Configuration > Global Settings
Configuration > Global Settings
- Tenants
- License and plugin
- Look & feel
- Soffid parameters
- User types
- Group types
- Metadata
- Network intelligence
- User backup configure & restore (backup addon)
- Export settings and objects (admin addon)
- Import settings and objects (admin addon)
Tenants
Definition
Soffid is multi tenant. This means that one can configure many differente tenants to manage disjoints groups of identities and applications.
Each Soffid object, including applications, systems, roles, users, and accounts are bound to a single tenant.
Of course, there is a special tenant named master. Master tenant administrators can jump to any other tenant with administration privileges.
Soffid recommends connecting directly to the specific tenant to configure it correctly. You have more information about this topic in the Tenant access section.
Screen overview
Related objects
Standard attributes
- Name: Set a short name for the tenant.
- Description: Enter a long description for the tenant
- Enabled: Usually set to yes. If it's set to NO, no user will be able to log in to that tenant, and no provisioning or automated task will be ran on that tenant.
- Disabled permissions: By default, tenant administrator permissions are restricted, so they are not able to bypass tenant borders and access to other tenant information. To achive this, the following permissions are disabled by default, but some others can be added:
- Open the tenants management page
- Use the tenant micro-service
- Manage sync servers
- Assigned servers: By default, the new tenant will not be able to use any sync server unless it is authorized to. So, one can create a sync server for a specific tenant that cannot be used by any other tenant.
Actions
Table actions
| Add new |
Allows you to create a new Tenant. |
| Download CSV file | Allows you to download a CSV file with the tenant information displayed in the table. |
Tenant actions
|
Apply changes |
Allows you to save the data of a new tenant or to update the data of a specific tenant. To save the data it will be mandatory to fill in the required fields. |
|
Export |
The process will generate a compressed file with all the information contained in the Tenant. It includes even the connectors configurations, mappings and global settings. |
|
Delete Tenant |
Allows you to delete the tenant. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation. Remember that this action will delete all data from the tentant. We recommend saving a backup using the Export option beforehand. |
|
Login |
If you have permission to log into a different tenant, you can use this option to access to it. This option is not intended for normal usage, but for administrative purposes |
|
Import |
The user can upload the previously exported tenant. The process will restore all the information contained in the Tenant, including connectors configurations, mappings and global settings.If the Tenant already exists, the process will not replace it. A new tenant will be created with a new name. If you want to replace the existing tenant, remove it before uploading the tenant export file. |
|
Undo |
Allows you to quit without applying any changes. |
Others
Tenant access
Option 1: direct access to the tenant
When users are connecting to Soffid console, the master tenant is displayed by default. In order to directly connect to any tenant, a DNS entry with the tenant name must be added to your DNS server.
For instance, if you have deployed a Soffid console with the DNS name console.soffid4.local, the DNS name test.console.soffid4.local will be used to access to the test tenant.
Note that you must configure the hostName Soffid parameter in the master with your DNS name
Option 2: access through the master
You can also configure the login page using the soffid.auth.showTenant Soffid parameter. If the parameter value is true, Soffid will display a new box in the login page to write the tenant name to login.
License and plugin
Definition
License
Soffid 4 requires a valid licence to enable its features.
The licence token must be provided by Soffid and will enable the modules you have contracted for the duration of the contract. A new licence token will be provided upon each renewal.
Plugin
Soffid provides you additional functionality that allows installing addons and server plugins. There are two main types of addons: system connectors and console addons.
You can download existing addons and plugins developed by Soffid by visiting http://download.soffid.com/download or http://download.soffid.com/download/enterprise if you have a Soffid user with authorization.
In Soffid version 4, a marketplace has been implemented that allows you to upload or update add-ons or connectors directly from the Console.
An addon or plugin, must be upload into a Master tenant, the other tenant will inherit these installed addons and plugins.
Addons and plugins can be developed using Addon Development Guide.
System connectors
Also referred as plugins, there are little pieces of software able to manage identities on some type of systems. They can be generic plugins (SQL or LDAP plugins) or custom specific plugins.
The system connector is configured when the administrator creates an agent. An agent can be viewed as a configured instance of a plugin.
In order to upgrade existing (running) plugins, the synchronization server that hosts this plugin must be restarted from the system monitoring screen.
A connector can contain one or more types of agents, and you can create as many agents (of the same type or not) as you want to connect to Soffid.
Console addons
Add important features to Soffid console. A console addon can contain common classes, data models, transactional services, web services, and web interfaces.
In order to apply addon changes, the console must be restarted. It can be restarted from this page by clicking on the restart console button.
Some add-ons, such as Federation, also require restarting the synchronisation servers.
From this page, you will be able to upload and upgrade server plugins, as well and enable or disable them.
Screen overview
Related objects
- Tenants: the plugins are managed in the master tenant.
- Agents: used to configure a system connector, agents are located inside the connector plugins.
Standard attributes
Table attributes
- Plugin: identified name of the plugin or addon deployed.
- Version: version of the plugin or addon.
- Deployed by: user that deployed the addon or plugin.
- Date: date and time of the deployment.
When a plugin is disabled, it is displayed as strikethrough.
Plugin attributes
- Name: identified name of the plugin or addon deployed.
- Version: name + version.
- Enabled: if enabled is Yes, the plugin or addon will be available to use it.
- Components: component list that make up the plugin or addon.
Actions
Table actions
| Add new |
Soffid 4 allows you to install and update plugins through the new Addons marketplace feature.
To access the marketplace, you must have a valid token to use Soffid and have configured the Console via https.
Images
|
| Upload | Allows you to upload and install a new plugin or addon. You must pick a file, that file has to be a valid add-on or plugin. Once the file is selected, it will be uploaded automatically. Then, you must restart the Sync server or Console depending on the uploaded plugin. Soffid will tell you which one to restart once the plugin has loaded. |
| Delete plugin | Allows you to delete one or more plugins or addons, you must select one or more records from the list and click this button. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation. |
| Download CSV file | Allows you to download a CSV file with all the information about plugins. |
| Restart Console | Allows you to restart the console to apply addon changes. That operation will be mandatory when you load an addon. |
| License manager |
To activate the features of Soffid 4, you must apply a token with the Soffid licence you have purchased.
Local testing or developer environments also require a token. The ‘Licence manager’ option lists valid tokens, old tokens, and tokens pending acceptance and use.
Images
|
Plugin actions
| Apply changes (dick button) |
Allows you to update the plugin. Only the "Enabled" attribute can be modified. |
| Delete plugin |
Allows you to delete and desinstall a specific plugin. To delete a plugin, you can click on the "three point" icon and then click the delete plugin button. Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation. |
| Undo | Allows you to undo any changes. |
| Apply changes | Allows you to update the plugin. Only the "Enabled" attribute can be modified. Once you apply changes, the plugin details page will be closed. |
Others
First access to Soffid
Once Soffid is installed and you access the console with the admin user, the only option enabled will be this screen.
Image
You should now access it and click "Licence manager" button to search for and accept the token that has been provided to you, but for this step to be possible, you must first configure the console in https. This step is explained in the Soffid 4 installation manual.
Once we have the console in https and have enabled the licence token, you will be able to access the contracted modules and this will be indicated in the page title.
Image
Access without token
When you access the ‘Licence manager’ and there are no tokens available, you must contact Soffid.
Please remember that the username used must be the one for the Soffid platform. It will be the same one that allows you to access our support portal or the downloads page.
Image
Look & feel
Definition
Soffid's Look & feel page allows you to adjust the Console styles to your organization.
In this configuration page, the customization of two sections is allowed:
- Images:
- You can change the image of the logo that appears on the login page.
- You can change the image of the logo that appears in the left bar.
- You can change the image of the logo that appears in the top bar.
- Colors:
- You can change the colors of the Soffid components and text.
Changes made on this page affect the entire Console.
Some changes may require updating the browser several times because some items are in the browser's cache.
Screen overview
Standard attributes
Images
|
Login image |
Logo used on the login and logout screens. Image in png or jpg format. |
|
Left bar image |
This image will appear in the menu on the left. Image in png or jpg format. |
|
Top bar image |
This image will appear in the menu on the top bar. Image in png or jpg format. |
Colors
|
Primary |
Login/logout background. Buttons. Page icons. Table selections. |
|
Secondary |
Icons in the menu pages. |
|
Terciary |
Buttons. Page icons. |
Actions
For the images
|
Pick a file |
Allows you to pick a file to load. The file must have a specific configuration |
For the page
|
Reset values |
Allows you to return to the default Soffid values. |
|
Confirm changes |
Allows you to apply the changes made. |
Examples
Top icon, left bar, icons page, and colors
Login page with logo and colors
Soffid parameters
Definition
Soffid allows you to customize the configuration of some attributes of the Console, Syncserver, connectors and add-ons.
There are several types of parameters.
- Informative parameters, such as the versions of internal components of Soffid.
- Parameters used as attributes in Soffid screens, such as the values of the look & feel fields.
- There are also parameters that can be modified, such as some configuration data for the synchronization server.
- There are new attributes that can be included to expand the functionality of Soffid, such as mail server data.
If you want to know the Soffid console version check the component.iam-core.version parameter.
Screen overview
Standard attributes
- Parameter: code/name used to identify the parameter.
- Value: parameter value.
- Network (optional): network to which this parameter would be assigned.
- Description (optional): a brief description of the parameter.
Actions
Table actions
|
Add new |
Allows you to add a new Soffid parameter. To add a new parameter it will be mandatory to fill in the required fields. |
|
Delete parameter |
Allows you to delete one or more Soffid parameters by selecting one or more records and next clicking this button. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation. |
|
Download CSV file |
Allows you to download a csv file with the basic information of all Soffid parameters. |
|
Import |
Allows you to upload a CSV file with the parameter list to add, update or delete parameters to Soffid. First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and to click the Import button. To delete a parameter, the values of the parameter have to be empty
|
Detail actions
|
Apply changes (disk button) |
Allows you to save the data of a new parameter or to update the data of a specific parameter. To save the data it will be mandatory to fill in the required fields. |
|
Delete parameter |
Allows you to delete a specific Soffid parameter. To delete a parameter you can click on the "three points" icon and then click the delete parameter button. Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation. |
|
Undo |
Allows you to quit without applying any changes. |
|
Apply changes |
Allows you to save the data of a new parameter or to update the data of a specific parameter. Once you apply changes, the plugin details page will be closed. |
List of parameters sorted by functionality
Console
|
Parameter
|
Description
|
|---|---|
|
soffid.auth.system |
Select the managed system where the account name will be searched on the user login. Defaults to soffid. |
|
soffid.auth.trustedLogin |
Set to true to enable the Soffid console to validate passwords on trusted systems. Setting it to false, the password will be validated against internal tables only. |
|
soffid.delegation.disable |
Set to true to prevent users to delegate permissions from self service page. |
|
soffid.entitlement.group.holder |
Set to optional enables the operator to set a group as the group holder for any entitlement assignment. Set to always enforce that any entitlement assignment must be bound to a holder group. Set to none to disable this feature. This parameter affects to role holder |
|
soffid.language |
Enforce user interface language. |
|
soffid.language.default |
Default user interface language (en). |
|
soffid.network.internet |
Sets the name for a generic subnet that will hold any host not included on any listed network. |
|
soffid.proxy.trustedIps |
Set the IP address of any reverse proxy in front of Soffid servers. This parameter can take a list of IP addresses, separated by commas, like the following ones:
To allow a range of network IPS, one can use the wildcard(*) symbol, as in the following example:
Starting with Soffid console 3.3.0, the network-address/bits notation is allowed, as in the following example:
|
|
soffid.propagate.timeout |
Timeout in seconds to retry the password validation needed to propagate a managed system notified password change (requires syncserver 1.5.4). |
|
soffid.server.sharedThreads |
Number of shared dispatcher threads per synchronization servers (by default 1) |
|
soffid.syslog.server |
Hostname or IP address of server hosts SIEM. The SIEM will receive audit information using the syslog protocol. |
|
soffid.task.limit |
The maximum number of tasks allowed per transaction. If a simple or complex transaction generates more tasks than specified, these tasks will be kept on hold. Administrators can release them through the monitoring page. (version 2.0+) |
|
soffid.ui.docPath |
The path where to store report and workflow documents. |
|
soffid.ui.docServer |
URL where is the server to store the files. |
|
soffid.ui.docStrategy |
Class responsible for managing report and workflow documents. |
|
soffid.ui.docTempPath |
The path where to store temporary files |
|
soffid.ui.docUsername |
Username of the doc server. |
|
soffid.ui.docUserPassword |
The password of the doc server. |
|
soffid.ui.maxrows |
The maximum number of rows to display in searches. The default value is 200 but you can change it. |
|
soffid.ui.timeout |
Max time (in milliseconds) a query can take to complete (version 2.0 +). |
|
soffid.ui.wildcarts |
Setting the auto value enables the user interface to add wildcards on user queries. Setting it to off disables this feature. |
|
soffid.externalURL |
External URL to access to Soffid console. |
|
soffid.kerberos.agent |
The name of the Windows server agent so that any incoming Kerberos packets will be authenticated against that domain. |
|
soffid.pam.search.recordings.timeout |
Timeout reached in the query, use the parameter to specify a longer timeout in milliseconds. By default, if you don't config this parameter is 60000 milliseconds. (version 3.5.18+) |
|
soffid.nameformat |
Parameter to configure how to display the users full name. Where:
For instance: |
|
soffid.issue.next |
Allows you to initialize the parameter to indicate what will be the ID of the next issue. 1 will be the default value. |
|
soffid.upload.maxsize |
Allows you to set a maximum value in bytes for uploading files to Soffid. |
Syncserver
|
Parameter
|
Description
|
|---|---|
| SSOServer | This parameter indicates which server acts on the workstations that run SSO. This parameter can have different values for any subnet. So you can define ESSO servers allowed for any subnet. |
| seycon.https.port | Port where synchronization server connects to. This parameter is used by ESSO clients to connect to synchronization servers. |
| seycon.server.list | Shows where Syncserver and SyncServer backup is installed. When installing the first server synchronization, this parameter is automatically updated. If you want to install a synchronization server backup you must update this parameter manually. Note that proxy synchronization servers are not on this list. See the Soffid installation guide. |
| soffid.sync.engine.threads |
This parameter allows you to configure the number of threads available to run the tasks. If you do not fill this parameter, Soffid will run 1 thread for every 50 systems, but never more than twice the number of CPUs of the server. The value of the parameter must be equal or greater than 1. (Available in Sync Server version 3.5.15+) |
Mail server
|
Parameter |
Description |
|---|---|
|
mail.host |
Host to send electronic mail messages. |
|
mail.from |
Recipient address that will be set as the email sender. |
|
mail.transport.protocol |
Set to SMTPS to get secure mail. Default value "SMTP" to use plain SMTP protocol. |
|
mail.auth |
Set to true if your mail server requires user authentication. |
|
mail.user |
Set your email user name if your mail server requires user authentication. |
|
mail.password |
Set your email password if your mail server requires user authentication. |
|
mail.port |
25 by default, with this parameter a new port can be set. |
|
mail.smtp.sasl.enable |
Set to true to enable SASL. |
Job notifications
|
Parameter |
Description |
|---|---|
|
soffid.scheduler.error.notify |
Users to notify when a scheduled task fails. |
|
soffid.bpm.error.notify |
Users to notify when a BPM task fails. |
|
soffid.bpm.error.retry |
Set to true to always retry any failed BPM task. |
Syncserver provisioning
|
Parameter
|
Description
|
|---|---|
| soffid.server.register |
Set to direct value to bypass standard workflow needed for a syncserver to join the syncservers security network. Otherwise, the standard approval workflow will be required(Since syncserver 2.6.0). You also can set it to no-direct |
Addon federation
|
Parameter
|
Description
|
|---|---|
| addon.federation.essoidp |
Set the Identity Provider identifier to indicate that this will be the authentication provider. For more information, you can visit the How to add to ESSO a second factor of authentication page. |
Identity Self Service and emails
|
Parameter
|
Description
|
|---|---|
| AutoSSOURL |
This parameter is used to retrieve the URL that the end user of Identiry Self Service will see. It is used in various Soffid modules: |
Exclude menu options
To exclude default menu options for all users of the Soffid console, the following steps can be followed
1. To exclude some menu options from your Soffid console, you must edit the system.properties file of this console. You can find this file in the following path: /opt/soffid/iam-console-3/conf/
2. Add the soffid.menu.hidden parameter to the system.properties file. The value of this parameter can be the menu options name that you can find in the console.yaml file.
3. Restart the Soffid console.
User types
Description
User type is the way to categorize users and allows configuring different password policies. Those policies can be more or less restrictive depending on the user's risk. For instance, internal users (automatically created) are different from external ones.
Therefore, this field is very useful for the following cases:
- Sort or list the users on the user's page or in the reports
- Apply different password policies
- Apply restrictions on the synchronization of Soffid to the target systems
- Ease configuration in automatic rules or custom scripts
Be in mind that a user always must belong to a User Type.
Screen overview
Related objects
- Users: each user must be assigned a user type.
- Accounts: the shared or privileged accounts also require having selected a user type to associate it with a password policy
- Agents: for agents not based on "Manual account creation", you must select the user types that can be synchronised.
Standard attributes
- Short name: internal code used to identify the user type.
- Description: brief description of the user type.
- Managed: (yes|no) if not managed, users belonging to this category will not be propagated to final systems. You must use it when you are developing a PoC.
Actions
User type table
| Add new | Allows you to create a new User type. To add a new User type it will be mandatory to fill in the required fields |
| Delete user type | Allows you to remove one or more User type by selecting one or more records and next clicking this button. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation. |
| Download CSV file | Allows you to download a csv file with the basic information of all user types. |
| Import |
Allows you to upload a CSV file with the User type list to add or update User types to Soffid. First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and to click the Import button. |
| View |
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. |
User type detail
| Apply changes (disk button) | Allows you to save the data of a new User type or to update the data of a specific User type. To save the data it will be mandatory to fill in the required fields. |
| Delete |
Allows you to delete the User type. To delete a host you can click on the hamburger icon and then click the delete button (trash icon). Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation. |
| Undo | Allows you to undo any changes made. |
| Apply changes (disk button) | Allows you to save the data of a new User type or to update the data of a specific User type. To save the data it will be mandatory to fill in the required fields. Once you apply changes, the details page will be closed. |
Group types
Description
Companies are organized in different business units, departments or workgroups. In Soffid, they all are named as groups. These group can be categorized by a group type.
Group types can be used in the definition of Holder Groups. Some roles can be assigned to a user only through a group enabled for it. When a user no longer belongs to a group, it is not allow assign that role to the user.
A user always belongs to a user type, but groups do not necessarily have to belong a group type.
Screen overview
Related objects
- Groups: the group type is an attribute of groups.
- Users: users belong to a group or secondary group.
- Metadata: to add atrributes for the holder group relation in the com.soffid.iam.iga.api.UserGroup object.
Standard attributes
- Name: name (or code) of the organizational unit.
- Description: description of the organizational unit.
- Role holder: (yes|no), when this attribute is active (yes), all the groups of this type of organizational unit could be assigned to a user as a domain of a role.
Actions
Group type table
|
Add new |
Allows you to create a new Group type. To add a new Group type it will be mandatory to fill in the required fields |
|
Delete group type |
Allows you to remove one or more Group types by selecting one or more records and next clicking this button. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation. |
|
Download CSV file |
Allows you to download a csv file with the basic information of all groups types. |
|
Import |
Allows you to upload a CSV file with the Group type list to add or update Group types to Soffid. First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and to click the Import button. |
Group type detail
|
Apply changes (disk button) |
Allows you to save the data of a new Group type or to update the data of a specific Group type. To save the data it will be mandatory to fill in the required fields. |
|
Delete group type |
Allows you to delete the Group type. To delete a host you can click on the "three potins" icon and then click the delete group type button. Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation. |
|
Undo |
Allows you to undo any changes made. |
|
Apply changes |
Allows you to save the data of a new Group type or to update the data of a specific Group type. To save the data it will be mandatory to fill in the required fields. Once you apply changes, the details page will be closed. |
About role holder (and holder group)
In some organizations is necessary to assign roles that affect only a part of the structure, for instance, a department, a division or a country. A Holder Group can be defined as a collection of entities (referred to as "holders") that share similar characteristics, roles, permissions, or access requirements. The concept of a Holder Group simplifies the management of identities by enabling administrators to apply policies, assign roles, and manage permissions at the group level rather than individually.
The role holder is the role that requires to be assigned to a group, and the holder group is the group that can be assigned role permission.
To configure correctly this functionality you have to apply the next steps:
- Create at least one organizational unit (Group Type) with the role holder attribute active (yes).
- Assign groups to the organizational unit (with the attribute type of the group).
- Also, you can include new custom attributes to this membership relation, go to Metadata page and select the GroupUser to add these attributes.
- In the soffid parameters page, create a new parameter named soffid.entitlement.group.holder. It can have one of these three values:
- Set to optional enables the operator to set a group as the group holder for any entitlement assignment.
- Set to always to enforce that any entitlement assignment must be bound to a holder group.
- Set to none to disable this feature
Now you can start to apply this configuration to the users:
- In the Users page, select a user.
- In the Groups tab, add a new group.
- In the Roles tab, add a new role and select the holder group in the optional scope.
- If the holder group column is hidden, you can add with the option Add or remove columns.
Metadata
Description
The Metadata functionality allows expanding the Soffid objects, their attributes, and their data types. Also, it allows expanding custom objects.
By default, there is a list of built-in objects, but it is possible to create new custom objects and add new custom attributes to each of them.
It is usual to add custom attributes in the User built-in object to hold additional information.
Each attribute has a data type, it may be a basic type as a String (simple text), integer value, date, or something more complex as a reference to a custom object, or a popup to select a manager. In this way, one can build relationships between objects.
Built-in objects
The built-in objects are the objects that are part of the Soffid core. It can not be removed, but more custom attributes can be added.
The following objects are Soffid well-known objects that can be customized by means of this screen. All of them are tagged as Built-in objects.
- Account
- Group
- Host
- InformationSystem
- MailList
- ProcessInstance
- Role
- RoleAccount
- User
- UserGroup
Custom objects
The custom objects are the objects created by the administrator to extend the Soffid underlying data model. All of them are marked as Built-in type No.
Each custom object type created by the administrator is displayed at the custom objects menu options.
Screen overview
Related objects
- Account : account object
- Group : group object
- Host : host object
- InformationSystem : informationSystem object
- MailList: mailList object
- ProcessInstance : workflows:
-
My tasks : pending workflows where the user has to perform an action in order to continue their workflow.
-
My requests : the workflows that the user can initiate are listed here.
-
My requests > Query request status : to search for all processes started by oneself.
-
Process Search : to search for all processes.
-
- Role : role object
- RoleAccount : this is the grant, the relation between user and role
- User : user object
- UserGroup : seconday group relation in user page
Standard attributes
Table attributes
- Name: name of the custom object. This field is mandatory.
- Description: a brief description of the custom object. This field is mandatory.
- Built-in type: yes when is a native object, no when it is a created custom object
- Write access: allows you to select the proper roles with permissions to write. This field is only displayed when the Public object value is No
- Read access: allows you to select the proper roles with permissions to read. This field is only displayed when the Public object value is No
- Public object: if you select the Yes option, the object will be visible to all the users with the proper permissions. If you select the No option, you must indicate what roles can Read and what roles can Write this object.
- Use textual index: allows you to check the Yes option if you want to use the Textual index for searching data in this object.
Object attributes
- Object type: code/name to identify a built-in type or a custom object.
- Description: a brief description of the object.
- Use textual index: allows you to select the Yes option if you want to use the Textual index for searching data in this object.
- Public object: only for custom objects. If you select the Yes option, the object will be visible to all the users with the proper permissions (role with authorization). If you select the No option, you must indicate what roles can Read and what roles can Write this object.
For more information, you can visit the Textual index page.
Attribute attributes
- Code: short name used by scripts and connectors to access the underlying information. It is suggested to use short names without blanks or special characters to make it easier to use.
- Label: text displayed just beside the attribute value. It is advised to use short descriptions in order to keep the screen cleaner.
In Soffid 4, labels are now multilanguage. Once you have saved a new attribute, you can modify it by clicking on the language icon.
Image
- Data type: The attributes can have different data types
- Basics
-
- String: a text
- Number: a number
- Password: a text that will be stored encrypted in the database. This field will never be displayed to the end user.
- Binary: raw information, probably images or documents.
- Boolean: true/fasle, it is displayed as a switch button
- Photo: an image that is displayed as a small image.
- Date: a date with a calendar popup.
- Date and time: a date and time with a calendar popup.
- E-mail: a text with email format. the mail domain must exist in Soffid to be saved.
- HTML: rich text.
- Separator: a separator is a label to group attributes according to some criteria
- SSO HTML input: used primarily for the web SSO engine includes an input field and a value.
- Attachment: files starored as files
-
- Soffid objects
-
- Account
- User
- Group
- Group type
- Role
- Information System
- Host
- Network
- User Type
- Mail domain
- Mail list
- Operating system
- Printer
- Target system (agent)
-
- Custom objects: any other custom object created by the administrator.
- Basics
- Letter case: different options for modifying the text once it has been entered
- Keep as entered by the user
- Upper case letters
- Lower case letters
- User hint: Text used to indicate to the user how the text should be entered.
Image
- Description: text field to write a brief description of the attribute. In Soffid
In Soffid 4, you can now see it in the attribute by hovering over the round information icon.
Image
- Required: enabling this box will enforce the user to enter a value for this attribute at any object. Set no to allow objects without value. If you try to save without a value, an error message is displayed.
Image
- Include in quick search: the system will find any object that contains all the words included in the text search at any of the most relevant attributes. For instance, a quick search of "John Joe" will find users named "Joe Johnson" or "Johnathan Joel" as the first and last marked to be included in the quick search. If you enable the quick search for any new attribute, the same query will find a user named "Joe Williams" whose new attribute value is "John".
- Prevent duplicated values: mark this field as a unique key for the object type. There is no chance of two objects with the same attribute value. Soffid smart engine will avoid the creation of duplicated objects.
- Multiple values: some attributes can contain multiple values for the same object. For instance, an attribute containing the languages a user can speak can be multi-valued, as a user can speak multiple languages.
- Maximum number of rows to display: when an attribute is multivalued, the screen size can grow a lot. To prevent such a big form, the system will only display a maximum number of values, and a scroll bar will appear to browse through the attribute values.
- Size: primarily for string attributes, specify the maximum length in characters of the attribute value.
- Values: primarily, for attributes of data type String, you can specify the allowed values for the attribute. Then, the text box to the data type String is replaced by a drop-down list. Also, you can define a "code:label" for the value, the "code" is used internally and the "label" is displayed in the drop-down list, e.g. "ESP:Spain".
- Administrator visibility: sets the maximum visibility level for administrators. If the visibility level is set to read-only, the administrator will not be allowed to modify it. If the visibility is set to hidden, the administrator will not be able to query it. A user is considered as administrator when has the role SOFFID_ADMIN.
This field is only used in the user object built-in attributes.
- Operator visibility: sets the maximum visibility level for operators. If the visibility level is set to read-only, the operator will not be allowed to modify it. If the visibility is set to hidden, the operator will not be able to query it. A user is considered as an operator when has permission to open the users management page but lacks the role SOFFID_ADMIN.
This field is only used in the user object built-in attributes.
- User visibility: sets the maximum visibility level for end-users. If the visibility level is set to read-only, the user will not be allowed to modify it. If the visibility is set to hidden, the user will not be able to query it. Mind that even an administrator is considered to be a user rather than an administrator or operator when accessing their own identity.
This field is only used in the user object built-in attributes.
- Visibility expression: write an optional BeanShell expression to check if the field should be displayed or not. The expression should return true or false. The following variables are exposed to the expression:
-
ownerObject: current object owning the attribute.
-
value: current attribute value.
-
requestContext: tip about the screen using the attribute.
-
inputField: the ZK input object (ZK Framework).
-
inputFields: a map to get access to any other ZK input object (ZK Framework).
-
serviceLocator: locator to use any Soffid engine microservice.
-
// Sample to enable company name attribute only when the user is of type E (external)
return "E".equals(object{"userType"});- Validation expression: write an optional BeanShell expression to check if the field value is acceptable or not. The expression should return true if the value is acceptable. If the expression returns false or any other object, a warning message will be displayed. When the expression returns a string value, the return value will be considered the warning message to present to the end-user.
The following variables are exposed to the expression:
- ownerObject: current object owning the attribute
- value: current value to evaluate.
- requestContext: tip about the screen using the attribute
- inputField: the ZK input object (ZK Framework).
- inputFields: a map to get access to any other ZK input object (ZK Framework).
- serviceLocator: locator to use any Soffid engine microservice.
// Sample for checking birthDate is greater than 18 years old
c = java.util.Calendar.getInstance();
c.add(-18, c.YEAR);
if (birthDate == null || birthDate.before(c.getTime()) return true;
else return "Birth date should be before "+ new java.text.SimpleDateFormat().format(c.getTime());
- onLoad trigger: write an optional BeanShell expression that will be executed just after preparing the user interface. The script can modify in any way the inputField object before it is displayed, but cannot modify other input fields.
The following variables are exposed to the expression:
- ownerObject: current object owning the attribute
- value: current value to evaluate.
- requestContext: tip about the screen using the attribute
- inputField: the ZK input object (ZK Framework).
- inputFields: a map to get access to any other ZK input object (ZK Framework).
- serviceLocator: locator to use any Soffid engine microservice.
// Sample to set contract number attribute to read only if the attribute company is empty
// Place as an on-load trigger in the contract number field
if (ownerObject.attributes.get("company") == null || ownerObject.attributes.get("company").trim().isEmpty())
inputField.setReadonly(true);
else
inputField.setReadonly(false);- onChange trigger: write an optional BeanShell expression that will be executed just after the user has changed the object value. The script can modify in any way the inputField object or any other input fields.
The following variables are exposed to the expression:
- ownerObject: current object owning the attribute.
- value: current value to evaluate.
- requestContext: tip about the screen using the attribute.
- inputField: the ZK input object (ZK Framework).
- inputFields: a map to get access to any other ZK input object (ZK Framework).
- serviceLocator: locator to use any Soffid engine microservice.
// Sample trigger to set contract number attribute to read only when the company attribute gets empty
// Place as an on-change trigger in the contract field
contractField = inputFields.get("contractNumber");
if (value == null || value.trim().isEmpty())
contractField.setReadonly(true);
else
contractField.setReadonly(false);
contractField.invalidate(); // Redraw contract number field
......
inputFields.get("contractNumber").getValue();- You can add a SCIM expression: exclusive for Soffid objects (users, groups, roles...). Write an optional SCIM query using the SCIM standard to filter valid results for a specific field.
You can access to SCIM Chapter for more information
Actions
Table actions
|
Add new |
Allows you to add a new custom object in the system. To add a new custom object it is necessary to fill in the required fields. By default, it will have two mandatory attributes, name and description. |
|
Delete metadata |
Allows you to remove one or more custom objects by selecting one or more records and next clicking this button. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation. |
|
Download CSV file |
Allows you to download a CSV file with the basic information of all metadata. |
|
View |
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. |
Metadata detail
|
Refresh |
Allows you to refresh all the metadata information. |
|
Download CSV file |
Allows you to download a CSV file with the basic information of the metadata object. |
|
Import |
Allows you to upload a CSV file with the attribute metadata to add or update attribute metadata to Soffid. First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button. |
|
Delete metadata |
Allows you to delete the metadata object. To delete a metadata you can click on the "three points" icon and then click the delete metadata button. Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation. |
|
Set to default |
Only for built-in objects. Allows you to set the factory setting. Sometimes, usually after an upgrade, it is advisable to reset the built-in attributes of a built-in object. In that case, the properties of the attribute will be changed to the factory setting ones. |
| Expand all | Displays all the attributes of the different blocks. |
| Collapse all | Hide all attributes of the different blocks. |
| "Types of views" | Change the view type: Classic view, Modern view, Compact design. |
|
Add new |
Allows you to add a new attribute metadata. |
| Delete | Allows you to remove one or more attributes by selecting one or more records and next clicking this button. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation. |
|
Undo |
Allows you to quit without applying any changes made. |
|
Apply changes |
Allows you to save the data of a new metadata object or to update the data of a specific metadata object. To save the data it will be mandatory to fill in the required fields. |
Metadata attributes detail
|
Delete |
Allows you to delete the metadata object. Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation. |
| Expand all | Displays all the attributes of the different blocks. |
| Collapse all | Hide all attributes of the different blocks. |
| "Types of views" | Change the view type: Classic view, Modern view, Compact design. |
|
Undo |
Allows you to quit without applying any changes made. |
|
Apply changes |
Allows you to save the data of a new metadata object or to update the data of a specific metadata object. To save the data it will be mandatory to fill in the required fields. |
Network intelligence
Description
Two extended Soffid features are activated on this page.
Network intelliegence
On the one hand, we have Network intelligence, which enables the possibility of validating that accounts and passwords have not been compromised in the end systems with which Soffid is integrated.
Once this feature is activated, you will be able to use two new functionalities: on the one hand, more detailed geolocation information about the IP address used to access Soffid, and on the other hand, external validation of your account and password to confirm that this data has not been compromised in any previously published security breach.
To activate password validation, you must enable it in the password policies.
- Check breached password
Four new issues will also appear that can be configured:
- breached-account-password
- breached-email
- breached-password
- expired-breached-password
A new process has been created to plan for the validation of email domains.
-
Network intelligence verify domains
And algo
AI in Soffid
On the other hand, we have the Chat-bot, which enables our AI to be consulted both on its specific screen and in all components that allow scripts to be written.
Once this feature is activated, you will be able to access the chat box page to consult information about Soffid. You will also be able to use the AI assistant that appears in all script-type fields.
The token used can be obtained by you yourself by accessing the Gemini page for this purpose, see the Request a token for the AI point.
Screen overview
Related objects
- Network intelligence
- Password policies : to enable the validation accounts
- Issue policies : for the new issues type
- Scheduled tasks : a new process can be scheduled to check the current accounts and systems
- Users : when changing a password.
- Accounts : when changing a password.
- Chat-bot
- Soffid chat-bot : to chat with our AI.
- Custom scripts : to use the AI.
- All pages with script can use the AI to help you with the scripting:
- Agents : properties, mappings and triggers.
- Account naming rules : Create account condition and script.
- Role assignment rules : Expression.
- Password policies : Password validation script.
- PAM policies : Expression.
- BPM editor : Scritps.
- Attribute definition : Value.
- Metadata : attribute value scripts
Standard attributes
- Network Intelligence License
- Token : token that enables this functionality. This token is provided by Soffid if your licence includes it.
- Token : token that enables this functionality. This token is provided by Soffid if your licence includes it.
- Gemini token
- Token : token that enables this functionality. You can generate this token yourself; we will explain how to do so later on.
- Token : token that enables this functionality. You can generate this token yourself; we will explain how to do so later on.
Actions
| Expand all | Displays all the attributes of the different blocks. |
| Collapse all | Hide all attributes of the different blocks. |
| "Types of views" | Change the view type: Classic view, Modern view, Compact design. |
| Apply changes | Save the tokens in case they are valid. |
Others
Token not allowed
The token for network intelligence is only saved if it is valid.
Access without a token
When attempting to use this feature without having previously enabled it, the console displays the error: No token configured. Please configure it on the network intelligence page.
Request a token for the AI
To use our AI functionality, you must request a token from the Gemini service. Here's how to do it.
Go to the next page: https://ai.google.dev/gemini-api/docs/api-key
Go to "Google AI Studio".
Login with a Google account.
Select "Get API key".
"Accept".
Click on "Create API key" button.
Wait a few seconds.
You finally have your key to be used on Soffid.
User backup configure & restore (backup addon)
Description
On the User backup configure & restore page, you could search, check and restore the user's snapshots.
Also on this screen, you can also configure the frequency and number of backups to be performed.
Screen overview
Related objects
- Users: new Backups tab in the Users page, user object has backups
- Groups: user assignments to groups have backup
- Accounts: user's accounts have backup
- Roles: user's roles (grants) have backup
- Mail lists: user's mail lists have backup
Standard attributes
- User Name: userName of a user
- Valid since: date and time when this backup started
- Valid until: if it is not the last backup, date and time when this backup finished
- Download: XML file with the user snapshot info.
Actions
Table actions
|
Query |
Allows you to query users through different search systems, Basic and Advanced. |
|
Restore |
Allows you to restore one or more user's snapshots. First of all, you need select one or more snapshots. Second, you need to click the "Restore" button. Then Soffid will run the restore process.
Image
|
|
Download CSV File |
Allows you to download a CSV file with the basic information of all backups, with the same columns as displayed in the table. |
|
Configure backup |
Allows you to configure the backup parameters. |
| View |
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. |
|
Download |
Allows you to download an XML file with the user. You only need to click on the download icon of one of the records and save the file on your computer. |
Configure backup button
With the "Configure backup" button, you can configure the frequency and number of backups. These are the available parameters:
- Minimum delay between backups: if the value is 1, when a backup is created, the system will not create a new backup until 1 day later, even if there has been more than one change during that period.
-
Number of backups to keep alive: if the value is 10, when 10 backups are reached, the oldest backup will be deleted when the next one is created.
-
Enable entitlements history: enable the history of roles assigned to users.
Image
Others
Backup tab on user's page
On the users screen, when you select a user, this addon enables the Backups tab.
Image
This tab displays the user's backups.
Image
There are also several buttons with the rest of the items that can have backup.
Image
These are the buttons:
- Groups History: user assignments to groups have backup
- Accounts History: user's accounts have backup
- Roles History: user's roles (grants) have backup
- Mail lists History: user's mail lists have backup
Image
In any of the four options, when selecting an old record, the ‘Restore’ button will appear and this object can be restored to the user.
Image
Export settings and objects (admin addon)
Description
Soffid has the functionality that allows you to export configuration, Soffid objects, and objects from target systems in a ZIP file.
Every object or configuration will be downloaded into the ZIP in a binary file. This ZIP file could be imported into another Soffid tenant to be used.
For more information, you can visit the Import settings and objects page.
Once you open the Export settings and objects, you must select the configuration, objects, and target system objects you want to export. Then you only need to click the Generate export file button to download the ZIP that will contain all the previous information selected.
It is not allowed to export the basic configuration and configuration parameters of an agent for security reasons. You must create them manually and make sure you put the same names as in the source system if you are going to import accounts.
Screen overview
Related objects
Configuration
- Metadata
- Plugins
- Business process definition
- Custom scripts
- User types
- Group types
- Account naming rules
- Password policies
- Mail domains
- Authorizations
Objects
- Users
- Information systems
- Groups
- Hosts
- Networks
- Mail lists
- Role assignment rules
- Segregation of duties
- Application access tree
- Custom objects : the custom objects created on the Metadata page
Web SSO settings
Target system objects
Actions
| Expand all | Displays all the attributes of the different blocks. |
| Collapse all | Hide all attributes of the different blocks. |
| "Types of views" | Change the view type: Classic view, Modern view, Compact design. |
| Generate export file | By clicking this button, Soffid will generate a ZIP file with the objects and configuration that you have selected and will download it to your computer. |
Others
Exporting and importing
You can export all the components you are using in your Soffid implementation, so you can use them as a backup in case something happens, or to generate a new test environment.
Once the zip file has been generated, you can import it on the Import settings and objects page, but do not worry about the exported objects. On the import screen itself, once the zip file has been uploaded, the screen will allow you to choose the objects you want to update in your Soffid instance.
Import settings and objects (admin addon)
Description
Soffid has the functionality that allows you to import configuration, Soffid objects, and objects from target systems from a ZIP file.
This ZIP file must be generated by the export action from another Soffid tenant.
For more information, you can visit the Export settings and objects page.
Once you pick the file to import, Soffid will display all the objects and configurations that you can load. You must select the proper objects and settings to import or enable the Load everything option. And finally, you must click the Proceed buttons to launch the import process. Once the process is finished, Soffid will display the result and allows you to download the log file.
It is not allowed to import the basic configuration and configuration parameters of an agent for security reasons. You must create them manually and make sure you put the same names as in the source system if you are going to import accounts.
Screen overview
Related objects
Configuration
- Metadata
- Plugins
- Business process definition
- Custom scripts
- User types
- Group types
- Account naming rules
- Password policies
- Mail domains
- Authorizations
Objects
- Users
- Information systems
- Groups
- Hosts
- Networks
- Mail lists
- Role assignment rules
- Segregation of duties
- Application access tree
- Custom objects : the custom objects created on the Metadata page
Web SSO settings
Target system objects
Actions
Pick up page
| Pick a file | Select the backup's file |
Configuration page
| Load eveything | Enable it if you want to load all the backup, disable it if you want to select the object to import |
| Remove objects not present in the export file | Remove the Soffid objects not present in the export file, enable it if you want the exact image of the source system, disable it if you want to keep the object that only exist in this Soffid instance |
| Back | Go back to "Pick a file" |
|
Proceed |
Allows you to start the import process. |
Results page
| Restart | Go back to the configuration page |
| Download log | Allows you to download a log with the details of the importation |