via oxTrust and configure some "User permission", then those roles appear in the Apache env vars (note I've set up the "permission" scope in the client configuration). What is the difference between "User permission" and the "roles" attribute in SCIM? And how do I make my roles attribute appear in the Apache env vars? Thanks.

By Aliaksandr Samuseu staff 07 Mar 2018 at 2:42 p.m. CST

Hi, Kevin. Internally it all comes down to what LDAP attribute is used to store the corresponding user's data. When you then add claims to some OIDC scope, you are presented with a list of all attributes registered in Gluu (i.e. for which additional metadata was supplied; that will be a much smaller subset of all possible attributes defined in Gluu's LDAP schema) to select from. Only those attributes which are registered properly will end up visible in the GUI (using them as OIDC claims may require a bit more tweaking). More about registering new attributes [here](https://gluu.org/docs/ce/3.1.2/admin-guide/attribute/).

In your case, as it seems you don't have issues with persisting anything in the LDAP tree, it seems it's all about which value goes where, and what claim you need to add to a scope. "User permission" is stored in the "role" LDAP attribute, and I think SCIM may use the "oxTrustRole" LDAP attribute to store whatever you set using "roles".

Could you provide a complete dump of user attributes for a user for which you have both set "User permission" through the web UI and "roles" via SCIM? Here is how you could dump it:

1. Figure out this user's `uid` attribute
2. Put your LDAP password in `/tmp/.pw`
3. Run the next command using your `uid` instead of `XXXXX` and share your output (don't forget to remove all sensitive data, the password for example):

`# /opt/opendj/bin/ldapsearch -p 1636 -s sub -T -Z -X -D 'cn=directory manager' -j /tmp/.pw -b 'o=gluu' -z 3 '&(uid=XXXXX)'`

By Kévin P. user 12 Mar 2018 at 9:40 a.m. CDT

Hi, Your command is not outputting anything, on any user... But I don't really get why roles could be stored at different places. In order to create new users via SCIM, I started by creating a user via oxTrust, and added some roles manually. I then made a GET request to that user using SCIM, and then used the structure given by this request to build the future POST requests used to automate the user registration. So does that mean that the `roles` attribute returned by a GET request is not the same as the `roles` attribute sent by a POST request?

By Aliaksandr Samuseu staff 12 Mar 2018 at 9:54 a.m. CDT

Hi, Kevin.

> Your command is not outputting anything, on any user...

That's very strange. It works as intended in my 3.1.2 local instance. Please try the next command; it will output just the first 3 user entries it finds:

`/opt/opendj/bin/ldapsearch -p 1636 -s sub -T -Z -X -D 'cn=directory manager' -j /tmp/.pw -b 'o=gluu' -z 3 '&(uid=*)'`

What error does it return when it doesn't work, then? If it returns just nothing (no errors, but no entries found either), this usually means the `uid` you supplied doesn't exist. Can it be you used the wrong value(s) for it?

> But I don't really get why roles could be stored at different places

There may be reasons for this, or it could be a bug. First we need to investigate it and decide whether it's a configuration issue, or we need to inform the dev team.

By Kévin P. user 12 Mar 2018 at 10:35 a.m. CDT

Here are the 2 users I created for test:

This one using a SCIM POST request:

```
dn: inum=@!D049.06C1.EB6E.23F3!0001!A5E7.9654!0000!403C.3D16.4640.5955,ou=people,o=@!D049.06C1.EB6E.23F3!0001!A5E7.9654,o=gluu
objectClass: top
objectClass: gluuPerson
objectClass: gluuCustomPerson
oxTrustMetaLocation: /scim/v2/Users/@!D049.06C1.EB6E.23F3!0001!A5E7.9654!0000!403C.3D16.4640.5955
mail: test@from.scim
oxCreationTimestamp: 20180312151550.385Z
preferredLanguage: fr-fr
o: 123456789
oxTrustMetaLastModified: 2018-03-12T15:15:50.383Z
givenName: Test
oxTrustActive: true
emailVerified: 0
oxTrustMetaCreated: 2018-03-12T15:15:50.383Z
inum: @!D049.06C1.EB6E.23F3!0001!A5E7.9654!0000!403C.3D16.4640.5955
iname: *person*test@from.scim
oxTrustEmail: {"operation":null,"value":"test@from.scim","display":null,"primary":true,"reference":null,"type":"work"}
oxTrustExternalId: a06fa068-e9dd-409a-80e0-b4650d28d0bc
displayName: Test FromSCIM
oxTrustRole: {"operation":null,"value":"ROLE_USER","display":null,"primary":false,"type":null}
gluuStatus: active
sn: FromSCIM
cn: Test FromSCIM
locale: fr_FR
zoneinfo: Europe/Paris
userPassword: {SSHA512}*****
uid: test@from.scim
```

This one using oxTrust:

```
dn: inum=@!D049.06C1.EB6E.23F3!0001!A5E7.9654!0000!D95D.63FC.9E02.3234,ou=people,o=@!D049.06C1.EB6E.23F3!0001!A5E7.9654,o=gluu
objectClass: eduPerson
objectClass: gluuPerson
objectClass: top
objectClass: gluuCustomPerson
mail: test@from.ui
oxCreationTimestamp: 20180312152053.259Z
givenName: Test
inum: @!D049.06C1.EB6E.23F3!0001!A5E7.9654!0000!D95D.63FC.9E02.3234
iname: *person*test@from.ui
oxTrustEmail: {"operation":null,"value":"test@from.ui","display":"test@from.ui","primary":true,"reference":null,"type":"other"}
displayName: Test FromUI
role: ROLE_USER
gluuStatus: active
sn: FromUI
cn: Test FromUI
userPassword: {SSHA512}*****
uid: test@from.ui
```

And here, the SCIM GET response:

```json
{
  "totalResults": 2,
  "itemsPerPage": 2,
  "startIndex": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "Resources": [
    {
      "id": "@!D049.06C1.EB6E.23F3!0001!A5E7.9654!0000!403C.3D16.4640.5955",
      "externalId": "a06fa068-e9dd-409a-80e0-b4650d28d0bc",
      "meta": {
        "created": "2018-03-12T15:15:50.383Z",
        "lastModified": "2018-03-12T15:15:50.383Z",
        "location": "https://*****/identity/restv1/scim/v2/Users/@!D049.06C1.EB6E.23F3!0001!A5E7.9654!0000!403C.3D16.4640.5955",
        "version": null,
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:extension:gluu:2.0:User",
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "userName": "test@from.scim",
      "name": {
        "formatted": "Test FromSCIM",
        "familyName": "FromSCIM",
        "givenName": "Test",
        "middleName": null,
        "honorificPrefix": null,
        "honorificSuffix": null
      },
      "displayName": "Test FromSCIM",
      "nickName": null,
      "profileUrl": null,
      "title": null,
      "userType": null,
      "preferredLanguage": "fr-fr",
      "locale": "fr_FR",
      "timezone": "Europe/Paris",
      "active": true,
      "password": "Hidden for Privacy Reasons",
      "emails": [
        {
          "operation": null,
          "value": "test@from.scim",
          "display": null,
          "primary": true,
          "reference": null,
          "type": "work"
        }
      ],
      "phoneNumbers": [],
      "ims": [],
      "photos": [],
      "addresses": [],
      "groups": [],
      "entitlements": [],
      "roles": [
        {
          "operation": null,
          "value": "ROLE_USER",
          "display": null,
          "primary": false,
          "type": null
        }
      ],
      "pairwiseIdentitifers": [],
      "x509Certificates": [],
      "urn:ietf:params:scim:schemas:extension:gluu:2.0:User": {
        "emailVerified": "0",
        "o": "123456789"
      }
    },
    {
      "id": "@!D049.06C1.EB6E.23F3!0001!A5E7.9654!0000!D95D.63FC.9E02.3234",
      "externalId": null,
      "meta": {
        "created": null,
        "lastModified": null,
        "location": "https://*****/identity/restv1/scim/v2/Users/@!D049.06C1.EB6E.23F3!0001!A5E7.9654!0000!D95D.63FC.9E02.3234",
        "version": null,
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "userName": "test@from.ui",
      "name": {
        "formatted": "Test FromUI",
        "familyName": "FromUI",
        "givenName": "Test",
        "middleName": null,
        "honorificPrefix": null,
        "honorificSuffix": null
      },
      "displayName": "Test FromUi",
      "nickName": null,
      "profileUrl": null,
      "title": null,
      "userType": null,
      "preferredLanguage": null,
      "locale": null,
      "timezone": null,
      "active": null,
      "password": "Hidden for Privacy Reasons",
      "emails": [
        {
          "operation": null,
          "value": "test@from.ui",
          "display": "test@from.ui",
          "primary": true,
          "reference": null,
          "type": "other"
        }
      ],
      "phoneNumbers": [],
      "ims": [],
      "photos": [],
      "addresses": [],
      "groups": [],
      "entitlements": [],
      "roles": [],
      "pairwiseIdentitifers": [],
      "x509Certificates": []
    }
  ]
}
```
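The two dumps above show the split Aliaksandr described: the SCIM-created user carries its role as a JSON object in `oxTrustRole`, while the user created in oxTrust carries a plain string in `role`, and the SCIM listing returns `"roles": []` for the latter. The following is an added example, not code from this thread or from Gluu: a small audit script that parses an `ldapsearch`-style dump, pulls role names out of both attributes, and flags users whose roles live only in `oxTrustRole`. It assumes, as suggested above, that a claim mapped to the `role` attribute (such as the one released by the "permission" scope) will not see values stored in `oxTrustRole`; the LDIF entries embedded in it are constructed and abbreviated, with placeholder `inum` values rather than real Gluu identifiers.

```python
import json
from typing import Dict, List

# Constructed sample modelled on the two dumps in this thread (abbreviated;
# the inum values are placeholders, not real Gluu identifiers). The second
# oxTrustRole value is added to show that the attribute is multi-valued.
LDIF_DUMP = """\
dn: inum=@!PLACEHOLDER!0000!SCIM,ou=people,o=@!PLACEHOLDER,o=gluu
objectClass: gluuPerson
uid: test@from.scim
displayName: Test FromSCIM
oxTrustRole: {"operation":null,"value":"ROLE_USER","display":null,"primary":false,"type":null}
oxTrustRole: {"operation":null,"value":"ROLE_AUDITOR","display":null,"primary":false,"type":null}
gluuStatus: active

dn: inum=@!PLACEHOLDER!0000!UI,ou=people,o=@!PLACEHOLDER,o=gluu
objectClass: gluuPerson
uid: test@from.ui
displayName: Test FromUI
role: ROLE_USER
gluuStatus: active
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries are separated by blank lines, each line is
    'attr: value', repeated attributes collect into a list in file order, and a
    line starting with a space continues the previous value. Base64 ('::')
    values are not decoded; this is enough for the dumps shown in the thread."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def roles_of(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Role names found on one entry, keyed by the LDAP attribute holding them.
    'role' values are plain strings (what the oxTrust "User permission" field
    writes); 'oxTrustRole' values are SCIM-style JSON objects whose 'value'
    member is the role name. A value that is not the expected JSON is kept raw
    so nothing is silently dropped from the report."""
    found: Dict[str, List[str]] = {"role": list(entry.get("role", [])), "oxTrustRole": []}
    for v in entry.get("oxTrustRole", []):
        try:
            found["oxTrustRole"].append(json.loads(v)["value"])
        except (ValueError, KeyError, TypeError):
            found["oxTrustRole"].append(v)
    return found


def find_unexposed_roles(entries: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Map uid -> roles that exist only in oxTrustRole. Under the assumption
    that the released claim reads the 'role' attribute, these are the roles
    that will never reach the relying party's environment variables."""
    report: Dict[str, List[str]] = {}
    for entry in entries:
        uid = entry.get("uid", ["<no uid>"])[0]
        r = roles_of(entry)
        missing = sorted(set(r["oxTrustRole"]) - set(r["role"]))
        if missing:
            report[uid] = missing
    return report


if __name__ == "__main__":
    for uid, roles in find_unexposed_roles(parse_ldif(LDIF_DUMP)).items():
        print(f"{uid}: roles only in oxTrustRole, not in role: {', '.join(roles)}")
```

Run it against a real dump by replacing `LDIF_DUMP` with the output of the `ldapsearch` command given earlier in the thread (after removing `userPassword` and other sensitive values); an empty report means every SCIM-provisioned role is also present in `role`.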