Skip to main content

Group resource data model

The data model of the Soffid objects is mapped to JSON objects to enable the data transport between client and server.

/User

Dictionary table

AttributeTypeRequiredUpdatableDescriptionAdditional comment

id

Long

Yes

-

Primary key of the user

 

userName

String

Yes

Yes

User name used to identify a user, internal management and access to applications

User name must be unique

firstName

String

Yes

Yes

First name of the user

 

lastName

String

Yes

Yes

First surname

 

middleName

String

-

Yes

Used like second surname

 

fullName

String

-

-

firstName + lastName + middleName

 

shortName

String

-

Yes

Mail of the user but without the domain

The mail is created with the next pattern: shortName + '@' + mailDomain

createdDate

Calendar

-

-

User creation date

 

modifiedDate

Calendar

-

-

Last modification date of any user attributes

 

createdByUser

String

-

-

User that has created the user

 

modifiedByUser

String

-

-

User that has modified the last time attributes of this user

 

active

Boolean

-

Yes

User active or disable

If you avoid this attribute in the create operation by default the value is false

multiSession

Boolean

-

Yes

Allows some sessions with Soffid ESSO

When the value is false if the user logs with another session active, the SSO close the previous one

comments

String

-

Yes

Comments about the user

 

userType

String

Yes

Yes

User type assigned to the user. by default "I"

New use types could be created in the IAM Console (Administration > Configure Soffid > Global settings > User type)

profileServer

String

Yes

Yes

Server which hosts the user profile

It is linked to Roaming UserProfile on Active Directory

Servers are managed in the IAM Console (Administration > Resources > Hosts)

In the installation of Soffid a "null" server is created to be used by default

homeServer

String

Yes

Yes

Server which hosts the user folder

It is linked to Home Drive attribute on active directory

Servers are managed in the IAM Console (Administration > Resources > Hosts)

In the installation of Soffid a "null" server is created to be used by default

mailServer

String

Yes

Yes

Server which hosts the user mail

Servers are managed in the IAM Console (Administration > Resources > Hosts)

In the installation of Soffid a "null" server is created to be used by default

nationalID

String

-

Yes

ID card of the user

For example the NIF or NIE

phoneNumber

String

-

Yes

Phone number of the user (company or personal)

 

mailAlias

String

-

Yes

Lisf of mails separated by comma

 

mailDomain

String

-

Yes

 

The domain of the mails must be valid

Mail domains are managed in the IAM Console (Administration > Resources > Mail Domains)

primaryGroup

String

Yes

Yes

ID of the primary group where the user is assigned

Groups are managed in the IAM Console (Administration > Resources > Groups)

primaryGroupDescription

String

-

Yes

Description of the primary group where the user is assigned

Groups are managed in the IAM Console (Administration > Resources > Groups)

consoleProperties

ConsoleProperties

  • id (Long)
  • userName (String)
  • lastLoginDate (Calendar)
  • version (String)
  • bookmarks (Collection<String>)
  • preferences (Map)
  • lastIP (String)
  • language (String)

-

-

Internal properties for the IAM Console

These properties are created the first time the user access to IAM console

password

String

-

Yes

Password used with the userName to access applications

Password is not returned in the searches, is only used in PATCH and PUT methods

attributes

Map<String, Object>

  • "attribute" : "value"

-

Yes

Additional data assigned to the user

Attributes are managed in the IAM Console (Administration > Configure Soffid > Global Settings > Metadata)

Values are managed in the IAM Console (Administration > Resources > Users)

meta

 ScimMeta

  • resourceType (String)
  • created (Date)
  • lastModified (Date)
  • location (String)

-

-

Additional information recommended in SCIM definition:

  • resourceType: Resource requested (in this case "User")
  • created: user creation date
  • lastModified: last modification date of any user attributes
  • location: URL tof the resource (<domain>/webservice/scim/User/<i

These attributes are returned in the response

These attributes are not updatable

secondaryGroups

 List<JsonSecondaryGroup>

  • id (Long)
  • group (String)
  • groupDescription (String)

-

Yes

Secondary groups assigned to the user:

  • id: id of the group
  • group: name of the group (unique)
  • groupDescription: description of the group

Groups are managed in the IAM Console (Administration > Resources > Groups)

Secundary groups are managed in the IAM Console (Administration > Resources > Users)

accounts

List<JsonAccount>

id (Long)

name (String)

system (String)

-

Yes

Accounts created to the user to access to applications:

  • id: id of the account
  • name: name of the account (unique)
  • system: system to assign access

Accounts are managed in the IAM Console Administration > Resources > Users, Account tab)

Systems are managed in the IAM Console (Administration > Resources > Information Systems)

Full JSON example

{
  "lastName": "Smith",
  "createdByUser": "admin",
  "mailServer": "null",
  "mailDomain": "soffid.com",
  "nationalID": "",
  "multiSession": false,
  "modifiedByUser": "admin",
  "id": 1188,
  "homeServer": "null",
  "primaryGroupDescription": "World",
  "primaryGroup": "world",
  "comments": "Sample user",
  "profileServer": "null",
  "secondaryGroups": [
    {
      "groupDescription": "Enterprise",
      "id": 12353,
      "group": "enterprise"
    },
    {
      "groupDescription": "Engineering team",
      "id": 12347,
      "group": "engineering"
    }
  ],
  "active": true,
  "fullName": "John Smith",
  "userName": "jsmith",
  "mailAlias": "jsmith@soffid.com, jsmith.dev@soffid.com",
  "firstName": "John",
  "createdDate": "2017-08-04T15:04:37+02:00",
  "phoneNumber": "666777888",
  "meta": {
    "created": "2017-08-04T15:04:37+02:00",
    "location": "http://<domain>/webservice/scim/User/1188",
    "lastModified": "2017-08-18T16:52:38+02:00",
    "resourceType": "User"
  },
  "modifiedDate": "2017-08-18T16:52:38+02:00",
  "attributes": {
    "employeeId": "1234",
    "position": "Developer"
  },
 "middleName": "",
 "accounts": [
    {
      "system": "soffid",
      "name": "jsmith",
      "id": 12453
    }
  ],
  "userType": "I",
  "shortName": "jsmith"
}

/Group

Dictionary table

AttributeTypeRequiredUpdatableDescriptionAdditional comment

id

Long

Yes

-

Primary key of the group

 

name

String

Yes

Yes

Name used to identify a group

Name must be unique

quota

String

-

Yes

Quota allocated to the shared folder

 

description

String

-

Yes

Description of the group

 

parentGroup

String

-

Yes

Name of the parent group

Only the root group doesn't have value.

The groups have a tree structure.

type

String

-

Yes

ID of the organizational unit type

Organizational units type are managed in the IAM Console (Administration > Configure Soffid > Global Settings > Group Type)

driveLetter

String

-

Yes

Drive letter used to get access to this group's drive

This shared folder can be mounted on ESSO hosts by using a startup script

Only one character are allowed

driveServerName

String

-

Yes

File server to store this group's drive

Only applies when used in combination with shared folder agents and script logons. If specified, a shared folder for this group will be created.

obsolete

Boolean

-

Yes

 

 

organizational

Boolean

-

Yes

 

 

section

String

-

Yes

 

 

meta

ScimMeta

  • resourceType (String)
  • created (Date)
  • lastModified (Date)
  • location (String)

-

-

Additional information recommended in SCIM definition:

  • resourceType: Resource requested (in this case "Group")
  • created: user creation date
  • lastModified: last modification date of any user attributes
  • location: URL tof the resource <domain>/webservice/scim/Group/<id>

These attributes are returned in the response

These attributes are not updatable

attributes

Map<String, Object>

  • "attribute" : "value"

-

Yes

Additional data assigned to the group

Attributes are defined in the IAM Console (Administration > Configure Soffid > Global Settings > Metadata)

Values are managed in the IAM Console (Administration >  Resources > Groups)

Full JSON example

{
  "organizational": true,
  "driveLetter": "G",
  "obsolete": true,
  "description": "Enterprise engineering team",
  "section": null,
  "type": null,
  "meta": {
    "location": "http://<domain>/webservice/scim/Group/11345",
    "resourceType": "Group"
  },
  "quota": "0",
  "name": "Engineering team",
  "parentGroup": "enterprise",
  "attributes": {},
  "id": 11345
}

/Account

Dictionary table

AttributeTypeRequiredUpdatableDescriptionAdditional comment

id

Long

Yes

-

Primary key of the account

 

name

String

Yes

Yes

Name used to identify the account

 

description

String

-

Yes

Description of the account

 

type

AccountType

Yes

Yes

Acount Type. Values [ U | S | P | I ]

U=user, S=shared, P=privileged, I=Ignored

To create a user type account, a single user must be specified in ownerUsers attribute

system

String

-

Yes

System to assign access

Systems are managed in the IAM Console (Administration > Resources > Information Systems)

lastUpdated

Calendar

-

No

Last time the account has been updated

 

lastPasswordSet

Calendar

-

No

Last time the password of the account has been setted

 

passwordExpiration

Calendar

-

No

Expiration date of the password of the account

 

disabled

boolean

-

Yes

Account active (false) or disabled (true)

 

passwordPolicy

String

-

No

User type assigned to the account as a user. By default "I"

New user types could be created in the IAM Console (Administration > Configure Soffid > Global Settings > User types)

vaultFolderId

Long

-

No

 

 

vaultFolder

String

-

No

 

 

inheritNewPermissions

boolean

-

No

 

 

loginUrl

String

-

No

 

 

attributes

Map<String, Object>

-

Yes

List of values of the metadata attributes of the agente of the account

 

grantedGroups

Collection<Group>

-

Yes

List of groups assigned to an account

 

grantedUsers

Collection<User>

-

Yes

List of users assigned to an account

 

grantedRoles

Collection<Group>

-

Yes

List of roles assigned to an account

 

managerGroups

Collection<Role>

-

Yes

List of groups assigned to an account as managers

 

managerUsers

Collection<User>

-

Yes

List of users assigned to an account as managers

 

managerRoles

Collection<Role>

-

Yes

List of roles assigned to an account as a managers

 

ownerGroups

Collection<Group>

-

Yes

List of groups assigned to an account as owners

 

ownerUsers

Collection<User>

-

Yes

List of users assigned to an account as managers

 

ownerRoles

Collection<Role>

-

Yes

List of roles assigned to an account as managers

 

password

String

-

Yes

The password of the account

 

roles

List<Role>

  • id (Long)
  • roleName (String)
  • roleDescription (String)
  • informationSystemName (String)
  • domainValue (String)

-

Yes

List<Role> → list of the roles assigned to the account

  • id: id of the role
  • roleName: role name of the role
  • roleDescription: role description of the role
  • informationSystemName: application where the role is assigned
  • domainValue: domain value (if exists)

 

meta

ScimMeta

  • resourceType (String)
  • created (Date)
  • lastModified (Date)
  • location (String)

-

-

Additional information recommended in SCIM definition:

  • resourceType: Resource requested (in this case "Account")
  • created: user creation date
  • lastModified: last modification date of any user attributes
  • location: URL to the resource <domain>/webservice/scim/Account/<id>

These attributes are returned in the response

These attributes are not updatable

Full JSON example

{
  "description": "Admin Admin",
  "type": "U",
  "inheritNewPermissions": false,
  "disabled": false,
  "id": 69,
  "roles": [
    {
      "role": 30
    }
  ],
  "grantedUsers": []
  "grantedGroups": [],
  "grantedRoles": [],
  "managerGroups": [],
  "managerRoles": [],
  "managerUsers": [],
  "ownerGroups": [],
  "ownerRoles": [],
  "ownerUsers": [],
  "passwordPolicy": "I",
  "system": "soffid",
  "meta": {
    "location": "http://<domain>/webservice/scim/Account/69",
    "resourceType": "Account"
  },
  "name": "admin",
  "attributes": {},
}

/Application (addon version 1.2.0+)

Dictionary table

AttributeTypeRequiredUpdatableDescriptionAdditional comment

id

Long

Yes

-

Primary key of the application

 

name

String

Yes

Yes

Name used to identify the application

 

description

String

-

Yes

Description of the application

 

singleRole

boolean

No

Yes

true to enforce no user has two roles in this application at the same time

Setting the value to true does not automatically remove currently assigned roles.

bpmEnforced

boolean

No

Yes

Set to true if the user can request this role through the self service interface

 

database

String

No

Yes

Target system

Free text field

attributes


Map<String, Object>

-

Yes

Custom application attributes

Define new custom attributes (Administration > Configure Soffid > Global Settings > Metadata)

meta

ScimMeta

  • resourceType (String)
  • location (String)

-

-

Additional information recommended in SCIM definition:

  • resourceType: Resource requested (in this case "Application")
  • location: URL tof the resource <domain>/webservice/scim/Account/<id>

These attributes are returned in the response

These attributes are not updatable

Full JSON example

{
    "description": "Active Directory",
    "singleRole": false,
    "bpmEnforced": false,
    "database": "ad",
    "meta": {
        "location": "http://bubu-thinkpad:8080/webservice/scim/Application/1573127",
        "resourceType": "Application"
    },
    "name": "ad",
    "attributes": {},
    "id": 1573127
}

/Role (addon version 1.2.0+)

Dictionary table

AttributeTypeRequiredUpdatableDescriptionAdditional comment

id

Long

Yes

-

Primary key of the role

 

name

String

Yes

Yes

Name used to identify the role

 

description

String

-

Yes

Description of the role

 

system

String

Yes

Yes

Target system where the role exists

 

indirectAsignment

boolean

-

No

Flag that warns about roles granted by other roles

 

bpmEnforced

boolean

No

Yes

Set to true if the user can request this role through the self service interface

 

informationSystemName

String

Yes

Yes

Application that uses this role

 

password

boolean

No

Yes

Set to true if the access to this role is protected by a password

Usually applies only to Oracle database roles

enableByDefault

boolean

No

Yes

Set to true if the access to this role is enabled by default

Usually applies only to Oracle database roles

domain

Json object

Yes

Yes

Domain that drives how this role is granted to users.

Domain attributes:

  • name (SENSE_DOMINI for roles with no domain, another value for custom domains)
  • description: domain description
  • externalCode: application name

approvalStart

Date

-

No

Last change timestamp

 

approvalEnd

Date

-

No

Approval timestamp

If no approval definition workflow is defined, it contains the last change timestamp

attributes

Map<String, Object>

-

-

Custom application attributes

Define new custom attributes in the "additional data" screen.

ownedRoles

Collection<RoleGrant>

No

Yes

Contains the roles to grant with this role

Role grant attributes:

  • informationSystem: application name
  • ownerRole: optional
  • owner role id
  • ownerRoleName: optional name of owner role
  • ownerRolDomainValue: domain value of owner role (optional)
  • ownerSystem: optional system of owner role
  • mandatory: true to set the relationship as mandatory
  • enabled: true if the grant is already approved
  • roleName: owned (child) role name
  • system: system of owned (child) role
  • domainValue: domain value for owned (child) role

granteeGroups

Collection<RoleGrant>

 

No

Yes

Contains the groups that are granted with the current role

Role grant attributes:

  • informationSystem: application name
  • ownerGroup: group name
  • mandatory: true to set the relationship as mandatory
  • enabled: true if the grant is already approved
  • roleName: owned (current) role name
  • system: system of owned (current) role
  • domainValue: domain value for owned (current) role

ownerRoles

Collection<RoleGrant>

No

Yes

Contains the roles that grant the current one

Role grant attributes:

  • informationSystem: application name
  • ownerRole: optional
  • owner role id
  • ownerRoleName: mandatory name of owner role
  • ownerRolDomainValue: domain value of owner role (optional)
  • ownerSystem: mandatory system of owner role
  • mandatory: true to set the relationship as mandatory
  • enabled: true if the grant is already approvedroleName: owned (current) role name
  • system: system of owned (current) role
  • domainValue: domain value for owned (current) role

meta

ScimMeta

  • resourceType (String)
  • location (String)

-

-

Additional information recommended in SCIM definition:

  • resourceType: Resource requested (in this case "Role")
  • location: URL tof the resource <domain>/webservice/scim/Role/<id>

These attributes are returned in the response

These attributes are not updatable

 

Full JSON example

 {
    "approvalEnd": "2019-11-01T19:22:14+01:00",
    "ownedRoles": [
        {
            "informationSystem": "TEST",
            "ownerRole": 34,
            "roleId": 5794,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "TestRole",
            "hasDomain": false,
            "id": 1207155,
            "ownerRoleName": "SOFFID_ADMIN",
            "status": {
                "value": "A"
            }
        },
        {
            "informationSystem": "SOFFID",
            "ownerRole": 34,
            "roleId": 50247,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "test2",
            "hasDomain": false,
            "id": 2209016,
            "ownerRoleName": "SOFFID_ADMIN",
            "status": {
                "value": "A"
            }
        }
    ],
    "indirectAssignment": "",
    "description": "SOFFID Administrator",
    "granteeGroups": [],
    "bpmEnforced": false,
    "informationSystemName": "SOFFID",
    "password": false,
    "system": "soffid",
    "ownerRoles": [],
    "meta": {
        "location": "http://bubu-thinkpad:8080/webservice/scim/Role/34",
        "resourceType": "Role"
    },
    "domain": {
        "name": "SENSE_DOMINI",
        "description": ""
    },
    "name": "SOFFID_ADMIN",
    "approvalStart": "2019-11-01T19:22:14+01:00",
    "attributes": {},
    "id": 34,
    "enableByDefault": true
}

Notes about role domains

By default, roles have no security domain (sometimes referred to as scope). When a security domain is assigned to a role, each account-role object is tagged with the proper security domain value. It is allowed to assign one role multiple times to the same user, as long as each assignment is tagged with a different security domain value. For instance, one can create the SOFFID_OU_MANAGER role bound to the GROUPS security domain. Then, you can assign the role SOFFID_OU_MANAGER/Group1 to any user.

Four kinds of security domains are available:

  • SENSE_DOMAIN: No security domain applies.
  • GROUP: A business unit is bound to each grant of this role.
  • APPLICATION:  A information system is bound to each grant of this role.
  • Custom domain: Each application can have its own security domains with arbitrary meanings.

To set or modify the role domain for a role, one can use the "domain" attribute. This attribute is a complex object composed of a name and a description. Only the name is mandatory.

Notes about role inheritance

Role inheritance is driven by the ownedRoles, ownerRoles and ownedGroups. Each of these attributes is an array of grants. Each grant has the following attributes:

  • ownerRole: id of owner role.
  • ownerSystem: name of owner role's system.
  • ownerRoleName: name of owner role's name.
  • ownerRolDomainValue: security domain of the owner role. If a user is granted with the owner role, and the
  • ownerRolDomainValue does not match the grant domain, the inheritance rule does not apply.
  • roleId: id of owned role.
  • system: name of owned role's system
  • roleName: name of owned role's name
  • domainValue: security domain of the owned role.

The role inheritance can vary slightly depending on whether the owned role and the owner role are in the same domain or not:

Resulting domain value

Owner role has no domain

Owner role has a different domain

Same domain

Domain value not specifiedBlankBlankOwner role domain value
Domain value specifiedSpecified valueSpecified valueSpecified value