User resource data model

The data model of the Soffid objects is mapped to JSON objects to enable the data transport between client and server.

/User

Dictionary table

Attribute	Type	Required	Updatable	Description	Additional comment
id	Long	Yes	-	Primary key of the user
userName	String	Yes	Yes	User name used to identify a user, internal management and access to applications	User name must be unique
firstName	String	Yes	Yes	First name of the user
lastName	String	Yes	Yes	First surname
middleName	String	-	Yes	Used like second surname
fullName	String	-	-	firstName + lastName + middleName
shortName	String	-	Yes	Mail of the user but without the domain	The mail is created with the next pattern: shortName + '@' + mailDomain
createdDate	Calendar	-	-	User creation date
modifiedDate	Calendar	-	-	Last modification date of any user attributes
createdByUser	String	-	-	User that has created the user
modifiedByUser	String	-	-	User that has modified the last time attributes of this user
active	Boolean	-	Yes	User active or disable	If you avoid this attribute in the create operation by default the value is false
multiSession	Boolean	-	Yes	Allows some sessions with Soffid ESSO	When the value is false if the user logs with another session active, the SSO close the previous one
comments	String	-	Yes	Comments about the user
userType	String	Yes	Yes	User type assigned to the user. by default "I"	New use types could be created in the IAM Console (Administration > Configure Soffid > Global settings > User type)
profileServer	String	Yes	Yes	Server which hosts the user profile	It is linked to Roaming UserProfile on Active Directory Servers are managed in the IAM Console (Administration > Resources > Hosts) In the installation of Soffid a "null" server is created to be used by default
homeServer	String	Yes	Yes	Server which hosts the user folder	It is linked to Home Drive attribute on active directory Servers are managed in the IAM Console (Administration > Resources > Hosts) In the installation of Soffid a "null" server is created to be used by default
mailServer	String	Yes	Yes	Server which hosts the user mail	Servers are managed in the IAM Console (Administration > Resources > Hosts) In the installation of Soffid a "null" server is created to be used by default
nationalID	String	-	Yes	ID card of the user	For example the NIF or NIE
phoneNumber	String	-	Yes	Phone number of the user (company or personal)
mailAlias	String	-	Yes	Lisf of mails separated by comma
mailDomain	String	-	Yes		The domain of the mails must be valid Mail domains are managed in the IAM Console (Administration > Resources > Mail Domains)
primaryGroup	String	Yes	Yes	ID of the primary group where the user is assigned	Groups are managed in the IAM Console (Administration > Resources > Groups)
primaryGroupDescription	String	-	Yes	Description of the primary group where the user is assigned	Groups are managed in the IAM Console (Administration > Resources > Groups)
consoleProperties	ConsoleProperties id (Long) userName (String) lastLoginDate (Calendar) version (String) bookmarks (Collection<String>) preferences (Map) lastIP (String) language (String)	-	-	Internal properties for the IAM Console	These properties are created the first time the user access to IAM console
password	String	-	Yes	Password used with the userName to access applications	Password is not returned in the searches, is only used in PATCH and PUT methods
attributes	Map<String, Object> "attribute" : "value"	-	Yes	Additional data assigned to the user	Attributes are managed in the IAM Console (Administration > Configure Soffid > Global Settings > Metadata) Values are managed in the IAM Console (Administration > Resources > Users)
meta	ScimMeta resourceType (String) created (Date) lastModified (Date) location (String)	-	-	Additional information recommended in SCIM definition: resourceType: Resource requested (in this case "User") created: user creation date lastModified: last modification date of any user attributes location: URL tof the resource (<domain>/webservice/scim/User/<i	These attributes are returned in the response These attributes are not updatable
secondaryGroups	List<JsonSecondaryGroup> id (Long) group (String) groupDescription (String)	-	Yes	Secondary groups assigned to the user: id: id of the group group: name of the group (unique) groupDescription: description of the group	Groups are managed in the IAM Console (Administration > Resources > Groups) Secundary groups are managed in the IAM Console (Administration > Resources > Users)
accounts	List<JsonAccount> id (Long) name (String) system (String)	-	Yes	Accounts created to the user to access to applications: id: id of the account name: name of the account (unique) system: system to assign access	Accounts are managed in the IAM Console Administration > Resources > Users, Account tab) Systems are managed in the IAM Console (Administration > Resources > Information Systems)

Full JSON example

{
  "lastName": "Smith",
  "createdByUser": "admin",
  "mailServer": "null",
  "mailDomain": "soffid.com",
  "nationalID": "",
  "multiSession": false,
  "modifiedByUser": "admin",
  "id": 1188,
  "homeServer": "null",
  "primaryGroupDescription": "World",
  "primaryGroup": "world",
  "comments": "Sample user",
  "profileServer": "null",
  "secondaryGroups": [
    {
      "groupDescription": "Enterprise",
      "id": 12353,
      "group": "enterprise"
    },
    {
      "groupDescription": "Engineering team",
      "id": 12347,
      "group": "engineering"
    }
  ],
  "active": true,
  "fullName": "John Smith",
  "userName": "jsmith",
  "mailAlias": "jsmith@soffid.com, jsmith.dev@soffid.com",
  "firstName": "John",
  "createdDate": "2017-08-04T15:04:37+02:00",
  "phoneNumber": "666777888",
  "meta": {
    "created": "2017-08-04T15:04:37+02:00",
    "location": "http://<domain>/webservice/scim/User/1188",
    "lastModified": "2017-08-18T16:52:38+02:00",
    "resourceType": "User"
  },
  "modifiedDate": "2017-08-18T16:52:38+02:00",
  "attributes": {
    "employeeId": "1234",
    "position": "Developer"
  },
 "middleName": "",
 "accounts": [
    {
      "system": "soffid",
      "name": "jsmith",
      "id": 12453
    }
  ],
  "userType": "I",
  "shortName": "jsmith"
}

/Group

Dictionary table

Attribute	Type	Required	Updatable	Description	Additional comment
id	Long	Yes	-	Primary key of the group
name	String	Yes	Yes	Name used to identify a group	Name must be unique
quota	String	-	Yes	Quota allocated to the shared folder
description	String	-	Yes	Description of the group
parentGroup	String	-	Yes	Name of the parent group	Only the root group doesn't have value. The groups have a tree structure.
type	String	-	Yes	ID of the organizational unit type	Organizational units type are managed in the IAM Console (Administration > Configure Soffid > Global Settings > Group Type)
driveLetter	String	-	Yes	Drive letter used to get access to this group's drive	This shared folder can be mounted on ESSO hosts by using a startup script Only one character are allowed
driveServerName	String	-	Yes	File server to store this group's drive	Only applies when used in combination with shared folder agents and script logons. If specified, a shared folder for this group will be created.
obsolete	Boolean	-	Yes
organizational	Boolean	-	Yes
section	String	-	Yes
meta	ScimMeta resourceType (String) created (Date) lastModified (Date) location (String)	-	-	Additional information recommended in SCIM definition: resourceType: Resource requested (in this case "Group") created: user creation date lastModified: last modification date of any user attributes location: URL tof the resource <domain>/webservice/scim/Group/<id>	These attributes are returned in the response These attributes are not updatable
attributes	Map<String, Object> "attribute" : "value"	-	Yes	Additional data assigned to the group	Attributes are defined in the IAM Console (Administration > Configure Soffid > Global Settings > Metadata) Values are managed in the IAM Console (Administration > Resources > Groups)

Full JSON example

{
  "organizational": true,
  "driveLetter": "G",
  "obsolete": true,
  "description": "Enterprise engineering team",
  "section": null,
  "type": null,
  "meta": {
    "location": "http://<domain>/webservice/scim/Group/11345",
    "resourceType": "Group"
  },
  "quota": "0",
  "name": "Engineering team",
  "parentGroup": "enterprise",
  "attributes": {},
  "id": 11345
}

/Account

Dictionary table

Attribute	Type	Required	Updatable	Description	Additional comment
id	Long	Yes	-	Primary key of the account
name	String	Yes	Yes	Name used to identify the account
description	String	-	Yes	Description of the account
type	AccountType	Yes	Yes	Acount Type. Values [ U \| S \| P \| I ]	U=user, S=shared, P=privileged, I=Ignored To create a user type account, a single user must be specified in ownerUsers attribute
system	String	-	Yes	System to assign access	Systems are managed in the IAM Console (Administration > Resources > Information Systems)
lastUpdated	Calendar	-	No	Last time the account has been updated
lastPasswordSet	Calendar	-	No	Last time the password of the account has been setted
passwordExpiration	Calendar	-	No	Expiration date of the password of the account
disabled	boolean	-	Yes	Account active (false) or disabled (true)
passwordPolicy	String	-	No	User type assigned to the account as a user. By default "I"	New user types could be created in the IAM Console (Administration > Configure Soffid > Global Settings > User types)
vaultFolderId	Long	-	No
vaultFolder	String	-	No
inheritNewPermissions	boolean	-	No
loginUrl	String	-	No
attributes	Map<String, Object>	-	Yes	List of values of the metadata attributes of the agente of the account
grantedGroups	Collection<Group>	-	Yes	List of groups assigned to an account
grantedUsers	Collection<User>	-	Yes	List of users assigned to an account
grantedRoles	Collection<Group>	-	Yes	List of roles assigned to an account
managerGroups	Collection<Role>	-	Yes	List of groups assigned to an account as managers
managerUsers	Collection<User>	-	Yes	List of users assigned to an account as managers
managerRoles	Collection<Role>	-	Yes	List of roles assigned to an account as a managers
ownerGroups	Collection<Group>	-	Yes	List of groups assigned to an account as owners
ownerUsers	Collection<User>	-	Yes	List of users assigned to an account as managers
ownerRoles	Collection<Role>	-	Yes	List of roles assigned to an account as managers
password	String	-	Yes	The password of the account
roles	List<Role> id (Long) roleName (String) roleDescription (String) informationSystemName (String) domainValue (String)	-	Yes	List<Role> → list of the roles assigned to the account id: id of the role roleName: role name of the role roleDescription: role description of the role informationSystemName: application where the role is assigned domainValue: domain value (if exists)
meta	ScimMeta resourceType (String) created (Date) lastModified (Date) location (String)	-	-	Additional information recommended in SCIM definition: resourceType: Resource requested (in this case "Account") created: user creation date lastModified: last modification date of any user attributes location: URL to the resource <domain>/webservice/scim/Account/<id>	These attributes are returned in the response These attributes are not updatable

Full JSON example

{
  "description": "Admin Admin",
  "type": "U",
  "inheritNewPermissions": false,
  "disabled": false,
  "id": 69,
  "roles": [
    {
      "role": 30
    }
  ],
  "grantedUsers": []
  "grantedGroups": [],
  "grantedRoles": [],
  "managerGroups": [],
  "managerRoles": [],
  "managerUsers": [],
  "ownerGroups": [],
  "ownerRoles": [],
  "ownerUsers": [],
  "passwordPolicy": "I",
  "system": "soffid",
  "meta": {
    "location": "http://<domain>/webservice/scim/Account/69",
    "resourceType": "Account"
  },
  "name": "admin",
  "attributes": {},
}

/Application (addon version 1.2.0+)

Dictionary table

Attribute	Type	Required	Updatable	Description	Additional comment
id	Long	Yes	-	Primary key of the application
name	String	Yes	Yes	Name used to identify the application
description	String	-	Yes	Description of the application
singleRole	boolean	No	Yes	true to enforce no user has two roles in this application at the same time	Setting the value to true does not automatically remove currently assigned roles.
bpmEnforced	boolean	No	Yes	Set to true if the user can request this role through the self service interface
database	String	No	Yes	Target system	Free text field
attributes	Map<String, Object>	-	Yes	Custom application attributes	Define new custom attributes (Administration > Configure Soffid > Global Settings > Metadata)
meta	ScimMeta resourceType (String) location (String)	-	-	Additional information recommended in SCIM definition: resourceType: Resource requested (in this case "Application") location: URL tof the resource <domain>/webservice/scim/Account/<id>	These attributes are returned in the response These attributes are not updatable

Full JSON example

{
    "description": "Active Directory",
    "singleRole": false,
    "bpmEnforced": false,
    "database": "ad",
    "meta": {
        "location": "http://bubu-thinkpad:8080/webservice/scim/Application/1573127",
        "resourceType": "Application"
    },
    "name": "ad",
    "attributes": {},
    "id": 1573127
}

/Role (addon version 1.2.0+)

Dictionary table

Attribute	Type	Required	Updatable	Description	Additional comment
id	Long	Yes	-	Primary key of the role
name	String	Yes	Yes	Name used to identify the role
description	String	-	Yes	Description of the role
system	String	Yes	Yes	Target system where the role exists
indirectAsignment	boolean	-	No	Flag that warns about roles granted by other roles
bpmEnforced	boolean	No	Yes	Set to true if the user can request this role through the self service interface
informationSystemName	String	Yes	Yes	Application that uses this role
password	boolean	No	Yes	Set to true if the access to this role is protected by a password	Usually applies only to Oracle database roles
enableByDefault	boolean	No	Yes	Set to true if the access to this role is enabled by default	Usually applies only to Oracle database roles
domain	Json object	Yes	Yes	Domain that drives how this role is granted to users.	Domain attributes: name (SENSE_DOMINI for roles with no domain, another value for custom domains) description: domain description externalCode: application name
approvalStart	Date	-	No	Last change timestamp
approvalEnd	Date	-	No	Approval timestamp	If no approval definition workflow is defined, it contains the last change timestamp
attributes	Map<String, Object>	-	-	Custom application attributes	Define new custom attributes in the "additional data" screen.
ownedRoles	Collection<RoleGrant>	No	Yes	Contains the roles to grant with this role	Role grant attributes: informationSystem: application name ownerRole: optional owner role id ownerRoleName: optional name of owner role ownerRolDomainValue: domain value of owner role (optional) ownerSystem: optional system of owner role mandatory: true to set the relationship as mandatory enabled: true if the grant is already approved roleName: owned (child) role name system: system of owned (child) role domainValue: domain value for owned (child) role
granteeGroups	Collection<RoleGrant>	No	Yes	Contains the groups that are granted with the current role	Role grant attributes: informationSystem: application name ownerGroup: group name mandatory: true to set the relationship as mandatory enabled: true if the grant is already approved roleName: owned (current) role name system: system of owned (current) role domainValue: domain value for owned (current) role
ownerRoles	Collection<RoleGrant>	No	Yes	Contains the roles that grant the current one	Role grant attributes: informationSystem: application name ownerRole: optional owner role id ownerRoleName: mandatory name of owner role ownerRolDomainValue: domain value of owner role (optional) ownerSystem: mandatory system of owner role mandatory: true to set the relationship as mandatory enabled: true if the grant is already approvedroleName: owned (current) role name system: system of owned (current) role domainValue: domain value for owned (current) role
meta	ScimMeta resourceType (String) location (String)	-	-	Additional information recommended in SCIM definition: resourceType: Resource requested (in this case "Role") location: URL tof the resource <domain>/webservice/scim/Role/<id>	These attributes are returned in the response These attributes are not updatable

Full JSON example

 {
    "approvalEnd": "2019-11-01T19:22:14+01:00",
    "ownedRoles": [
        {
            "informationSystem": "TEST",
            "ownerRole": 34,
            "roleId": 5794,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "TestRole",
            "hasDomain": false,
            "id": 1207155,
            "ownerRoleName": "SOFFID_ADMIN",
            "status": {
                "value": "A"
            }
        },
        {
            "informationSystem": "SOFFID",
            "ownerRole": 34,
            "roleId": 50247,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "test2",
            "hasDomain": false,
            "id": 2209016,
            "ownerRoleName": "SOFFID_ADMIN",
            "status": {
                "value": "A"
            }
        }
    ],
    "indirectAssignment": "",
    "description": "SOFFID Administrator",
    "granteeGroups": [],
    "bpmEnforced": false,
    "informationSystemName": "SOFFID",
    "password": false,
    "system": "soffid",
    "ownerRoles": [],
    "meta": {
        "location": "http://bubu-thinkpad:8080/webservice/scim/Role/34",
        "resourceType": "Role"
    },
    "domain": {
        "name": "SENSE_DOMINI",
        "description": ""
    },
    "name": "SOFFID_ADMIN",
    "approvalStart": "2019-11-01T19:22:14+01:00",
    "attributes": {},
    "id": 34,
    "enableByDefault": true
}

Notes about role domains

By default, roles have no security domain (sometimes referred to as scope). When a security domain is assigned to a role, each account-role object is tagged with the proper security domain value. It is allowed to assign one role multiple times to the same user, as long as each assignment is tagged with a different security domain value. For instance, one can create the SOFFID_OU_MANAGER role bound to the GROUPS security domain. Then, you can assign the role SOFFID_OU_MANAGER/Group1 to any user.

Four kinds of security domains are available:

SENSE_DOMAIN: No security domain applies.
GROUP: A business unit is bound to each grant of this role.
APPLICATION: A information system is bound to each grant of this role.
Custom domain: Each application can have its own security domains with arbitrary meanings.

To set or modify the role domain for a role, one can use the "domain" attribute. This attribute is a complex object composed of a name and a description. Only the name is mandatory.

Notes about role inheritance

Role inheritance is driven by the ownedRoles, ownerRoles and ownedGroups. Each of these attributes is an array of grants. Each grant has the following attributes:

ownerRole: id of owner role.
ownerSystem: name of owner role's system.
ownerRoleName: name of owner role's name.
ownerRolDomainValue: security domain of the owner role. If a user is granted with the owner role, and the
ownerRolDomainValue does not match the grant domain, the inheritance rule does not apply.
roleId: id of owned role.
system: name of owned role's system
roleName: name of owned role's name
domainValue: security domain of the owned role.

The role inheritance can vary slightly depending on whether the owned role and the owner role are in the same domain or not:

Resulting domain value	Owner role has no domain	Owner role has a different domain	Same domain
Domain value not specified	Blank	Blank	Owner role domain value
Domain value specified	Specified value	Specified value	Specified value