Group contract
Groups describe membership topology across directories and SCIM consumers. Operations should avoid race windows by using optimistic conflict detection and membership snapshots.
Membership strategy
- Membership updates treat add/remove as atomic intent operations.
- Nested groups must be normalized before write to prevent cyclical states.
- Diff reports should show both cardinality and member source system.
Recovery and repair
If writes diverge, prefer reconciliation from source-of-truth snapshots and apply a bounded membership diff with operator approval in critical environments.
Group lifecycle transcript
PATCH /v2/Groups/eng-admin
[{ "op": "add", "path": "members", "value": [{ "value": "1234" }] }]

HTTP/1.1 409 CONFLICT
reason: "mutating_nested_group_not_allowed"
Nested group operations should fail before writes when cycle detection cannot guarantee deterministic expansion.
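An added example (not part of the original contract or any product's code) of the pre-write check described above: it refuses a nested-group add when the resulting expansion would contain a cycle, or when a membership snapshot is missing and expansion cannot be made deterministic. The group ids, the SNAPSHOT layout and the function names are assumptions; the rejection reason is the one shown in the transcript.

```python
# Constructed snapshot: group id -> set of directly nested group ids.
# None marks a group whose membership snapshot is unavailable (assumed layout).
SNAPSHOT = {
    "eng-all": {"eng-admin"},
    "eng-admin": {"eng-oncall"},
    "eng-oncall": {"eng-sre"},
    "eng-sre": set(),
    "contractors": None,
}

# Reason string taken from the transcript; the caller maps it to 409.
REJECT = "mutating_nested_group_not_allowed"


def expand(snapshot, root):
    """Return every group reachable from root (root included),
    or None when any group on the way has no usable snapshot."""
    seen, stack = set(), [root]
    while stack:
        gid = stack.pop()
        if gid in seen:
            continue
        seen.add(gid)
        children = snapshot.get(gid)
        if children is None:  # unknown or missing: expansion not deterministic
            return None
        stack.extend(children)
    return seen


def check_nested_add(snapshot, parent, child):
    """Pre-write check for nesting `child` under `parent`.
    Returns None when the write may proceed, else the rejection reason."""
    if snapshot.get(parent) is None:
        return REJECT
    reachable = expand(snapshot, child)
    # A cycle exists if parent is already reachable from child
    # (this also covers parent == child).
    if reachable is None or parent in reachable:
        return REJECT
    return None


if __name__ == "__main__":
    for parent, child in [("eng-all", "eng-sre"), ("eng-sre", "eng-all"),
                          ("eng-admin", "contractors")]:
        print(parent, "<-", child, ":", check_nested_add(SNAPSHOT, parent, child))
```

The check only reads the snapshot, so it can run before any write is issued and the rejected request leaves membership untouched.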