Soffid Objects
You can consult the list of Soffid attributes:
- User Object
- Account Object
- Group Object
- Role Object
- Grant Object
- Maillist Object
- Membership Object
- dispatcherService
User object
A user objects are maps that hold the information belonging to a single user account.
Attribute
|
Type
|
Description
|
---|---|---|
id | Long | user id |
accountId | Long | account id |
accountName | String | account name |
system | String | managed system (agent) name |
accountDescription | String | account description |
active | Boolean | true if user is active |
accountDisabled | Boolean | true if account is diabled |
mailAlias | String | blank separated mails |
userName | String | user name |
primaryGroup | String | user's primary group name |
comments | String | user's comments |
createdOn | Date | user creation date |
modifiedOn | Date | user last modification date |
mailDomain | Date | user mail domain ( email right side of @) |
fullName | String | user full name |
shortName | String | user mail name (email left side of @) |
firstName | String | user first name |
lastName | String | user last name |
lastName2 | String | user second last name (when applicable) |
mailServer | String | mail server host name |
homeServer | String | home drive server host name |
profileServer | String | roaming profile server host name |
phone | String | user's phone number |
userType | String | user type |
createdBy | String | user name creator of this user |
modifiedBy | String | user name modifier of this user |
secondaryGroups | List<Map<String,Object>> |
list of groups the user belongs to, including primary group The attributes of the inner map are described later |
attributes | Map<String,String> | additional user attributes |
grantedRoles | List<Map<String,Object>> | list of grants directly granted to the user |
allGrantedRoles | List<Map<String,Object>> | list of grants directly on indirectly granted to the user |
granted | List<String> | list of role names and group names directly granted to the user |
allGranted | List<String> | list of role names and group names directly or indirectly granted to the user |
Account object
An account object holds the information belonging to an account.
Attribute
|
Type
|
Description
|
---|---|---|
accountDescription | String | account description |
accountDisabled | Boolean | true if account is diabled |
accountId | Long | account id |
accountName | String | account name |
allGranted | List<String> | list of role names directly or indirectly granted to the user |
allGrantedRoles | List<Map<String,Object>> | list of grants directly on indirectly granted to the user |
attributes | Map<String,String> | additional account attributes |
granted | List<String> | list of role names directly granted to the user |
grantedRoles | List<Map<String,Object>> | list of grants directly granted to the user |
lastLogin | Calendar | lastLogin |
lastPasswordUpdate | Calendar | lastPasswordUpdate |
lastUpdate | Calendar | lastUpdate |
passwordExpiration | Calendar | passwordExpiration |
passwordPolicy | String | password policy |
system | String | managed system (agent) name |
type | AccountType | "U"=user, "S"=shared, "P"=privileged, "I=ignored |
Group object
An group object holds the information belonging to a group.
Attribute
|
Type
|
Description
|
---|---|---|
groupId | Long | group id |
name | String | group name |
description | String | group description |
parent | String | parent group name |
server | String | home server host name |
disabled | boolean | true if the group is disabled |
accountingGroup | String | group accounting information |
type | String | group type |
driveLetter | String | home server letter to connect to |
users | List<Map<String,Object>> | list of users belonging to this group |
userNames | List<String> | list of user names belonging to this group |
allUsers | List<Map<String,Object>> | list of users directly or indirectly belonging to this group |
allUserNames | List<String> | list of user names either directly or indirectly grantee of this role |
grantedRoles | List<Map<String,Object>> | list of roles granted to this group |
grantedRoleNames | List<String> | list of role names granted to this group |
Role object
An role object holds the information belonging to a role.
Attribute
|
Type
|
Description
|
---|---|---|
roleId | Long | role id |
system | String | managed system (agent) name |
name | String | role name |
application | String | application system name |
category | String | role category |
passwordProtected | boolean | true if role should be password protected (where applicable) |
description | String | Role description |
wfmanaged | boolean | true if role should be displayed in self service requests |
domain | String | custom domain for this role: Use com.soffid.iam.api.DomainType constants or configured custom domain |
ownedRoles | List<Map<String,Object>> | list of roles granted to this one |
ownerRoles | List<Map<String,Object>> | list of roles grantee of this one |
ownerGroups | List<Map<String,Object>> | list of groups grantee of this role |
grantedAccountNames | List<String> | list of account names directly grantee of this role |
grantedAccounts | List<Map<String,Object>> | list of users directly grantee of this role |
allGrantedAccountNames | List<String> | list of account names either directly or indirectly grantee of this role |
allGrantedAccounts | List<Map<String,Object>> | list of users either directly or indirectly grantee of this role |
attributes | Map<String,Object> | role's custom attributes |
Grant object
Grant, grantedRole & allGrantedRoles
The objects grant, grantedRole and allGrantedRoles are used to assing roles to accounts and roles.
Attribute
|
Type
|
Description
|
---|---|---|
domainValue | String | grant value (if any) |
grantedRole | String | granted role name |
grantedRoleId | Long | granted role id |
grantedRoleObject | role object | granted role |
grantedRoleSystem | String | granted role managed system (agent) name |
id | Long | grant id |
ownerAccount | String | grantee account name |
ownerAccountObject | account object | grantee account |
ownerGroup | String | grantee group name |
ownerRoleId | String | grantee role id |
ownerRoleName | String | grantee role name |
ownerSystem | String | grantee account or role managed system name |
ownerUser | String | grantee user name |
Examples
Grant
Example to map a grant object (assign a role to an account):
System attribute
|
Direction
|
Soffid attribute
|
---|---|---|
role_name | => | grantedRole |
account_name | => | ownerAccount |
GrantedRole
Example to map a grantedRole object (assign a role as a child of another role):
System attribute
|
Direction
|
Soffid attribute
|
---|---|---|
role_name | => | grantedRole |
parent_role_name | => | ownerRoleName |
AllGrantedRoles
Example to map a allGrantedRoles object in a holderGroup (assign a role to an account in a specific group):
System attribute
|
Direction
|
Soffid attribute
|
---|---|---|
role_name | => | grantedRole |
parent_role_name | => | ownerRoleName |
group_code | => | domainValue |
group_code | => | holderGroup |
userName | => | ownerUser |
Maillist object
Attribute
|
Type
|
Description
|
---|---|---|
id | Long | internal mail list id |
name | String | mail list name ( the initial part, before the @ sign) |
domain | String | mail list domain ( the remaining part after the @ sign) |
system | String | managed system (agent) name |
description | String | mail list description |
users | String array | user names that are bound to this mail list |
groups | String array | group names thta are subscribed to this mai list |
roles | String array | role names that grant access to this mail list |
lists | String array | Nested mail lists |
explodedUsers | String array | Names of the users that should be subscribed to this mail list, including the users that should be subscribed due to group or role membership |
explodedUserAddresses | String array | Mail addresses of any exploded User |
Membership object
A membership object contains the user account information as well as the group the user belongs to.
Attribute
|
Type
|
Description
|
---|---|---|
userName | String | User name |
user | Map<String,Object> | user object |
groupName | String | Group name |
group | Map<String,Object> | group object |
attributes | Map<String,Object> | Membership custom attributes |
dispatcherService
dispatcherService is an object available from agents' attribute translation rules.
This object contains four methods:
method name
|
parameters
|
result type
|
comments
|
---|---|---|---|
soffidToSystem | ExtensibleObject soffidObject | ExtensibleObject |
Uses attribute translation tables to transform a soffid object to a target system object. Mind to fill-in objectType property to use the proper object mapping |
systemToSoffid | ExtensibleObject systemObject | ExtensibleObject |
Uses attribute translation tables to transform a target system object to a Soffid object. Mind to fill-in objectType property to use the proper object mapping |
search | ExtensibleObject exampleObject | ExtensibleObject |
Uses the exampleObject to perform a query by example on the target system. If the object exists on the target system, it is returned. Mind to fill-in objectType property with the desired system object type |
invoke |
String verb String action Map parameters |
List of Map |
This method allows arbitrary executions on the target system, but it semantics can change depending on the connector used. For instance, it can be used to perform a GET on the target system in REST connector, can issue an LDAP query on ActiveDirectory connector, can execute a SELECT sentence on a SQL connector, or can execute an operating system command in Shell connector. The results are returned as a list of objects (map). |
Examples
Snippet to query the sys_id attribute for a grant owner
System.out.println("Searching id for "+ownerRoleName);
com.soffid.iam.sync.intf.ExtensibleObject eo = new com.soffid.iam.sync.intf.ExtensibleObject();
eo.setObjectType("ROLE");
eo{"name"} = ownerRoleName;
eo = dispatcherService.search(eo);
System.out.println("FOUND "+eo{"sys_id"});
return eo{"sys_id"};
Snippet that performs a REST query to get group to role assignments in ServiceNow
list = dispatcherService.invoke ("GET",
"https://arxusdev.service-now.com/api/now/table/sys_group_has_role?sysparm_exclude_reference_link=true&sysparm_display_value=all&sysparm_fields=role%2Cgroup&sysparm_query=group="+sys_id,
null).
get(0).get("result")
r = new java.util.LinkedList();
for ( d: list)
{
grant = new java.util.HashMap();
grant{"grantedRole"} = d.get("role").get("display_value");
grant{"grantedRoleSystem"} = "ServiceNow";
grant{"ownerRoleName"} = name;
grant{"ownerSystem"} = "ServiceNow";
r.add (grant);
}
return r;
Snippet of invoke usage on a relational database
// Table ITREPRT
role = source{"granted"}.size() == 0 ? "" : source{"granted"}.get(0);
System.out.println ("************** ROLE "+role);
args = new java.util.HashMap();
args.put("user", source{"accountName"}.toUpperCase());
if (role.equals ("Receptores PR") || role.equals("Jefes_Personal")) {
r = dispatcherService.invoke("select", "* from ITREPRT where IDUSER=:user", args);
if (r.size() == 0) {
dispatcherService.invoke("insert", "into ITREPRT(IDUSER,NOMECO) values (:user, 1)", args);
}
} else {
dispatcherService.invoke("delete", "from ITREPRT where IDUSER=:user", args);
}
// TABLE MRGEUCT
cc = source{"attributes"}{"dominio"};
if ( source{"userType"} .equals ("T")) {
cc = source{"userName"}.substring(1);
}
while (cc != null && cc.startsWith("0")) cc = cc.substring(1);
System.out.println ("************** COST CENTER "+cc);
if (cc != null && ! cc.trim().isEmpty())
{
args = new java.util.HashMap();
args.put("user", source{"accountName"}.toUpperCase());
args.put("cc", cc);
r = dispatcherService.invoke("SELECT", "* from MRGEUCT where IDUSER=:user and MOARPR=:cc", args);
if (r.size() == 0) {
dispatcherService.invoke("INSERT", "into MRGEUCT(MOARPR,CENTRA, IDUSER, NOTIFI ) "+
"values ('II', :cc, :user, 'S')", args);
dispatcherService.invoke("INSERT", "into MRGEUCT(MOARPR,CENTRA, IDUSER, NOTIFI ) "+
"values ('BM', :cc, :user, 'S')", args);
dispatcherService.invoke("DELETE", "FROM MRGEUCT WHERE CENTRA!=:cc AND IDUSER=:user", args);
}
}
return true;