
RoleAccount resource data model

/RoleAccount

Dictionary table

The service model diagram of the object: http://www.soffid.org/doc/console/2.9.0/uml/com/soffid/iam/api/RoleAccount.html

Soffid allows you to add customized data to the group object. You can do that in the Metadata option:

  • Main Menu > Administration > Configure Soffid > Global Settings > Metadata

You can consult the full RoleAccount definition using the Schema query:

http://<your-domain>/webservice/scim2/v1/ResourceTypes/RoleAccount

Full JSON example

Request

http://<your-server>/webservice/scim2/v1/RoleAccount/863774

Response


{
    "certificationDate": "2020-11-23 17:50:13",
    "accountSystem": "ad",
    "accountName": "aitor.menta",
    "approvalPending": false,
    "userFullName": "Menta",
    "bpmEnforced": "N",
    "enabled": true,
    "accountId": 408539,
    "informationSystemName": "Operation/Business process/ad",
    "system": "ad",
    "meta": {
        "location": "http://<your-domain>/webservice/scim2/v1/RoleAccount/863774",
        "resourceType": "RoleAccount"
    },
    "schemas": [
        "urn:soffid:com.soffid.iam.api.RoleAccount"
    ],
    "roleName": "enterprise",
    "removalPending": false,
    "id": 863774,
    "roleDescription": "Enterprise",
    "startDate": "2020-11-23 12:00:00"
}

Notes about role domains

By default, roles have no security domain (sometimes referred to as scope). When a security domain is assigned to a role, each account-role object is tagged with the proper security domain value. The same role can be assigned multiple times to the same user, as long as each assignment is tagged with a different security domain value. For instance, one can create the SOFFID_OU_MANAGER role bound to the GROUPS security domain. Then, you can assign the role SOFFID_OU_MANAGER/Group1 to any user.

Four kinds of security domains are available:

  • SENSE_DOMAIN: No security domain applies.
  • GROUP: A business unit is bound to each grant of this role.
  • APPLICATION: An information system is bound to each grant of this role.
  • Custom domain: Each application can have its own security domains with arbitrary meanings.

To set or modify the role domain for a role, one can use the "domain" attribute. This attribute is a complex object composed of a name and a description. Only the name is mandatory.

Notes about role inheritance

Role inheritance is driven by the ownedRoles, ownerRoles and ownedGroups attributes. Each of these attributes is an array of grants. Each grant has the following attributes:

  • ownerRole: id of the owner role.
  • ownerSystem: name of the owner role's system.
  • ownerRoleName: name of the owner role.
  • ownerRolDomainValue: security domain of the owner role. If a user is granted the owner role and the ownerRolDomainValue does not match the grant domain, the inheritance rule does not apply.
  • roleId: id of the owned role.
  • system: name of the owned role's system.
  • roleName: name of the owned role.
  • domainValue: security domain of the owned role.

The role inheritance can vary slightly depending on whether the owned role and the owner role are in the same domain or not:

Resulting domain value     | Owner role has no domain | Owner role has a different domain | Same domain
Domain value not specified | Blank                    | Blank                             | Owner role domain value
Domain value specified     | Specified value          | Specified value                   | Specified value
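
The domain-matching rule and the resulting-domain table above, worked through in Python as an added example (not Soffid code and not part of the original page). Held, inherit, effective_roles and the AD_* role names are hypothetical; the code assumes that an unset ownerRolDomainValue applies to any domain value and that "owner role domain value" means the value on the user's grant of the owner role.

```python
from collections import namedtuple

# Grant mirrors the inheritance-grant attributes listed above (ids omitted).
Grant = namedtuple("Grant", "ownerRoleName ownerSystem ownerRolDomainValue "
                            "roleName system domainValue")
# Held is a hypothetical helper: one role a user holds, with its domain tag.
Held = namedtuple("Held", "roleName system domainValue")
NO_DOMAIN = "SENSE_DOMAIN"  # domain kind meaning "no security domain applies"

def inherit(held, grant, role_domains):
    """Return the owned role this grant gives the holder, or None."""
    if (grant.ownerRoleName, grant.ownerSystem) != (held.roleName, held.system):
        return None
    # Page rule: a mismatching ownerRolDomainValue disables the inheritance.
    # Assumption: an unset ownerRolDomainValue applies to every domain value.
    if grant.ownerRolDomainValue not in (None, held.domainValue):
        return None
    owner_kind = role_domains.get((grant.ownerRoleName, grant.ownerSystem), NO_DOMAIN)
    owned_kind = role_domains.get((grant.roleName, grant.system), NO_DOMAIN)
    if grant.domainValue is not None:
        value = grant.domainValue   # row "Domain value specified"
    elif owner_kind != NO_DOMAIN and owner_kind == owned_kind:
        value = held.domainValue    # same domain: owner role domain value
    else:
        value = None                # no domain or different domain: blank
    return Held(grant.roleName, grant.system, value)

def effective_roles(direct, grants, role_domains):
    """Expand direct assignments through every applicable grant (transitively)."""
    seen, todo = set(direct), list(direct)
    while todo:
        held = todo.pop()
        for grant in grants:
            got = inherit(held, grant, role_domains)
            if got is not None and got not in seen:
                seen.add(got)
                todo.append(got)
    return seen

# Constructed sample data; AD_OU_OPERATOR and AD_AUDITOR are made-up role names.
ROLE_DOMAINS = {("SOFFID_OU_MANAGER", "soffid"): "GROUP",
                ("AD_OU_OPERATOR", "ad"): "GROUP"}
GRANTS = [Grant("SOFFID_OU_MANAGER", "soffid", None, "AD_OU_OPERATOR", "ad", None),
          Grant("SOFFID_OU_MANAGER", "soffid", "Group2", "AD_AUDITOR", "ad", None)]

if __name__ == "__main__":
    for group in ("Group1", "Group2"):
        user = [Held("SOFFID_OU_MANAGER", "soffid", group)]
        print(group, sorted(effective_roles(user, GRANTS, ROLE_DOMAINS), key=str))
```

Running the expansion per user during an access review shows which domain-scoped entitlements a single direct grant actually carries.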