User resource data model

~~The data model of the Soffid objects is mapped to JSON objects to enable the data transport between client and server.~~

/User

Dictionary table

Attribute	Type	Required	Updatable	Description	Additional comment
id	Long	Yes	-	Primary key of the user
userName	String	Yes	Yes	User name used to identify a user, internal management and access to applications	User name must be unique
firstName	String	Yes	Yes	First name of the user
lastName	String	Yes	Yes	First surname
middleName	String	-	Yes	Used like second surname
fullName	String	-	-	firstName + lastName + middleName
shortName	String	-	Yes	Mail of the user but without the domain	The mail is created with the next pattern: shortName + '@' + mailDomain
createdDate	Calendar	-	-	User creation date
modifiedDate	Calendar	-	-	Last modification date of any user attributes
createdByUser	String	-	-	User that has created the user
modifiedByUser	String	-	-	User that has modified the last time attributes of this user
active	Boolean	-	Yes	User active or disable	If you avoid this attribute in the create operation by default the value is false
multiSession	Boolean	-	Yes	Allows some sessions with Soffid ESSO	When the value is false if the user logs with another session active, the SSO close the previous one
comments	String	-	Yes	Comments about the user
userType	String	Yes	Yes	User type assigned to the user. by default "I"	New use types could be created in the IAM Console (Administration > Configure Soffid > Global settings > User type)
profileServer	String	Yes	Yes	Server which hosts the user profile	It is linked to Roaming UserProfile on Active Directory Servers are managed in the IAM Console (Administration > Resources > Hosts) In the installation of Soffid a "null" server is created to be used by default
homeServer	String	Yes	Yes	Server which hosts the user folder	It is linked to Home Drive attribute on active directory Servers are managed in the IAM Console (Administration > Resources > Hosts) In the installation of Soffid a "null" server is created to be used by default
mailServer	String	Yes	Yes	Server which hosts the user mail	Servers are managed in the IAM Console (Administration > Resources > Hosts) In the installation of Soffid a "null" server is created to be used by default
nationalID	String	-	Yes	ID card of the user	For example the NIF or NIE
phoneNumber	String	-	Yes	Phone number of the user (company or personal)
mailAlias	String	-	Yes	Lisf of mails separated by comma
mailDomain	String	-	Yes		The domain of the mails must be valid Mail domains are managed in the IAM Console (Administration > Resources > Mail Domains)
primaryGroup	String	Yes	Yes	ID of the primary group where the user is assigned	Groups are managed in the IAM Console (Administration > Resources > Groups)
primaryGroupDescription	String	-	Yes	Description of the primary group where the user is assigned	Groups are managed in the IAM Console (Administration > Resources > Groups)
consoleProperties	ConsoleProperties id (Long) userName (String) lastLoginDate (Calendar) version (String) bookmarks (Collection<String>) preferences (Map) lastIP (String) language (String)	-	-	Internal properties for the IAM Console	These properties are created the first time the user access to IAM console
password	String	-	Yes	Password used with the userName to access applications	Password is not returned in the searches, is only used in PATCH and PUT methods
attributes	Map<String, Object> "attribute" : "value"	-	Yes	Additional data assigned to the user	Attributes are managed in the IAM Console (Administration > Configure Soffid > Global Settings > Metadata) Values are managed in the IAM Console (Administration > Resources > Users)
meta	ScimMeta resourceType (String) created (Date) lastModified (Date) location (String)	-	-	Additional information recommended in SCIM definition: resourceType: Resource requested (in this case "User") created: user creation date lastModified: last modification date of any user attributes location: URL tof the resource (<domain>/webservice/scim/User/<i	These attributes are returned in the response These attributes are not updatable
secondaryGroups	List<JsonSecondaryGroup> id (Long) group (String) groupDescription (String)	-	Yes	Secondary groups assigned to the user: id: id of the group group: name of the group (unique) groupDescription: description of the group	Groups are managed in the IAM Console (Administration > Resources > Groups) Secundary groups are managed in the IAM Console (Administration > Resources > Users)
accounts	List<JsonAccount> id (Long) name (String) system (String)	-	Yes	Accounts created to the user to access to applications: id: id of the account name: name of the account (unique) system: system to assign access	Accounts are managed in the IAM Console Administration > Resources > Users, Account tab) Systems are managed in the IAM Console (Administration > Resources > Information Systems)

Full JSON example

{
  "lastName": "Smith",
  "createdByUser": "admin",
  "mailServer": "null",
  "mailDomain": "soffid.com",
  "nationalID": "",
  "multiSession": false,
  "modifiedByUser": "admin",
  "id": 1188,
  "homeServer": "null",
  "primaryGroupDescription": "World",
  "primaryGroup": "world",
  "comments": "Sample user",
  "profileServer": "null",
  "secondaryGroups": [
    {
      "groupDescription": "Enterprise",
      "id": 12353,
      "group": "enterprise"
    },
    {
      "groupDescription": "Engineering team",
      "id": 12347,
      "group": "engineering"
    }
  ],
  "active": true,
  "fullName": "John Smith",
  "userName": "jsmith",
  "mailAlias": "jsmith@soffid.com, jsmith.dev@soffid.com",
  "firstName": "John",
  "createdDate": "2017-08-04T15:04:37+02:00",
  "phoneNumber": "666777888",
  "meta": {
    "created": "2017-08-04T15:04:37+02:00",
    "location": "http://<domain>/webservice/scim/scim2/v1//User/1188",
    "lastModified": "2017-08-18T16:52:38+02:00",
    "resourceType": "User"
  },
  "modifiedDate": "2017-08-18T16:52:38+02:00",
  "attributes": {
    "employeeId": "1234",
    "position": "Developer"
  },
 "middleName": "",
 "accounts": [
    {
      "system": "soffid",
      "name": "jsmith",
      "id": 12453
    }
  ],
  "userType": "I",
  "shortName": "jsmith"
}

/Group

Dictionary table

~~Attribute~~	~~Type~~	~~Required~~	~~Updatable~~	~~Description~~	~~Additional comment~~
id	~~Long~~	~~Yes~~	-	~~Primary key of the group~~
~~name~~	~~String~~	~~Yes~~	~~Yes~~	~~Name used to identify a group~~	~~Name must be unique~~
~~quota~~	~~String~~	-	~~Yes~~	~~Quota allocated to the shared folder~~
~~description~~	~~String~~	-	~~Yes~~	~~Description of the group~~
~~parentGroup~~	~~String~~	-	~~Yes~~	~~Name of the parent group~~	~~Only the root group doesn't have value.~~ ~~The groups have a tree structure.~~
~~type~~	~~String~~	-	~~Yes~~	~~ID of the organizational unit type~~	~~Organizational units type are managed in the IAM Console (Administration > Configure Soffid > Global Settings > Group Type)~~
~~driveLetter~~	~~String~~	-	~~Yes~~	~~Drive letter used to get access to this group's drive~~	~~This shared folder can be mounted on ESSO hosts by using a startup script~~ ~~Only one character are allowed~~
~~driveServerName~~	~~String~~	-	~~Yes~~	~~File server to store this group's drive~~	~~Only applies when used in combination with shared folder agents and script logons. If specified, a shared folder for this group will be created.~~
~~obsolete~~	~~Boolean~~	-	~~Yes~~
~~organizational~~	~~Boolean~~	-	~~Yes~~
~~section~~	~~String~~	-	~~Yes~~
~~meta~~	~~ScimMeta~~ ~~resourceType (String)~~ ~~created (Date)~~ ~~lastModified (Date)~~ ~~location (String)~~	-	-	~~Additional information recommended in SCIM definition:~~ ~~resourceType: Resource requested (in this case "Group")~~ ~~created: user creation date~~ ~~lastModified: last modification date of any user attributes~~ ~~location: URL tof the resource <domain>/webservice/scim/Group/<id>~~	~~These attributes are returned in the response~~ ~~These attributes are not updatable~~
~~attributes~~	~~Map<String, Object>~~ ~~"attribute" : "value"~~	-	~~Yes~~	~~Additional data assigned to the group~~	~~Attributes are defined in the IAM Console (Administration > Configure Soffid > Global Settings > Metadata)~~ ~~Values are managed in the IAM Console (Administration > Resources > Groups)~~

Full JSON example

{
  "organizational": true,
  "driveLetter": "G",
  "obsolete": true,
  "description": "Enterprise engineering team",
  "section": null,
  "type": null,
  "meta": {
    "location": "http://<domain>/webservice/scim/Group/11345",
    "resourceType": "Group"
  },
  "quota": "0",
  "name": "Engineering team",
  "parentGroup": "enterprise",
  "attributes": {},
  "id": 11345
}

/Account

Dictionary table

~~Attribute~~	~~Type~~	~~Required~~	~~Updatable~~	~~Description~~	~~Additional comment~~
id	~~Long~~	~~Yes~~	-	~~Primary key of the account~~
~~name~~	~~String~~	~~Yes~~	~~Yes~~	~~Name used to identify the account~~
~~description~~	~~String~~	-	~~Yes~~	~~Description of the account~~
~~type~~	~~AccountType~~	~~Yes~~	~~Yes~~	~~Acount Type. Values [ U \| S \| P \| I ]~~	~~U=user, S=shared, P=privileged, I=Ignored~~ ~~To create a user type account, a single user must be specified in ownerUsers attribute~~
~~system~~	~~String~~	-	~~Yes~~	~~System to assign access~~	~~Systems are managed in the IAM Console (Administration > Resources > Information Systems)~~
~~lastUpdated~~	~~Calendar~~	-	No	~~Last time the account has been updated~~
~~lastPasswordSet~~	~~Calendar~~	-	No	~~Last time the password of the account has been setted~~
~~passwordExpiration~~	~~Calendar~~	-	No	~~Expiration date of the password of the account~~
~~disabled~~	~~boolean~~	-	~~Yes~~	~~Account active (false) or disabled (true)~~
~~passwordPolicy~~	~~String~~	-	No	~~User type assigned to the account as a user. By default "I"~~	~~New user types could be created in the IAM Console (Administration > Configure Soffid > Global Settings > User types)~~
~~vaultFolderId~~	~~Long~~	-	No
~~vaultFolder~~	~~String~~	-	No
~~inheritNewPermissions~~	~~boolean~~	-	No
~~loginUrl~~	~~String~~	-	No
~~attributes~~	~~Map<String, Object>~~	-	~~Yes~~	~~List of values of the metadata attributes of the agente of the account~~
~~grantedGroups~~	~~Collection<Group>~~	-	~~Yes~~	~~List of groups assigned to an account~~
~~grantedUsers~~	~~Collection<User>~~	-	~~Yes~~	~~List of users assigned to an account~~
~~grantedRoles~~	~~Collection<Group>~~	-	~~Yes~~	~~List of roles assigned to an account~~
~~managerGroups~~	~~Collection<Role>~~	-	~~Yes~~	~~List of groups assigned to an account as managers~~
~~managerUsers~~	~~Collection<User>~~	-	~~Yes~~	~~List of users assigned to an account as managers~~
~~managerRoles~~	~~Collection<Role>~~	-	~~Yes~~	~~List of roles assigned to an account as a managers~~
~~ownerGroups~~	~~Collection<Group>~~	-	~~Yes~~	~~List of groups assigned to an account as owners~~
~~ownerUsers~~	~~Collection<User>~~	-	~~Yes~~	~~List of users assigned to an account as managers~~
~~ownerRoles~~	~~Collection<Role>~~	-	~~Yes~~	~~List of roles assigned to an account as managers~~
~~password~~	~~String~~	-	~~Yes~~	~~The password of the account~~
~~roles~~	~~List<Role>~~ ~~id (Long)~~ ~~roleName (String)~~ ~~roleDescription (String)~~ ~~informationSystemName (String)~~ ~~domainValue (String)~~	-	~~Yes~~	~~List<Role> → list of the roles assigned to the account~~ ~~id: id of the role~~ ~~roleName: role name of the role~~ ~~roleDescription: role description of the role~~ ~~informationSystemName: application where the role is assigned~~ ~~domainValue: domain value (if exists)~~
~~meta~~	~~ScimMeta~~ ~~resourceType (String)~~ ~~created (Date)~~ ~~lastModified (Date)~~ ~~location (String)~~	-	-	~~Additional information recommended in SCIM definition:~~ ~~resourceType: Resource requested (in this case "Account")~~ ~~created: user creation date~~ ~~lastModified: last modification date of any user attributes~~ ~~location: URL to the resource <domain>/webservice/scim/Account/<id>~~	~~These attributes are returned in the response~~ ~~These attributes are not updatable~~

Full JSON example

{
  "description": "Admin Admin",
  "type": "U",
  "inheritNewPermissions": false,
  "disabled": false,
  "id": 69,
  "roles": [
    {
      "role": 30
    }
  ],
  "grantedUsers": []
  "grantedGroups": [],
  "grantedRoles": [],
  "managerGroups": [],
  "managerRoles": [],
  "managerUsers": [],
  "ownerGroups": [],
  "ownerRoles": [],
  "ownerUsers": [],
  "passwordPolicy": "I",
  "system": "soffid",
  "meta": {
    "location": "http://<domain>/webservice/scim/Account/69",
    "resourceType": "Account"
  },
  "name": "admin",
  "attributes": {},
}

/Application (addon version 1.2.0+)

Dictionary table

~~Attribute~~	~~Type~~	~~Required~~	~~Updatable~~	~~Description~~	~~Additional comment~~
id	~~Long~~	~~Yes~~	-	~~Primary key of the application~~
~~name~~	~~String~~	~~Yes~~	~~Yes~~	~~Name used to identify the application~~
~~description~~	~~String~~	-	~~Yes~~	~~Description of the application~~
~~singleRole~~	~~boolean~~	No	~~Yes~~	~~true to enforce no user has two roles in this application at the same time~~	~~Setting the value to true does not automatically remove currently assigned roles.~~
~~bpmEnforced~~	~~boolean~~	No	~~Yes~~	~~Set to true if the user can request this role through the self service interface~~
~~database~~	~~String~~	No	~~Yes~~	~~Target system~~	~~Free text field~~
~~attributes~~	~~Map<String, Object>~~	-	~~Yes~~	~~Custom application attributes~~	~~Define new custom attributes (Administration > Configure Soffid > Global Settings > Metadata)~~
~~meta~~	~~ScimMeta~~ ~~resourceType (String)~~ ~~location (String)~~	-	-	~~Additional information recommended in SCIM definition:~~ ~~resourceType: Resource requested (in this case "Application")~~ ~~location: URL tof the resource <domain>/webservice/scim/Account/<id>~~	~~These attributes are returned in the response~~ ~~These attributes are not updatable~~

Full JSON example

{
    "description": "Active Directory",
    "singleRole": false,
    "bpmEnforced": false,
    "database": "ad",
    "meta": {
        "location": "http://bubu-thinkpad:8080/webservice/scim/Application/1573127",
        "resourceType": "Application"
    },
    "name": "ad",
    "attributes": {},
    "id": 1573127
}

/Role (addon version 1.2.0+)

Dictionary table

~~Attribute~~	~~Type~~	~~Required~~	~~Updatable~~	~~Description~~	~~Additional comment~~
id	~~Long~~	~~Yes~~	-	~~Primary key of the role~~
~~name~~	~~String~~	~~Yes~~	~~Yes~~	~~Name used to identify the role~~
~~description~~	~~String~~	-	~~Yes~~	~~Description of the role~~
~~system~~	~~String~~	~~Yes~~	~~Yes~~	~~Target system where the role exists~~
~~indirectAsignment~~	~~boolean~~	-	No	~~Flag that warns about roles granted by other roles~~
~~bpmEnforced~~	~~boolean~~	No	~~Yes~~	~~Set to true if the user can request this role through the self service interface~~
~~informationSystemName~~	~~String~~	~~Yes~~	~~Yes~~	~~Application that uses this role~~
~~password~~	~~boolean~~	No	~~Yes~~	~~Set to true if the access to this role is protected by a password~~	~~Usually applies only to Oracle database roles~~
~~enableByDefault~~	~~boolean~~	No	~~Yes~~	~~Set to true if the access to this role is enabled by default~~	~~Usually applies only to Oracle database roles~~
~~domain~~	~~Json object~~	~~Yes~~	~~Yes~~	~~Domain that drives how this role is granted to users.~~	~~Domain attributes:~~ ~~name (SENSE_DOMINI for roles with no domain, another value for custom domains)~~ ~~description: domain description~~ ~~externalCode: application name~~
~~approvalStart~~	~~Date~~	-	No	~~Last change timestamp~~
~~approvalEnd~~	~~Date~~	-	No	~~Approval timestamp~~	~~If no approval definition workflow is defined, it contains the last change timestamp~~
~~attributes~~	~~Map<String, Object>~~	-	-	~~Custom application attributes~~	~~Define new custom attributes in the "additional data" screen.~~
~~ownedRoles~~	~~Collection<RoleGrant>~~	No	~~Yes~~	~~Contains the roles to grant with this role~~	~~Role grant attributes:~~ ~~informationSystem: application name~~ ~~ownerRole: optional~~ ~~owner role id~~ ~~ownerRoleName: optional name of owner role~~ ~~ownerRolDomainValue: domain value of owner role (optional)~~ ~~ownerSystem: optional system of owner role~~ ~~mandatory: true to set the relationship as mandatory~~ ~~enabled: true if the grant is already approved~~ ~~roleName: owned (child) role name~~ ~~system: system of owned (child) role~~ ~~domainValue: domain value for owned (child) role~~
~~granteeGroups~~	~~Collection<RoleGrant>~~	No	~~Yes~~	~~Contains the groups that are granted with the current role~~	~~Role grant attributes:~~ ~~informationSystem: application name~~ ~~ownerGroup: group name~~ ~~mandatory: true to set the relationship as mandatory~~ ~~enabled: true if the grant is already approved~~ ~~roleName: owned (current) role name~~ ~~system: system of owned (current) role~~ ~~domainValue: domain value for owned (current) role~~
~~ownerRoles~~	~~Collection<RoleGrant>~~	No	~~Yes~~	~~Contains the roles that grant the current one~~	~~Role grant attributes:~~ ~~informationSystem: application name~~ ~~ownerRole: optional~~ ~~owner role id~~ ~~ownerRoleName: mandatory name of owner role~~ ~~ownerRolDomainValue: domain value of owner role (optional)~~ ~~ownerSystem: mandatory system of owner role~~ ~~mandatory: true to set the relationship as mandatory~~ ~~enabled: true if the grant is already approvedroleName: owned (current) role name~~ ~~system: system of owned (current) role~~ ~~domainValue: domain value for owned (current) role~~
~~meta~~	~~ScimMeta~~ ~~resourceType (String)~~ ~~location (String)~~	-	-	~~Additional information recommended in SCIM definition:~~ ~~resourceType: Resource requested (in this case "Role")~~ ~~location: URL tof the resource <domain>/webservice/scim/Role/<id>~~	~~These attributes are returned in the response~~ ~~These attributes are not updatable~~

Full JSON example

 {
    "approvalEnd": "2019-11-01T19:22:14+01:00",
    "ownedRoles": [
        {
            "informationSystem": "TEST",
            "ownerRole": 34,
            "roleId": 5794,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "TestRole",
            "hasDomain": false,
            "id": 1207155,
            "ownerRoleName": "SOFFID_ADMIN",
            "status": {
                "value": "A"
            }
        },
        {
            "informationSystem": "SOFFID",
            "ownerRole": 34,
            "roleId": 50247,
            "mandatory": true,
            "enabled": true,
            "ownerSystem": "soffid",
            "system": "soffid",
            "roleName": "test2",
            "hasDomain": false,
            "id": 2209016,
            "ownerRoleName": "SOFFID_ADMIN",
            "status": {
                "value": "A"
            }
        }
    ],
    "indirectAssignment": "",
    "description": "SOFFID Administrator",
    "granteeGroups": [],
    "bpmEnforced": false,
    "informationSystemName": "SOFFID",
    "password": false,
    "system": "soffid",
    "ownerRoles": [],
    "meta": {
        "location": "http://bubu-thinkpad:8080/webservice/scim/Role/34",
        "resourceType": "Role"
    },
    "domain": {
        "name": "SENSE_DOMINI",
        "description": ""
    },
    "name": "SOFFID_ADMIN",
    "approvalStart": "2019-11-01T19:22:14+01:00",
    "attributes": {},
    "id": 34,
    "enableByDefault": true
}

Notes about role domains

By default, roles have no security domain (sometimes referred to as scope). When a security domain is assigned to a role, each account-role object is tagged with the proper security domain value. It is allowed to assign one role multiple times to the same user, as long as each assignment is tagged with a different security domain value. For instance, one can create the SOFFID_OU_MANAGER role bound to the GROUPS security domain. Then, you can assign the role SOFFID_OU_MANAGER/Group1 to any user.

~~Four kinds of security domains are available:~~

~~SENSE_DOMAIN: No security domain applies.~~

~~GROUP: A business unit is bound to each grant of this role.~~

~~APPLICATION: A information system is bound to each grant of this role.~~

~~Custom domain: Each application can have its own security domains with arbitrary meanings.~~

~~To set or modify the role domain for a role, one can use the "domain" attribute. This attribute is a complex object composed of a name and a description. Only the name is mandatory.~~

Notes about role inheritance

~~Role inheritance is driven by the ownedRoles, ownerRoles and ownedGroups. Each of these attributes is an array of grants. Each grant has the following attributes:~~

~~ownerRole: id of owner role.~~

~~ownerSystem: name of owner role's system.~~

~~ownerRoleName: name of owner role's name.~~

~~ownerRolDomainValue: security domain of the owner role. If a user is granted with the owner role, and the~~

~~ownerRolDomainValue does not match the grant domain, the inheritance rule does not apply.~~

~~roleId: id of owned role.~~

~~system: name of owned role's system~~

~~roleName: name of owned role's name~~

~~domainValue: security domain of the owned role.~~

~~The role inheritance can vary slightly depending on whether the owned role and the owner role are in the same domain or not:~~

~~Resulting domain value~~	~~Owner role has no domain~~	~~Owner role has a different domain~~	~~Same domain~~
~~Domain value not specified~~	~~Blank~~	~~Blank~~	~~Owner role domain value~~
~~Domain value specified~~	~~Specified value~~	~~Specified value~~	~~Specified value~~