I'm adding SCIM support to an application which already has a user directory (with support for groups, including nested groups, etc.).
RFC 6743 defines an attribute of resources called lastModified. That this attribute should change when mutable attributes (like displayName) of the resource change is pretty obvious, but I'm struggling to determine whether it should change when the groups attribute of a resource changes. Such changes do not come from modifying the resource itself, and possibly not even from modifying the groups that the resource is a direct member of (it may be an indirect membership).
So, what do you think? Should the lastModified attribute of a resource (user or group in my case) change when the value of the groups attribute changes? And should the lastModified attribute of a group change if the value of the members attribute changes (and if so, even if the change was not through an actual modification of the group itself but rather a result of a member resource being deleted)?
As per the discussion in the SCIM mailing list [1], I think lastModified attribute updates due to dynamic/indirect changes should not be a part of the SCIM implementation. This should be handled at the userstore level.
Adding a new member to a Group using the /Groups endpoint may change the groups attribute of a User resource, but it depends on the database query succeeding. Thus, the user's lastModified attribute needs to be updated only after a successful Group modification.
Deleting a user resource changes the members attribute of one or more Group resources. Similar to the first scenario, the Group resources would be changed after a successful user deletion database query.
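The two scenarios in the answer (member added through /Groups, user deleted) can be exercised with the following added example, which is not code from the thread or from any SCIM implementation. It assumes an in-memory directory where the groups attribute of a resource is derived as the transitive closure of the members relation (so nested membership is covered), and where lastModified is bumped in the same commit as the successful mutation, on the group that was modified and on every resource whose derived groups value actually changed. The clock is injectable so the propagation can be checked deterministically; the Directory class and its method names are assumptions for illustration.

```python
"""Propagating meta.lastModified through SCIM group membership.

Added example, not from the thread. Assumptions: an in-memory directory holding
Users and Groups, groups may nest, and the "groups" attribute is derived from
"members" (not stored), so it can change without the resource itself being edited.
"""
from collections import deque
from datetime import datetime, timezone


class Directory:
    def __init__(self, now=None):
        # Injectable clock; tests pass a counter so timestamps are predictable.
        self._now = now or (lambda: datetime.now(timezone.utc))
        # id -> {"type": "User" | "Group", "members": set of ids, "lastModified": ts}
        self.resources = {}

    def create(self, rid, rtype):
        self.resources[rid] = {"type": rtype, "members": set(), "lastModified": self._now()}

    def groups(self, rid):
        """Derived 'groups' attribute: every group containing rid directly or via nesting."""
        seen, queue = set(), deque([rid])
        while queue:
            cur = queue.popleft()
            for gid, g in self.resources.items():
                if g["type"] == "Group" and cur in g["members"] and gid not in seen:
                    seen.add(gid)          # 'seen' also guards against membership cycles
                    queue.append(gid)
        return seen

    def _snapshot(self):
        return {rid: self.groups(rid) for rid in self.resources}

    def _commit(self, before, touched):
        """Called only after the mutation succeeded: one timestamp for the whole change.

        Bumps lastModified on explicitly touched resources (the group whose members
        changed) and on every resource whose derived 'groups' value differs from the
        pre-mutation snapshot, including indirect members of nested groups.
        """
        ts = self._now()
        for rid in self.resources:
            if rid in touched or self.groups(rid) != before[rid]:
                self.resources[rid]["lastModified"] = ts
        return ts

    def add_member(self, gid, mid):
        """PATCH /Groups/{gid}: add mid to members. Validation happens before any write."""
        g = self.resources.get(gid)
        if g is None or g["type"] != "Group" or mid not in self.resources:
            raise KeyError("unknown group or member")       # nothing touched on failure
        if mid == gid or mid in self.groups(gid):
            raise ValueError("membership would create a cycle")
        before = self._snapshot()
        g["members"].add(mid)
        return self._commit(before, touched={gid})

    def delete_user(self, uid):
        """DELETE /Users/{uid}: also removes uid from every group's members."""
        u = self.resources.get(uid)
        if u is None or u["type"] != "User":
            raise KeyError("unknown user")
        before = self._snapshot()
        touched = set()
        for gid, g in self.resources.items():
            if g["type"] == "Group" and uid in g["members"]:
                g["members"].discard(uid)
                touched.add(gid)
        del self.resources[uid]
        del before[uid]
        return self._commit(before, touched)


if __name__ == "__main__":
    tick = iter(range(1, 100))
    d = Directory(now=lambda: next(tick))
    for rid, rtype in [("alice", "User"), ("eng", "Group"), ("all", "Group")]:
        d.create(rid, rtype)
    d.add_member("all", "eng")      # nests eng inside all
    d.add_member("eng", "alice")    # alice's derived groups become {eng, all}
    print({rid: r["lastModified"] for rid, r in d.resources.items()})
    d.delete_user("alice")          # only eng (direct container) is bumped
    print({rid: r["lastModified"] for rid, r in d.resources.items()})
```

Note that adding alice to eng bumps alice (her derived groups changed) and eng (its members changed) but not all, whose own attributes are unchanged even though alice is now an indirect member of it; deleting alice bumps only the groups that listed her directly. Whether a server should do any of this is exactly the design question in the thread; the example only shows what consistent propagation looks like if you choose to.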