Application resource data model
The data model of the Soffid objects is mapped to JSON objects to enable the data transport between client and server.
/User
Dictionary table
Attribute | Type | Required | Updatable | Description | Additional comment |
id |
Long |
Yes |
- |
Primary key of the user |
|
userName |
String |
Yes |
Yes |
User name used to identify a user, internal management and access to applications |
User name must be unique |
firstName |
String |
Yes |
Yes |
First name of the user |
|
lastName |
String |
Yes |
Yes |
First surname |
|
middleName |
String |
- |
Yes |
Used like second surname |
|
fullName |
String |
- |
- |
firstName + lastName + middleName |
|
shortName |
String |
- |
Yes |
Mail of the user but without the domain |
The mail is created with the next pattern: shortName + '@' + mailDomain |
createdDate |
Calendar |
- |
- |
User creation date |
|
modifiedDate |
Calendar |
- |
- |
Last modification date of any user attributes |
|
createdByUser |
String |
- |
- |
User that has created the user |
|
modifiedByUser |
String |
- |
- |
User that has modified the last time attributes of this user |
|
active |
Boolean |
- |
Yes |
User active or disable |
If you avoid this attribute in the create operation by default the value is false |
multiSession |
Boolean |
- |
Yes |
Allows some sessions with Soffid ESSO |
When the value is false if the user logs with another session active, the SSO close the previous one |
comments |
String |
- |
Yes |
Comments about the user |
|
userType |
String |
Yes |
Yes |
User type assigned to the user. by default "I" |
New use types could be created in the IAM Console (Administration > Configure Soffid > Global settings > User type) |
profileServer |
String |
Yes |
Yes |
Server which hosts the user profile |
It is linked to Roaming UserProfile on Active Directory Servers are managed in the IAM Console (Administration > Resources > Hosts) In the installation of Soffid a "null" server is created to be used by default |
homeServer |
String |
Yes |
Yes |
Server which hosts the user folder |
It is linked to Home Drive attribute on active directory Servers are managed in the IAM Console (Administration > Resources > Hosts) In the installation of Soffid a "null" server is created to be used by default |
mailServer |
String |
Yes |
Yes |
Server which hosts the user mail |
Servers are managed in the IAM Console (Administration > Resources > Hosts) In the installation of Soffid a "null" server is created to be used by default |
nationalID |
String |
- |
Yes |
ID card of the user |
For example the NIF or NIE |
phoneNumber |
String |
- |
Yes |
Phone number of the user (company or personal) |
|
mailAlias |
String |
- |
Yes |
Lisf of mails separated by comma |
|
mailDomain |
String |
- |
Yes |
|
The domain of the mails must be valid Mail domains are managed in the IAM Console (Administration > Resources > Mail Domains) |
primaryGroup |
String |
Yes |
Yes |
ID of the primary group where the user is assigned |
Groups are managed in the IAM Console (Administration > Resources > Groups) |
primaryGroupDescription |
String |
- |
Yes |
Description of the primary group where the user is assigned |
Groups are managed in the IAM Console (Administration > Resources > Groups) |
consoleProperties |
ConsoleProperties
|
- |
- |
Internal properties for the IAM Console |
These properties are created the first time the user access to IAM console |
password |
String |
- |
Yes |
Password used with the userName to access applications |
Password is not returned in the searches, is only used in PATCH and PUT methods |
attributes |
Map<String, Object>
|
- |
Yes |
Additional data assigned to the user |
Attributes are managed in the IAM Console (Administration > Configure Soffid > Global Settings > Metadata) Values are managed in the IAM Console (Administration > Resources > Users) |
meta |
ScimMeta
|
- |
- |
Additional information recommended in SCIM definition:
|
These attributes are returned in the response These attributes are not updatable |
secondaryGroups |
List<JsonSecondaryGroup>
|
- |
Yes |
Secondary groups assigned to the user:
|
Groups are managed in the IAM Console (Administration > Resources > Groups) Secundary groups are managed in the IAM Console (Administration > Resources > Users) |
accounts |
List<JsonAccount> id (Long) name (String) system (String) |
- |
Yes |
Accounts created to the user to access to applications:
|
Accounts are managed in the IAM Console Administration > Resources > Users, Account tab) Systems are managed in the IAM Console (Administration > Resources > Information Systems) |
Full JSON example
{
"lastName": "Smith",
"createdByUser": "admin",
"mailServer": "null",
"mailDomain": "soffid.com",
"nationalID": "",
"multiSession": false,
"modifiedByUser": "admin",
"id": 1188,
"homeServer": "null",
"primaryGroupDescription": "World",
"primaryGroup": "world",
"comments": "Sample user",
"profileServer": "null",
"secondaryGroups": [
{
"groupDescription": "Enterprise",
"id": 12353,
"group": "enterprise"
},
{
"groupDescription": "Engineering team",
"id": 12347,
"group": "engineering"
}
],
"active": true,
"fullName": "John Smith",
"userName": "jsmith",
"mailAlias": "jsmith@soffid.com, jsmith.dev@soffid.com",
"firstName": "John",
"createdDate": "2017-08-04T15:04:37+02:00",
"phoneNumber": "666777888",
"meta": {
"created": "2017-08-04T15:04:37+02:00",
"location": "http://<domain>/webservice/scim/User/1188",
"lastModified": "2017-08-18T16:52:38+02:00",
"resourceType": "User"
},
"modifiedDate": "2017-08-18T16:52:38+02:00",
"attributes": {
"employeeId": "1234",
"position": "Developer"
},
"middleName": "",
"accounts": [
{
"system": "soffid",
"name": "jsmith",
"id": 12453
}
],
"userType": "I",
"shortName": "jsmith"
}
/Group
Dictionary table
Attribute | Type | Required | Updatable | Description | Additional comment |
id |
Long |
Yes |
- |
Primary key of the group |
|
name |
String |
Yes |
Yes |
Name used to identify a group |
Name must be unique |
quota |
String |
- |
Yes |
Quota allocated to the shared folder |
|
description |
String |
- |
Yes |
Description of the group |
|
parentGroup |
String |
- |
Yes |
Name of the parent group |
Only the root group doesn't have value. The groups have a tree structure. |
type |
String |
- |
Yes |
ID of the organizational unit type |
Organizational units type are managed in the IAM Console (Administration > Configure Soffid > Global Settings > Group Type) |
driveLetter |
String |
- |
Yes |
Drive letter used to get access to this group's drive |
This shared folder can be mounted on ESSO hosts by using a startup script Only one character are allowed |
driveServerName |
String |
- |
Yes |
File server to store this group's drive |
Only applies when used in combination with shared folder agents and script logons. If specified, a shared folder for this group will be created. |
obsolete |
Boolean |
- |
Yes |
|
|
organizational |
Boolean |
- |
Yes |
|
|
section |
String |
- |
Yes |
|
|
meta |
ScimMeta
|
- |
- |
Additional information recommended in SCIM definition:
|
These attributes are returned in the response These attributes are not updatable |
attributes |
Map<String, Object>
|
- |
Yes |
Additional data assigned to the group |
Attributes are defined in the IAM Console (Administration > Configure Soffid > Global Settings > Metadata) Values are managed in the IAM Console (Administration > Resources > Groups) |
Full JSON example
{
"organizational": true,
"driveLetter": "G",
"obsolete": true,
"description": "Enterprise engineering team",
"section": null,
"type": null,
"meta": {
"location": "http://<domain>/webservice/scim/Group/11345",
"resourceType": "Group"
},
"quota": "0",
"name": "Engineering team",
"parentGroup": "enterprise",
"attributes": {},
"id": 11345
}
/Account
Dictionary table
Attribute | Type | Required | Updatable | Description | Additional comment |
id |
Long |
Yes |
- |
Primary key of the account |
|
name |
String |
Yes |
Yes |
Name used to identify the account |
|
description |
String |
- |
Yes |
Description of the account |
|
type |
AccountType |
Yes |
Yes |
Acount Type. Values [ U | S | P | I ] |
U=user, S=shared, P=privileged, I=Ignored To create a user type account, a single user must be specified in ownerUsers attribute |
system |
String |
- |
Yes |
System to assign access |
Systems are managed in the IAM Console (Administration > Resources > Information Systems) |
lastUpdated |
Calendar |
- |
No |
Last time the account has been updated |
|
lastPasswordSet |
Calendar |
- |
No |
Last time the password of the account has been setted |
|
passwordExpiration |
Calendar |
- |
No |
Expiration date of the password of the account |
|
disabled |
boolean |
- |
Yes |
Account active (false) or disabled (true) |
|
passwordPolicy |
String |
- |
No |
User type assigned to the account as a user. By default "I" |
New user types could be created in the IAM Console (Administration > Configure Soffid > Global Settings > User types) |
vaultFolderId |
Long |
- |
No |
|
|
vaultFolder |
String |
- |
No |
|
|
inheritNewPermissions |
boolean |
- |
No |
|
|
loginUrl |
String |
- |
No |
|
|
attributes |
Map<String, Object> |
- |
Yes |
List of values of the metadata attributes of the agente of the account |
|
grantedGroups |
Collection<Group> |
- |
Yes |
List of groups assigned to an account |
|
grantedUsers |
Collection<User> |
- |
Yes |
List of users assigned to an account |
|
grantedRoles |
Collection<Group> |
- |
Yes |
List of roles assigned to an account |
|
managerGroups |
Collection<Role> |
- |
Yes |
List of groups assigned to an account as managers |
|
managerUsers |
Collection<User> |
- |
Yes |
List of users assigned to an account as managers |
|
managerRoles |
Collection<Role> |
- |
Yes |
List of roles assigned to an account as a managers |
|
ownerGroups |
Collection<Group> |
- |
Yes |
List of groups assigned to an account as owners |
|
ownerUsers |
Collection<User> |
- |
Yes |
List of users assigned to an account as managers |
|
ownerRoles |
Collection<Role> |
- |
Yes |
List of roles assigned to an account as managers |
|
password |
String |
- |
Yes |
The password of the account |
|
roles |
List<Role>
|
- |
Yes |
List<Role> → list of the roles assigned to the account
|
|
meta |
ScimMeta
|
- |
- |
Additional information recommended in SCIM definition:
|
These attributes are returned in the response These attributes are not updatable |
Full JSON example
{
"description": "Admin Admin",
"type": "U",
"inheritNewPermissions": false,
"disabled": false,
"id": 69,
"roles": [
{
"role": 30
}
],
"grantedUsers": []
"grantedGroups": [],
"grantedRoles": [],
"managerGroups": [],
"managerRoles": [],
"managerUsers": [],
"ownerGroups": [],
"ownerRoles": [],
"ownerUsers": [],
"passwordPolicy": "I",
"system": "soffid",
"meta": {
"location": "http://<domain>/webservice/scim/Account/69",
"resourceType": "Account"
},
"name": "admin",
"attributes": {},
}
/Application (addon version 1.2.0+)
Dictionary table
Attribute | Type | Required | Updatable | Description | Additional comment |
id |
Long |
Yes |
- |
Primary key of the application |
|
name |
String |
Yes |
Yes |
Name used to identify the application |
|
description |
String |
- |
Yes |
Description of the application |
|
singleRole |
boolean |
No |
Yes |
true to enforce no user has two roles in this application at the same time |
Setting the value to true does not automatically remove currently assigned roles. |
bpmEnforced |
boolean |
No |
Yes |
Set to true if the user can request this role through the self service interface |
|
database |
String |
No |
Yes |
Target system |
Free text field |
attributes |
|
- |
Yes |
Custom application attributes |
Define new custom attributes (Administration > Configure Soffid > Global Settings > Metadata) |
meta |
ScimMeta
|
- |
- |
Additional information recommended in SCIM definition:
|
These attributes are returned in the response These attributes are not updatable |
Full JSON example
{
"description": "Active Directory",
"singleRole": false,
"bpmEnforced": false,
"database": "ad",
"meta": {
"location": "http://bubu-thinkpad:8080/webservice/scim/Application/1573127",
"resourceType": "Application"
},
"name": "ad",
"attributes": {},
"id": 1573127
}
/Role (addon version 1.2.0+)
Dictionary table
Attribute | Type | Required | Updatable | Description | Additional comment |
id |
Long |
Yes |
- |
Primary key of the role |
|
name |
String |
Yes |
Yes |
Name used to identify the role |
|
description |
String |
- |
Yes |
Description of the role |
|
system |
String |
Yes |
Yes |
Target system where the role exists |
|
indirectAsignment |
boolean |
- |
No |
Flag that warns about roles granted by other roles |
|
bpmEnforced |
boolean |
No |
Yes |
Set to true if the user can request this role through the self service interface |
|
informationSystemName |
String |
Yes |
Yes |
Application that uses this role |
|
password |
boolean |
No |
Yes |
Set to true if the access to this role is protected by a password |
Usually applies only to Oracle database roles |
enableByDefault |
boolean |
No |
Yes |
Set to true if the access to this role is enabled by default |
Usually applies only to Oracle database roles |
domain |
Json object |
Yes |
Yes |
Domain that drives how this role is granted to users. |
Domain attributes:
|
approvalStart |
Date |
- |
No |
Last change timestamp |
|
approvalEnd |
Date |
- |
No |
Approval timestamp |
If no approval definition workflow is defined, it contains the last change timestamp |
attributes |
Map<String, Object> |
- |
- |
Custom application attributes |
Define new custom attributes in the "additional data" screen. |
ownedRoles |
Collection<RoleGrant> |
No |
Yes |
Contains the roles to grant with this role |
Role grant attributes:
|
granteeGroups |
Collection<RoleGrant>
|
No |
Yes |
Contains the groups that are granted with the current role |
Role grant attributes:
|
ownerRoles |
Collection<RoleGrant> |
No |
Yes |
Contains the roles that grant the current one |
Role grant attributes:
|
meta |
ScimMeta
|
- |
- |
Additional information recommended in SCIM definition:
|
These attributes are returned in the response These attributes are not updatable |
Full JSON example
{
"approvalEnd": "2019-11-01T19:22:14+01:00",
"ownedRoles": [
{
"informationSystem": "TEST",
"ownerRole": 34,
"roleId": 5794,
"mandatory": true,
"enabled": true,
"ownerSystem": "soffid",
"system": "soffid",
"roleName": "TestRole",
"hasDomain": false,
"id": 1207155,
"ownerRoleName": "SOFFID_ADMIN",
"status": {
"value": "A"
}
},
{
"informationSystem": "SOFFID",
"ownerRole": 34,
"roleId": 50247,
"mandatory": true,
"enabled": true,
"ownerSystem": "soffid",
"system": "soffid",
"roleName": "test2",
"hasDomain": false,
"id": 2209016,
"ownerRoleName": "SOFFID_ADMIN",
"status": {
"value": "A"
}
}
],
"indirectAssignment": "",
"description": "SOFFID Administrator",
"granteeGroups": [],
"bpmEnforced": false,
"informationSystemName": "SOFFID",
"password": false,
"system": "soffid",
"ownerRoles": [],
"meta": {
"location": "http://bubu-thinkpad:8080/webservice/scim/Role/34",
"resourceType": "Role"
},
"domain": {
"name": "SENSE_DOMINI",
"description": ""
},
"name": "SOFFID_ADMIN",
"approvalStart": "2019-11-01T19:22:14+01:00",
"attributes": {},
"id": 34,
"enableByDefault": true
}
Notes about role domains
By default, roles have no security domain (sometimes referred to as scope). When a security domain is assigned to a role, each account-role object is tagged with the proper security domain value. It is allowed to assign one role multiple times to the same user, as long as each assignment is tagged with a different security domain value. For instance, one can create the SOFFID_OU_MANAGER role bound to the GROUPS security domain. Then, you can assign the role SOFFID_OU_MANAGER/Group1 to any user.
Four kinds of security domains are available:
- SENSE_DOMAIN: No security domain applies.
- GROUP: A business unit is bound to each grant of this role.
- APPLICATION: A information system is bound to each grant of this role.
- Custom domain: Each application can have its own security domains with arbitrary meanings.
To set or modify the role domain for a role, one can use the "domain" attribute. This attribute is a complex object composed of a name and a description. Only the name is mandatory.
Notes about role inheritance
Role inheritance is driven by the ownedRoles, ownerRoles and ownedGroups. Each of these attributes is an array of grants. Each grant has the following attributes:
- ownerRole: id of owner role.
- ownerSystem: name of owner role's system.
- ownerRoleName: name of owner role's name.
- ownerRolDomainValue: security domain of the owner role. If a user is granted with the owner role, and the
- ownerRolDomainValue does not match the grant domain, the inheritance rule does not apply.
- roleId: id of owned role.
- system: name of owned role's system
- roleName: name of owned role's name
- domainValue: security domain of the owned role.
The role inheritance can vary slightly depending on whether the owned role and the owner role are in the same domain or not:
Resulting domain value |
Owner role has no domain |
Owner role has a different domain |
Same domain |
---|---|---|---|
Domain value not specified | Blank | Blank | Owner role domain value |
Domain value specified | Specified value | Specified value | Specified value |