Soffid 3 Reference guide

Reference Guide Soffid 3

• 🔎 Overview
• Self service portal
• Introduction to Self Service Portal
• My tasks
• My issues
• My applications
• My requests
• Process Search
• My accounts
• My OTP devices
• My certificates and FIDO tokens
• My Profile
• Global settings
• Tenants
• Plugins
• Look & feel
• Soffid parameters
• User Type
• Group Type
• Metadata
• User backup configure & restore
• Configuration wizard
• Export settings and objects
• Import settings and objects
• Security settings
• Authorizations
• Authentication
• Password policies
• Configure PAM session servers
• PAM Rules
• PAM Policies
• Password recovery configuration
• OTP settings
• XACML Policy Management
• XACML PEP configuration
• Digital certificates
• Recertification policies
• Issue policies
• Resources Management
• Users
• Groups
• Accounts
• Roles
• Information systems
• Role assignment rules
• Segregation of Duties (SoD)
• Networks
• Hosts
• Printers
• Mail Domains
• Mail List
• Application access tree
• Password vault
• Custom objects
• Integration Engine
• Smart engine settings
• Agents
• Synchronization servers
• Account naming rules
• Attribute translation tables
• Soffid Objects
• Sample scripts
• Utility classes
• Network discovery
• Tools
• Clear redundant roles
• Disable inactive users
• Disable inactive accounts
• Role mining
• Monitoring and reporting
• Sync server monitoring
• Scheduled tasks
• Scheduled jobs
• Audit
• Access logs
• Sessions
• Console log
• Privileged accounts dashboard
• Search in PAM recordings
• Issues
• Common actions
• Search Types
• Column Selector
• Download CSV file & Import
• Bulk actions
• Issue Actions
• Textual Index
• Textual Index
• Operation
• Lucene - Query Parser Syntax

🔎 Overview

Introduction

The Soffid 3 reference guide wants to present all the functionality contained in version 3 of the Soffid Console, explaining the functionality of all the screens and the functionality of each of them.

The documentation is organized as the options menu of Soffid Console, to try to facilitate access and comprehension of the information.

For each screen we try to define the following attributes:

• Description: a brief description of the screen functionality.
• Screen overview: an overview of the functionality.
• Related objects: list of the related objects and a link to view the object documentation.
• Custom attributes: attributes of the screen and the associated functionality.
• Actions: operations that the users could perform on the page.

Functionality

Self-service portal

Soffid Console provides the Self-Service Portal, where the end-users can consult or change their credentials, request new permissions or access to applications, manage their profile, or launch applications. All from a single point of entry. 

Another purpose of the Self-Service Portal is to reduce the workload of the IT department, as well as improve the overall security of the IT system. 

Global settings

Global settings refer to configuration options or preferences that apply to the entire system. These settings are typically established by administrators or developers and are used to define the behavior and functionality of the system.

Security settings

Resources management

Integration engine

Monitoring and reporting

Self service portal

Introduction to Self Service Portal

What is Self-Service Portal?

Soffid Console provides the Self-Service Portal, where the end-users can consult or change their credentials, request new permissions or access to applications, manage their profile, or launch applications. All from a single point of entry. 

Another purpose of the Self-Service Portal is to reduce the workload of the IT department, as well as improve the overall security of the IT system. 

Soffid allows administrator users to configure access to the different options depending on the end-users roles defined to use Soffid. In this way, end-users will be able to access the Self-Service Portal to manage their own requirements always depending on the defined business processes.

Screen overview

Brief description of each option

My tasks

My tasks display all the tasks in which the user is involved, like a supervisor, manager, o person how has to approve or deny that task. 

Visit My Task page

My request

My requests display all the processes or workflows that the user will be able to run, and the option allows the user to consult the status of the requests.

The Query request status displays all the processes that the user has initiated and allows the user to consult all the information about the workflow.

Visit My Request page

Process Search

That functionality allows to users search for processes initiated or requested by themselves. Here the users will be able to consult all the information related to the processes and their status and if there are any pending tasks to be completed. If there are pending tasks, the user will be able to browse the task and manage it.

Administrator users will be able to consult all the information about all the processes which have been executed by any user.

Visit the Process search page

My Applications

My applications display all the corporate applications and third-party applications as well to which the user has permission to connect. Those applications have to be configured into Soffid Console

The password vault folder will be displayed as well. In this folder, the users will be able to find the shared accounts on the Soffid vault folder and will be able to save their personal accounts.

Visit My Applications page

My Accounts

My Accounts display all the personal user accounts registered into Soffid Console and with which the user will log into the target system.

Visit My Accounts page

My authentication

My OTP devices

My OTP devices display all the OTP devices configured by the user and allow to the user config new ones.

Visit My OTP devices page

My certificates and FIDO tokens

My certificates and FIDO token display all the configured certificates and allow to the user config new ones.

Visit  My certificates and FIDO tokens page

My Profile

My Profile allows to end-users config their own profile, update the user info and preferences, change the password, and recovery questions.

Visit My Profile page

My tasks

Description

Displays the task in which the user is involved like a supervisor, manager, o person how has to approve or deny that tasks.

My task provides information about the process, the task, the start and due date and the asigned user. By clicking a record, it will be shown de task details and to perform actions will be allowed.

Manual tasks are assigned to named users, groups or roles.  Whatever strategy is followed, each one of the assigned users will see that task at their tasks page. 

You can differentiate tasks by their highlighted style:

• Normal: started task
• Highlighted Blue: due task
• Highlighted Bold: new task

The purpose of My tasks as a part of Self Service Portal is to reduce the workload of IT department, as well as improve overall security of IT system. Soffid console is concerned about task delegation and workflow management. 

Screen overview

Custom attributes

My Task List

• Process ID: unique process identifier in the system.
• Process: generic process name.
• Task: generic task name.
• Start Date: date and time when the process was started.
• Due Date: date and time when the process will finish.
• Assigned: user to whom the task is assigned

Task detail

Task

Shows information about the job done in this task. This information depends on the process launched.

Action Logs

The action logs tab shows basic information about the process and a list with the summary of all the successive phases through which the task has passed.

• Start date: date and time the task starts
• Last task date: date of last task update.
• End date: date and time the process ends.
• Status: shows the point of the task (pending, on going or End/Completed)
• Approve pending permissions: Summary of all the successive phases through which the task has passed, providing information on the start date and time of the phase, the user assigned, and the action that was done.

Attachments

Displays the documents attached to the task, in some cases, files are attached to the tasks.

Allows you to download those documents and to verify any digital signature attached to them. Some tasks even allow the user to upload documents.

Comments

Displays the comments list added during the business process execution. Displays the comments list added during the task execution providing information about the user who wrote the comment, the date and time of that writing, and the comment that was writed.

Actions

My task query actions

My task detail actions

My issues

Description

Soffid provides a tool to manage all issues and allows you to perform the operations available for each type of task. The actions to be performed will depend on each kind of task.

Screen overview

Standard attributes

• Issue type: issue list defined by Soffid.
• Description: a brief description of the issue.
• Status:  possible task status. There are three available statuses:
  • New
  • Acknowledged
  • Solved
• Created on: date of creation

Actions

Issues query action

Issue detail

account-created

disconnected-system

discovered-host

discovered-system

duplicated-user

failed-job

enabled-account-on-disabled-user

global-failed-login

integration-errors

locked-account

login-different-country

login-from-new-device

login-not-recognized

otp-failures

pam-violation

password-changed

permissions-granted

risk-increase

robot-login

security-exception

My applications

Description

My application is a part of a Soffid Self-service portal that allows end-users to start corporate applications and third party applications. Also,  the end-user can view and use the shared accounts available for the user defined on the Password vault.

Applications

That option shows to each user, all the Corporate and Third party Applications to which the user can connect and the applications with public access. These applications have to be configured on the Application Access Tree option by an administrator user.

For more information you can visit the Application access tree page.

Password Vault

My Applications option shows the PasswordVault folder. On the vault folder you can find two kind of folders, one a personal folder and other a shared folder. 

Inside the personal folder, you can create your own accounts, those accounts will not be shared with any other user. The shared folders could be used or managed by the owner/manager/SSO users.

For more information you can visit the Password vault page.

Screen overview

My requests

Description

Soffid provides a complete workflow engine that allows you to incorporate business processes or define new business processes as needed. End-users with the appropriate permissions will be able to request these processes. You can visit Self service portal examples page for more information.

My request screen allows to users: on the one hand, consult the processes they have executed and view the process details and status, Query request status; on the other hand, they will be able to execute the processes for which they have been assigned the proper permissions.

More information about process and workflows on BPM Editor Book

Screen overview

Query request status

Description

Displays a table with all the processes performed by the end-user. The end-user can consult processes detail and perform actions depending on the user permissions. You can visit Self service portal examples page for more information.

Custom attributes

• Process ID: unique process identifier in the system.
• Process Name: generic process name
• Status: displays the point in progress on the defined process diagram. Depend on the process status, you could perform some operations or others.
• Start date: date and time the process starts
• End date: date and time the process ends. A process without end date it is a process in progress

To view all the attributes of one process, you can access Process attributes to consult the custom attributes. Be in mind, the processes have custom attributes depending on the business process definition.

Actions

The operations to be performed depend on the user permission and the business processes defined with the workflow engine.

You can find documentation about the business processes on BPM Editor Book.

Query request status actions

Process actions

The actions to perform to each process, depend on the business process definition and the user permissions.

You can find more information about the most commons process actions if you go to Process detail actions

Process Search

Description

A process is a series of actions, connected by transitions. An action could be either an automatic action or a manual task.

Soffid console is concerned about task delegation and workflow management. Any user is able to create new processes or any user can be assigned as an actor for a task belonging to a process.

Process Search page allows users to search process by different criteria, to view the process details and to perform the proper actions depending on the user roles.

In order to view a task, a security constraint must be accomplished. The user must have granted the observer or administrator role on the specific project version or has been assigned as a potential actor of it at some time.

Screen overview

Custom attributes

Search attributes

The search can be performed by setting certain parameters, which are as follows:

• Search text: search by a certain text, as user name or application, etc.
• Process ID: all the processes have an assigned an identifier ID.
• Start date: allows you to establish a date range when the process was started.
• Include completed: by default, tasks that have not yet been completed are displayed. By marking this flag, those who have concluded will also be shown. If you marck this flag, you could select a date range about the End date of the process.

Process attributes

Each process has commons attributes and specific attributes depending on the business process definition.

You can find documentation about the business processes on BPM Editor Book

Commons process attributes

• Proces Id: each proces has an unique identifier.
• Name: shows process name and the versión of the addon you are using.

Other process information

• Specific process attributes: these attributes depend on the process definition.
• Work in progress: details the specific point in which the process and associated tasks are. You can find information about the process ID, the job description for each one of them, the start date and time, and the current status. The users with the proper roles could view the task details, browse and perform actions by clicking on it.
• Actions log: summary of all the successive phases through which the process has passed, providing information on the start date and time of the phase, the user (task manager) assigned, and the action that was done.Also when it is defined,  the diagram of the workflow is diplayed.
• Attachments:  in some cases, for example in massive user upload processes using a CSV file, files are attached to the process so that it can be executed. These files can be consulted, by downloading or opening them directly, from this page. Additionally, if needed, it is possible to see the certificates used by the process owner.
• Comments:  displays the comments added by the user who initializes or performs actions on the process.

Actions

Process query actions

Actions to be performed on the process list:

Process detail actions

Each process has a specific action defined on the business process definition.

You can find documentation about the business processes on BPM Editor Book

The most commons actions are below:

Work in progress actions

Attachments

My accounts

Description

My Account is a part of Soffid's self-service portal that allows end-users to access and manage their personal accounts. That option displays to each user, all their personal accounts and allows to set and query the password of each account.

Screen overview

Standard user attributes

• System: target sistem for which this account has been created
• System description: a brief description of the system.
• Name: user account name.
• Actions: available actions.

Actions

My OTP devices

Description

My OTP devices are part of a Soffid Self-service portal that allows end-users to access their OTP devices configured.

That option display to each user, all their OTP devices and also allows you to manage those and add new OTP devices.

This option will only be available if the OTP addon is installed in the Soffid console. Visit the Two factor authentication book for more information

Screen overview

Standard attributes

• Name: automatic name assigned to the OTP device
• Created: created date and time.
• Last use: last used date and time.
• Status
  • Created
  • Enabled
  • Locked
  • Disabled

Actions

My certificates and FIDO tokens

Description

My certificates and FIDO tokens are part of a Soffid Self-service portal that allows end-users to access their OTP devices configured.

That option displays to each user, all their certificates and FIDO tokens and allows also to manage those and add new certificates and FIDO tokens.

Screen overview

Standard attributes

• Type: there are two available options:
  • Certificate.
  • FIDO token.
  • Soffid Authenticator

Actions

My Profile

Description

My Profile is a part of a Soffid Self-service portal that allows to end-users config their own profile, update the user info and preferences, change their password, and recover questions.

To display My Profile page you need to click on the config icon and then click My Profile on the options menu. Then Soffid displays a new window that will allow end users to configure their profiles.

Screen overview

Basic tab

Change password

Authorizations tab

Application consents tab

Standard attributes

Basic

User Info

• Last login: date and time of the user's last login.
• Last IP connection: IP of the user's last login.
• Change password: allows end-users to change their password.
• Password recovery questions: allows end-users to config their own questions to recover their passwords.

For more info about password recovery, you can visit the Password recovery questions page.

Preferences

• Language: allows end-users to select their preferred language.
• Time Zone: allows end-users to select their time zone.
• Date format: allows end-users to select the format date.
• Sample: displays how the date will be displayed in Soffid Console
• Time format: allows end-users to select the format time
• Sample: displays how the time will be displayed in Soffid Console

Authorizations

Display a list with the user authorizations. 

• Role
• Authorization [domain value]
• Scope
• Domain value

Application consents

Displays a list of all the user's consents given, and the user can see all of them. Users can remove the consent at any time as well.

When the user connects to a new application, the IdP will indicate which data will be shared with this application. That information is defined in the Attribute sharing policies page of the Federation.

For more info about password recovery, you can visit the Attribute sharing policies page.

Global settings

Tenants

Definition

Soffid 3 is multi tenant. This means that one can configure many differente tenants to manage disjoints groups of identities and applications. 

Each Soffid object, including applications, systems, roles, users, and accounts are bound to a single tenant. 

Of course, there is a special tenant named master. Master tenant administrators can jump to any other tenant with administration privileges.

Soffid recommends connecting directly to the specific tenant to configure it correctly. You have more information about this topic in the Tenant access section.

Screen overview

Tenant properties

• Name: Set a short name for the tenant. 
• Description: Enter a long description for the tenant
• Enabled: Usually set to yes. If it's set to NO, no user will be able to log in to that tenant, and no provisioning or automated task will be ran on that tenant.
• Disabled permissions: By default, tenant administrator permissions are restricted, so they are not able to bypass tenant borders and access to other tenant information. To achive this, the following permissions are disabled by default, but some others can be added:
  • Open the tenants management page
  • Use the tenant micro-service
  • Manage sync servers
• Assigned sync servers: By default, the new tenant will not be able to use any sync server unless it is authorized to. So, one can create a sync server for a specific tenant that cannot be used by any other tenant.

Actions

The following actions can be performed on tenants:

Tenant access

Option 1

When users are connecting to Soffid console, the master tenant is displayed by default. In order to directly connect to any tenant, a DNS entry with the tenant name must be added to your DNS server.

For instance, if you have deployed a Soffid console with the DNS name soffid.mycompany.com, the DNS name test1.soffid.mycompany.com will be used to access to the test1 tenant.

Note that you must configure the hostName Soffid parameter in the master with your DNS name

Option 2

You can also configure the login page using the soffid.auth.showTenant Soffid parameter. If the parameter value is true, Soffid will display a new box in the login page to write the tenant name to login.

Plugins

Definition

Soffid provides you additional functionality that allows installing addons and server plugins. There are two main types of addons: system connectors and console addons.

You can download existing addons and plugins developed by Soffid by visiting http://download.soffid.com/download  or http://download.soffid.com/download/enterprise  if you have a Soffid user with authorization.

Addons and plugins can be developed using Addon Development Guide. 

An addon or plugin, must be upload into a Master tenant, the other tenant will inherit these installed addons and plugins.

System connectors

Also referred as plugins, there are little pieces of software able to manage identities on some type of systems. They can be generic plugins (SQL or LDAP plugins) or custom specific plugins.

The system connector is configured when the administrator creates an agent. An agent can be viewed as a configured instance of a plugin.

In order to upgrade existing (running) plugins, the synchronization server that hosts this plugin must be restarted from the system monitoring screen.

Console addons

Add important features to Soffid console. A console addon can contain common classes, data models, transactional services, web services, and web interfaces.

In order to apply addon changes, the console must be restarted. It can be restarted from this page by clicking on the restart console button.

From the addon management screen, you will be able to upload and upgrade server plugins, as well and enable or disable them.

Screen overview

Related objects

1. Tenants
2. Agents: is used to configure a system connector.

Standard attributes

• Plugin: identified name of the plugin or addon deployed.
• Version: version of the plugin or addon.
• Deployed by: user that deployed the addon or plugin.
• Date: date and time of the deployment.
• Enabled: if enabled is Yes, the plugin or addon will be available to use it.
• Components: component list that make up the plugin or addon.

Actions

Plugins query actions

Plugins detail actions

Look & feel

Definition

Soffid's Look & feel page allows you to adjust the Console styles to your organization.

In this configuration page, the customization of three sections is allowed:

• You can change the colors of the Soffid components and text.
• You can change the image of the logo that appears on the login page.
• You can change the image of the logo that appears in the header.
• Changes made on this page affect the entire Console.

Some changes may require updating the browser several times because some items are in the browser's cache.

Overview

Actions

Soffid parameters

Definition

Soffid allows you to customize the configuration of some attributes of the Console, Syncserver, connectors and add-ons.

There are several types of parameters.

• Informative parameters, such as the versions of internal components of Soffid.
• Parameters used as attributes in Soffid screens, such as the values of the look & feel fields.
• There are also parameters that can be modified, such as some configuration data for the synchronization server.
• There are new attributes that can be included to expand the functionality of Soffid, such as mail server data.

If you want to know the Soffid console version check the component.iam-core.version parameter.

Screen overview

Standard attributes

• Name: code used to identify the parameter.
• Value: parameter value.
• Network (optional): network to which this parameter would be assigned.
• Description (optional): a brief description of the parameter.

Actions

Soffid parameters query actions

"Parameter","Network","Value","Description"
"addon.backup.test","","",""

Soffid parameters detail actions

List of parameters sorted by functionality

Console

%2$s %3$s, %1$s  

Syncserver

Mail server

Job notifications

Syncserver provisioning

Addons

Federation

Exclude menu options

To exclude default menu options for all users of the Sofid console, the following steps can be followed

1. To exclude some menu options from your Soffid console, you must edit the system.properties file of this console. You can find this file in the following path: /opt/soffid/iam-console-3/conf/

2. Add the soffid.menu.hidden parameter to the system.properties file. The value of this parameter can be the menu options name that you can find in the console.yaml file.

3. Restart the Soffid console.

User Type

Description

User type is the way to categorize users and allows configuring different password policies. Those policies can be more or less restrictive depending on the user's risk. For instance, internal users (automatically created) are different from external ones.

Therefore, this field is very useful for the following cases:

• Sort or list the users on the user's page or in the reports
• Apply different password policies
• Apply restrictions on the synchronization of Soffid to the target systems
• Ease configuration in automatic rules or custom scripts

Be in mind that a user always must belong to a User Type.

Overview

Related objects

1. User: each user must be assigned a user type.
2. Account: the shared or privileged accounts also require having selected a user type to associate it with a password policy

Standard attributes

• Short name: internal code used to identify the user type.
• Description: brief description of the user type.
• Unmanaged: (yes|no) if unmanaged is Yes, users belonging to this category will not be propagated to final systems.  You must use it when you are developing a PoC.

Actions

User type query

User type detail

Group Type

Description

Companies are organized in different business units, departments or workgroups. In Soffid, they all are named as groups. These group can be categorized by a group type.

Group types can be used in the definition of Holder Groups. Some roles can be assigned to a user only through a group enabled for it. When a user no longer belongs to a group, it is not allow assign that role to the user.

A user always belongs to a user type, but groups do not necessarily have to belong a group type.

Related objects

1. Group
2. User

Standard attributes

• Name: name (or code) of the organizational unit.
• Description: description of the organizational unit.
• Role holder: (yes|no), when this attribute is active (yes), all the groups of this type of organizational unit could be assigned to a user as a domain of a role.

Role holder (and holder group)

In some organizations is necessary to assign roles that affect only a part of the structure, for instance, a department, a division or a country.

The role holder is the role that requires to be assigned to a group, and the holder group is the group that can be assigned role permission.

To configure correctly this functionality you have to apply the next steps:

1. Create at least one organizational unit with the role holder attribute active (yes).
2. Assign groups to the organizational unit (with the attribute type of the group).
3. Also, you can include new custom attributes to this membership relation, go to Metadata page and select the GroupUser to add these attributes.
4. In the soffid parameters page, create a new parameter named soffid.entitlement.group.holder. It can have one of these three values:
   1. Set to optional enables the operator to set a group as the group holder for any entitlement assignment.
   2. Set to always to enforce that any entitlement assignment must be bound to a holder group.
   3. Set to none to disable this feature

Now you can start to apply this configuration to the users:

• In the Users page, select a user.
• In the Groups tab, add a new group.
• In the Roles tab, add a new role and select the holder group in the optional scope.
• If the holder group column is hidden, you can add with the option Add or remove columns.

Actions

Group type query

Group type detail

Metadata

Description

The Metadata functionality allows expanding the Soffid objects, their attributes, and their data types. Also, it allows expanding custom objects.

By default, there is a list of built-in objects, but it is possible to create new custom objects and add new custom attributes to each of them.

It is usual to add custom attributes in the User built-in object to hold additional information.

Each attribute has a data type, it may be a basic type as a String (simple text), integer value, date, or something more complex as a reference to a custom object, or a popup to select a manager. In this way, one can build relationships between objects.

Screen overview

Related objects

Basically, there are two types of metadata objects. The built-in objects are part of the Soffid core and the custom objects as new objects.

built-in objects

The built-in objects are the objects that are part of the Soffid core. It can not be removed, but more custom attributes can be added.

The following objects are Soffid well-known objects that can be customized by means of this screen. All of them are tagged as Built-in objects.

1. Accounts
2. Application
3. Group
4. Host
5. Mail List
6. Role
7. User

Custom objects

The custom objects are the objects created by the administrator to extend the Soffid underlying data model. All of them are marked as  Built-in type No.

Each custom object type created by the administrator is displayed at the custom objects menu options. Unfortunately, all custom object types share the same icon.

Custom object attributes

• Name: name of the custom object. This field is mandatory.
• Description: a brief description of the custom object. This field is mandatory.
• Public object: if you select the Yes option, the object will be visible to all the users with the proper permissions. If you select the No option, you must indicate what roles can Read and what roles can Write this object.
• Write access: allows you to select the proper roles with permissions to write. This field is only displayed when the Public object value is No
• Read access: allows you to select the proper roles with permissions to read. This field is only displayed when the Public object value is No

For more information, you can visit the Custom Objects page.

Standard attributes

Object attributes

• Object type
• Description: a brief description of the object.
• Use textual index: allows you to check the Yes option if you want to use the Textual index for searching data in this object.

For more information, you can visit the Textual index page.

Attribute metadata

• Code: short name used by scripts and connectors to access the underlying information. It is suggested to use short names without blanks or special characters to make it easier to use.
• Label: text displayed just beside the attribute value. It is advised to use short descriptions in order to keep the screen cleaner.
• Data type: The attributes can have different data types
  • Basics
    • • String
      • Numeric
      • Password: a text that will be stored encrypted in the database. This field will never be displayed to the end user.
      • Binary: raw information, probably images or documents.
      • Boolean
      • Photo: an image that is displayed as a small image.
      • Date: a date with a calendar popup.
      • Date and time: a date and time with a calendar popup.
      • E-mail: a text with email format.
      • HTML: rich text.
      • Separator: a separator is a label to group attributes according to some criteria
      • SSO HTML input: used primarily for the web SSO engine includes an input field and a value.
  • Extensible built-in objects
    • • User
      • Account
      • Role
      • Group
      • Information System
      • Host
  • Other built-in objects 
    • • Group Type
      • User Type
      • Network
      • Mail domain
      • Mail list
      • Operating system
  • Custom objects: any other custom object created by the administrator.
• Description: text field to write a brief description of the attribute.
• Required: enabling this box will enforce the user to enter a value for this attribute at any object. Set no to allow objects without value. 
• Include in quick search: the system will find any object that contains all the words included in the text search at any of the most relevant attributes. For instance, a quick search of "John Joe" will find users named "Joe Johnson" or "Johnathan Joel" as the first and last marked to be included in the quick search. If you enable the quick search for any new attribute, the same query will find a user named "Joe Williams" whose new attribute value is "John".
• Prevent duplicated values: mark this field as a unique key for the object type. There is no chance of two objects with the same attribute value. Soffid smart engine will avoid the creation of duplicated objects.
• Multiple values: some attributes can contain multiple values for the same object. For instance, an attribute containing the languages a user can speak can be multi-valued, as a user can speak multiple languages.
• Maximum number of rows to display: when an attribute is multivalued, the screen size can grow a lot. To prevent such a big form, the system will only display a maximum number of values, and a scroll bar will appear to browse through the attribute values.
• Size: primarily for string attributes, specify the maximum length in characters of the attribute value.
• Values: primarily, for attributes of data type String, you can specify the allowed values for the attribute. Then, the text box to the data type String is replaced by a drop-down list. Also, you can define a "code:label" for the value, the "code" is used internally and the "label" is displayed in the drop-down list, e.g. "ESP:Spain".
• Administrator visibility: sets the maximum visibility level for administrators. If the visibility level is set to read-only, the administrator will not be allowed to modify it. If the visibility is set to hidden, the administrator will not be able to query it. A user is considered as administrator when has the role SOFFID_ADMIN.

  This field is only used in the user object.

• Operator visibility: sets the maximum visibility level for operators. If the visibility level is set to read-only, the operator will not be allowed to modify it. If the visibility is set to hidden, the operator will not be able to query it. A user is considered as an operator when has permission to open the users management page but lacks the role SOFFID_ADMIN.

  This field is only used in the user object.

• User visibility: sets the maximum visibility level for end-users. If the visibility level is set to read-only, the user will not be allowed to modify it. If the visibility is set to hidden, the user will not be able to query it. Mind that even an administrator is considered to be a user rather than an administrator or operator when accessing their own identity.

  This field is only used in the user object.

• Visibility expression: write an optional BeanShell expression to check if the field should be displayed or not. The expression should return true or false. The following variables are exposed to the expression:

  • ownerObject: current object owning the attribute.

  • value: current attribute value.

  • requestContext: tip about the screen using the attribute.

  • inputField: the ZK input object (ZK Framework). 

  • inputFields: a map to get access to any other ZK input object (ZK Framework).

  • serviceLocator: locator to use any Soffid engine microservice.

// Sample to enable company name attribute only when the user is of type E (external)
return "E".equals(ownerObject.userType);

• Validation expression: write an optional BeanShell expression to check if the field value is acceptable or not. The expression should return true if the value is acceptable. If the expression returns false or any other object, a warning message will be displayed. When the expression returns a string value, the return value will be considered the warning message to present to the end-user.  

  The following variables are exposed to the expression:

  • ownerObject: current object owning the attribute
  • value: current value to evaluate.
  • requestContext: tip about the screen using the attribute
  • inputField: the ZK input object (ZK Framework).
  • inputFields: a map to get access to any other ZK input object (ZK Framework).
  • serviceLocator: locator to use any Soffid engine microservice.

  
  

// Sample for checking birthDate is greater than 18 years old
c = java.util.Calendar.getInstance();
c.add(-18, c.YEAR);
if (birthDate == null || birthDate.before(c.getTime()) return true;
else return "Birth date should be before "+ new java.text.SimpleDateFormat().format(c.getTime());

• onLoad trigger:  write an optional BeanShell expression that will be executed just after preparing the user interface. The script can modify in any way the inputField object before it is displayed, but cannot modify other input fields.

  The following variables are exposed to the expression:

  • ownerObject: current object owning the attribute
  • value: current value to evaluate.
  • requestContext: tip about the screen using the attribute
  • inputField: the ZK input object (ZK Framework).
  • inputFields: a map to get access to any other ZK input object (ZK Framework).
  • serviceLocator: locator to use any Soffid engine microservice.

// Sample to set contract number attribute to read only if the attribute company is empty
// Place as an on-load trigger in the contract number field
if (ownerObject.attributes.get("company") == null || ownerObject.attributes.get("company").trim().isEmpty())
  inputField.setReadonly(true);
else
  inputField.setReadonly(false);

• onChange trigger: write an optional BeanShell expression that will be executed just after the user has changed the object value. The script can modify in any way the inputField object or any other input fields.

  The following variables are exposed to the expression:

  • ownerObject: current object owning the attribute.
  • value: current value to evaluate.
  • requestContext: tip about the screen using the attribute.
  • inputField: the ZK input object (ZK Framework).
  • inputFields: a map to get access to any other ZK input object (ZK Framework).
  • serviceLocator: locator to use any Soffid engine microservice.

// Sample trigger to set contract number attribute to read only when the company attribute gets empty
// Place as an on-change trigger in the contract field
contractField = inputFields.get("contractNumber");
if (value == null || value.trim().isEmpty())
  contractField.setReadonly(true);
else
  contractField.setReadonly(false);
contractField.invalidate(); // Redraw contract number field

......
inputFields.get("contractNumber").getValue();

• You can add a SCIM expression: exclusive for Soffid objects (users, groups, roles...). Write an optional SCIM query using the SCIM standard to filter valid results for a specific field.

You can access to SCIM Chapter for more information

Actions

Metadata query

Metadata object detail

Attribute metadata

User backup configure & restore

Description

On the User backup configure & restore page, you could search, check and restore the user's snapshots.

Main Menu > Administration > Configuration > Global Settings > User backup configure & restore

Screen overview

Custom attributes

• User Name: to identify the user.
• Valid since: date and time when the user changes were saved.
• Valid until: 
• Download: XML file with the user snapshot info.

Actions

Backup query actions

Configuration wizard

For more information, you can visit the Configuration wizard book 

Introduction

Soffid provides you a 360° perspective of the identities of your organization employees, providers and customers:

• Identity governance to manage the identities life-cycle
• Access management identifies your users accessing applications, including multi-factor authentication
• Privileged access management tracks usage and access of service and system management accounts
• Identity risk and compliance

Screen overview

For more information, you can visit the Configuration wizard book 

Export settings and objects

Description

Soffid has the functionality that allows you to export configuration, Soffid objects, and objects from target systems in a  ZIP file. Every object or configuration will be downloaded into the ZIP in a binary file. This ZIP file could be imported into another Soffid tenant to be used.

For more information, you can visit the Import settings and objects page.

Once you open the Export settings and objects, you must select the configuration, objects, and target system objects you want to export. Then you only need to click the Generate export file button to download the ZIP that will contain all the previous information selected.

It is not allowed to export the basic configuration and configuration parameters of an agent for security reasons. You must create them manually and make sure you put the same names as in the source system if you are going to import accounts.

Overview

Related objects

Configuration

• Metadata
• Plugins
• Business process definition
• Custom Scripts
• User types
• Group types
• Account naming rules
• Password policies
• Mail Domains
• Authorizations

Objects

• Users
• Information Systems
• Groups
• Hosts
• Networks
• Mail lists
• Role assignment rules
• Segregation of Duties
• Application access tree
• Custom objects

Target system objects

• Accounts
• Roles
• Granted permissions
• Attribute mappings
• Systems: if you select and target system object, you must also select the system.

Actions

Import settings and objects

Description

Soffid has the functionality that allows you to import configuration, Soffid objects, and objects from target systems from a  ZIP file. This ZIP file must be generated by the export action from another Soffid tenant.

For more information, you can visit the Export settings and objects page.

Once you pick the file to import, Soffid will display all the objects and configurations that you can load. You must select the proper objects and settings to import or enable the Load everything option. And finally, you must click the Proceed buttons to launch the import process. Once the process is finished, Soffid will display the result and allows you to download the log file.

It is not allowed to import the basic configuration and configuration parameters of an agent for security reasons. You must create them manually and make sure you put the same names as in the source system if you are going to import accounts.

Overview

Related objects

Configuration

• Metadata
• Plugins
• Business process definition
• Custom Scripts
• User types
• Group types
• Account naming rules
• Password policies
• Mail Domains
• Authorizations

Objects

• Users
• Information Systems
• Groups
• Hosts
• Networks
• Mail lists
• Role assignment rules
• Segregation of Duties
• Application access tree
• Custom objects

Target system objects

• Accounts
• Roles
• Granted permissions
• Attribute mappings
• Systems: if you select and target system object, you must also select the system.

Actions

Security settings

Authorizations

Definition

Soffid console provides a granular access control system. That granular control system allows the administrator user to assign granular permissions to roles. Be in mind that some permissions may inherit some other permissions.

You cannot assign permissions directly to users. Instead, permissions are assigned to roles and roles are assign to users, either directly or through grant inheritance.

The roles may be created into Soffid application system, but could also be included in any other application system.

Permissions are grouped into permission scopes. Most scopes are Soffid object types, but there are one special scope named Soffid, that applies to Soffid console web pages.

Addons can create their own authorizations that automatically will appear at this screen. When a new addon has been installed and applied, the first thing to do use to be assign permissions for this new addon. In fact, administrators won't be able to manage the addon unless the log out and log in to get the newly created permissions.

The permissions given to roles and the roles given to users are cached by Soffid. In order to reapply permissions, the user should close its session and log-in again

Screen overview

Related objects

1. Roles
2. Information system

Standard attributes

• Scope: scope of application.
• Name: name of the granular permission.
• Description: brief description of the granular permission.
• Roles: role list assigned to that granular permission.
• Description: role description 
• Information system: asset or application, from a functional point of view.
• Target system: target system name.
• Domain: the role is limited to that scope.

Actions

Authorization query action

Authorization detail actions

Authentication

Definition

Soffid could use different kinds of external authentication sources. These mechanisms could be selectively enabled or disabled.

Screen overview

Standard attributes

Global status

• Maintenance mode (only administrators can log in): if this option is checked (value is Yes), only the administrators could connect to Soffid Console.

• Message to display before logging in: administrators can configure a banner that will be displayed before the user logging in. This banner will display security advice.

• Session timeout in minutes:  time in seconds it takes for the console to display the message indicating that the session is being closed. If nothing is indicated, the session does not expire. (Available since console version 3.5.26)

Username and password

Internal

• Enabled: the only one enabled by default in the installation of Soffid. It is the internal username and password authentication mechanism. Therefore, the authentication is made with the username and password of the soffid account.

External

• Forward authentication requests to trusted target systems: to use external username and password sources. Therefore, the authentication is made with the username and password of an account of an external system.

Not all the external systems are included, only the ones that have marked the check "Trust password" on the agent. For more information about agents please visit the Agents page.

Once an agent is configured, Soffid will still use its internal tables to authenticate usernames and passwords.

If the password entered by the user does not match, the Soffid core will issue a "ValidatePassword" task for each trusted target system. If any of the trusted target systems accepts the password, it will be hashed and stored in Soffid tables and login will be accepted.

External SAML identity provider 

It should be noted this feature does not depend on the federation addon. That is a feature included by default in the Soffid smart engine to allow you to include in the authentication flow a mechanism to use a third-party SAML system.

• Enable: check it (select value Yes) to use an external SAML Identity Provider.
• Soffid Server host name: the URL that will be used by external IdP. This URL will be resolved by end user's browser in order to send the SAML assertion.
• SAML federation metadata: the URL where federation information can be found. If the Soffid console can fetch federation metadata, the Identity provider drop-down will be filled in with any identity provider found in the federation metadata URL.
• Cache limit (seconds): how often the federation information will be refreshed. By default, 10 minutes will be taken.
• Identity provider: Identity Provider to use for authentication.

Finally, download the Soffid Console and load it into your SAML Identity Provider federation.

If SAML Identity Provider is enabled, as well as username and password, the user will have the chance to select the preferred authentication method. Otherwise, if only SAML is enabled, the user will be automatically redirected to SAML Identity Provider.

Enable LinOTP integration

Soffid allows you to use an external OTP, LinOTP in this case. If you decide to use LinOTP, Soffid could be configured to request the user to authenticate using a second factor authentication to perform certain actions. In another case, you can use the Soffid OTP.

• Enabled: check it (select value Yes) to use an external SAML Identity Provider.
• LinOTP server URL:  URL of your LINOTP service.
• LinOTP admin username: username of the admin account used by Soffid.
• LinOTP admin password: password of the admin account used by Soffid.
• LinOTP users domain: the user's domain for LinOTP authentication. The selected user domain will guess the LinOTP username for any Soffid identity. It is extremely important when LinOTP users do not match Soffid usernames. Please visit the Account naming rules page for more information

If you want to configure the Soffid OTP you could visit Two factor authentication (2FA) chapter.

Second Factor Authentication configuration

This section requires to have the LinOTP integration enabled (previous section)

• Pages that optionally require OTP authentication for users with an enabled token: (Optional) If a URL optionally requires OTP authentication, and the user does not have any OTP token, access will be granted. Otherwise, if the user has an OTP token, the OTP value will be required, and no access will be allowed until the user provides the right token value.
  • You can include the list of pages to include the two factors only for the users with the token.

• • You can add a regular expression to determine the list of pages to always include the second factor to the users with the token

• Pages that require OTP authentication to any user: (Mandatory) You should include the list of pages to always include the second factor to the users with the token. Therefore, if a URL strictly requires OTP authentication, users with no token won't be allowed to use them.

• Second factor authentication period: number of seconds after that, a new OTP value will be required.

In both configurations, if OTP is required by the user, a popup requesting the token value is raised to write the OTP value.

Actions

Password policies

Definition

Password domain

Is a logical way of grouping managed systems that are sharing the same password for each account. If the administrator chooses to have the same password for every system, only one password domain should exist. If the administrator chooses to assign a different password for each system, then a password domain should be created for each managed system.

Password policies

Password policies allow you to define custom rules that passwords must comply with to enhance system security. For each password domain, Soffid allows you to create different password policies related to user type. It is only possible to define a single password policy for one password domain and one user type. 

There are two kinds of password policies.

• The first one is for user selected passwords. That is the default behavior.
• The second one is system generated passwords. These policies are useful for shared accounts when using Enterprise Single Sign-on.

A password policy will also define how often the password needs to be changed and how many days are allowed to change it.

Regarding password complexity, you can specify the minimum and the maximum number of lowercase letters, uppercase letters, numbers, and symbols, as well as password length.

The administrator users can define a regular expression that must match each password. This can be used, for instance, to ensure that the first password is not numeric.

It is allowed to create a list of forbidden words that cannot be used as passwords.

Screen overview

Related objects

1. Password domain
2. User Type

Standard attributes

Password Domain

• Code: password domain identifier code.
• Description: a brief description of the password domain.

Password policies

• Password domain: the password policy belongs to that password domain.
• User type: specific user type for which the password policy is created.
• Description: a brief description of the password policy.
• Password type: the king of policies password:
  • Entered by the user: that is the default behavior.
  • Automatically generated: these policies are useful for shared accounts when using Enterprise Single Sign-on.
• Change allowed: if it is checked, the user could change automatically generated passwords.
• Query allowed: if is checked, the user can view the current password.
• Valid period (days): the change of the password will be asked in that number of days. That option is available when you select the "Entered by the user" option.
• Minimum days for next change
• Grace period (days): additional days allowed to the valid period, for changing the password. That option is available when you select the "Entered by the user" option. 

• Renewal Time: added number of days to change the password. That option is available when you select the "Automatically generated" option.
• Length (min & max): added the number of days to change the password.
• Regular expression: the password must comply with that regular expression.
• Uppercase letters (min & max): min and max number of uppercase letters that be included on the password.
• Lowercase letters (min & max): min and max number of lowercase letters that be included on the password.
• Numbers (min & max): min and max number of numbers that be included on the password.
• Symbols (min & max): min and max number of symbols that are included on the password.
• Complexity: Similar operation to the same option in Active Directory. It is mandatory to use three different types of characters (uppercase, lowercase, numbers, and symbols), it is not allowed to use the user code, name, or surname.
• Passwords remembered: the number of passwords the system will remember.
• Forbidden words: list of forbidden words that may not be used to create a password if they are selected. It will be case insensitive.  For instance, there will be no distinction between "Soffid", "SOFFID", or "soffid".
• Lock after failures: the number of login attempts before blocking an account.
• Unlock after seconds: the number of seconds an account is blocked.

Actions

Password policies query actions

Password domain detail actions

Password policies detail actions

Configure PAM session servers

Definition

Soffid provides the functionality that allows you to configure the Jump servers. That option is located on

Main Menu > Administration > Configure Soffid > Security settings > Configure PAM session servers

To configure that functionality is mandatory to install PAM following the instructions of the PAM installation page.

A Jump server is the control point that forces users to log into that system first, then, they could traverse to other servers without having to log in again. The purpose of a jump server is to be the only gateway for access to your infrastructure reducing the size of any potential attack surface.

Screen overview

Related objects

• soffid-pam-store: storage server container
• soffid-pam-launcher: launcher container

Standard attributes

• Group name: name to identify the configuration. 
• Description: a brief description.
• User name: user name given at installation of PAM
• Password: password given at installation of PAM.
• URL: of the storage. The default port is 8081.
• Jump servers: list of jump servers. A URL of each jump server. The default port is 8082.

Actions

PAM Rules

Definition

Soffid allows you to define rules to detect commands executed on a server. When a user launches a command defined on a rule, Soffid will detect it.

To use those rules you need to define the PAM policies. For more information, you can visit the PAM policies page.

Screen overview

Keyboard example

Screen example

Standard attributes

• Name: name to identify the rule. 
• Description: a brief description of the rule.
• Type: rule type.
  • Keyboard: Indicate the command typed in the terminal that you want to control.
  • Screen: Indicate the text displayed in the screen that you want to control.
• Content: the content of the rule that Soffid will detect. Be in mind, that Soffid will consider blanks, returns, and all characters you type.
• Modified by: user who modified that rule.
• Modified on: the date and time of the update.

Actions

PAM rules query

PAM rules detail

PAM Policies

Definition

Privileged Access Management (PAM) policies are a set of guidelines and controls that dictate how privileged access is granted, managed, and audited within an organization.

Soffid allows you to define policies, those policies can be made up of several rules. For each rule, you could select the action to perform when Soffid detects that rule is accomplished.

To use those policies you need to define how policies will be used by each folder in the password vault. For more information, you can visit the Password Vault page. 

Screen overview

Standard attributes

• Name: name to identify the policy. 
• Description: a brief description of the policy.
• Modified by: user who modified that rule.
• Modified on: the date and time of the update.

When you save the standard attributes of a PAM policy and edit the policy again, the rule list will be shown. Here you can customize the policy depending on the existing rules.

• Rule list: show a list of the PAM rules defined. You can check/uncheck the available options. You can choose zero, one, or several:
  • Close session: when the rule is met, Soffid will close the session.
  • Lock account: when the rule is met, Soffid will lock the account.
  • Open issue: when the rule is met, Soffid will open an issue in the system (*).
  • Notify: when the rule is met, Soffid will send a notification about the action.

(*) You can visit the following page for more information about the issues:

https://bookstack.soffid.com/books/soffid-3-reference-guide/page/issue-policies https://bookstack.soffid.com/link/1153#bkmrk-pam-violation

Actions

PAM rules query

PAM rules detail

Password recovery configuration

Description

Soffid provides you the functionality that allows to the users recover their passwords. To do that, the admin user, o a user with the proper roles, must config the the password recovery parameters.

Screen Overview

Custom attributes

• Enable email recovery: if Yes is selected, it will allow password recovery through an e-mail sent to an authorized mailbox.
• Enable question&answer recovery: if Yes is selected, a question and control response will be requested.
• Enable OTP: if Yes is selected, an OTP will be required to recover the password. That OTP depends on the OTP settings configured into the Soffid Console and the OTP devices configured for the end-user.
• Enable SMS: if Yes is selected, an SMS will be send to recover the password.
• Preferred method: in case you select two or more previous options, this drop-drown will allow you to priorize one option over the others.
• Minimum number of filled-in questions: indicates the minimum number of user questions that must be have answered in the end-user's profile to can use this recover password method.
• Questions to answer to unlock: indicates the number of questions that must be formulated to the end-user to reset his password.
• Numer to answer to unlock: indicates the number of answers that must be answered by the end-user to reset his password.
• Allow to unlock account and keep the same password: allows to administrator user to unlock an end-user's  account and keep the same password.
• Enforce fill-in questions: allow on each access Soffid to check if the questions are answered. In case the questions have not been not answered, Soffid will display a window with the questions to answer or to config to the end-user depending on that value.
  • Disabled: allows you to disable that functionality.
  • Required: if this option is selected, the system will check if the user questions are answered correctly.
    If the user have not a required number of questions defined or he have not answered all his questions, the system will show the retrieve password questions page.
  • Optional: when this option is selected, the system will check the user questions but it will not show the retrieve password questions page if the user questions does not meet the configuration parameters.
• Email subject
• Email body
• URL for SMS service
• HTTP method for SMS
• HTTP body for SMS
• HTTP headers for SMS
• Response must contain
• User attribute to store phone number: user object attribute defined on the Metadata page to save the phone number.

Actions

OTP settings

Definition

The OTP settings allow the administrator users to configure the available OPT options. Soffid provides four different OTP implementations.

Main Menu > Administration > Configuration > Security settings > OTP settings

Screen overview

Standard attributes

Email

• Enabled: allows you to enable or disable the OTP implementation.
• Number of digits: number of digits of the PIN code that will be generated.
• Subject
• Body
• Number of failures to lock the token

To send an email, will be mandatory to fill in the value of the mail.from parameter. You can visit the mail server parameters.

SMS

• Enabled: allows you to enable or disable the OTP implementation.
• Number of digits: number of digits of the PIN code that will be generated.
• URL to send the SMS: enter the URL of your SMS provider rest service

https://www.xxxxxxx.com/cgi-bin/sms/http2sms.cgi?account=sms-bg490971-1&password=XXXXXXt&login=user&from=SOFFID&to=${PHONE}&message=This is your access PIN: ${PIN}&noStop&contentType=application/json&class=0

• HTTP Method: enter POST or GET depending on your provider documentation
• HTTP Header: optionally, you can add any HTTY header, including Basic or Bearer authentication tokens. The header must include the header name and header value. For instance:
  Authorization: Basic dXNlcjpwYXNzd29yZA==
• POST data to send Enter the body of the HTTP request
• Text to be present in the HTTP response: Soffid will check the response from your SMS Provider contains this text

"status":100

• Number of failures to lock the token

The URL and POST data to be sent, the administrator can use some tags that will be replaced by some target user attributes:

• ${PHONE}: The target phone number
• ${PIN}: The one-time password to be entered by the user
• ${userAttribute}: Any of the standard or custom user attributes, like ${fullName} or ${userName}

Voice (alternative to SMS)

• Enabled: allows you to enable or disable the OTP implementation.
• URL to send the SMS: enter the URL of your voice call provider rest service
• HTTP Method: enter POST or GET depending on your provider's documentation
• HTTP Header: optionally, you can add any HTTY header, including Basic or Bearer authentication tokens. The header must include the header name and header value. For instance:
  

  Authorization: Basic xxxxxxxxxxxxxxOUVCRS1DMzE0LTI3MzAtQkY0Qy05RDgwRTMyQUQ4OUY=
  Content-Type: application/json
  Accept: application/json

  
  
• POST data to send Enter the body of the HTTP request.

  Text to be present in the HTTP response: Soffid will check the response from your SMS Provider contains this text

The POST data to be sent, the administrator can use some tags that will be replaced by some target user attributes:

• • ${PHONE}: The target phone number
  • ${PIN}: The one-time password to be entered by the user
• Number of failures to lock the token

Time based HMAC Token

• Enabled: allows you to enable or disable the OTP implementation.
• Number of digits: number of digits of the PIN code that will be generated.
• Algorithm: allows you to select an HMAC algorithm.
• Issuer
• Number of failures to lock the token

Event based HMAC Token

• Enabled: allows you to enable or disable the OTP implementation.
• Number of digits: number of digits of the PIN code that will be generated.
• Algorithm: allows you to select an HMAC algorithm.
• Issuer
• Number of failures to lock the token

Security PIN

• Enabled: allows you to enable or disable the Security PIN implementation.
• Minimum PIN length: minimum number of digits that the PIN has to have.
• Number of digits from the PIN to ask: number of digits that Soffil will ask to verify the identity.
• Number of failures to lock the token

Actions

XACML Policy Management

Definition

The PDP, Policy Decision Point, is in charge of evaluating the defined rules. The Policy Decision Point is essentially a policy compiler. The PDP must verify that the specified rules are within the scope of the rule authors authority. The PDP provides the authorization to the PEP.

XACML Policy Management

The policy language is used to describe general access control requirements, and has standard extension points for defining new functions, data types, combining logic, etc. The request/response language lets you form a query to ask whether or not a given action should be allowed, and interpret the result.

Main Menu > Administration > Configure Soffid > Security settings > XACML Policy Management

It is possible to import an existing PolicySet into the system. The file to import must be a well-formed XML.

To know more about XACML, read XACML 2.0 Standard Specification

Related objects

• Policy set
• Policy
• Policy set reference
• Policy reference

https://www.oasis-open.org/committees/download.php/2713/Brief_Introduction_to_XACML.html

XACML PEP configuration

Description

The PEP, Policy enforcement point,  is a component of policy-based management, where enforce the policies. It is the component that serves as the gatekeeper to access a digital resource. The PEP gives the PDP, Policy Decision Point, the job of deciding whether or not to authorize the user based on the description of the user's attributes.

XACML PEP configuration

Soffid allows you to configure different policies enforcement points, each of then can use a different policy set.

Main Menu > Administration > Configure Soffid > Security settings > XACML PEP configuration

• Web Policy Enforcement Point
• Role centric Policy Enforcement Point
• Dynamic role Policy Enforcement Point
• External Policy Enforcement Point ( https://iam-sync-lab.soffidnetlab:1760//XACML/pep )
• Password vault Policy Enforcement Point ( https://iam-sync-lab.soffidnetlab:1760//XACML/vault )

Screen

Custom attributes

Custom attributes for each PEP:

• Enable XACML Policy Enforcement Point: select the Yes option to enable the PEP.
• Policy Set Id: policy set identifier.
• Policy Set Version: version of the policy set to enforce.
• Trace requests: select the Yes option to enable the trace.

Policies enforcement points

Web Policy Enforcement Point

The policy will be enforced when the user open a new Soffid page. Using this PEP you can define the rules to access to Soffid pages.

Role centric Policy Enforcement Point

The policy will be enforced when the user login into Soffid. It will calculate the user authorizations as of the permissions that the user has assigned.

Dynamic role Policy Enforcement Point

The policy will be enforced when the user performs an action to evaluate if the user has or not authorization. The user must have the proper role and comply with the XACML rule.

You can use that PEP to split the permissions, for instance, a support group can update the permission of a specific group of user, and another support group can update the permissions of another group of users.

(*) It is allowed to use "Attribute Selector" to configure Dynamic role policy,

External Policy Enforcement Point (https://iam-sync-lab.soffidnetlab:1760//XACML/pep)

PEP of general purpose. Calling the web service, the clients can made validations and figure out if the users have access.

Password vault Policy Enforcement Point (https://iam-sync-lab.soffidnetlab:1760//XACML/vault)

The policy will be enforced when the password vault is used.

Digital certificates

Definition

Soffid includes Digital certificate functionality as a security enhancement. You could add new Digital certificates, internal or external. If you select the external certificate, you could add a valid certificate to Soffid; If you select the internal certificate, Soffidl will generate a valid certificate.

Screen Overview

Internal

External

Standard attributes

Internal

• Organization name
• Expiration date: referring to the root certificate.
• Device certificate: Indicates if the certificate is for a device
• Certificate duration (months): Referring to users' certificates.

External

• Certificate: File .pk12
• Organization name
• Device certificate: Indicates if the certificate is for a device
• Script to guess the certificate owner: script to compute the user name. Can use the certificate and subject variables. Should return a valid user name.

Actions

Digital certificates query

New token

Recertification policies

Description

Soffid allows you to establish some policies to define the scope of the recertification process.

Menu option

Main Menu > Administration > Configuration > Security settings > Recertification policies

Screen overview

Custom attributes

• Name: name to identify the policy
• Type: list of available recertification types.
  • User entitlements: the recertification process will be conducted to review user access rights.
  • Role definitions: the recertification process will be conducted to review the relationship between roles.
  • Share account entitlements: the recertification process will be conducted to review access rights to shared accounts.
• Filter: this allows you to define a script to identify the grant list to which to apply the recertification process. The grant object (*1) is always available. You can use the Enumeration SoDRisk to compare:
  • SOD_LOW
  • SOD_HIGH
  • SOD_FORBIDDEN
  • SOD_NA
• Step 1 expression: this allows you to define a script to determine who is or are in charge to approve or deny the recertification process in the first level.
• Step 2 expression: this allows you to define a script to determine who is or are in charge to approve or deny the recertification process after the first level of approval.
• Step 3 expression: this allows you to define a script to determine who is or are in charge to approve or deny the recertification process after the second level of approval.
• Step 4 expression: this allows you to define a script to determine who is or are in charge to approve or deny the recertification process after the third level of approval.
• Mail Template: this allows you to define a template to send an email to the people in charge to approve or deny. Be in mind, that to work fine, the review process link must be ${url}

(*1) grant object is a com.soffid.iam.api.RoleAccount object.

Examples

Some sample scripts for the filters and approval steps are shown below

Filter

Return all grants with risk.

return grant.sodRisk != null 
	&& grant.sodRisk != es.caib.seycon.ng.comu.SoDRisk.SOD_NA;

Steps

account = serviceLocator.getAccountService().findAccountById(grant.accountId);
StringBuffer sb =  new StringBuffer();
for (owner : account.ownerUsers) {
  if (sb.length() > 0)
    sb.append(" ");
  
  sb.append(owner);
}
if (sb.length() > 0) 
  return sb.toString();
else 
  return "admin";

com.soffid.iam.api.Role role = serviceLocator.getApplicationService().findRoleByNameAndSystem(grant.roleName, grant.system);
StringBuffer sb =  new StringBuffer();
List owners = role.getAttributes().get("owner");
if (owners != null) {
	for (owner : account.ownerUsers) {
    	if (sb.length() > 0)
    		sb.append(" ");
        
        sb.append(owner);
	}
}

if (sb.length() == 0) 
	return "admin";
else 
	return sb.toString();

Mail template

Actions

 Recertification policies query

 Recertification policies details

https://download.soffid.com/doc/console/latest/uml/es/caib/seycon/ng/comu/SoDRisk.html

Issue policies

Definition

Soffid has defined automatic events by default. For each of these events, it is possible to define the tasks to be performed and configure them.

You can find this functionality in the following path:

Main Menu > Administration > Configuration > Security settings > Issue policies

The default events are the following;

Screen Overview

Related Objects

1. Roles
   

Standard attributes

• Issue type: by default, some issues type are defined in Soffid Console. 
• Description: a brief description of the issue.
• Action:
  • Ignore: the action will be ignored, and no additional actions will be run.
  • Record: the action will be recorded and an issue with the status Acknowledged will be created. The actions configured for the Acknowledged status will be run.
  • Manage: a new issue will be created in the New status and the action configured for this status will be run.
• Assigned role: the role who will be the owner of the created issues.
• Actions list: list of actions to be taken when this issue occurs. You can choose one or more actions from the list and configure them:
  • Issue status: it is used to determine the point when the action will be launched.
    • New.
    • Acknowledged.
    • Solved.
    • Solved - Not a duplicate.
  • Actions:  
    • Notify affected user: this allows you to configure an email that will be sent to the affected users.
    • Send custom email: this allows you to configure a custom email that will be sent to specific users.
    • Run script: allows you to type a script that will be performed
    • Look affected accounts: allows you to configure an email that will be sent to the owner user.
    • Look affected host.
    • Notify issue owner by email.
    • Acknowledge.
    • Start new process.: allows you to configure the workflow that will be run.
  • Description: a brief description of the action you are defining.

Note that it will be necessary to restart the Sync Server when changing the action of an issue.

Actions

Issue policies query action

Issue policy detail

Resources Management

Users

Description

The user is the core object of the system. In Soffid, a user means an identity (usually a person). Every user can have a number of accounts spread on different information systems.

In traditional system management, one can assign roles and permissions to accounts. Then, the administrator uses to grant the account to one single user. In Soffid you can have a global view of permissions assigned to any user. Being the user and the main management object, you have a more clear perspective in terms of operation, security, and end-user engagement.

It is important to know that dependency rules can be established between systems, so a user with a role or permission in one system will automatically be assigned a role or permission in another system, according to the system policies.

The administrator can also identify the potential users of shared or system management accounts. These accounts are managed in a slightly different way. See the Accounts and Password Vault pages for more information.

Sometimes is possible to find that there is any user with duplicated user data. To solve that problem, Soffid provides the merge functionality. That allows you to combine two user records, selecting the proper data to fix that situation.

Screen overview

Related objects

1. Groups
2. Account
3. Roles
4. User Type
5. Password domains
6. Audit
7. Logs 
8. Workflows

Standard user attributes

Basic

On the basic user tab, you can view all the user attributes. Other attributes can be customized in Soffid.

Common attributes

• User name: short name to identify the user. It uses can be either a name abbreviation, an employee Id, or a system generated number.
• First name: name of the user.
• Last name: first surname.
• Middle name: used like a second surname.
• Full name: firstName + lastName + middleName.

Mail service

• Internal eMail: this will be the mail address that will appear on outgoing emails from this user.
• Mail aliases: In this box, there will be a comma-separated list of mail addresses that will be forwarded to this user mailbox. It will you one to one aliases and one to many distribution lists.
• External email: additional external email.
• Mail server: select which server will host its user mail.

User status

• Enable: uncheck in order to prevent this user from logging into any system.
• Multi session: uncheck to prevent this user from using more than one device at a time. If the user logs into the system when another session is active, the single sign-on agent will manage it in order to close the first session before opening a new one. This checkbox is only effective when using Soffid ESSO
• Comments. 

Organization

• Type: identifies the password policy that is to be applied. More information on this link User Type.
• Primary group: select which organization unit this user belongs to.
• Home server: select which server will host its user folder. It is linked to the Home Drive attribute on Active Directory.
• Profile server: select which server will host its user profile. It is linked to Roaming UserProfile on Active Directory.
• Manager: select another user, who will be the manager 

Other

• NIF
• Phone

Audit information

• Created by: user who created it.
• Created on: when this one was created.
• Modified by: responsible for the user's last change.
• Modified last on: date of last user modification.

Groups

Your company is organized into different business units, departments, or workgroups. In Soffid, they all are named as groups. Some systems, like Active Directory, use groups to control or restrict resource access. A Soffid Group is more like an Active Directory OU.

On the group tab, you can manage all the groups that the user belongs to. Be in mind that all users have to belong to a Primary Group defined on the Basic user attributes.

By clicking on a record, Soffid shows group membership details. It is possible to change the group, and the start date and add comments.

It is also possible to assign a new membership by clicking the button with the add symbol (+), and revoking the group membership from the group details, or by selecting one or more records from the list and clicking the button with the subtraction symbol (-).

Accounts

An account is a way a user is presented on a target system.

On the accounts tab, you can view the accounts that belong to the user that is currently displayed, grouped by password domains. The account can be displayed in black or gray color. The gray color is used to indicate that the account is unmanaged, that is because the agent is disconnected or because the agent is in Read-Only Mode.

Soffid smart engine will automatically create, disable or remove user accounts depending on the system policies.

Also, you can manually add a new account for a specific system, rename an existing one, delete it or change its password. You can also see when the password was last set and its expected expiration date. Mind that you cannot change a single account password, as long as any password belongs to a password domain, so each password belonging to the same user and password domain will be changed at a time. When you apply user changes, automatically they will be forwarded to target systems.

Mind that Soffid smart engine can revert some of your changes if those changes are violating any system policy.

Each change made at the Soffid console is asynchronously replicated into the managed system. At the accounts tab, the administrator can check when each account was updated last. When the Soffid console notices there the replication process is failing, an exclamation sign will appear next to the account name.

When the settings for a managed system exclude a user to be replicated, no account will be created for him. In case the user was replicated and due to user attributes changes it should be excluded, its account will be disabled and it will appear with line-through style.

At the agent configuration screen, the administrator can configure when to create or enable user accounts depending on the user type or the group the user belongs to. When the settings for a managed system exclude a user, no account will be created for him. In case the account exists and due to user attributes changes it should be excluded, its account will be disabled and it will appear with line-through style.

Regarding automatic account creation, it's important to know that if a user needs an account with a name, based on the user domain configuration, and that such an account already exists as a shared or single user account, this account won't be created or assigned. Nevertheless, if such account already exists as an unmanaged account, this existing account will be assigned to the user along with their role grants.

By clicking on a record Soffid displays more accurate information about the account. It will be allowed to rename the account, change it, change the account status or delete the account (logic delete). Also, Soffid allows you to query the properties if the account on the target system. Finally, Soffid will display custom attributes defined for the specific agent on the agent "Account metadata"  tab, you can visit the Agent page for more information.

On the accounts tab, you can check the failed login attempts and if the account has been blocked, it is displayed until how long it has been blocked.

Roles

A role is a collection of permissions that can be granted to a user. With these permissions, the user will access to another system and perform some operations.

On the roles tab, you can assign or revoke roles to any user. Each role needs an account to be applied to. So, if a user has no account on a system and a role on that system is granted, a new account will be created on this system. In case a user has more than one account on a system, you should indicate which of the suitable accounts will be granted the role.

More and more, when the role should be scoped, the operator must select the right scope for the role. The scope and its allowed values are defined on the application management page.

By clicking on a record Soffid shows more information about the role, this information can not be updated. On this screen, you can browse through the different roles.

It is also possible to revoke the role to the user from the entitlement details or by selecting one or more records from the list and clicking the button with the subtraction symbol.

The roles list shows a column to display when there are risks with the roles assigned to the user. If you click on a record, Soffid will show the entitlement details including the SoD rules with the detail of the risk. 

For more information about SoD visit the  Segregation of Duties page.

Additionally, you can download a CSV file with the user's role information, or upload a CSV file to assign or revoke roles to the user.

Effective Roles

Hierarchy of permissions assigned to or inherited. 

This screen details the effective roles of the selected user. 

• By direct assignment of the role: when you assign a role to a user, you are assigning to the user all the permissions defined for that role.
• By belonging to a group: when you add a user to a group, the user will have all the roles assigned to the group
• By rules defined in the system: when a rule is satisfied for a user, the system assigns the roles defined in the rule to the user.

Shared accounts

Accounts that can be used by several users, those accounts can be privileged or shared.

On the shared account tab, you can see all shared user accounts. You can view information about the system, the account, the date of update, when was the last login, when the password was changed, and the expiration date.

By clicking on a record, you can browse the share account details page.

Sessions

On the sessions tab, you can view sessions opened by the user. Here will be displayed any open ESSO session, showing the host that has created the session and the host where the user is connected from, if applicable. The port number is the TCP/IP port number the ESSO session manager is listening to. It is used by the synchronization server to check for session validity.

ESSO Integration

Multi-session attribute: ESSO will prevent any user from having more than one session at a time unless it has the multisession attribute checked.

If ESSO detects the user trying to log in has an active session, it will do the following job:

• The previous session will be noticed of such a duplicate session.
• The new session will have the choice to:

  • Give up and not log in.

  • Wait until the previous session is closed.

  • Force the previous session to log out. If the user selects to close the remote session, the remote user will still have the chance to accept or reject such action.

No user with an active flag unchecked will be allowed to log in or use any system managed through ESSO.

User Processes

In the user processes tab you can view the business processes in which the user has been managed. It shows information about the process, the status process and when it was initiated and ended.

NOTE: Mind that this page does not show the business processes the user has acted.

Pending tasks

When a user has pending tasks, an icon will be appearing at the right corner. If the status of pending tasks is "Error", the icon will be a highlight alert icon, if the status is "Pending", the icon will be a wifi icon.

That window displays the most relevant task data, the task name, the agent that manages the task, the status task, and the schedule to will be executed, ... That pending task information is only available in consultation mode. 

Tokens

In the Tokens tab, you can manage the user tokens. You can add or delete the users' tokens. Currently, the available options are Certificate and FIDO token.

Certificate

If you select the certificate option, you only need to register the certificate description. Then Soffid will read the existing certificates registered into Soffid, at the Digital certificates page, and finally, Soffid will give you a p12 file and a password to install the certificate in the browser.

If there are no registered certificates, Soffid will not allow you to add new certificate tokens for any user.

FIDO token

If you select the FIDO token option, you need to full fill in the following data:

• Identity provider: You need to select one Identity provider from the available list.
• Registration method: Soffid offers three different registration methods. To use one of them you will need to insert and touch the FIDO key to create a new token. 
  • Register now: Soffid allows you to register a new FIDO key related to a specific user. Once you select this option, you need to register the FIDO key, and Soffid automatically will register the key related to the user.
  • Generate secure link: Soffid generates a secure link related to a specific user to register. You can follow the link and then register the FIDO key. Once you register the FIDO key, you can close this page. You only need to register the FIDO key and this page will close automatically.
  • Generate insecure link: Soffidl will generate an insecure link, this link is not related to any user. Then you need to browse to the insecure link and type the user name, and then the password. Finally, you need to register the FIDO key. Once you register the FIDO key, you can close this page.

You can use the Generate secure or insecure link option to send it to users to complete the registration process.

When you register a FIDO token, this will be displayed on the proper user "My certificates and FIDO tokens" page and it will be available for this user.

Backups

The backup functionality is available when the backup addon is loaded in the Soffid Console. By clicking on the Backups tab, Soffid will display all the snapshots available for the user, and you could restore what you need.

You can also check other available snapshots by clicking on the hamburger icon and a specific option. Those are the options:

Groups History

You can check all the group history changes for a specific user, and decide if you want to restore an earlier versión.

Accounts History

You can check all the account history changes for a specific user, and decide if you want to restore an earlier versión.

Roles history

You can check all the role history changes for a specific user, and decide if you want to restore an earlier versión.

Mail list history

You can check all the mail list history changes for a specific user, and decide if you want to restore an earlier version.

Download CSV file

Allows you to download a CSV file with the data of all backups.

OTP devices

In the OTP devices tab, Soffid displays all the OTP devices configured by this user. For each OTP device, Soffid displays the info about the name, the created date, the last time used, and the status. Soffid allows you to manage all the OTP devices for each user.

By clicking on a record, Soffid shows OTP device details, including the failed number. It is also possible to change the status.

This option will only be available if the OTP addon is installed in the Soffid console.

Issues

In the Issues tab, Soffid displays all the issues in which the user is involved. If you click one issue, Soffid will display the issue detail and will allow you to perform any available operation if you have the proper permissions to do that.

This option will only be available in Soffid >= 3.5.x

For more information, you can visit the Issue page.

Actions

Users query actions

User detail actions

Groups actions

Group query actions

Group detail actions

Accounts actions

Accounts query actions

Accounts detail actions

Roles actions

Roles query actions

Role detail action

Sessions actions

User processes 

OTP devices action

Issues

Groups

Description

Groups are a convenient way to apply policies to a collection of users. Groups allow administrator users to specify permission for multiple users in a quick and easy way. Groups are managed in a hierarchical way. A user can belong to a group, and that user will be assigned the roles of this group and all the roles that this group inherits from its parent.

Companies are organized in different business units, departments, or workgroups. In Soffid, they all are named as groups. Some systems, like Active Directory, use the groups to control or restrict access to resources. A Soffid Group is more like an Active Directory OU.

Screen overview

Related objects

1. User
2. Roles

Standard attributes

Basic

On the basic group tab, you can view all the group attributes. It is allowed to add new groups, and update or delete existing groups.

• Name: short name to identify the group. The group name must be unique.
• Description: a brief description of the group.
• Drive letter: if specified, a shared folder for this user will be created. This shared folder can be mounted on ESSO hosts by using a startup script.
• Parent group: name of the parent within the hierarchy. Only the root group doesn't have value. Be in mind the groups have a tree structure.
• Type: a group can be categorized by organizational unit types. You have more information about Group Type page.
• Drive server name: the server where the shared folders can be located.
• Disabled: allows you to enable and to disable the group. When a group is disabled, the group's role hierarchy is no longer available to the group's users.

Users

Administrator users can manage the users who belong to the group. These users will have assigned all the permissions granted to that group and permissions inherited from its parent.  

On the user's tab, you can add new users to the group by clicking the button with the add symbol (+), you must select the user to add, and select the membership properties.

It is also allowed to delete one or more users from a specific group, you can do it from the group membership details or by selecting one or more records from the list and clicking the button with the subtraction symbol (-).

Additionally, you can download a CSV file with the user's information and you can also upload a CSV file to add new users or update existing users.

Granted roles

Administrator users can manage the permissions to a group, this is the way to establish an access policy to a collection of users. The users who belong to a group will inherit all the permissions granted of that group.

On the granted roles tab, you can assign or revoke roles to the group. To assign a new role, you must click the button with the add symbol (+), then select the role,  in some cases specify the scope, and finally set membership properties. To revoke role, you can do it from the group membership detail or by selecting one or more records from the list and clicking the button with the subtraction symbol (-).

Additionally, you can download a CSV file with the granted roles information and you can also upload a CSV file to assign roles, modify or delete assigning roles.

Managers

On the tab Managers, Soffid displays the Roles with Domain group for the specific Information System and the proper authorization. Here you could grant the role to one or more users. You could grant the role on the Role page and on the User page as well and the information will be displayed on the managers tab.

Be in mind, to query the information about the roles and users on the managers tab, it will be mandatory to give authorization to query users, you must add the role to the authorization (user:query). You can visit the Authorization page.

Actions

Group query actions

Historical view

Group detail actions

Users

Granted roles

Managers

Accounts

Description

An account is the way an user is presented on a target system.  There can be user accounts as well as system-purpose accounts.

An account belongs to a system and that account can have specific permissions assigned to it. An account must have defined the account type, that is if the account is a single user, privileged, shared, or unmanaged.

The password policy is also mandatory to create an account. That password policy determines the conditions that the password must meet.

It is allowed to set a password for an account, which can be a generated password by the system, or a password set by the administrator user. That password must comply with the password policies defined. When the account is unmanaged, if the password change, it will not be sent to the target system.

The account can be displayed in black or gray color. The gray color is used to indicate that the account is unmanaged, that is because the agent is disconnected or because the agent is in Read-Only Mode.

Screen overview

Related objects

An account is related, in Soffid, to other objects:

1. User: users related to this account.
2. Groups: groups to which the account belongs.
3. Roles: the permissions that this account has associated with the system in which it is used. They can be assigned or revoked by users with administrator privileges.
4. System: the environment in which that account is used (AD, Exchange, etc).

Standard attributes

Basic

On the basic account tab, you can view all the account attributes. It is allowed to add new accounts,  update or delete existing accounts and other options.

Commons attributes

• System: target system to which the account will be connected. When SSO is the system selected, the account name is assigned by Soffid, that is because SSO is a multi-system connector and can be many accounts with the same login name.
• Name: name used to identify the account.
• Description: plain text with information about the account.
• Type: there are four kinds of accounts:
  • Single user account: accounts should normally be user accounts and bound to a single user. We can see user accounts on the user management screen, and will mostly be created by Soffid.
  • Shared accounts: these accounts are shared among multiple users. They have an access control list to prevent unauthorized usage. Will be granted to users, groups or roles. Passwords on shared accounts might be set by operators or by the user. It depends on the password policy definition. A shared account could have related services.
  • High privilege accounts: shared among users, but only one user possesses it at one time. Through self-service portal, a high privilege account owner can check-in and check-out them. Will be granted to users, groups or roles. Passwords on these accounts will be set only by the user using the self-service portal. The user can set it for a period of time. After that, the system will change the password by a temporary one.
  • Unmanaged accounts: ignored by Soffid. They can be populated based on existing system accounts. Soffid will be able track any changes applied to this type of accounts on the managed system, but Soffid will not apply any change to the actual system. You should have a limited number of unmanaged accounts, but they are extremely useful during deployment phase.
• Status: 
  • Enabled: the account can be used by the user. Soffid engine will disable it when the user does not match the access requirement policy.
  • Manually enabled: the account can be used by the user. Soffid engine will keep it enabled, even when the user does not match the access requirement policy.
  • Disabled: the account cannot be used by the user. Soffid engine will enable it when the user does matches the access requirement policy.
  • Manually enabled: the account cannot be used by the user. Soffid engine will keep it disabled, even when the user matches the access requirement policy.
  • Removed: the account no longer exists in the target system, but its image is kept in Soffid for audit purposes.
  • Locked: the account is locked when a user tries to access with a fail password too many times  (5 times). The account will be enabled in a specific period of time (5 minutes).
• Password policy: the policy applied to this account. It is mandatory select a password policy. You can see more information on the User Type and Password policies pages. 

Owners, Managers, and SSO users

Specify the list of users authorized to use this account. For accounts of type "single user", only one user can be specified. Other accounts can have more than one user. The users that can use this account can be specified either directly, by entering the user name, or indirectly, by entering a group or role name. At the latest, any user having that group or role will automatically be entitled to use this account.

There are three access levels for each account and user:

• SSO User: can use it by means of the SSO or PAM engines. They cannot change their password, not even through single sign on engine.
• Manager: can use it, and set or query the password (using self-service portal), depending on the password policy restriction.
• Owner: can use it, modify the access control list, and set or query the password sing self-service portal or single sign-on engine.
  

Password vault

• Vault folder: personal or shared folder, depending on the account type, in which account data are stored.
• Inherit new permissions: determines if the account will inherit the permissions granted to the folder that contains it.

Launch properties

Defines the properties to connect to the target system.

• Login URL: URL to connect. You can add the port when you need it
• Login name: account name to connect.
• Launch type: connection type.
  • Simple
  • WebSSO
  • PAM Jump server: it is mandatory to select the Jump server group.

Audit information

• Created on: account creation date.
• Last login: last registered access.
• Last updated: last modified.
• Last password set: date of last password change.
• Password expiration: password expiry date.
• In use by: account owner
• Password synchronization.

System properties

• SSH Private key: private key that establishes trust to be able to access the system without requiring a password.
• SSH Public key: public key that establishes trust to be able to access the system without requiring a password.

Roles

A role is a collection of permissions that can be granted.

On the roles tab, you can view the roles assigned to the account, it is shown information about the role name, description, application or start (and, if proceed, end) date of the role assignment. 

You can also assign roles to the account, you can click the add symbol (+), select the role that you want to assign, depending on the role you must fill the scope, and finally set memberships properties.

It is also possible to revoke roles to the account from the entitlement details or by selecting one or more records from the list and clicking the button with the subtraction symbol (-). 

By clicking on a record, it is shown the detail  role assignment information.

Additionally, you can download a CSV file with the roles information and you can also upload a CSV file to assign or revoke roles.

Effective roles

Hierarchy of permissions assigned to or inherited. 

This screen details the effective roles for the selected account.

• By direct assignment of the role: when you assign a role to an account, you are assigning to the account all the permissions defined for that role.
• By belonging to a group: when you add a user to a group, the user will have all the roles assigned to the group.
• By rules defined in the system: when a rule is satisfied for a user, the system assigns the roles defined in the rule to the user.

Actions

Account query actions

Account detail actions

Roles

Roles

Description

Soffid allows you to create roles to specify permissions that can be assigned to a user, a group, or an account. These permissions determine what operations are allowed on a resource. You can use roles to delegate access to users, applications, or services. The main goal is to achieve optimal security administration.

Roles can be defined at different levels:

• Organizational permissions.
• Application permissions.
• Low-level permissions.

When needed, generic roles can be created. When such a role is granted to any user, it is converted into a specific role by specifying an organization unit, information system, or a specific value. So, for instance, a generic emergency coordinator role can be created. The master emergency coordinator will have this role granted for the whole organization, while a remote office emergency coordinator will have this role granted for his single unit.

Screen overview

Related objects

1. User
2. Groups
3. Information System

Standard attributes

Role detail

• Name: name used to identify the role
• Description: detailed role description.
• System: information storage system from a technical point of view (active directory, database, CSV, ...).
• Category
• Information system name: asset or application, from a functional point of view, on which the permissions are granted or revoked.
• Domain: limitation of role scope to this domain. Initially, there are two domains defined, Groups and Information Systems. It is allowed to add more domains.
• BPM enabled: enables "Role assignments" workflow. 
• Approval start: at this date, Soffid will connect to the system and will assign the role. If there is no approval start, it will be assigned at the moment.
• Apploval end: at this date, Soffid will connect to the system and will revoke the role.

More information about workflows on the BPM Editor Book.

Granted roles

On the granted roles tab, you can assign the privileges of this role to another role in another system.

To assign privileges you must click the button with the add symbol (+), then select the target role, finish, and apply changes. With this operation, all the permissions of this will be assigned to the target role.

If you want to revoke permissions,  you must select one or more records from the list and click the button with the subtraction symbol (-). 

In addition, you can check the preview changes, it display information about the action, the user or account, and the role or domain, and you can apply them.

Grantee roles

On the grantee roles tab, you can assign the privileges of a role of any other system to this role.

To assign privileges you must click the button with the add symbol (+), then select the source role, finish, and apply changes. With this operation, all the permissions of the source role will be assigned to this role.

If you want to revoke permissions,  you must select one or more records from the list and click the button with the subtraction symbol (-). 

In addition, you can check the preview changes, it display information about the action, the user or account, and the role or domain, and you can apply them.

Grantee groups

On the grantee groups tab, you can assign the privileges from a specific group to this role, or revoke the privileges.

To assign privileges you must click the button with the add symbol (+), then select the group, finish, and apply changes. With this operation, all the permissions of this group will be assigned to the role.

If you want to revoke permissions,  you must select one or more records from the list and click the button with the subtraction symbol (-). 

In addition, you can check the preview changes, it display information about the action, the user or account, and the role or domain, and you can apply them.

Users

On the users tab, you can assign or revoke roles. To assign a role you must click the button with the add symbol (+) and choose one or more users, fill the scope when it is mandatory, and set membership properties. Each role needs an account to be applied to, so, if a user has no account on a system and a role on that system is granted, a new account will be created on this system. In case a user has more than one account on a system, you should indicate which of the suitable accounts will be granted the role.

It is also possible to revoke roles to the user from the entitlement details or by selecting one or more records from the list and clicking the button with the subtraction symbol.

The users with the role assigned by rules will be displayed with different colors. Soffid does not allow to revoke roles, on that page, that were assigned by rules. 

Additionally, you can download a CSV file with the basic users data.

Role assignment rules

You can consult the Role assignment rules related to this role.

For more information, you can visit the Role assignment rules page.

Actions

Roles query

Roles detail

Granted roles

Grantee roles

Grantee groups 

Users

Information systems

Description

Information systems are the systems that Soffid will protect granting and revoking roles. Each role and entry point is bound to an information system.

The information system can be created hierarchically. These information systems are managed in a tree structure. 

Soffid allows you to categorize the information systems to facilitate the management, the available categories are Application, Container and Business. That categories are for information purposes only.

The permission can be granted by using workflows.  You can access to Workflows page for more information.

Related objects

1. Users
2. Role

Custom attributes

Basics

• Type: information system category.
• Parent: parent within the hierarchy.
• Name: short name to identify the information system.
• Description: detailed description information system.
• Source: documentation.
• Owner: is the information owner, and has the capability to appoint security manager.
• Executable: documentation.
• Database: documentation.
• Owner name: documentation.
• BPM enable: if enabled, permissions can be granted by using workflows.
• Notification emails: this list will be notified on a daily about grants and revokes performed.
• Approval process: approval process defined
• Role definition process: role definition process. It is an advanced function for workflows.
• Single role: if checked, the roles of this application are mutually exclusive: if a user has the role X and want to assign him the role Y, X will be removed to give him Y.

Role Scopes (Domain)

Role scope or domains are properties that can be assigned to some entitlements, limiting the scope of that entitlement. This can be used to limit, for instance, the maximum amount allowed for a money transfer, or the commercial zones to manage.

On this tab, you can add new domains, you must click the button with the add symbol and fill the information about the new domain. You can also delete a domain or update the domain information.

Other operations allowed are to download a CSV file with the domain data and toOther operations allowed are to download a CSV file with the domain data and to upload a CSV file to add new domains, or update existed domains to add new domains, or update existing domains

Roles

A role is a collection of permissions that determine what operations a user or a group of users can perform on that information system.

On the roles tab is allowed to create, update and delete roles. The effective privileges bound to each role are managed from each application.

To add a new role you must click the button with the add symbol (+) and fill all the role data.

You can update a specific role by clicking on the right record, making and applying changes.

It is also possible to delete roles from the role details or by selecting one or more records from the list and clicking the button with the subtraction symbol (-). 

Additionally you can download a CSV file with the roles information and you can also upload a CSV file to add new roles, or modify existing roles.

Users

On the user's tab, Soffid displays all the user with granted roles for this information system.

It is allowed to download a CSV file with all the user data.

Actions

Information system query

Information system detail actions

Role scopes actions

Roles actions

In addition for each role you can perform the specific operations defined on the Role page

Users actions

Role assignment rules

Description

Soffid console provides an option that allows you to customize policies to assign or revoke roles automatically to specific users. To assign or revoke roles, the users must comply with the defined requirements.

That option allows you to Preview changes before to Apply changes, to verify that the actions to be performed are the correct ones. 

To Apply now the Role assignment rule, it is mandatory to have previously saved any changes made in the customization of the role assignment rule using the Apply changes button.

The rule evaluation is performed asynchronously.

When a user is updated, no matter from where, Soffid will launch the role assignment rules defined.

Screen overview

Related objects

1. User
2. Roles

Role detail

• Name: name of the rule.
• Description: brief description of the rule.
• Script (Rule expression):  when returns true, the roles will be applied and the script that assigns roles.
• Rule Progress: displays the time remaining to finish applying the rule.

Roles to apply when rule expression returns true

• Role list: roles to apply when rule expression returns true.
• Script to assign roles: allows you to customize the rules to apply roles. That roles will be added to the role list.

The roles result will be a Role list, or RoleAccount list, or String list. 

Actions

Role assignment rules query action

Role assignment rules detail action

Segregation of Duties (SoD)

Description

The segregation of duties (SoD) is a fundamental element of internal controls, defined to prevent error and fraud. Segregation of duties ensure that at least two individuals are responsible for the separate parts of any task.

For each user, the roles tab displays the list of roles assigned to the user and the possible risks. If you click on a role record, Soffid will show the entitlement details including the SoD rules with the detail of the risk. 

Related objects

1. Information Systems
2. Roles

• Name: name of the segregation separation of duties
• Information System: asset or application, from a functional point of view, on which the permissions are granted or revoked.
• Type: type of segregation 
  • Trigger on all permissions: no user can be assigned the roles added to the role list.
  • Trigger on some permissions: if you select that option, you have to fill in the number of roles that can not match. Soffid will not allow you to assign to a user more than the number indicated of the roles added to the role list.
  • Query permissions matrix: Soffid displays a matrix that allows you to select the risk between pairs of roles, those roles are the roles added to the role list.
• Risk: level of risk:
  • Low.
  • High.
  • Forbidden:  it is not allowed that one user to have assigned the roles defined on the role list.
  • None: there is no risk.
• Role List: list of roles to keep in mind on the segregation of duties.

Actions

Segregation of Duties query actions

Segregation of Duties detailed actions

Networks

Description

Operators can define the subnets that compose the internal network, in order to manage the IP address space. The main goal is to manage a limited resource as the IP address is.

Soffid supports both static and dynamic IP assignments. Anyway, static IP management does not exclude the use of DHCP o BOOTP protocols in order to get them.

Screen overview

Custom attributes

Basics

On the network group tab, you can view all the network attributes. It is allowed to add new networks,  update or delete existing networks.

• Name: short name that identifies the network.
• Description: network description.
• IP Address: IP range of this network.
• IP Address mask: IP mask of this network.
• Internal network: activate this check box to indicate if this network is fully managed or not. What fully managed means changes in each organization. It used to mean corporate office versus branch office. It affects mainly to access the menu tree. Application entry points have different scripts or URLs for internal and external networks.
• Support DHCP: if enabled (selected value is Yes), hosts belonging to this network will be automatically registered. 
• DHCP attributes: allows to enter additional parameters that the DHCP server will use to assemble DHCP response. Usually, it will have a gw=0.1.2.34 like parameter. It is only needed when a DCHP connector is configured.
• Used IPs: IP addresses used. This data is auto calculated

Access control

In order to delegate the management of IP addresses in this network range, the Access Control List allows to select which users, groups or roles will be allowed to manage it.

• Restrict ESSO login: allows to restrict the access to the workstations of this network, otherwise, any Soffid users can log in.

Each Access Control List Entry has the following attributes:

• Access level: four levels are defined:

  • Without access: denies everything.

  • Query: allows to know about hosts on this network.

  • Support: allows to know about hosts on this network, and allows to manage the workstations on it. This option is fully tied to Single Sign On module.

  • Administration: allows to create, modify or remove hosts on this network.

• Mask: specifies a pattern that will be check against the host name in order to apply this authorization level.

• Identity: specifies a user, group or role name.

• Description.

To add a new access control you can click the button with the add symbol (+), you have to select the grantee type (user, group or role), then you have to choose an user, group or role depending on the grantee selected, and finally set the acces level and the mask and apply the changes.

If you want to delete access controls,  you must select one or more records from the list and clicking the button with the subtraction symbol (-). 

Actions

Networks query

Networks detail

Access control

Hosts

Description

The host screen lets the administrator manage a static IP address assigned to any host. Dynamic IP addresses are automatically managed by Soffid ESSO.

Screen overview

Related objects

1. Network
2. Operating systems

Basics

On the basic host tab, you can view all the host attributes. It is allowed to add new host,  update or delete existing hosts.

• Name: host name.
• Description: location, owner and whatever other information you want.
• Network: to which it belongs
• DHCP server parameters: used by the DHCP agent in order to generate DHCP configuration files.
• IP Address: host IP
• Operating system: used by the Active Directory agent in order to know if this host must be have an Active Directory host account. Using this functionality, no operator needs to be authorized to add or remove hosts on Active Directory. Soffid will do it for them. More and more, whenever this hosts is left off its IP address, the host account will be removed from Active Directory. This behavior can, of course, be customized.
• Mail server: if enabled (selected value is Yes), the user will be able to create mailboxes in the host.
• Shared folders server: if enabled (selected value is Yes), the user will be able to create shared folders in the host.
• MAC Address: used by the DHCP agent in order to generate DHCP configuration files.
• Alias
• Shared printer server: if enabled (selected value is Yes), the user will be able to create a printer queues in the host.
• Dynamic IP
• Serial number
• Last connection
• Created on
• Locked
• Device type
• Internet browser
• CPU type

Access Control

On the access control tab, you can delegate the host management.

If you add a user authorization, you will allow the user to execute any task as a local administrator on this server or workstation. This feature requires the Soffid ESSO to be installed in the target host.

To add a user authorization you can click the button with the add symbol (+), then select the user and expiration date, and finally apply changes.

It is also allowed to delete one or more user authorizations, you can do it from the entitlement details or by selecting one or more records from the list and clicking the button with the subtraction symbol (-).

Additionally, you can download a CSV file with the access control data and you can also upload a CSV file to add user authorizations, and modify or delete user authorizations.

You also can view the administrator password.

Sessions

On the sessions tab, you can view the information about the last connection of a user to this host. Shows data about the user, server, client, port used and date of connection.

You can download a CSV file with the user sessions data.

Actions

Host query

Host detail

Access control

Sessions

Printers

Description

Soffid lets administrator users manage system printers. A printer must always be attached to a host. A network attached printer is composed of a host (network print server) and a printer (printer queue).

Printers can be assigned to specific users or to user groups. The effective assignment can be done on session startup by using a Single Sign On client script. To do that, it is necessary to add a script on a Login entry point with type x-mazinger-script.

Related objects

1. Hosts
2. Users
3. Groups

• Name: identifier name of the printer.
• Description: additional printer information.
• Model: printer model.
• Server: where the printer is hosted.
• Restricted: if checked, only users and groups of users assigned can be access to that, in another case any user could access to that printer.
• Users: assignment of printer queues to users.
• Groups: assignment of printer queues to groups

Actions

Printer query

Printer detail

Mail Domains

Description

The mail domains identify each single mail domain that is going to be managed. If a mail domain is marked as obsolete, it won't be assigned to a user anymore.

• Code: domain, it will be as in email address is written.
• Description: a brief description about domain name usage.
• Obsolete: enabled to indicate that the domain will not be used and therefore should not be assigned.

Actions

Mail Domains query

Mail Domain detail

Mail List

Description

The mail lists identify addresses that are going to be delivered to one or more users, just as distribution mail lists do.

• Name: identifier name of the mail list.
• Mail domain: an existing domain in the system. It is a predictive field that facilitates the search.
• Description: a brief description of the mail list.
• Nested lists: nested mail lists.
• External address: other mail addresses not managed by Soffid that will be on the mail list.
• Roles: the users who have been assigned those roles, will be on the mail list.
• Groups: the users who belong to that groups, will be on the mail list.
• Users: users who will be on the mail list.
• Computed target users: breakdown list of users that are on the mailing list.

Actions

Mail List query

Mail List detail

Application access tree

Description

The entry points could be to connect to information systems defined on Soffid, or to connect to other applications. These applications can be Web applications or Native applications. Each information systems can have one or more application entry points.

The entry points are managed in a tree structure, that allows creating new menus and new application access.

Each member of the tree can be tied to a list of users, account groups, or roles. Also, you can choose if the application menu entry will be visible or not by unauthorized users.

After logging on to a managed workstation, the system will apply such restrictions and will update the Windows or Linux start menu.

Each application entry point will have different execution methods for fully managed workstations, loosely managed workstations, or external devices. Each of them can be a web browser URL or a javascript piece.

Each application entry point can have a single sign on rule. Those roles are fully explained in the ESSO reference guide. For more information, you can visit the ESSO chapter.

The defined entry points allow to final users open applications from the self service portal. For more information can visit My Applications page.

Screen overview

Related objects

1. Information system
2. User
3. Group
4. Role
5. Account

Standard attributes

Basics

• Menu: (yes|no) when the menu is Yes, this application will be like a folder to contain and organize other applications.
• Name: application identifier name.
• Code: application code.
• Information System: asset or application, from a functional point of view, on which the permissions are granted or revoked. For more information visit the Information Systems page.
• System: information storage system from a technical point of view (active directory, database, CSV, ...). These systems are the agents configured on Soffid, for more information about these visit the Agents page.
• Public access: when it is Yes, this application will be displayed as public at the self-service portal of all users.
• Visible without permissions: when it is Yes, this application will be displayed at the self-service portal, but only users with permissions will be allowed to connect.
• Icon: application identification icon.

Authorizations

Allows you to grant access permissions to users, groups, roles, or accounts. 

To give authorization it is necessary, first of all, to select the grantee type, then to choose the user, group, role, or account, and finally choose the access level. The access level allows two options:

• Manage: allows to update the entry point.
• Execute:
  • When the entry point has selected the option public access to NO, only users with the assigned access level as execute could execute that entry point.
  • When the entry point has selected the option public access to YES, all users can execute that entry point.

Executions

Allows Administrator users to configure the entry point access. It is only available to entry points with the option Menu not selected.

There are three options to configure the executions. Administrator users can configure one or more:

• Running from Intranet: if you select the Yes option, Soffid will check if the host that is trying to run this entry is located in a network flagged as internal, if so, Soffid will allow to run the entry. 
• Running from Extranet: if you select the Yes option, Soffid will check if the host that is trying to run this entry is located in a network NOT flagged as internal, if so, Soffid will allow to run the entry. 
• Running on the Internet: if you select the Yes option, Soffid will check if the host that is trying to run this entry is located in an unknown network, if so, Soffid will allow to run the entry.

For each execution option it is possible to configure the following parameters: 

• Enabled: if the option is available to configure.
• Type: access connection type.
• Content: 
  • text/html: a URL to access to the application. 
  • x-application/x-mazinger-script: scripts that will be executed on ESSO clients
  • Recorded session: configuration to use PAM service.
  • Web Single Sign On: a URL to access the application with SSO.

ESSO

Allows you to customize a script to define a pattern to detect when an application is used and how to inject the credentials.

For more information, you can visit the ESSO chapter.

Actions

Application query

Application detail

Authorizations

Executions

ESSO

Password vault

Description

Soffid provides a protected storage, to save and manage accounts for multiple applications, that is the Password vault. Here you can save the accounts and passwords to access to critical systems and to your applications as well. Password vault allows you to handle the access control list to these accounts. Sometimes these accounts can be used by a specific user or a set of users.

The accounts are organized in folders depending on the permissión, and the criticality level, .... These accounts can be system accounts or user accounts.

The Password vault exposes a subset of accounts to some users. These accounts are available through the Self-services portal. You can visit My applications page for more information.

When a privileged account is being config, it will be able to assign a workflow or approval process to request in order to use that account. For more information visit the link How to apply policies. 

Users can be authorized to manage their own personal accounts, sso:manageAccounts. For more info visit the Authorizations page.

Folders

In the password vault, two kinds of folders are used: personal folders and shared folders, which depend on the Owners configuration you define.

On one hand, each user has their own personal folder. Inside this folder, the user can create accounts. That account will not be shared with any other user.

On the other hand, the shared folders could be used or managed by the owner/manager/SSO users.

Accounts

Soffid allows you to create new accounts on a specific folder on the password vault page, to add a new account will be mandatory to fill in some attributes, like System, name, and login name. You can consult the existing accounts related to a folder. For each account, you can update or delete the account, view and set a password.

Also, you can create accounts on the Account page and assign the appropriate vault folder.

Soffid allows administrator users to configure a workflow to request permissions when a user try to change the password of a privileged account in the password vault. That process can be defined with the BPM Editor as an Account reservation type. For more information you can visit the BPM Editor book.

Overview

Related objects

1. Accounts

Standard attributes

Folder attributes

• Folder detail
  • Name: folder name which will be displayed in My Applications.
  • Description: folder description.
  • PAM policy: when using PAM system, you could choose the policy that will comply with for each folder. When you define a policy for a folder, that policy will apply to all accounts hanging from this folder. For more information you can visit the Configure PAM page.
• Owners: allows you to handle the full privileged access control list.
  • Owner users: list of users who will be the folder owners.
  • Owner groups: list of groups, whose users will be the owners of the folder.
  • Owner roles: list of roles. Users who have been granted these permissions will be the owners of the folder.
• Managers
  • Manager users: list of users who can manage the folder. Those users can view the password depending on the password policy.
  • Manager groups: list of groups, whose users can manage the folder. Those users can view the password depending on the password policy.
  • Manager roles: list of roles. Users who have been granted these permissions can manage the folder. Those users can view the password depending on the password policy.
• SSO users 
  • Granted users: list of users who can use the account of that folder.
  • Granted groups: list of groups, whose users can manage the account of that folder
  • Granted roles: list of roles. Users who have been granted these permissions can manage the account of that folder.
• Browse folder
  • Users: list of users who can browse the folder, but can not perform any action.
  • Groups: list of groups, whose users can browse the folder, but can not perform any action.
  • Roles: list of roles. Users who have been granted these permissions can browse the folder, but can not perform any action.

Accounts attributes

Actions Tab

This tab shows the read-only attributes of the user account:

• Name: user account name.
• Description: a brief description.
• System: target system to which the account will be connected.
• Login name: login name to connect to the target system.
• Login URL: URL to connect.
• In use by: user name who is using that account.

Also, this tab allows you to launch the connection to the target system, view the password, set the password to launch the connection, and unlock the use of that account. All those options depend on the account definition and user privileges.

Basics Tab

This tab displais all the account attributes and allows you to update the account configuration.

Visit the Account page to view more information about the standard attributes of an account.

Actions

Folders query actions

Folder actions

Account actions

How to apply policies

Soffid allows you to define policies and rules to apply to a specific folder or a set of folders. To do that is needed to install the XACML  addon and configure the proper policies and rules. 

Also, you can config a workflow or approval process to request in order to use accounts saved on a folder.

It is mandatory to enable the Password Vault PEP and populate the information about the XACML policy set and the version which applies.

Example 

XACML PEP config

It is mandatory to enable the Password Vault PEP and populate the information about the XACML policy set and the version which applies.

Password Vault:

XACML PEP config:

XACML Policy Management

You need to configure the access to the folder "VaultFolder", that folder can contain other folders and accounts. It will be mandatory to config the access list, who are the owners, managers, and so on. You need to know if you need to config the control access list by accounts, by folders, or both.

For instance, the policies you need to implement are the following:

1. Only users between 6:00 and 18:00 could use the accounts inside the "demoFolder".

2.- User "bob" never could use the accounts of demoFolder.

3. Users with result permits, need the authorization to use the accounts.

You need to config the workflow that will be called, to config you need to include the bpm obligation on the policy. Also, you can include a message to the user, or other obligations. 

Visit the XACML Book for more information.

Visit the BPM Editor Book for more information.

Custom objects

Description

The custom objects are the objects created by the administrator to extend the Soffid underlying data model. You can visit the Metadata page for more information.

This option allows administrator users to provide objects with content.

Related objects

1. Object Type: objects created by the administrator.

Standard attributes

• Name: identification name.
• Description: brief description.

Every single custom object could have specified attributes defined by the administrator users when they create the object type.

Actions

Custom object query

Custom object detail

Integration Engine

Smart engine settings

Description

The administrator users can decide the engine mechanism for the synchronization task, i.e. when the tasks are created and sent to external systems.

Screen overview

Standard attributes

1. Task engine mode:  allows you to select the synchronization mode. There are three available options: 
   • Read only: it is the option by default in the Soffid installation.  No task is synchronized to external systems.
   • Manual: only selected synchronization tasks are performed. You could synchronize manually a user, check the "Propagates the changes" action on the Users page. Or also synchronize a whole target system, check the Agents page. 
   • Automatic:  each change is automatically send to target systems.
2. Tasks limit per transaction: if a single transaction creates more than this number of tasks, tasks will be held until Soffid administrator releases them. The administrator could check them in the  Sync server monitoring page.
3. Scripting language: Soffid allows you to create scripts and you can choose the scripting language:
   • Beanshell
   • Javascript
   • Autodetected

Soffid offers a set of sample scripts. You can find examples visiting the Sample scripts page.

Additionally, in the initial configuration of the container, we can configure the SOFFID_TRUSTED_SCRIPTS environment variable to allow the use of insecure classes.  You can find this information visiting the Installing IAM Console page.

Tips

Use the task engine mode for these scenarios:

• Read Only: use this option after the Soffid installation until you have at least one target system configured to test the synchronization.
• Manual: use this option for testing environments, or at the beginning of a live release.
• Automatic: use this option for live environments, or also for the testing environments when the platform is mature.

Tasks limit per transaction:

• Use a high task limit when you are comfortable with the configured processes of Soffid, for instance, 1000 or 10000 depending on the number of accounts of these external systems.

Actions

Agents

Description

Soffid agents are the tool that allows the connection between the Soffid console and the target systems. To establish the connection with target systems, Soffid provides a large number of connectors that will be able to set up into the Soffid console.

You could see the complete list of Synchronization Server Connectors. 

Soffid administrator has the chance to easily customize attribute mappings for some connectors addons, without having to code it using Java. Soffid provides a graphical interface to perform attribute mapping.

An agent will appear disabled when this agent won't have a server assigned. Bear in mind to select the “Disabled” flag on Server URL criteria when you will query if you want to search for disabled, but defined agents.

Related objects

1. Synchronization server
2. Account naming rules
3. User type
4. Password policies
   

Standard attributes

Basic

• Task engine mode: shows the current task engine configuration. For more information visit the Smart engine settings page.
• Name: agent's identifying name.
• Description: a brief description of the agent.
• Usage: identify whether the accounts created are to be used for IAM or PAM. The IAM and PAM tasks will be managed in separate queues. This attribute will be available in Soffid 3.5.10 or higher.
  • IAM
  • PAM:
    • The PAM accounts will be managed as a Shared thread internally.
    • The PAM accounts will be shared accounts and never will be single user accounts.
• Type: Identify the connector type to use. Different implementations of the server plugins are included in the connectors installed into Soffid. Each type has a Java class bound, the name of the Java class implementing the connector is displayed next to the connector name.
• Server: synchronization will be performed with the selected server. It is allowed to select two servers in cases high disponibility will be necessary. If you choose two servers, when one fails, the other will be used.
  • If “Each main synchronization server” is selected, the agent will be run by every sync server.
  • If "-disabled-" is selected, the agent will be disabled. 
  • If you select a single sync-server, the agent only will be run on that server.
• Shared Thread: if it is enabled, the same thread will be shared to several synchronization servers. 
• Dedicated Thread: if "Shared thread" is disabled, it will be available the option to choose the number of threads to dedicate to the synchronization process.
• Task timeout (ms): add a timeout to the synchronization server tasks (query, insert, update, delete, update password, etc). If you add a timeout, when the connection gets this timeout, the synchronization server will stop the request and add it to the queue for a new retry later.
• Long task timeout (ms): add a timeout to the reconciliation server tasks (user, group, role, account, grants, etc). If you add a timeout, when the connection gets this timeout, the synchronization server will stop the request (no retry is added).
• Trust passwords: check if you can trust it to propagate their passwords to Soffid. Trusted password agents differ from the non-trusted ones in:

  • Temporary passwords generated from the console only propagate to agents that have trusted passwords checked. In the other case, the agents only receive definitive passwords.

  • When a password has reached its expiry date, it will automatically be disabled on agents where the trusted password is not checked, so the user can no longer access it.

  • When the managed system detects a change in the user request password, the password will be propagated to Soffid only if the agent associated trusted password is checked.

• If you want to forward the authentication requests to trusted target systems, you must enable the Trust passwords option and the proper feature on the Authentication page.
• Authoritative identity source: check if the agent will be used as the source for users' information. It is usually checked for the first load of users into Soffid, and then it is unchecked, being Soffid that manages users. Optionally, you can select a custom workflow to process incoming changes. 
• Read-only: if it is checked (the selected option is Yes), no change will be applied to the managed system. Only read operations will be allowed.
• Paused task: if it is checked (the selected option is Yes), the system remains connected, but the tasks in the queue will be retained. It is very useful when conducting tests and ensuring that no tasks propagate, except the ones we are manually triggering (we pause, make the changes, and when everything is fine, we remove the pause). As a rule, you should pause when making configuration changes in production.
• Manual account creation:
  • If you check NO, Soffid will create the new user accounts applying the defined policies.
  • Check YES if you don't want Soffid to create automatically new accounts for the users.
• Role-based: when "Manual account creation" is not checked (option selected is No), it will show "Role-based". Check it if only users with any role on this agent should be created. When the identity or account loses its permissions, the account will be disabled. Uncheck to allow users with no role on it.
• Groups: when "Manual account creation" is not checked (option selected is No), it will show "Groups". Identify the business units that are allowed to have an account on this system.
• User domain: it is the rule used to determine how to generate account names.  If the account name is the same as the user name (as is normally the case), the “Default user domain” should be used. The user domain values are defined on the Account naming rules page.
• Password domain: determines the password policies that will be used. If the "Default password domain" is selected, Soffid passwords will be shared with the managed systems. The user domain values are defined on the Password policies page.
• User Type: when "Manual account creation" is not checked (option selected is No), it will show User Type. Only users of the selected types will be created. Any change made in this field involves all accounts to be recalculated. New ones will be added to the repository and managed systems. Some accounts will get disabled if the owner user no longer belongs to any authorized user type.

When uploading authoritative data for identities from a managed system, firstly, users will be created in Soffid as indicated in the attribute mapping, and secondly, accounts will be created for the managed systems only if the agent option "Manual account creation" is not checked and only for User Types indicate.

Connector parameters

The custom attributes depend on the used plugin. 

Here you will find all the information needed about the available Soffid connectors to integrate external managed systems.

1. AWS Connector
2. CSV Connector
   • Customizable CSV file (CSV Connector type)
3. Google Apps Connector
4. JSON REST Web Services Connector
5. LDAP Connector
6. Oracle Connector
7. Oracle EBS Connector
8. SAP Connector
9. SCIM Connector
10. Shell Connector
    • Invoker interface
11. SQL Connector
12. Windows Connector
    • HOWTO SSL access to Active Directory
    • Invoker interface for Active Directory
13. Zarafa Connector
14. SQL Server Connector

Integration flows

Some connector addons have associated integration workflows. On the Integration flows tab you can view the integration flows related to the agent. You also can view in detail the workflows and test them. 

Attribute mapping

The attribute mapping tab only appears when the agent allows such customization. Soffid administrators have the chance to easily customize attribute mappings without having to code them using Java. The administrator users can select system objects and the Soffid objects related, manage their attributes, and make either inbound and outbound attribute mappings.

There is an action that creates all the default mapping depending on the agent connector type. That option creates automatically system objects with their attributes and properties, you can select them by clicking on the hamburger icon and then the Create default mapping option. Once created the default mapping, those can be customized as required. 

Properties

Some agents require to configure some custom attributes in their properties section.

These properties are specific for each type of connector. You could see all these properties by visiting each connector type page.

Methods

This option is only available on some types of connectors. It is used to define methods that can be called using the defined properties.

Attributes

Each object mapping defines an agent object name and one bound Soffid object type.

The left hand side attributes are managed system attributes, so they are agent dependent that is being configured. The right side attributes are Soffid attributes and must be selected from an existing list. 

It is allowed to use bean Shell expression in the source when the mapping is one-way.

System attributes

A configuration agent must define object types that can be created on it. Each object mapping defines an agent object name and needs bound Soffid object type.

At this column, the system's attribute name will be displayed.

Directions

At the center column, an arrow will show the direction of the information flows.

When the information flows from the system (left) to Soffid (right), the left column name can be replaced by a bean shell expression. This expression will be evaluated on the system object prior to uploading it to Soffid.

When the information flows from Soffid (right) to the managed system (left), the right column can contain a bean shell expression that will be evaluated prior to provisioning the user.

Here are some examples:

for (group: secondaryGroups) {
  if  (group.get("name").equals(primaryGroup)) {
    return group.get("description");
  }
}
return null;

Soffid attributes

You can consult the list of Soffid attributes:

• User Object
• Account Object
• Group Object
• Role Object
• Grant Object
• Maillist Object
• Membership Object

When evaluating any expression, either the system or soffid attributes are available as script variables. Moreover, the following variables are available:

Test

For the definition of an object, you can check the system attributes defined, in both the final system and in Soffid.

1. First of all, you need to click the Test button, then Soffid will display a text field and some buttons to perform new actions.

2. Secondly, the text field must be filled in with the appropriate data. It can be a user, an account, a group or another system object. It depends on the system object you are checking.

3. Then, you can choose the action to perform.