Excludes roles in scim API list calls to reduce load on databricks scim service (#2181)

shreyas-goenka · web-flow · commit cb2f98b42c44 · 2023-04-03T15:26:48.000Z
* Exclude roles in scim API list calls

* more test fixes
diff --git a/exporter/exporter_test.go b/exporter/exporter_test.go
@@ -340,7 +340,7 @@ func TestImportingUsersGroupsSecretScopes(t *testing.T) {
 			},
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?filter=applicationId%20eq%20%27spn%27",
+				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=applicationId%20eq%20%27spn%27",
 				Response: scim.User{ID: "321", DisplayName: "spn", ApplicationID: "spn",
 					Groups: []scim.ComplexValue{
 						{Display: "admins", Value: "a", Ref: "Groups/a", Type: "direct"},
@@ -394,7 +394,7 @@ func TestImportingUsersGroupsSecretScopes(t *testing.T) {
 			},
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27test%40test.com%27",
+				Resource: "/api/2.0/preview/scim/v2/Users?excludedAttributes=roles&filter=userName%20eq%20%27test%40test.com%27",
 				Response: scim.UserList{
 					Resources: []scim.User{
 						{ID: "123", DisplayName: "test@test.com", UserName: "test@test.com"},
@@ -1275,7 +1275,7 @@ func TestImportingUser(t *testing.T) {
 			{
 				Method:       "GET",
 				ReuseRequest: true,
-				Resource:     "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27me%27",
+				Resource:     "/api/2.0/preview/scim/v2/Users?excludedAttributes=roles&filter=userName%20eq%20%27me%27",
 				Response: scim.UserList{
 					Resources: []scim.User{
 						{
@@ -1601,7 +1601,7 @@ func TestImportingDLTPipelines(t *testing.T) {
 			},
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27user%40domain.com%27",
+				Resource: "/api/2.0/preview/scim/v2/Users?excludedAttributes=roles&filter=userName%20eq%20%27user%40domain.com%27",
 				Response: scim.UserList{
 					Resources: []scim.User{
 						{ID: "123", DisplayName: "user@domain.com", UserName: "user@domain.com"},
diff --git a/exporter/importables_test.go b/exporter/importables_test.go
@@ -444,7 +444,7 @@ func TestUserSearchFails(t *testing.T) {
 		{
 			ReuseRequest: true,
 			Method:       "GET",
-			Resource:     "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27dbc%27",
+			Resource:     "/api/2.0/preview/scim/v2/Users?excludedAttributes=roles&filter=userName%20eq%20%27dbc%27",
 			Status:       404,
 			Response:     apierr.NotFound("nope"),
 		},
@@ -473,7 +473,7 @@ func TestSpnSearchFails(t *testing.T) {
 		{
 			ReuseRequest: true,
 			Method:       "GET",
-			Resource:     "/api/2.0/preview/scim/v2/ServicePrincipals?filter=applicationId%20eq%20%27dbc%27",
+			Resource:     "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=applicationId%20eq%20%27dbc%27",
 			Status:       404,
 			Response:     apierr.NotFound("nope"),
 		},
@@ -502,7 +502,7 @@ func TestSpnSearchSuccess(t *testing.T) {
 		{
 			ReuseRequest: true,
 			Method:       "GET",
-			Resource:     "/api/2.0/preview/scim/v2/ServicePrincipals?filter=applicationId%20eq%20%27dbc%27",
+			Resource:     "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=applicationId%20eq%20%27dbc%27",
 			Response: scim.UserList{Resources: []scim.User{
 				{ID: "321", DisplayName: "spn", ApplicationID: "dbc"},
 			}},
@@ -556,7 +556,7 @@ func TestUserImportSkipNonDirectGroups(t *testing.T) {
 		{
 			ReuseRequest: true,
 			Method:       "GET",
-			Resource:     "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27dbc%27",
+			Resource:     "/api/2.0/preview/scim/v2/Users?excludedAttributes=roles&filter=userName%20eq%20%27dbc%27",
 			Response: scim.UserList{
 				Resources: []scim.User{
 					{
diff --git a/exporter/util.go b/exporter/util.go
@@ -200,7 +200,7 @@ func (ic *importContext) cacheGroups() error {
 	if len(ic.allGroups) == 0 {
 		log.Printf("[INFO] Caching groups in memory ...")
 		groupsAPI := scim.NewGroupsAPI(ic.Context, ic.Client)
-		g, err := groupsAPI.Filter("")
+		g, err := groupsAPI.Filter("", true)
 		if err != nil {
 			return err
 		}
diff --git a/scim/data_group_test.go b/scim/data_group_test.go
@@ -18,7 +18,7 @@ func TestDataSourceGroup(t *testing.T) {
 		Fixtures: []qa.HTTPFixture{
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/preview/scim/v2/Groups?filter=displayName%20eq%20%27ds%27",
+				Resource: "/api/2.0/preview/scim/v2/Groups?excludedAttributes=roles&filter=displayName%20eq%20%27ds%27",
 				Response: GroupList{
 					Resources: []Group{
 						{
@@ -29,11 +29,6 @@ func TestDataSourceGroup(t *testing.T) {
 									Value: "allow-cluster-create",
 								},
 							},
-							Roles: []ComplexValue{
-								{
-									Value: "a",
-								},
-							},
 							Members: []ComplexValue{
 								{
 									Ref:   "Users/1112",
@@ -57,6 +52,43 @@ func TestDataSourceGroup(t *testing.T) {
 					},
 				},
 			},
+			{
+				Method:   "GET",
+				Resource: "/api/2.0/preview/scim/v2/Groups/eerste",
+				Response: Group{
+					DisplayName: "ds",
+					ID:          "eerste",
+					Entitlements: []ComplexValue{
+						{
+							Value: "allow-cluster-create",
+						},
+					},
+					Roles: []ComplexValue{
+						{
+							Value: "a",
+						},
+					},
+					Members: []ComplexValue{
+						{
+							Ref:   "Users/1112",
+							Value: "1112",
+						},
+						{
+							Ref:   "ServicePrincipals/1113",
+							Value: "1113",
+						},
+						{
+							Ref:   "Groups/1114",
+							Value: "1114",
+						},
+					},
+					Groups: []ComplexValue{
+						{
+							Value: "abc",
+						},
+					},
+				},
+			},
 			{
 				Method:   "GET",
 				Resource: "/api/2.0/preview/scim/v2/Groups/abc",
diff --git a/scim/data_service_principal_test.go b/scim/data_service_principal_test.go
@@ -12,7 +12,7 @@ func TestDataServicePrincipalReadByAppId(t *testing.T) {
 		Fixtures: []qa.HTTPFixture{
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?filter=applicationId%20eq%20%27abc%27",
+				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=applicationId%20eq%20%27abc%27",
 				Response: UserList{
 					Resources: []User{
 						{
@@ -56,7 +56,7 @@ func TestDataServicePrincipalReadNotFound(t *testing.T) {
 		Fixtures: []qa.HTTPFixture{
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?filter=applicationId%20eq%20%27abc%27",
+				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=applicationId%20eq%20%27abc%27",
 				Response: UserList{},
 			},
 		},
@@ -74,7 +74,7 @@ func TestDataServicePrincipalReadError(t *testing.T) {
 		Fixtures: []qa.HTTPFixture{
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?filter=applicationId%20eq%20%27abc%27",
+				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=applicationId%20eq%20%27abc%27",
 				Status:   500,
 			},
 		},
diff --git a/scim/data_service_principals_test.go b/scim/data_service_principals_test.go
@@ -12,7 +12,7 @@ func TestDataServicePrincipalsReadByDisplayName(t *testing.T) {
 		Fixtures: []qa.HTTPFixture{
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?filter=displayName%20co%20%27def%27",
+				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=displayName%20co%20%27def%27",
 				Response: UserList{
 					Resources: []User{
 						{
@@ -46,7 +46,7 @@ func TestDataServicePrincipalsReadNotFound(t *testing.T) {
 		Fixtures: []qa.HTTPFixture{
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?filter=displayName%20co%20%27def%27",
+				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=displayName%20co%20%27def%27",
 				Response: UserList{},
 			},
 		},
@@ -64,7 +64,7 @@ func TestDataServicePrincipalsReadNoFilter(t *testing.T) {
 		Fixtures: []qa.HTTPFixture{
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?",
+				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles",
 				Response: UserList{
 					Resources: []User{
 						{
@@ -98,7 +98,7 @@ func TestDataServicePrincipalsReadError(t *testing.T) {
 		Fixtures: []qa.HTTPFixture{
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?filter=displayName%20co%20%27def%27",
+				Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=displayName%20co%20%27def%27",
 				Status:   500,
 			},
 		},
diff --git a/scim/data_user_test.go b/scim/data_user_test.go
@@ -16,7 +16,7 @@ func TestDataSourceUser(t *testing.T) {
 		Fixtures: []qa.HTTPFixture{
 			{
 				Method:   "GET",
-				Resource: "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27ds%27",
+				Resource: "/api/2.0/preview/scim/v2/Users?excludedAttributes=roles&filter=userName%20eq%20%27ds%27",
 				Response: UserList{
 					Resources: []User{
 						{
@@ -53,15 +53,15 @@ func TestDataSourceUserGerUser(t *testing.T) {
 		},
 		{
 			Method:   "GET",
-			Resource: "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27searching_error%27",
+			Resource: "/api/2.0/preview/scim/v2/Users?excludedAttributes=roles&filter=userName%20eq%20%27searching_error%27",
 			Status:   404,
 			Response: apierr.APIError{
 				Message: "searching_error",
 			},
 		},
 		{
 			Method:   "GET",
-			Resource: "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27empty_search%27",
+			Resource: "/api/2.0/preview/scim/v2/Users?excludedAttributes=roles&filter=userName%20eq%20%27empty_search%27",
 			Response: UserList{},
 		},
 	}, func(ctx context.Context, client *common.DatabricksClient) {
diff --git a/scim/groups.go b/scim/groups.go
@@ -39,27 +39,32 @@ func (a GroupsAPI) Read(groupID string) (group Group, err error) {
 }
 
 // Filter returns groups matching the filter
-func (a GroupsAPI) Filter(filter string) (GroupList, error) {
+func (a GroupsAPI) Filter(filter string, includeRoles bool) (GroupList, error) {
 	var groups GroupList
 	req := map[string]string{}
 	if filter != "" {
 		req["filter"] = filter
 	}
+	if !includeRoles {
+		// We exclude roles to reduce load on the scim service
+		req["excludedAttributes"] = "roles"
+	}
 	err := a.client.Scim(a.context, http.MethodGet, "/preview/scim/v2/Groups", req, &groups)
 	return groups, err
 }
 
 func (a GroupsAPI) ReadByDisplayName(displayName string) (group Group, err error) {
-	groupList, err := a.Filter(fmt.Sprintf("displayName eq '%s'", displayName))
+	groupList, err := a.Filter(fmt.Sprintf("displayName eq '%s'", displayName), false)
 	if err != nil {
 		return
 	}
 	if len(groupList.Resources) == 0 {
 		err = fmt.Errorf("cannot find group: %s", displayName)
 		return
 	}
-	group = groupList.Resources[0]
-	return
+	// We GET the group again to fetch any fields that were excluded the first
+	// time around
+	return a.Read(groupList.Resources[0].ID)
 }
 
 func (a GroupsAPI) Patch(groupID string, r patchRequest) error {
diff --git a/scim/resource_group_test.go b/scim/resource_group_test.go
@@ -354,7 +354,7 @@ func TestCreateForceOverwriteCannotListGroups(t *testing.T) {
 	qa.HTTPFixturesApply(t, []qa.HTTPFixture{
 		{
 			Method:   "GET",
-			Resource: "/api/2.0/preview/scim/v2/Groups?filter=displayName%20eq%20%27abc%27",
+			Resource: "/api/2.0/preview/scim/v2/Groups?excludedAttributes=roles&filter=displayName%20eq%20%27abc%27",
 			Status:   417,
 			Response: apierr.APIError{
 				Message: "cannot find group",
@@ -376,7 +376,7 @@ func TestCreateForceOverwriteFindsAndSetsGroupID(t *testing.T) {
 	qa.HTTPFixturesApply(t, []qa.HTTPFixture{
 		{
 			Method:   "GET",
-			Resource: "/api/2.0/preview/scim/v2/Groups?filter=displayName%20eq%20%27abc%27",
+			Resource: "/api/2.0/preview/scim/v2/Groups?excludedAttributes=roles&filter=displayName%20eq%20%27abc%27",
 			Response: GroupList{
 				Resources: []Group{
 					{
@@ -392,6 +392,13 @@ func TestCreateForceOverwriteFindsAndSetsGroupID(t *testing.T) {
 				ID: "123",
 			},
 		},
+		{
+			Method:   "GET",
+			Resource: "/api/2.0/preview/scim/v2/Groups/123",
+			Response: Group{
+				ID: "123",
+			},
+		},
 		{
 			Method:   "PUT",
 			Resource: "/api/2.0/preview/scim/v2/Groups/123",
diff --git a/scim/resource_service_principal.go b/scim/resource_service_principal.go
@@ -45,6 +45,8 @@ func (a ServicePrincipalsAPI) Filter(filter string) (u []User, err error) {
 	if filter != "" {
 		req["filter"] = filter
 	}
+	// We exclude roles to reduce load on the scim service
+	req["excludedAttributes"] = "roles"
 	err = a.client.Scim(a.context, http.MethodGet, "/preview/scim/v2/ServicePrincipals", req, &sps)
 	if err != nil {
 		return
diff --git a/scim/resource_service_principal_test.go b/scim/resource_service_principal_test.go
@@ -555,7 +555,7 @@ func TestCreateForceOverwriteCannotListServicePrincipals(t *testing.T) {
 	qa.HTTPFixturesApply(t, []qa.HTTPFixture{
 		{
 			Method:   "GET",
-			Resource: fmt.Sprintf("/api/2.0/preview/scim/v2/ServicePrincipals?filter=applicationId%%20eq%%20%%27%s%%27", appID),
+			Resource: fmt.Sprintf("/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=applicationId%%20eq%%20%%27%s%%27", appID),
 			Status:   417,
 			Response: apierr.APIError{
 				Message: "cannot find service principal",
@@ -578,7 +578,7 @@ func TestCreateForceOverwriteCannotListAccServicePrincipals(t *testing.T) {
 	qa.HTTPFixturesApply(t, []qa.HTTPFixture{
 		{
 			Method:   "GET",
-			Resource: fmt.Sprintf("/api/2.0/preview/scim/v2/ServicePrincipals?filter=applicationId%%20eq%%20%%27%s%%27", appID),
+			Resource: fmt.Sprintf("/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=applicationId%%20eq%%20%%27%s%%27", appID),
 			Response: UserList{
 				TotalResults: 0,
 			},
@@ -600,7 +600,7 @@ func TestCreateForceOverwriteFindsAndSetsServicePrincipalID(t *testing.T) {
 	qa.HTTPFixturesApply(t, []qa.HTTPFixture{
 		{
 			Method:   "GET",
-			Resource: fmt.Sprintf("/api/2.0/preview/scim/v2/ServicePrincipals?filter=applicationId%%20eq%%20%%27%s%%27", appID),
+			Resource: fmt.Sprintf("/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=applicationId%%20eq%%20%%27%s%%27", appID),
 			Response: UserList{
 				Resources: []User{
 					{
diff --git a/scim/resource_user_test.go b/scim/resource_user_test.go
@@ -604,7 +604,7 @@ func TestCreateForceOverwriteCannotListUsers(t *testing.T) {
 	qa.HTTPFixturesApply(t, []qa.HTTPFixture{
 		{
 			Method:   "GET",
-			Resource: "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27me%40example.com%27",
+			Resource: "/api/2.0/preview/scim/v2/Users?excludedAttributes=roles&filter=userName%20eq%20%27me%40example.com%27",
 			Status:   417,
 			Response: apierr.APIErrorBody{
 				Message: "cannot find user",
@@ -626,7 +626,7 @@ func TestCreateForceOverwriteCannotListAccUsers(t *testing.T) {
 	qa.HTTPFixturesApply(t, []qa.HTTPFixture{
 		{
 			Method:   "GET",
-			Resource: "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27me%40example.com%27",
+			Resource: "/api/2.0/preview/scim/v2/Users?excludedAttributes=roles&filter=userName%20eq%20%27me%40example.com%27",
 			Response: UserList{
 				TotalResults: 0,
 			},
@@ -647,7 +647,7 @@ func TestCreateForceOverwriteFindsAndSetsID(t *testing.T) {
 	qa.HTTPFixturesApply(t, []qa.HTTPFixture{
 		{
 			Method:   "GET",
-			Resource: "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27me%40example.com%27",
+			Resource: "/api/2.0/preview/scim/v2/Users?excludedAttributes=roles&filter=userName%20eq%20%27me%40example.com%27",
 			Response: UserList{
 				Resources: []User{
 					{
@@ -689,7 +689,7 @@ func TestCreateForceOverwriteFindsAndSetsAccID(t *testing.T) {
 	qa.HTTPFixturesApply(t, []qa.HTTPFixture{
 		{
 			Method:   "GET",
-			Resource: "/api/2.0/preview/scim/v2/Users?filter=userName%20eq%20%27me%40example.com%27",
+			Resource: "/api/2.0/preview/scim/v2/Users?excludedAttributes=roles&filter=userName%20eq%20%27me%40example.com%27",
 			Response: UserList{
 				Resources: []User{
 					{
diff --git a/scim/users.go b/scim/users.go
@@ -38,6 +38,8 @@ func (a UsersAPI) Filter(filter string) (u []User, err error) {
 	if filter != "" {
 		req["filter"] = filter
 	}
+	// We exclude roles to reduce load on the scim service
+	req["excludedAttributes"] = "roles"
 	err = a.client.Scim(a.context, http.MethodGet, "/preview/scim/v2/Users", req, &users)
 	if err != nil {
 		return
diff --git a/scim/users_test.go b/scim/users_test.go

Original file line number	Diff line number	Diff line change
`@@ -200,7 +200,7 @@ func (ic *importContext) cacheGroups() error {`
`200`	`200`	`if len(ic.allGroups) == 0 {`
`201`	`201`	`log.Printf("[INFO] Caching groups in memory ...")`
`202`	`202`	`groupsAPI := scim.NewGroupsAPI(ic.Context, ic.Client)`
`203`		`- g, err := groupsAPI.Filter("")`
	`203`	`+ g, err := groupsAPI.Filter("", true)`
`204`	`204`	`if err != nil {`
`205`	`205`	`return err`
`206`	`206`	`}`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ func TestDataServicePrincipalsReadByDisplayName(t *testing.T) {`
`12`	`12`	`Fixtures: []qa.HTTPFixture{`
`13`	`13`	`{`
`14`	`14`	`Method: "GET",`
`15`		`- Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?filter=displayName%20co%20%27def%27",`
	`15`	`+ Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=displayName%20co%20%27def%27",`
`16`	`16`	`Response: UserList{`
`17`	`17`	`Resources: []User{`
`18`	`18`	`{`
`@@ -46,7 +46,7 @@ func TestDataServicePrincipalsReadNotFound(t *testing.T) {`
`46`	`46`	`Fixtures: []qa.HTTPFixture{`
`47`	`47`	`{`
`48`	`48`	`Method: "GET",`
`49`		`- Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?filter=displayName%20co%20%27def%27",`
	`49`	`+ Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=displayName%20co%20%27def%27",`
`50`	`50`	`Response: UserList{},`
`51`	`51`	`},`
`52`	`52`	`},`
`@@ -64,7 +64,7 @@ func TestDataServicePrincipalsReadNoFilter(t *testing.T) {`
`64`	`64`	`Fixtures: []qa.HTTPFixture{`
`65`	`65`	`{`
`66`	`66`	`Method: "GET",`
`67`		`- Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?",`
	`67`	`+ Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles",`
`68`	`68`	`Response: UserList{`
`69`	`69`	`Resources: []User{`
`70`	`70`	`{`
`@@ -98,7 +98,7 @@ func TestDataServicePrincipalsReadError(t *testing.T) {`
`98`	`98`	`Fixtures: []qa.HTTPFixture{`
`99`	`99`	`{`
`100`	`100`	`Method: "GET",`
`101`		`- Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?filter=displayName%20co%20%27def%27",`
	`101`	`+ Resource: "/api/2.0/preview/scim/v2/ServicePrincipals?excludedAttributes=roles&filter=displayName%20co%20%27def%27",`
`102`	`102`	`Status: 500,`
`103`	`103`	`},`
`104`	`104`	`},`
Original file line number	Diff line number	Diff line change
`@@ -39,27 +39,32 @@ func (a GroupsAPI) Read(groupID string) (group Group, err error) {`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`// Filter returns groups matching the filter`
`42`		`-func (a GroupsAPI) Filter(filter string) (GroupList, error) {`
	`42`	`+func (a GroupsAPI) Filter(filter string, includeRoles bool) (GroupList, error) {`
`43`	`43`	`var groups GroupList`
`44`	`44`	`req := map[string]string{}`
`45`	`45`	`if filter != "" {`
`46`	`46`	`req["filter"] = filter`
`47`	`47`	`}`
	`48`	`+ if !includeRoles {`
	`49`	`+ // We exclude roles to reduce load on the scim service`
	`50`	`+ req["excludedAttributes"] = "roles"`
	`51`	`+ }`
`48`	`52`	`err := a.client.Scim(a.context, http.MethodGet, "/preview/scim/v2/Groups", req, &groups)`
`49`	`53`	`return groups, err`
`50`	`54`	`}`
`51`	`55`
`52`	`56`	`func (a GroupsAPI) ReadByDisplayName(displayName string) (group Group, err error) {`
`53`		`- groupList, err := a.Filter(fmt.Sprintf("displayName eq '%s'", displayName))`
	`57`	`+ groupList, err := a.Filter(fmt.Sprintf("displayName eq '%s'", displayName), false)`
`54`	`58`	`if err != nil {`
`55`	`59`	`return`
`56`	`60`	`}`
`57`	`61`	`if len(groupList.Resources) == 0 {`
`58`	`62`	`err = fmt.Errorf("cannot find group: %s", displayName)`
`59`	`63`	`return`
`60`	`64`	`}`
`61`		`- group = groupList.Resources[0]`
`62`		`- return`
	`65`	`+ // We GET the group again to fetch any fields that were excluded the first`
	`66`	`+ // time around`
	`67`	`+ return a.Read(groupList.Resources[0].ID)`
`63`	`68`	`}`
`64`	`69`
`65`	`70`	`func (a GroupsAPI) Patch(groupID string, r patchRequest) error {`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,8 @@ func (a ServicePrincipalsAPI) Filter(filter string) (u []User, err error) {`
`45`	`45`	`if filter != "" {`
`46`	`46`	`req["filter"] = filter`
`47`	`47`	`}`
	`48`	`+ // We exclude roles to reduce load on the scim service`
	`49`	`+ req["excludedAttributes"] = "roles"`
`48`	`50`	`err = a.client.Scim(a.context, http.MethodGet, "/preview/scim/v2/ServicePrincipals", req, &sps)`
`49`	`51`	`if err != nil {`
`50`	`52`	`return`