I was looking into the IdentityIQ SCIM API and was wondering if there was a way to exclude some attributes that are dynamically calculated and returned in the API response. The SCIMConfiguration object was completely blanked during debugging, yet, for example, in the /Accounts API, objects are still populated based on the application account schema.
Please see the example image of the Object I would like to exclude some attributes from - i.e. If I wanted to exclude ONLY the Location how could this be achieved?
Additional Notes: AccountID is the nativeIdentity and DisplayName is the displayName.
Yes you can use attributes parameter to filter out the attributes and just get nativeIdentity,displayName , active etc. using APIs.
I believe it may not be possible to filter it on attributes showing up under urn:ietf:params:scim:schemas:sailpoint:1.0:Application:Schema:<Your APP NAME>:account
If you have created any searchable extended account attributes by extending the account schema from Global Settings → Account Mappings then you can use the same attributes filter to just pull those extended account attributes.
In my case I have the extended attribute named accDept which is mapped to an attribute on application account schema and can be fetched using attributes parameter as shown below:
Thank you for your response.
I have already done something similar, but what I am actually looking for is to do the restriction within IdentityIQ itself. For example on the Users API, you can remove attributes in the SCIMConfiguration Object and on the API Layer, we would not see them.
For the Accounts API that dynamically calculated object is not present in the SCIMConfiguration Object hence I was wondering if there was a way to exclude it. I understand filtering can be used, but this would have to be done in an externally facing system which would have to be called when invoking the IdentityIQ API.