Account resource data model

~~The data model of the Soffid objects is mapped to JSON objects to enable the data transport between client and server.~~

/User

Dictionary table

~~Attribute~~	~~Type~~	~~Required~~	~~Updatable~~	~~Description~~	~~Additional comment~~
id	~~Long~~	~~Yes~~	-	~~Primary key of the user~~
~~userName~~	~~String~~	~~Yes~~	~~Yes~~	~~User name used to identify a user, internal management and access to applications~~	~~User name must be unique~~
~~firstName~~	~~String~~	~~Yes~~	~~Yes~~	~~First name of the user~~
~~lastName~~	~~String~~	~~Yes~~	~~Yes~~	~~First surname~~
~~middleName~~	~~String~~	-	~~Yes~~	~~Used like second surname~~
~~fullName~~	~~String~~	-	-	~~firstName + lastName + middleName~~
~~shortName~~	~~String~~	-	~~Yes~~	~~Mail of the user but without the domain~~	~~The mail is created with the next pattern: shortName + '@' + mailDomain~~
~~createdDate~~	~~Calendar~~	-	-	~~User creation date~~
~~modifiedDate~~	~~Calendar~~	-	-	~~Last modification date of any user attributes~~
~~createdByUser~~	~~String~~	-	-	~~User that has created the user~~
~~modifiedByUser~~	~~String~~	-	-	~~User that has modified the last time attributes of this user~~
~~active~~	~~Boolean~~	-	~~Yes~~	~~User active or disable~~	~~If you avoid this attribute in the create operation by default the value is false~~
~~multiSession~~	~~Boolean~~	-	~~Yes~~	~~Allows some sessions with Soffid ESSO~~	~~When the value is false if the user logs with another session active, the SSO close the previous one~~
~~comments~~	~~String~~	-	~~Yes~~	~~Comments about the user~~
~~userType~~	~~String~~	~~Yes~~	~~Yes~~	~~User type assigned to the user. by default "I"~~	~~New use types could be created in the IAM Console (Administration > Configure Soffid > Global settings > User type)~~
~~profileServer~~	~~String~~	~~Yes~~	~~Yes~~	~~Server which hosts the user profile~~	~~It is linked to Roaming UserProfile on Active Directory~~ ~~Servers are managed in the IAM Console (Administration > Resources > Hosts)~~ ~~In the installation of Soffid a "null" server is created to be used by default~~
~~homeServer~~	~~String~~	~~Yes~~	~~Yes~~	~~Server which hosts the user folder~~	~~It is linked to Home Drive attribute on active directory~~ ~~Servers are managed in the IAM Console (Administration > Resources > Hosts)~~ ~~In the installation of Soffid a "null" server is created to be used by default~~
~~mailServer~~	~~String~~	~~Yes~~	~~Yes~~	~~Server which hosts the user mail~~	~~Servers are managed in the IAM Console (Administration > Resources > Hosts)~~ ~~In the installation of Soffid a "null" server is created to be used by default~~
~~nationalID~~	~~String~~	-	~~Yes~~	~~ID card of the user~~	~~For example the NIF or NIE~~
~~phoneNumber~~	~~String~~	-	~~Yes~~	~~Phone number of the user (company or personal)~~
~~mailAlias~~	~~String~~	-	~~Yes~~	~~Lisf of mails separated by comma~~
~~mailDomain~~	~~String~~	-	~~Yes~~		~~The domain of the mails must be valid~~ ~~Mail domains are managed in the IAM Console (Administration > Resources > Mail Domains)~~
~~primaryGroup~~	~~String~~	~~Yes~~	~~Yes~~	~~ID of the primary group where the user is assigned~~	~~Groups are managed in the IAM Console (Administration > Resources > Groups)~~
~~primaryGroupDescription~~	~~String~~	-	~~Yes~~	~~Description of the primary group where the user is assigned~~	~~Groups are managed in the IAM Console (Administration > Resources > Groups)~~
~~consoleProperties~~	~~ConsoleProperties~~ ~~id (Long)~~ ~~userName (String)~~ ~~lastLoginDate (Calendar)~~ ~~version (String)~~ ~~bookmarks (Collection<String>)~~ ~~preferences (Map)~~ ~~lastIP (String)~~ ~~language (String)~~	-	-	~~Internal properties for the IAM Console~~	~~These properties are created the first time the user access to IAM console~~
~~password~~	~~String~~	-	~~Yes~~	~~Password used with the userName to access applications~~	~~Password is not returned in the searches, is only used in PATCH and PUT methods~~
~~attributes~~	~~Map<String, Object>~~ ~~"attribute" : "value"~~	-	~~Yes~~	~~Additional data assigned to the user~~	~~Attributes are managed in the IAM Console (Administration > Configure Soffid > Global Settings > Metadata)~~ ~~Values are managed in the IAM Console (Administration > Resources > Users)~~
~~meta~~	~~ScimMeta~~ ~~resourceType (String)~~ ~~created (Date)~~ ~~lastModified (Date)~~ ~~location (String)~~	-	-	~~Additional information recommended in SCIM definition:~~ ~~resourceType: Resource requested (in this case "User")~~ ~~created: user creation date~~ ~~lastModified: last modification date of any user attributes~~ ~~location: URL tof the resource (<domain>/webservice/scim/User/<i~~	~~These attributes are returned in the response~~ ~~These attributes are not updatable~~
~~secondaryGroups~~	~~List<JsonSecondaryGroup>~~ ~~id (Long)~~ ~~group (String)~~ ~~groupDescription (String)~~	-	~~Yes~~	~~Secondary groups assigned to the user:~~ ~~id: id of the group~~ ~~group: name of the group (unique)~~ ~~groupDescription: description of the group~~	~~Groups are managed in the IAM Console (Administration > Resources > Groups)~~ ~~Secundary groups are managed in the IAM Console (Administration > Resources > Users)~~
~~accounts~~	~~List<JsonAccount>~~ ~~id (Long)~~ ~~name (String)~~ ~~system (String)~~	-	~~Yes~~	~~Accounts created to the user to access to applications:~~ ~~id: id of the account~~ ~~name: name of the account (unique)~~ ~~system: system to assign access~~	~~Accounts are managed in the IAM Console Administration > Resources > Users, Account tab)~~ ~~Systems are managed in the IAM Console (Administration > Resources > Information Systems)~~

Full JSON example

{
  "lastName": "Smith",
  "createdByUser": "admin",
  "mailServer": "null",
  "mailDomain": "soffid.com",
  "nationalID": "",
  "multiSession": false,
  "modifiedByUser": "admin",
  "id": 1188,
  "homeServer": "null",
  "primaryGroupDescription": "World",
  "primaryGroup": "world",
  "comments": "Sample user",
  "profileServer": "null",
  "secondaryGroups": [
    {
      "groupDescription": "Enterprise",
      "id": 12353,
      "group": "enterprise"
    },
    {
      "groupDescription": "Engineering team",
      "id": 12347,
      "group": "engineering"
    }
  ],
  "active": true,
  "fullName": "John Smith",
  "userName": "jsmith",
  "mailAlias": "jsmith@soffid.com, jsmith.dev@soffid.com",
  "firstName": "John",
  "createdDate": "2017-08-04T15:04:37+02:00",
  "phoneNumber": "666777888",
  "meta": {
    "created": "2017-08-04T15:04:37+02:00",
    "location": "http://<domain>/webservice/scim/User/1188",
    "lastModified": "2017-08-18T16:52:38+02:00",
    "resourceType": "User"
  },
  "modifiedDate": "2017-08-18T16:52:38+02:00",
  "attributes": {
    "employeeId": "1234",
    "position": "Developer"
  },
 "middleName": "",
 "accounts": [
    {
      "system": "soffid",
      "name": "jsmith",
      "id": 12453
    }
  ],
  "userType": "I",
  "shortName": "jsmith"
}

/Group

Dictionary table

~~Attribute~~	~~Type~~	~~Required~~	~~Updatable~~	~~Description~~	~~Additional comment~~
id	~~Long~~	~~Yes~~	-	~~Primary key of the group~~
~~name~~	~~String~~	~~Yes~~	~~Yes~~	~~Name used to identify a group~~	~~Name must be unique~~
~~quota~~	~~String~~	-	~~Yes~~	~~Quota allocated to the shared folder~~
~~description~~	~~String~~	-	~~Yes~~	~~Description of the group~~
~~parentGroup~~	~~String~~	-	~~Yes~~	~~Name of the parent group~~	~~Only the root group doesn't have value.~~ ~~The groups have a tree structure.~~
~~type~~	~~String~~	-	~~Yes~~	~~ID of the organizational unit type~~	~~Organizational units type are managed in the IAM Console (Administration > Configure Soffid > Global Settings > Group Type)~~
~~driveLetter~~	~~String~~	-	~~Yes~~	~~Drive letter used to get access to this group's drive~~	~~This shared folder can be mounted on ESSO hosts by using a startup script~~ ~~Only one character are allowed~~
~~driveServerName~~	~~String~~	-	~~Yes~~	~~File server to store this group's drive~~	~~Only applies when used in combination with shared folder agents and script logons. If specified, a shared folder for this group will be created.~~
~~obsolete~~	~~Boolean~~	-	~~Yes~~
~~organizational~~	~~Boolean~~	-	~~Yes~~
~~section~~	~~String~~	-	~~Yes~~
~~meta~~	~~ScimMeta~~ ~~resourceType (String)~~ ~~created (Date)~~ ~~lastModified (Date)~~ ~~location (String)~~	-	-	~~Additional information recommended in SCIM definition:~~ ~~resourceType: Resource requested (in this case "Group")~~ ~~created: user creation date~~ ~~lastModified: last modification date of any user attributes~~ ~~location: URL tof the resource <domain>/webservice/scim/Group/<id>~~	~~These attributes are returned in the response~~ ~~These attributes are not updatable~~
~~attributes~~	~~Map<String, Object>~~ ~~"attribute" : "value"~~	-	~~Yes~~	~~Additional data assigned to the group~~	~~Attributes are defined in the IAM Console (Administration > Configure Soffid > Global Settings > Metadata)~~ ~~Values are managed in the IAM Console (Administration > Resources > Groups)~~

Full JSON example

{
  "organizational": true,
  "driveLetter": "G",
  "obsolete": true,
  "description": "Enterprise engineering team",
  "section": null,
  "type": null,
  "meta": {
    "location": "http://<domain>/webservice/scim/Group/11345",
    "resourceType": "Group"
  },
  "quota": "0",
  "name": "Engineering team",
  "parentGroup": "enterprise",
  "attributes": {},
  "id": 11345
}

/Account

Dictionary table

Attribute	Type	Required	Updatable	Description	Additional comment
id	Long	Yes	-	Primary key of the account
name	String	Yes	Yes	Name used to identify the account
description	String	-	Yes	Description of the account
type	AccountType	Yes	Yes	Acount Type. Values [ U \| S \| P \| I ]	U=user, S=shared, P=privileged, I=Ignored To create a user type account, a single user must be specified in ownerUsers attribute
system	String	-	Yes	System to assign access	Systems are managed in the IAM Console (Administration > Resources > Information Systems)
lastUpdated	Calendar	-	No	Last time the account has been updated
lastPasswordSet	Calendar	-	No	Last time the password of the account has been setted
passwordExpiration	Calendar	-	No	Expiration date of the password of the account
disabled	boolean	-	Yes	Account active (false) or disabled (true)
passwordPolicy	String	-	No	User type assigned to the account as a user. By default "I"	New user types could be created in the IAM Console (Administration > Configure Soffid > Global Settings > User types)
vaultFolderId	Long	-	No
vaultFolder	String	-	No
inheritNewPermissions	boolean	-	No
loginUrl	String	-	No
attributes	Map<String, Object>	-	Yes	List of values of the metadata attributes of the agente of the account
grantedGroups	Collection<Group>	-	Yes	List of groups assigned to an account
grantedUsers	Collection<User>	-	Yes	List of users assigned to an account
grantedRoles	Collection<Group>	-	Yes	List of roles assigned to an account
managerGroups	Collection<Role>	-	Yes	List of groups assigned to an account as managers
managerUsers	Collection<User>	-	Yes	List of users assigned to an account as managers
managerRoles	Collection<Role>	-	Yes	List of roles assigned to an account as a managers
ownerGroups	Collection<Group>	-	Yes	List of groups assigned to an account as owners
ownerUsers	Collection<User>	-	Yes	List of users assigned to an account as managers
ownerRoles	Collection<Role>	-	Yes	List of roles assigned to an account as managers
password	String	-	Yes	The password of the account
roles	List<Role> id (Long) roleName (String) roleDescription (String) informationSystemName (String) domainValue (String)	-	Yes	List<Role> → list of the roles assigned to the account id: id of the role roleName: role name of the role roleDescription: role description of the role informationSystemName: application where the role is assigned domainValue: domain value (if exists)
meta	ScimMeta resourceType (String) created (Date) lastModified (Date) location (String)	-	-	Additional information recommended in SCIM definition: resourceType: Resource requested (in this case "Account") created: user creation date lastModified: last modification date of any user attributes location: URL to the resource <domain>/webservice/scim/Account/<id>	These attributes are returned in the response These attributes are not updatable

Full JSON example

{
  "description": "Admin Admin",
  "type": "U",
  "inheritNewPermissions": false,
  "disabled": false,
  "id": 69,
  "roles": [
    {
      "role": 30
    }
  ],
  "grantedUsers": []
  "grantedGroups": [],
  "grantedRoles": [],
  "managerGroups": [],
  "managerRoles": [],
  "managerUsers": [],
  "ownerGroups": [],
  "ownerRoles": [],
  "ownerUsers": [],
  "passwordPolicy": "I",
  "system": "soffid",
  "meta": {
    "location": "http://<domain>/webservice/scim/scim2/v1/Account/69",
    "resourceType": "Account"
  },
  "name": "admin",
  "attributes": {},
}

/Application (addon version 1.2.0+)

Dictionary table

~~Attribute~~	~~Type~~	~~Required~~	~~Updatable~~	~~Description~~	~~Additional comment~~
id	~~Long~~	~~Yes~~	-	~~Primary key of the application~~
~~name~~	~~String~~	~~Yes~~	~~Yes~~	~~Name used to identify the application~~
~~description~~	~~String~~	-	~~Yes~~	~~Description of the application~~
~~singleRole~~	~~boolean~~	No	~~Yes~~	~~true to enforce no user has two roles in this application at the same time~~	~~Setting the value to true does not automatically remove currently assigned roles.~~
~~bpmEnforced~~	~~boolean~~	No	~~Yes~~	~~Set to true if the user can request this role through the self service interface~~
~~database~~	~~String~~	No	~~Yes~~	~~Target system~~	~~Free text field~~
~~attributes~~	~~Map<String, Object>~~	-	~~Yes~~	~~Custom application attributes~~	~~Define new custom attributes (Administration > Configure Soffid > Global Settings > Metadata)~~
~~meta~~	~~ScimMeta~~ ~~resourceType (String)~~ ~~location (String)~~	-	-	~~Additional information recommended in SCIM definition:~~ ~~resourceType: Resource requested (in this case "Application")~~ ~~location: URL tof the resource <domain>/webservice/scim/Account/<id>~~	~~These attributes are returned in the response~~ ~~These attributes are not updatable~~

Full JSON example

{
    "description": "Active Directory",
    "singleRole": false,
    "bpmEnforced": false,
    "database": "ad",
    "meta": {
        "location": "http://bubu-thinkpad:8080/webservice/scim/Application/1573127",
        "resourceType": "Application"
    },
    "name": "ad",
    "attributes": {},
    "id": 1573127
}

/Role (addon version 1.2.0+)

Dictionary table

~~Attribute~~	~~Type~~	~~Required~~	~~Updatable~~	~~Description~~	~~Additional comment~~
id	~~Long~~	~~Yes~~	-	~~Primary key of the role~~
~~name~~	~~String~~	~~Yes~~	~~Yes~~	~~Name used to identify the role~~
~~description~~	~~String~~	-	~~Yes~~	~~Description of the role~~
~~system~~	~~String~~	~~Yes~~	~~Yes~~	~~Target system where the role exists~~
~~indirectAsignment~~	~~boolean~~	-	No	~~Flag that warns about roles granted by other roles~~
~~bpmEnforced~~	~~boolean~~	No	~~Yes~~	~~Set to true if the user can request this role through the self service interface~~
~~informationSystemName~~	~~String~~	~~Yes~~	~~Yes~~	~~Application that uses this role~~
~~password~~	~~boolean~~	No	~~Yes~~	~~Set to true if the access to this role is protected by a password~~	~~Usually applies only to Oracle database roles~~
~~enableByDefault~~	~~boolean~~	No	~~Yes~~	~~Set to true if the access to this role is enabled by default~~	~~Usually applies only to Oracle database roles~~
~~domain~~	~~Json object~~	~~Yes~~	~~Yes~~	~~Domain that drives how this role is granted to users.~~	~~Domain attributes:~~ ~~name (SENSE_DOMINI for roles with no domain, another value for custom domains)~~ ~~description: domain description~~ ~~externalCode: application name~~
~~approvalStart~~	~~Date~~	-	No	~~Last change timestamp~~
~~approvalEnd~~	~~Date~~	-	No	~~Approval timestamp~~	~~If no approval definition workflow is defined, it contains the last change timestamp~~
~~attributes~~	~~Map<String, Object>~~	-	-	~~Custom application attributes~~	~~Define new custom attributes in the "additional data" screen.~~
~~ownedRoles~~	~~Collection<RoleGrant>~~	No	~~Yes~~	~~Contains the roles to grant with this role~~	~~Role grant attributes:~~ ~~informationSystem: application name~~ ~~ownerRole: optional~~ ~~owner role id~~ ~~ownerRoleName: optional name of owner role~~ ~~ownerRolDomainValue: domain value of owner role (optional)~~ ~~ownerSystem: optional system of owner role~~ ~~mandatory: true to set the relationship as mandatory~~ ~~enabled: true if the grant is already approved~~ ~~roleName: owned (child) role name~~ ~~system: system of owned (child) role~~ ~~domainValue: domain value for owned (child) role~~
~~granteeGroups~~	~~Collection<RoleGrant>~~	No	~~Yes~~	~~Contains the groups that are granted with the current role~~	~~Role grant attributes:~~ ~~informationSystem: application name~~ ~~ownerGroup: group name~~ ~~mandatory: true to set the relationship as mandatory~~ ~~enabled: true if the grant is already approved~~ ~~roleName: owned (current) role name~~ ~~system: system of owned (current) role~~ ~~domainValue: domain value for owned (current) role~~
~~ownerRoles~~	~~Collection<RoleGrant>~~	No	~~Yes~~	~~Contains the roles that grant the current one~~	~~Role grant attributes:~~ ~~informationSystem: application name~~ ~~ownerRole: optional~~ ~~owner role id~~ ~~ownerRoleName: mandatory name of owner role~~ ~~ownerRolDomainValue: domain value of owner role (optional)~~ ~~ownerSystem: mandatory system of owner role~~ ~~mandatory: true to set the relationship as mandatory~~ ~~enabled: true if the grant is already approvedroleName: owned (current) role name~~ ~~system: system of owned (current) role~~ ~~domainValue: domain value for owned (current) role~~
~~meta~~	~~ScimMeta~~ ~~resourceType (String)~~ ~~location (String)~~	-	-	~~Additional information recommended in SCIM definition:~~ ~~resourceType: Resource requested (in this case "Role")~~ ~~location: URL tof the resource <domain>/webservice/scim/Role/<id>~~	~~These attributes are returned in the response~~ ~~These attributes are not updatable~~

Full JSON example

 {
    "approvalEnd": "2019-11-01T19:22:14+01:00",
    "ownedRoles": [
        {
            "informationSystem": "TEST",
            "ownerRole": 34,
            "roleId": 5794,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "TestRole",
            "hasDomain": false,
            "id": 1207155,
            "ownerRoleName": "SOFFID_ADMIN",
            "status": {
                "value": "A"
            }
        },
        {
            "informationSystem": "SOFFID",
            "ownerRole": 34,
            "roleId": 50247,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "test2",
            "hasDomain": false,
            "id": 2209016,
            "ownerRoleName": "SOFFID_ADMIN",
            "status": {
                "value": "A"
            }
        }
    ],
    "indirectAssignment": "",
    "description": "SOFFID Administrator",
    "granteeGroups": [],
    "bpmEnforced": false,
    "informationSystemName": "SOFFID",
    "password": false,
    "system": "soffid",
    "ownerRoles": [],
    "meta": {
        "location": "http://bubu-thinkpad:8080/webservice/scim/Role/34",
        "resourceType": "Role"
    },
    "domain": {
        "name": "SENSE_DOMINI",
        "description": ""
    },
    "name": "SOFFID_ADMIN",
    "approvalStart": "2019-11-01T19:22:14+01:00",
    "attributes": {},
    "id": 34,
    "enableByDefault": true
}

Notes about role domains

By default, roles have no security domain (sometimes referred to as scope). When a security domain is assigned to a role, each account-role object is tagged with the proper security domain value. It is allowed to assign one role multiple times to the same user, as long as each assignment is tagged with a different security domain value. For instance, one can create the SOFFID_OU_MANAGER role bound to the GROUPS security domain. Then, you can assign the role SOFFID_OU_MANAGER/Group1 to any user.

~~Four kinds of security domains are available:~~

~~SENSE_DOMAIN: No security domain applies.~~

~~GROUP: A business unit is bound to each grant of this role.~~

~~APPLICATION: A information system is bound to each grant of this role.~~

~~Custom domain: Each application can have its own security domains with arbitrary meanings.~~

~~To set or modify the role domain for a role, one can use the "domain" attribute. This attribute is a complex object composed of a name and a description. Only the name is mandatory.~~

Notes about role inheritance

~~Role inheritance is driven by the ownedRoles, ownerRoles and ownedGroups. Each of these attributes is an array of grants. Each grant has the following attributes:~~

~~ownerRole: id of owner role.~~

~~ownerSystem: name of owner role's system.~~

~~ownerRoleName: name of owner role's name.~~

~~ownerRolDomainValue: security domain of the owner role. If a user is granted with the owner role, and the~~

~~ownerRolDomainValue does not match the grant domain, the inheritance rule does not apply.~~

~~roleId: id of owned role.~~

~~system: name of owned role's system~~

~~roleName: name of owned role's name~~

~~domainValue: security domain of the owned role.~~

~~The role inheritance can vary slightly depending on whether the owned role and the owner role are in the same domain or not:~~

~~Resulting domain value~~	~~Owner role has no domain~~	~~Owner role has a different domain~~	~~Same domain~~
~~Domain value not specified~~	~~Blank~~	~~Blank~~	~~Owner role domain value~~
~~Domain value specified~~	~~Specified value~~	~~Specified value~~	~~Specified value~~