Problem Statement
Liferay’s current SCIM implementation focuses on provisioning Users and Groups, which works well for identity synchronization.
However, in many IAM implementations (including ours), authorization is not group-based. Instead, access is driven by application roles or entitlements.
Because of this, teams are forced to:
- Introduce IAM-managed groups purely as a workaround for authorization, or
- Rely on custom role-mapping logic outside of SCIM
Both approaches add operational complexity and reduce alignment with modern IAM models.
Proposed Enhancement
Add support for SCIM Roles and/or Entitlements to enable role-based authorization provisioning in Liferay without relying on group-to-role mappings.
Ideally, this would support:
- Consuming `roles` and/or `entitlements` attributes from SCIM (per the SCIM core schema and Roles & Entitlements extension)
- Mapping SCIM roles/entitlements directly to Liferay Roles
- Allowing customers to configure this mapping declaratively (similar to how group mappings are handled today)
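To make the proposed behaviour concrete, the following is an added example written for this request; it is not Liferay code and does not reflect any existing Liferay SCIM configuration. It consumes the `roles` and `entitlements` multi-valued attributes of a SCIM User resource (as defined in the RFC 7643 core User schema, where each member may be a complex object with a `value` sub-attribute or a bare string), resolves them through a declarative mapping table to Liferay role names, and computes the add/remove delta against the roles a user currently holds. The mapping shape, the sample payload, and the Liferay role names used are all constructed for illustration; unmapped SCIM values are reported rather than granted, so the mapping fails closed.

```python
"""Added example (not Liferay code): SCIM roles/entitlements -> Liferay roles."""
import json

# Constructed declarative mapping. The shape is hypothetical; it is not a
# Liferay configuration key, only an illustration of the proposal above.
ROLE_MAPPING = {
    "roles": {
        "portal-admin": ["Administrator"],
        "content-editor": ["Content Reviewer", "Site Content Reviewer"],
    },
    "entitlements": {
        "analytics:read": ["Analytics Viewer"],
    },
}

# Constructed SCIM User payload. `roles` and `entitlements` are multi-valued
# attributes from the RFC 7643 core User schema; members may be complex
# objects (value/display/type/primary) or bare primitive values.
SAMPLE_SCIM_USER = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jdoe",
    "roles": [
        {"value": "content-editor", "display": "Content Editor", "primary": True},
        {"value": "unknown-role"},
        "portal-admin",
    ],
    "entitlements": [
        {"value": "analytics:read", "type": "feature"},
    ],
})


def _values(attr):
    """Normalise a SCIM multi-valued attribute to a list of string values."""
    out = []
    for member in attr or []:
        value = member.get("value") if isinstance(member, dict) else member
        if isinstance(value, str) and value:
            out.append(value)
    return out


def resolve_liferay_roles(scim_user_json, mapping=ROLE_MAPPING):
    """Return (sorted Liferay role names, unmapped SCIM values).

    Only values present in the mapping grant anything; anything else is
    reported so an operator can spot drift between the IdP and the mapping.
    """
    user = json.loads(scim_user_json)
    granted, unmapped = set(), []
    for attr in ("roles", "entitlements"):
        table = mapping.get(attr, {})
        for value in _values(user.get(attr)):
            targets = table.get(value)
            if targets is None:
                unmapped.append(f"{attr}:{value}")
            else:
                granted.update(targets)
    return sorted(granted), unmapped


def role_delta(current_roles, desired_roles):
    """Compute (to_add, to_remove) so SCIM is the source of truth for roles.

    Roles the user holds that the IdP no longer asserts are removed, which
    is what makes de-provisioning of authorization automatic.
    """
    current, desired = set(current_roles), set(desired_roles)
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    desired, unmapped = resolve_liferay_roles(SAMPLE_SCIM_USER)
    add, remove = role_delta(["Administrator", "Power User"], desired)
    print("desired:", desired)
    print("unmapped:", unmapped)
    print("add:", add, "remove:", remove)
```

The `role_delta` step is where a SCIM-driven role model differs from an additive group sync: a role that disappears from the user's `roles` attribute at the IdP is revoked on the next provisioning call, rather than lingering until someone notices.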
Why This Matters
- Many enterprises use roles/entitlements as first-class authorization constructs
- Reduces the need for “IAM-only” groups that don’t reflect true authorization intent
- Aligns Liferay SCIM capabilities with modern IAM platforms (Okta, Entra ID, Ping, etc.)
- Enables cleaner, more maintainable role-based access control (RBAC) models
- Improves interoperability with standards-based SCIM implementations
Expected Outcome
With this enhancement, customers could:
- Use SCIM as a single source of truth for both identity and authorization
- Provision Liferay access using roles/entitlements, not just groups
- Avoid overloading group concepts when they are not part of the IAM authorization model
References