Role resource data model

/Role (addon version 1.2.0+)

Dictionary table

Each entry gives the attribute name, then in parentheses its type and the Required and Updatable columns of the dictionary table ("-" where the table states nothing), followed by the description and any additional comment.

id (Long; required: yes; updatable: -)
    Primary key of the role.

name (String; required: yes; updatable: yes)
    Name used to identify the role.

description (String; required: -; updatable: yes)
    Description of the role.

system (String; required: yes; updatable: yes)
    Target system where the role exists.

indirectAssignment (boolean; required: -; updatable: no)
    Flag that warns about roles granted by other roles.

bpmEnforced (boolean; required: no; updatable: yes)
    Set to true if the user can request this role through the self-service interface.

informationSystemName (String; required: yes; updatable: yes)
    Application that uses this role.

password (boolean; required: no; updatable: yes)
    Set to true if access to this role is protected by a password. Usually applies only to Oracle database roles.

enableByDefault (boolean; required: no; updatable: yes)
    Set to true if access to this role is enabled by default. Usually applies only to Oracle database roles.

domain (JSON object; required: yes; updatable: yes)
    Domain that drives how this role is granted to users. Domain attributes:
      • name: SENSE_DOMINI for roles with no domain, another value for custom domains
      • description: domain description
      • externalCode: application name

approvalStart (Date; required: -; updatable: no)
    Last change timestamp.

approvalEnd (Date; required: -; updatable: no)
    Approval timestamp. If no approval workflow is defined, it contains the last change timestamp.

attributes (Map<String, Object>; required: -; updatable: -)
    Custom application attributes. Define new custom attributes in the "additional data" screen.

ownedRoles (Collection<RoleGrant>; required: no; updatable: yes)
    Contains the roles to grant with this role. Role grant attributes:
      • informationSystem: application name
      • ownerRole: optional owner role id
      • ownerRoleName: optional name of the owner role
      • ownerRolDomainValue: domain value of the owner role (optional)
      • ownerSystem: optional system of the owner role
      • mandatory: true to set the relationship as mandatory
      • enabled: true if the grant is already approved
      • roleName: owned (child) role name
      • system: system of the owned (child) role
      • domainValue: domain value for the owned (child) role

granteeGroups (Collection<RoleGrant>; required: no; updatable: yes)
    Contains the groups that are granted the current role. Role grant attributes:
      • informationSystem: application name
      • ownerGroup: group name
      • mandatory: true to set the relationship as mandatory
      • enabled: true if the grant is already approved
      • roleName: owned (current) role name
      • system: system of the owned (current) role
      • domainValue: domain value for the owned (current) role

ownerRoles (Collection<RoleGrant>; required: no; updatable: yes)
    Contains the roles that grant the current one. Role grant attributes:
      • informationSystem: application name
      • ownerRole: optional owner role id
      • ownerRoleName: mandatory name of the owner role
      • ownerRolDomainValue: domain value of the owner role (optional)
      • ownerSystem: mandatory system of the owner role
      • mandatory: true to set the relationship as mandatory
      • enabled: true if the grant is already approved
      • roleName: owned (current) role name
      • system: system of the owned (current) role
      • domainValue: domain value for the owned (current) role

meta (ScimMeta with resourceType (String) and location (String); required: -; updatable: no)
    Additional information recommended in the SCIM definition:
      • resourceType: resource requested (in this case "Role")
      • location: URL of the resource, <domain>/webservice/scim/Role/<id>
    These attributes are returned in the response and are not updatable.

Full JSON example

{
    "approvalEnd": "2019-11-01T19:22:14+01:00",
    "ownedRoles": [
        {
            "informationSystem": "TEST",
            "ownerRole": 34,
            "roleId": 5794,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "TestRole",
            "hasDomain": false,
            "id": 1207155,
            "ownerRoleName": "SOFFID_ADMIN",
            "status": {
                "value": "A"
            }
        },
        {
            "informationSystem": "SOFFID",
            "ownerRole": 34,
            "roleId": 50247,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "test2",
            "hasDomain": false,
            "id": 2209016,
            "ownerRoleName": "SOFFID_ADMIN",
            "status": {
                "value": "A"
            }
        }
    ],
    "indirectAssignment": "",
    "description": "SOFFID Administrator",
    "granteeGroups": [],
    "bpmEnforced": false,
    "informationSystemName": "SOFFID",
    "password": false,
    "system": "soffid",
    "ownerRoles": [],
    "meta": {
        "location": "http://<domain>/webservice/scim2/v1/Role/34",
        "resourceType": "Role"
    },
    "domain": {
        "name": "SENSE_DOMINI",
        "description": ""
    },
    "name": "SOFFID_ADMIN",
    "approvalStart": "2019-11-01T19:22:14+01:00",
    "attributes": {},
    "id": 34,
    "enableByDefault": true
}
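As an added example (not code from the Soffid addon or its documentation), the following check applies the Required and Updatable columns of the dictionary above to a Role document before it is created or sent back in an update; the sample document is constructed from the page's JSON example, trimmed to the attributes the checks inspect.

```python
"""Check a SCIM Role document against the dictionary table (added example)."""
from typing import Any, Dict, List

# Required / Updatable columns of the dictionary table ("-" entries are not listed)
REQUIRED = {"id", "name", "system", "informationSystemName", "domain"}
NOT_UPDATABLE = {"indirectAssignment", "approvalStart", "approvalEnd", "meta"}
BOOLEAN_FLAGS = ("bpmEnforced", "password", "enableByDefault")

# Constructed sample, abbreviated from the page's full JSON example
SAMPLE_ROLE: Dict[str, Any] = {
    "id": 34, "name": "SOFFID_ADMIN", "system": "soffid",
    "informationSystemName": "SOFFID", "description": "SOFFID Administrator",
    "domain": {"name": "SENSE_DOMINI", "description": ""},
    "bpmEnforced": False, "password": False, "enableByDefault": True,
    "indirectAssignment": "", "approvalStart": "2019-11-01T19:22:14+01:00",
    "meta": {"location": "http://<domain>/webservice/scim2/v1/Role/34",
             "resourceType": "Role"},
}


def validate_role(role: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the document satisfies the table."""
    problems: List[str] = []
    for attr in sorted(REQUIRED):
        if attr not in role:
            problems.append(f"missing required attribute: {attr}")
    # The domain object is required and only its name is mandatory inside it
    domain = role.get("domain")
    if domain is not None and (not isinstance(domain, dict) or not domain.get("name")):
        problems.append("domain must be an object whose name is set")
    # Flags typed as boolean in the table must not arrive as strings such as "false"
    for flag in BOOLEAN_FLAGS:
        if flag in role and not isinstance(role[flag], bool):
            problems.append(f"{flag} must be a boolean")
    return problems


def updatable_subset(role: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the document without the attributes the table marks as not updatable,
    which is what a client should send back when modifying a role."""
    return {k: v for k, v in role.items() if k not in NOT_UPDATABLE}
```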

Notes about role domains

By default, roles have no security domain (sometimes referred to as scope). When a security domain is assigned to a role, each account-role object is tagged with the proper security domain value. It is allowed to assign one role multiple times to the same user, as long as each assignment is tagged with a different security domain value. For instance, one can create the SOFFID_OU_MANAGER role bound to the GROUPS security domain. Then, you can assign the role SOFFID_OU_MANAGER/Group1 to any user.

Four kinds of security domains are available:

  • SENSE_DOMINI: No security domain applies.
  • GROUP: A business unit is bound to each grant of this role.
  • APPLICATION: An information system is bound to each grant of this role.
  • Custom domain: Each application can have its own security domains with arbitrary meanings.

To set or modify the role domain for a role, one can use the "domain" attribute. This attribute is a complex object composed of a name and a description. Only the name is mandatory.

Notes about role inheritance

Role inheritance is driven by the ownedRoles, ownerRoles and granteeGroups attributes. Each of these attributes is an array of grants. Each grant has the following attributes:

  • ownerRole: id of the owner role.
  • ownerSystem: name of the owner role's system.
  • ownerRoleName: name of the owner role.
  • ownerRolDomainValue: security domain of the owner role. If a user is granted the owner role and the ownerRolDomainValue does not match the grant domain, the inheritance rule does not apply.
  • roleId: id of the owned role.
  • system: name of the owned role's system.
  • roleName: name of the owned role.
  • domainValue: security domain of the owned role.

The role inheritance can vary slightly depending on whether the owned role and the owner role are in the same domain or not:

Resulting domain value

                              Owner role has no domain   Owner role has a different domain   Same domain
Domain value not specified    Blank                      Blank                               Owner role domain value
Domain value specified        Specified value            Specified value                     Specified value
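As an added worked example (not code from the Soffid addon), the function below applies the "Resulting domain value" table and the ownerRolDomainValue rule to one ownedRoles grant, using the page's SOFFID_OU_MANAGER/Group1 scenario. The role and grant records are constructed dicts, role["domain"] holds the domain name, and the "grant domain" the rule compares against is assumed to be the domain value of the user's assignment of the owner role.

```python
"""Resolve the domain value a user inherits through a role grant (added example)."""
from typing import Any, Dict, Optional

NO_DOMAIN = "SENSE_DOMINI"   # name used by roles that have no security domain


def grant_applies(grant: Dict[str, Any], owner_assignment_value: Optional[str]) -> bool:
    """ownerRolDomainValue rule: when the grant names a domain value for the owner
    role, the user's assignment of the owner role must carry that same value."""
    required = grant.get("ownerRolDomainValue")
    return required is None or required == owner_assignment_value


def inherited_domain_value(owner_role: Dict[str, Any], owned_role: Dict[str, Any],
                           grant: Dict[str, Any],
                           owner_assignment_value: Optional[str]) -> Optional[str]:
    """Apply the table: returns None when the grant does not apply at all,
    "" for a blank value, otherwise the value the inherited grant is tagged with."""
    if not grant_applies(grant, owner_assignment_value):
        return None
    if grant.get("domainValue"):                 # row "Domain value specified"
        return grant["domainValue"]
    same_domain = (owner_role["domain"] != NO_DOMAIN
                   and owner_role["domain"] == owned_role["domain"])
    if same_domain:                              # column "Same domain"
        return owner_assignment_value or ""
    return ""                                    # owner has no domain, or a different one


# Constructed scenario built on the page's SOFFID_OU_MANAGER example
OU_MANAGER = {"name": "SOFFID_OU_MANAGER", "system": "soffid", "domain": "GROUP"}
OU_READER = {"name": "SOFFID_OU_READER", "system": "soffid", "domain": "GROUP"}
APP_AUDITOR = {"name": "APP_AUDITOR", "system": "soffid", "domain": "APPLICATION"}
GRANT_SAME = {"roleName": "SOFFID_OU_READER", "system": "soffid", "mandatory": True}
GRANT_DIFF = {"roleName": "APP_AUDITOR", "system": "soffid", "mandatory": True}
GRANT_FIXED = {"roleName": "APP_AUDITOR", "system": "soffid", "domainValue": "ERP"}
GRANT_SCOPED = {"roleName": "SOFFID_OU_READER", "system": "soffid",
                "ownerRolDomainValue": "Group1"}


def demo() -> Dict[str, Optional[str]]:
    """User holds SOFFID_OU_MANAGER/Group1; resolve each owned grant."""
    user_value = "Group1"
    return {
        "same": inherited_domain_value(OU_MANAGER, OU_READER, GRANT_SAME, user_value),
        "diff": inherited_domain_value(OU_MANAGER, APP_AUDITOR, GRANT_DIFF, user_value),
        "fixed": inherited_domain_value(OU_MANAGER, APP_AUDITOR, GRANT_FIXED, user_value),
        "scoped_ok": inherited_domain_value(OU_MANAGER, OU_READER, GRANT_SCOPED, "Group1"),
        "scoped_no": inherited_domain_value(OU_MANAGER, OU_READER, GRANT_SCOPED, "Group2"),
    }
```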