Soffid 4 reference guide

Overview

Introduction

The Soffid 4 reference guide presents all the functionality contained in version 4 of the Soffid Console, explaining every screen and the functionality of each one. The documentation is organized following the options menu of the Soffid Console, to make the information easier to find and understand.

For each screen we try to define the following attributes:

Description: a brief description of the screen functionality.
Screen overview: an overview of the functionality.
Related objects: list of the related objects and a link to view the object documentation.
Custom attributes: attributes of the screen and the associated functionality.
Actions: operations that the users can perform on the page.
Others: further information, such as examples of some functionalities, errors explained, etc.

Identity self service

Introduction to Identity self service

What is identity self service?

Soffid Console provides the identity self service, where end-users can consult or change their credentials, request new permissions or access to applications, manage their profile, or launch applications, all from a single point of entry.

Another purpose of the identity self service is to reduce the workload of the IT department, as well as improve the overall security of the IT system.

Soffid allows administrator users to configure access to the different options depending on the roles defined for the end-users. In this way, end-users will be able to access the identity self service portal to manage their own requirements, always depending on the defined business processes.

Screen overview

Brief description of each option

My tasks
My tasks displays all the tasks in which the user is involved, as a supervisor, manager, or person who has to approve or deny the task. For more information, visit the My tasks page.
My issues
My issues displays all the issues that the user is able to check, and allows the user to manage those issues. For more information, visit the My issues page.

My requests
My requests displays all the processes or workflows that the user is able to run. The included page Query request status displays all the processes that the user has initiated and allows the user to consult all the information about the workflow. For more information, visit the My requests page.

Process search
This functionality allows users to search for processes initiated or requested by themselves. Here the users can consult all the information related to the processes and their status, and whether there are any pending tasks to be completed. If there are pending tasks, the user can browse the task and manage it. Administrator users can consult all the information about all the processes executed by any user. For more information, visit the Process search page.

My applications
My applications displays all the corporate applications, as well as the third-party applications, to which the user has permission to connect. Those applications have to be configured in the Soffid Console. The password vault folder is displayed as well. In this folder, users can find the shared accounts of the Soffid vault folder and save their personal accounts. For more information, visit the My applications page.

My authentication

My OTP devices
My OTP devices displays all the OTP devices configured by the user and allows the user to configure new ones. For more information, visit the My OTP devices page.

My certificates and FIDO tokens
My certificates and FIDO tokens displays all the configured certificates and allows the user to configure new ones. For more information, visit the My certificates and FIDO tokens page.
My accounts
My accounts displays all the personal user accounts registered in the Soffid Console, with which the user logs into the target systems. In this section, if a user has permission, they can view or change their password. For more information, visit the My accounts page.

Soffid chat-box (new functionality)
The new Soffid chat-box functionality is our AI, which relies on Soffid's expertise to provide documentation or apply changes directly in the system; feel free to ask your questions. For more information, visit the Soffid chat-box page.

My tasks

Description

Displays the tasks in which the user is involved as a supervisor, manager, or person responsible for approving or rejecting those tasks. My tasks provides information about the process, the task, the start and due dates, and the assigned user. By clicking a record, the task details are shown and actions can be performed.

Manual tasks are assigned to named users, groups or roles. Whatever strategy is followed, each one of the assigned users will see the task on their tasks page.

You can differentiate tasks by their highlighted style:

Highlighted bold: the task is pending for the user to take ownership.
Highlighted blue: the task is close to its completion date.
Highlighted red: the task is past its completion date.
Normal: started task.

The purpose of My tasks, as part of the Identity self service, is to reduce the workload of the IT department, as well as improve the overall security of the IT system. Soffid Console is concerned with task delegation and workflow management.

Screen overview

Related objects

Configure Workflow engine: where the workflow engine is configured.
Business process definition: where workflows are published.
BPM editor: where to create or modify workflows.
My tasks: pending workflows where the user has to perform an action in order to continue their workflow.
My requests: the workflows that the user can initiate are listed here.
My requests > Query request status: to search for all processes started by oneself.
Process search: to search for all processes.
Metadata: to add attributes to display in the search tables.
Scheduled jobs: shows active workflows pending asynchronous tasks.

Standard attributes

Table

Process id: unique process identifier in the system, which starts from zero and increases by one.
Process: process name (this is the name of the workflow).
Task: name of the task in which the process is running.
Start date: date and time when the process was started.
Due date: date and time when the process will finish.
Assigned: user who has been assigned the task.

Detail

Below the table you can see the workflow information, which has several tabs.

Task tab
Displays information about the work performed in this task. This information varies for each workflow but is almost always structured as a form.

Action logs tab
The action logs tab shows basic information about the process and a list with the summary of all the successive phases through which the task has passed.

Start date: date and time the task starts.
Last task date: date of the last task update.
End date: date and time the process ends.
Status: shows the state of the task (pending, ongoing or End/Completed).
Approve pending permissions: summary of all the successive phases through which the task has passed, providing information on the start date and time of the phase, the user assigned, and the action that was done.

Attachments tab
This tab only appears if it has been enabled in the workflow settings. It lists the documents attached to the task, allows you to download those documents, and lets you verify any digital signature attached to them. Some tasks even allow the user to upload documents.

Comments tab
Displays the list of comments added during the business process execution.
Displays the list of comments added during the task execution, providing information about the user who wrote the comment, the date and time it was written, and the comment itself.

Actions

Table

Refresh
Refreshes the task table with the latest data.

Download CSV file
Allows you to download a CSV file with the list of all tasks.

View
Allows you to add or remove columns in the table. It is also possible to change the order of the columns.

"Open task"
By clicking on a record, the task detail is shown.

Detail

Close
Allows you to close the task window. Any new comments you have added are saved.

Take ownership
Enables the user to self-assign the task in order to authorize or deny it.

Schedule
Allows you to schedule the task execution.

Delegate
Allows you to reassign the task to another user, who must then approve or deny it.

Approve
Allows you to authorize the task. When you authorize a task, all the operations defined for this task are performed.

Reject
Allows you to deny the task. When you deny a task, none of the operations defined for this task are performed.

My issues

Description

Soffid provides a tool to manage all issues and allows you to perform the operations available for each type of task. The actions to be performed depend on each kind of task. The issues that appear on this screen are those that the user has initiated or those for which the user has yet to take action in order to continue with their progress.

Screen overview

Related objects

Issue policies: where the issues are configured.
Issues: lists all issues.
My issues: issues started by a user, or on which the user has a pending action.

Pages related to the different issues: Users, Accounts, Network intelligence, Agents, Sync server monitoring, Hosts, Scheduled jobs, My OTP devices, PAM rules, Roles, Segregation of duties.

Standard attributes

Issue type: issue list defined by Soffid.
Description: a brief description of the issue.
Status: the possible issue statuses. There are three available statuses: New, Acknowledged, Solved.
Created on: date of creation.

Standard attributes (issue detail)

Issue number: an incremental number to identify the issue.
Created on: date of creation.
Issue type: issue list defined by Soffid.
Description: a brief description of the issue.
Status: the possible issue statuses. There are three available statuses: New, Acknowledged, Solved.
Times: number of times the issue has been repeated.
Acknowledged on
Solved on
Percentage of failed login
Human confidence metric
System
OTP device
Exception: error occurred.
Risk
Role grant
PAM rule
jobName
Country
Account
Actor: owner of this issue.
loginName
Hosts
Users
Actions log: each of the actions that have been carried out on the issue.
Requester
Breached email
Data breach
Breach description
Created by
Modified on
Modified by

Actions

Issues query action

Download CSV file
Allows you to download a CSV file with the issue data.

Add or remove columns
Allows you to show and hide columns in the table. You can also set the order in which the columns are displayed. The selected columns and order are saved for the next time Soffid displays the page.

Issue detail

Close
Allows you to quit without applying any changes.

Acknowledge
Allows you to mark the issue as Acknowledged.

Solve issue
Allows you to mark the issue as solved.

Send custom email
Allows you to send a custom email to one recipient.

Add comments
Allows you to add comments to the Actions log.

Actions available for each issue type:

account-created
Unlock account: if you click this option, Soffid will unlock the account.
Lock affected accounts: if you click this option, Soffid will lock the affected accounts.
Disable user: if you click this option, Soffid will disable the user.

disconnected-system

discovered-host

discovered-system

duplicated-user
Merge users: if you click this option, Soffid will allow you to merge the identities by selecting the data of each of them.
failed-job

enabled-account-on-disabled-user
Unlock account: if you click this option, Soffid will unlock the account.
Lock affected accounts: if you click this option, Soffid will lock the affected accounts.

global-failed-login

integration-errors

locked-account
Unlock account: if you click this option, Soffid will unlock the account.
Lock affected accounts: if you click this option, Soffid will lock the affected accounts.
Disable user: if you click this option, Soffid will disable the user.
Lock affected host: if you click this option, Soffid will lock the affected host.
Unlock host: if you click this option, Soffid will unlock the host.

login-different-country
Unlock account, Lock affected accounts, Disable user, Lock affected host, Unlock host (the same actions as for locked-account).

login-from-new-device
Unlock account, Lock affected accounts, Disable user, Lock affected host, Unlock host (the same actions as for locked-account).

login-not-recognized
Unlock account, Lock affected accounts, Disable user, Lock affected host, Unlock host (the same actions as for locked-account).

otp-failures
Unlock account, Lock affected accounts, Disable user, Lock affected host, Unlock host (the same actions as for locked-account).

pam-violation
Unlock account, Lock affected accounts, Disable user, Lock affected host, Unlock host (the same actions as for locked-account).

password-changed

permissions-granted
Unlock account, Lock affected accounts, Disable user (as described for locked-account).

risk-increase
Unlock account, Lock affected accounts, Disable user (as described for locked-account).

robot-login
Unlock account, Lock affected accounts, Disable user, Lock affected host, Unlock host (the same actions as for locked-account).

security-exception
Disable user: if you click this option, Soffid will disable the user.
My requests

Description

Soffid provides a complete workflow engine that allows you to incorporate business processes or define new business processes as needed. End-users with the appropriate permissions can request these processes. You can visit the Self service portal examples page for more information.

The My requests screen allows users, on the one hand, to consult in the Query request status screen the processes they have executed and view the process details and status; on the other hand, to execute the processes for which they have been assigned the proper permissions, for example "Reconcile process" or "Request permissions" (see the Screen overview).

More information about processes and workflows can be found in the BPM Editor book.

Screen overview

Related objects

Configure Workflow engine: where the workflow engine is configured.
Business process definition: where workflows are published.
BPM editor: where to create or modify workflows.
My tasks: pending workflows where the user has to perform an action in order to continue their workflow.
My requests: the workflows that the user can initiate are listed here.
My requests > Query request status: to search for all processes started by oneself.
Process search: to search for all processes.
Metadata: to add attributes to display in the search tables.
Scheduled jobs: shows active workflows pending asynchronous tasks.

My requests > Query request status

Description

Displays a table with all the processes initiated by the end-user. The end-user can consult the process detail and perform actions depending on their permissions. You can visit the Self service portal examples page for more information.

Screen overview

Related objects

Configure Workflow engine: where the workflow engine is configured.
Business process definition: where workflows are published.
BPM editor: where to create or modify workflows.
My tasks: pending workflows where the user has to perform an action in order to continue their workflow.
My requests: the workflows that the user can initiate are listed here.
My requests > Query request status: to search for all processes started by oneself.
Process search: to search for all processes.
Metadata: to add attributes to display in the search tables.
Scheduled jobs: shows active workflows pending asynchronous tasks.

Standard attributes

Identifier: unique process identifier in the system (starts at 1 and increases).
Description: generic process name.
Start: date and time the process starts.
End: date and time the process ends. A process without an end date is a process in progress.
Current task: displays the current point on the defined process diagram. Depending on the process status, you can perform some operations or others.
Initiator: the Soffid user who started the workflow (this attribute must be added beforehand in the Metadata screen and selected in View).
Created on
Created by
Updated on
Updated by

Actions

The operations that can be performed depend on the user permissions and the business processes defined with the workflow engine. You can find documentation about the business processes in the BPM Editor book.

Table

Refresh
Allows you to refresh the process list with updated data.

Download CSV file
Allows you to download a CSV file with all the information from the list of processes contained in the table.

View
Allows you to add or remove columns in the table. It is also possible to change the order of the columns.

Process
The actions to perform on each process depend on the business process definition and the user permissions.
You can find more information about the most common process actions under Process detail actions.

Process search

Description

A process is a series of actions connected by transitions. An action can be either an automatic action or a manual task. A process is what we commonly refer to as a workflow in Soffid.

Soffid Console is concerned with task delegation and workflow management. Any user is able to create new processes, and any user can be assigned as an actor for a task belonging to a process.

The Process search page allows users to search for processes by different criteria, to view the process details and to perform the proper actions depending on the user roles.

In order to view a task, a security constraint must be satisfied: the user must have been granted the observer or administrator role on the specific project version, or must have been assigned as a potential actor of it at some time.

Screen overview

Related objects

Configure Workflow engine: where the workflow engine is configured.
Business process definition: where workflows are published.
BPM editor: where to create or modify workflows.
My tasks: pending workflows where the user has to perform an action in order to continue their workflow.
My requests: the workflows that the user can initiate are listed here.
My requests > Query request status: to search for all processes started by oneself.
Process search: to search for all processes.
Metadata: to add attributes to display in the search tables.
Scheduled jobs: shows active workflows pending asynchronous tasks.

Standard attributes

Table

The search and the table view can be controlled by setting the following parameters:

Search text: search by a certain text, such as user name or application (only for Quick search).
Identifier: all the processes have an assigned identifier.
Start: allows you to establish a date range in which the process was started.
End: end of the process. These filters are available if you check the Include completed option.
Current task: task in which the workflow is being executed.
Initiator: user who started the workflow.

Process

Each process has common attributes and specific attributes depending on the business process definition. You can find documentation about the business processes in the BPM Editor book.

Common process attributes

Name: shows the process name and the version of the addon you are using.
Process: each process has a unique identifier.

Other process information

Specific process attributes: these attributes depend on the process definition.
Work in progress: details the specific point at which the process and its associated tasks are. You can find information about the process ID, the job description for each one of them, the start date and time, and the current status. Users with the proper roles can view the task details, browse and perform actions by clicking on it.
Actions log: summary of all the successive phases through which the process has passed, providing information on the start date and time of the phase, the user (task manager) assigned, and the action that was done. Also, when it is defined, the diagram of the workflow is displayed.
Attachments: in some cases, for example in massive user upload processes using a CSV file, files are attached to the process so that it can be executed. These files can be consulted, by downloading or opening them directly, from this page. Additionally, if needed, it is possible to see the certificates used by the process owner.
Comments: displays the comments added by the user who initiates or performs actions on the process.

Actions

Table

Actions to be performed on the process list:

Search (quick, basic, advanced)
Allows you to query the processes with the indicated parameters.

Download CSV file
Allows you to download a CSV file with the list of processes. You can open the hamburger icon and select Download CSV file.

View
Allows you to add or remove columns in the table. It is also possible to change the order of the columns.

"Open task"
By clicking on a record, the task detail is shown.

Detail

Each process has specific actions defined in the business process definition. You can find documentation about the business processes in the BPM Editor book. The most common actions are listed below:

Close
Allows you to close the process detail page and return to the previous page.

Reload
Allows you to reload all the process data with updated data.

Take ownership
Allows you to take ownership in order to approve or deny the process.

Approve
Allows you to approve the process and perform the actions defined for that process.

Deny
Allows you to reject the process.

Work in progress actions

Edit task
Allows you to edit a task by clicking on the record. When you click the task, you browse to the task detail, where users with the proper permissions can perform the defined actions.

Attachments

Download
Allows you to download the available attached files.

My applications

Description

My applications is a part of the Identity self service that allows end-users to start corporate applications and third-party applications. Also, the end-user can view and use the shared accounts available to the user defined in the Password vault.

Applications
This option shows each user all the corporate and third-party applications to which the user can connect, and the applications with public access. These applications have to be configured in the Application access tree option by an administrator user.

Password vault
The My applications option shows the Password vault folder. In the vault folder you can find two kinds of folders: a personal folder and shared folders. Inside the personal folder, you can create your own accounts; those accounts will not be shared with any other user. The shared folders can be used or managed by the owner/manager/SSO users.
Screen overview

Related objects

Application access tree: to configure the applications.
Password vault: to configure the shared accounts.

Actions

"Folder selection"
When you select a folder, its contents are displayed on a new page.

"Application selection"
When you select an application, a new page opens with access to the application, depending on its type. If only the access is visible but it is not configured, nothing will happen. If there is a configuration but you do not have access, you will be notified on screen.

My authentication

Description

This screen groups together the different options available to users when authenticating, especially as a second factor in an MFA login.

Screen overview

Related objects

My authentication > My certificates and FIDO tokens
My authentication > My OTP devices
OTP settings

My authentication > My OTP devices (addon otp)

Description

My OTP devices is part of the Soffid Self-service portal that allows end-users to access their configured OTP devices. This option displays to each user all their OTP devices, and also allows them to manage those and add new OTP devices.

A Soffid administrator user can configure the available OTP types. For more information, you can visit the OTP settings page.

This option is only available if the OTP addon is installed in the Soffid Console. Visit the Two factor authentication book for more information.

Screen overview

Related objects

My authentication > My certificates and FIDO tokens
OTP settings

Standard attributes

Name: automatic name assigned to the OTP device.
Created: creation date and time.
Last use: last used date and time.
Type: the type of the OTP device:
  TOTP (time-based HMAC token)
  HOTP (event-based HMAC token)
  EMAIL
  SMS
  PIN (security PIN)
Status: status of the OTP device:
  Created
  Enabled
  Locked
  Disabled
Fails: failed attempts collected when logging in with the OTP device value.
Created by
Created on
Modified by
Modified on

Actions

Add new
Allows you to add a new OTP device. To add a new OTP device, click the "Add new" button; Soffid then displays a wizard to configure the OTP device. First of all, select the OTP device Type; once the type is selected, fill in the required fields, which depend on the selected Type. If you select an event-based or time-based HMAC token, you will need to scan the QR code and enter the PIN. Finally, you must Apply changes.

Delete OTP device
Allows you to delete one or more OTP devices. To delete OTP devices, first select the devices, then click Delete; Soffid will ask you to confirm or cancel the operation.

View
Allows you to add or remove columns in the table. It is also possible to change the order of the columns.

My authentication > My certificates and FIDO tokens (addon federation)

Description

My certificates and FIDO tokens is part of the Identity self service that allows end-users to access their configured OTP devices. This option shows each user all their configured OTP devices, which can be certificates, FIDO tokens, and Soffid authenticators. It also allows you to add new devices or delete existing ones.

Certificates
You can add these *.p12 certificates to your favourite browser and use them as a second factor of authentication.

FIDO tokens
If you or your organisation has FIDO devices, you can register them with Soffid and use them as a second factor of authentication.
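Before the remaining token types, a closer look at the TOTP and HOTP types listed under My OTP devices above: they are the HMAC-based tokens of RFC 6238 and RFC 4226. The following Python example is added here and is not Soffid's code; it computes both code types and models a device record with the Type, Status, Fails and Last use attributes from that table, locking the device after a constructed MAX_FAILS threshold (the real threshold, drift window and look-ahead are whatever the administrator sets in OTP settings) and rejecting a replayed code.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed policy values for this example. In the console the lock threshold
# and accepted drift come from the administrator's OTP settings, not from here.
MAX_FAILS = 5        # failed attempts after which Status becomes "Locked"
TOTP_STEP = 30       # seconds per TOTP time step
TOTP_WINDOW = 1      # accept one time step of clock drift on either side
HOTP_LOOKAHEAD = 3   # how far ahead of the server the HOTP counter may be


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class OtpDevice:
    """Hypothetical record mirroring the My OTP devices table columns."""
    name: str
    kind: str                  # "TOTP" (time based) or "HOTP" (event based)
    secret: bytes
    status: str = "Enabled"    # Created / Enabled / Locked / Disabled
    fails: int = 0             # the table's "Fails" column
    counter: int = 0           # lowest counter / time step still accepted
    last_use: Optional[int] = None


def candidate_counters(device: OtpDevice, now: int) -> range:
    """Counter values a submitted code may correspond to."""
    if device.kind == "TOTP":
        step = now // TOTP_STEP
        return range(max(step - TOTP_WINDOW, 0), step + TOTP_WINDOW + 1)
    return range(device.counter, device.counter + HOTP_LOOKAHEAD + 1)


def verify(device: OtpDevice, code: str, now: int) -> bool:
    """Validate one login attempt and update Fails, Status and Last use accordingly."""
    if device.status != "Enabled":
        return False             # Created, Locked and Disabled devices never authenticate
    matched = None
    for c in candidate_counters(device, now):
        # constant-time comparison so response time does not reveal matching digits
        if hmac.compare_digest(hotp(device.secret, c), code):
            matched = c
            break
    # A counter (HOTP) or time step (TOTP) below device.counter was already consumed:
    # counting a replayed code as a failure defeats reuse of an intercepted value.
    if matched is None or matched < device.counter:
        device.fails += 1
        if device.fails >= MAX_FAILS:
            device.status = "Locked"
        return False
    device.fails = 0
    device.counter = matched + 1  # everything up to and including this value is now spent
    device.last_use = now
    return True
```

The RFC 4226 test secret `12345678901234567890` can be used to check the functions against the published vectors (for example counter 0 gives 755224).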
Soffid authenticator
Soffid has made the Soffid authenticator app available on the Play Store and the App Store, which allows you to perform two-factor authentication easily and simply from your mobile device.

Screen overview

Related objects

Identity providers: to create a Soffid IDP.
Soffid authenticator: more information about this option.

Standard attributes

Type: the available options are:
  Certificate
  FIDO token
  Soffid authenticator
Serial number: internal Soffid id.
Description: the description of the OTP device.
Last use: date of the last use of this OTP device.

Actions

Table

Add new
Allows you to add a new object: Certificate, FIDO token or Soffid authenticator. Soffid displays a wizard to configure each type of object. First of all, select the Type; once the type is selected, follow the required steps, which depend on the selected Type.

Delete token
Allows you to delete one or more objects. To delete them, first select one or more objects, then click the "Delete" button; Soffid will ask you to confirm or cancel the operation.

Download CSV file
Allows you to download a CSV file with all the information about the objects.

Add new

Adding a new certificate
Select the "Certificate" type.
Save the *.p12 file in a secure location.
Finish with the "Close" button.

Adding a new FIDO token
Select the "FIDO token" type.

Adding a Soffid authenticator
Select the "Soffid authenticator" type.

Others

IDP for FIDO and authenticator
To add a FIDO token or a Soffid authenticator, you must have a Soffid IDP configured.

My accounts

Description

My accounts is a part of the Identity self service that allows end-users to access and manage their personal accounts. This option displays all the personal accounts of each user and allows them to set and/or view the password for each account, if this has been enabled by configuration.

The accounts displayed are those belonging to Soffid's own systems. For external systems, only accounts belonging to active systems are displayed. If an external system (an agent in Soffid) is disabled, its accounts are not displayed on this page. Disabled accounts are displayed, but it is not allowed to set or view their password.

Screen overview

Related objects

Agents: where the target systems are configured.
Password policy: where setting and querying passwords are enabled by configuration, and where the password policies applied when you set a new password are configured.
Users: to view the accounts of a user.
Accounts: to list the accounts of a user.

Standard attributes

System: target system for which this account has been created (agent in Soffid).
System description: a brief description of the target system.
Name: user account name.
Actions: available actions.
  Set password: to set a new password for the target system.
  Query password: to view the current password assigned to the target system in Soffid.

Actions

Download CSV file
Allows you to download a CSV file with all the information about your accounts.

Set password
Allows you to set a new password for this account. This change is applied to the different target systems. The new password must comply with the defined password policies.

Query password
Allows you to query and copy the password and the user name.

Soffid chat-bot

Description

This new feature included in Soffid 4 allows you to interact with our AI to request information or, better yet, ask it to apply changes directly in the Console. This feature is not enabled by default; you must activate a token in order to use it.

The power offered by this new tool is limitless. Our imagination, combined with training on Soffid's documentation and internal structure, enables us to accomplish many tasks.
Screen overview

Related objects
- Network Intelligence: to configure the token to use this feature
- Soffid chat-bot: to chat with our AI
- Custom scripts: to use the AI. All pages with scripts can use the AI to help you with the scripting.

Standard attributes
- Chat box: type your query or request for our AI in the chat box.

Actions

Process
Sends the request to our AI for processing.

Others

Access without a token
When attempting to use this feature without having previously enabled it, the console displays the error: "No token configured. Please configure it on the network intelligence page". For more information go to the Network intelligence page.

Resources

Users

Description
The user is the core object of the system. In Soffid, a user means an identity (usually a person). Every user can have a number of accounts spread across different information systems.

In traditional system management, one assigns roles and permissions to accounts, and the administrator then grants the account to a single user. In Soffid you have a global view of the permissions assigned to any user. With the user as the main management object, you have a clearer perspective in terms of operation, security, and end-user engagement.

It is important to know that dependency rules can be established between systems, so a user with a role or permission in one system will automatically be assigned a role or permission in another system, according to the system policies.

The administrator can also identify the potential users of shared or system management accounts. These accounts are managed in a slightly different way. See the Accounts and Password Vault pages for more information.

Sometimes you may find users with duplicated user data. To solve that problem, Soffid provides the merge functionality, which allows you to combine two user records, selecting the proper data to fix that situation.
Screen overview

Related objects
- User types: user types of the users
- Groups: primary group and secondary groups of the users
- Hosts: home server and profile server of a user
- Mail domain: mail domain of the user's mails
- Metadata: to add more attributes to a user
- Accounts: to review the single user accounts or the shared accounts of a user
- Roles: roles granted to a user
- Information systems: roles granted to a user through the information systems
- Sessions: sessions opened by the user
- Process search: processes related to the user
- Issues: issues related to the user
- My certificates and FIDO tokens: tokens of a user
- My OTP devices: OTP devices of a user
- OTP settings: where administrators can enable the different OTP types
- Audit: to review the audit logs of the user
- Access logs: to check the access logs of a user
- Sync server monitoring: to check the pending tasks of a user

Standard attributes

Basics
On the basic user tab, you can view all the user attributes. If you need to add additional attributes, you can go to the Metadata page, select the User object, and add the attributes.

Common attributes:
- User name: short name to identify the user. It can be either a name abbreviation, an employee Id, or a system-generated number.
- First name: name of the user.
- Last name: first surname.
- Middle name: used like a second surname.
- Full name: firstName + lastName + middleName.

Organization:
- Type: identifies the password policy that is to be applied.
- Primary group: select which organization unit this user belongs to.
- Home server: select which server will host the user's home folder. It is linked to the Home Drive attribute on Active Directory.
- Profile server: select which server will host the user's profile. It is linked to Roaming User Profile on Active Directory.

Mail service:
- EMail: the mail address that will appear on outgoing emails from this user.
- Mail alias: a comma-separated list of mail addresses that will be forwarded to this user's mailbox. It supports one-to-one aliases and one-to-many distribution lists.
- Mail server: select which server will host the user's mail.

User status:
- Enable: uncheck in order to prevent this user from logging into any system.
- Multi session: uncheck to prevent this user from using more than one device at a time. If the user logs into the system when another session is active, the single sign-on agent will close the first session before opening the new one. This checkbox is only effective when using Soffid ESSO.
- Comments.

Audit information:
- Created by: user who created it.
- Created on: when this one was created.
- Modified by: responsible for the user's last change.
- Modified last on: date of the last user modification.

Groups
Your company is organized into different business units, departments, or workgroups. In Soffid, they are all called groups. Some systems, like Active Directory, use groups to control or restrict resource access; a Soffid Group is more like an Active Directory OU.

On the groups tab, you can manage all the groups the user belongs to. Bear in mind that every user has to belong to a Primary Group, defined in the Basic user attributes.

By clicking on a record, Soffid shows the group membership details. It is possible to change the group and the start date, and to add comments. It is also possible to assign a new membership by clicking the "Add new" button, and to revoke a group membership from the group details with the "Delete" button, or by selecting one or more records from the list and clicking "Delete secondary group".

If you need to add additional attributes, you can go to the Metadata page, select the UserGroup object, and add the attributes.
Accounts
An account is the way a user is represented on a target system. On the accounts tab, you can view the accounts that belong to the user currently displayed, grouped by password domains.

About visibility: an account can be displayed in black or gray. Gray indicates that the account is unmanaged, because the agent is disconnected or in Read-Only Mode. Strikethrough accounts are those whose status is not considered active.

The Soffid smart engine can automatically create, disable or remove user accounts depending on the system policies. You can also manually add a new account for a specific system with the Add new button. By clicking on an account you can rename or edit it, delete it, or change its password. You can also see when the password was last set and its expected expiration date. Mind that you cannot change a single account's password on its own: every password belongs to a password domain, so all the passwords of the same user within the same password domain are changed at the same time.

When you apply user changes, they are automatically forwarded to the target systems. Mind that the Soffid smart engine can revert some of your changes if they violate a system policy. Each change made at the Soffid console is asynchronously replicated into the managed system. On the accounts tab, the administrator can check when each account was last updated. When the Soffid console notices that the replication process is failing, an exclamation icon will appear next to the account name.

When the settings for a managed system exclude a user from replication, no account will be created for them. If the user was already replicated and, due to changes in their attributes, should now be excluded, the account will be disabled and will appear with a line-through style.
At the agent configuration screen, the administrator can configure when to create or enable user accounts depending on the user type or the groups the user belongs to. When the settings for a managed system exclude a user, no account will be created for them. If the account exists and, due to changes in the user's attributes, the user should now be excluded, the account will be disabled and will appear with a line-through style.

Regarding automatic account creation, it is important to know that if a user needs an account with a name derived from the user domain configuration, and such an account already exists as a shared or single-user account, the account will not be created or assigned. Nevertheless, if the account already exists as an unmanaged account, the existing account will be assigned to the user along with their role grants.

By clicking on a record, Soffid displays more detailed information about the account. You can rename the account, change it, change the account status, or delete the account (logical delete). Soffid also allows you to query the properties of the account on the target system. Finally, Soffid displays the custom attributes defined for the specific agent on the agent's "Account metadata" tab; see the Agents page for more information.

On the accounts tab, you can check the failed login attempts and, if the account has been blocked, until when it is blocked.

Roles
A role is a collection of permissions that can be granted to a user. With these permissions, the user can access another system and perform certain operations. On the roles tab, you can assign or revoke roles for any user.

Each role needs an account to be applied to. So, if a user has no account on a system and a role on that system is granted, a new account will be created on that system. If a user has more than one account on a system, you should indicate which of the suitable accounts will be granted the role.
Moreover, when the role must be scoped, the operator must select the right scope for the role. The scope and its allowed values are defined on the Information systems page.

By clicking on a record, Soffid shows more information about the role; this information cannot be updated. On this screen, you can browse through the different roles. It is also possible to revoke a role from the user from the entitlement details, or by selecting one or more records from the list and clicking the button with the subtraction symbol.

The roles list shows a column indicating when there are risks with the roles assigned to the user. If you click on a record, Soffid will show the entitlement details, including the SoD rules with the detail of the risk. For more information about SoD, visit the Segregation of Duties page.

Additionally, you can download a CSV file with the user's role information, or upload a CSV file to assign or revoke roles for the user.

Effective Roles
Hierarchy of permissions assigned or inherited. This page details the effective roles of the selected user. Effective roles are all the roles assigned to a user either directly or indirectly:
- By direct assignment of the role: when you assign a role to a user, you are assigning to the user all the permissions defined for that role.
- By belonging to a role: a role can have inherited roles. Roles assigned to a user through another role cannot be revoked. To remove them, you must revoke the parent role or remove this role from the inheritance configuration.
- By belonging to a group: when you add a user to a group, the user will have all the roles assigned to the group.
- By rules defined in the system: when a rule is satisfied for a user, the system assigns the roles defined in the rule to the user.

Shared accounts
Accounts that can be used by several users; those accounts can be privileged or shared. On the shared accounts tab, you can see all the shared accounts of the user.
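The four sources of effective roles listed above, resolved in code so that each effective role is traced back to what grants it and to what an operator would have to change to take it away. This is an added illustration written for this guide, not Soffid's own code: the data model (Group, Role, Rule, User), the source labels and the sample groups, roles and rule are assumptions constructed for the example, with group roles inherited up the parent chain as the Groups section describes.

```python
# Added example (not Soffid code): resolve a user's effective roles from the four
# sources the guide lists. The data model and sample data are assumptions.
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Group:
    name: str
    parent: str | None = None                      # None for a root group
    roles: set[str] = field(default_factory=set)   # roles granted to the group

@dataclass
class Role:
    name: str
    inherits: set[str] = field(default_factory=set)  # roles carried along by this role

@dataclass
class User:
    name: str
    primary_group: str
    secondary_groups: set[str] = field(default_factory=set)
    direct_roles: set[str] = field(default_factory=set)
    attributes: dict[str, object] = field(default_factory=dict)

@dataclass
class Rule:
    name: str
    matches: Callable[[User], bool]   # "the rule is satisfied for a user"
    roles: set[str]

def group_chain(name, groups):
    """A group plus its ancestors up to the root; stops on cycles or missing parents."""
    chain = []
    while name is not None and name in groups and name not in chain:
        chain.append(name)
        name = groups[name].parent
    return chain

def effective_roles(user, groups, roles, rules):
    """Map each effective role to the sources granting it:
    "direct", "group:<name>", "rule:<name>" or "role:<parent role>"."""
    sources = {}

    def grant(role, source):
        sources.setdefault(role, set()).add(source)

    for r in user.direct_roles:                              # 1. direct assignment
        grant(r, "direct")
    for g in {user.primary_group, *user.secondary_groups}:   # 2. group membership,
        for ancestor in group_chain(g, groups):              #    parent groups included
            for r in groups[ancestor].roles:
                grant(r, f"group:{ancestor}")
    for rule in rules:                                       # 3. rules defined in the system
        if rule.matches(user):
            for r in rule.roles:
                grant(r, f"rule:{rule.name}")
    queue, expanded = deque(sources), set()                  # 4. role inheritance closure
    while queue:
        parent = queue.popleft()
        if parent in expanded:                               # cycle / duplicate guard
            continue
        expanded.add(parent)
        for child in roles.get(parent, Role(parent)).inherits:
            grant(child, f"role:{parent}")
            queue.append(child)
    return sources

REVOKE = {  # what must change to take a role away, per source kind (the guide's rules)
    "direct": "revoke it on the user's Roles tab",
    "role": "revoke parent role '{ref}' or remove the role from its inheritance",
    "group": "revoke it from group '{ref}' or remove the user from that group",
    "rule": "change rule '{ref}' so it no longer matches the user",
}

def revocation_steps(role, sources):
    """One required change per source that grants `role` (empty if not effective)."""
    return [REVOKE[src.partition(":")[0]].format(ref=src.partition(":")[2])
            for src in sorted(sources.get(role, ()))]

# Constructed sample data: a three-level group tree, a role chain and one rule.
GROUPS = {
    "company": Group("company", None, {"employee"}),
    "finance": Group("finance", "company", {"ledger-reader"}),
    "treasury": Group("treasury", "finance", {"payments"}),
}
ROLES = {
    "payments": Role("payments", {"ledger-writer"}),
    "ledger-writer": Role("ledger-writer", {"ledger-reader"}),
    "ledger-reader": Role("ledger-reader"),
    "sysadmin": Role("sysadmin", {"server-login"}),
}
RULES = [Rule("remote-vpn", lambda u: u.attributes.get("remote") is True, {"vpn"})]
ALICE = User("alice", "treasury", direct_roles={"sysadmin"}, attributes={"remote": True})

if __name__ == "__main__":
    for role, srcs in sorted(effective_roles(ALICE, GROUPS, ROLES, RULES).items()):
        print(f"{role:14} <- {', '.join(sorted(srcs))}")
```

Note that "ledger-reader" reaches alice twice (through the finance group and through the payments role chain), so revoking it from the group alone would not remove it; the revocation steps make both grants visible.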
You can view information about the system, the account, the date of update, the last login, when the password was changed, and the expiration date. By clicking on a record, you can browse the shared account details page.

Sessions
On the sessions tab, you can view the sessions opened by the user. Any open ESSO session is displayed here, showing the host that created the session and the host the user is connected from, if applicable. The port number is the TCP/IP port number the ESSO session manager is listening on. It is used by the synchronization server to check session validity.

ESSO integration

Multi-session attribute: ESSO will prevent any user from having more than one session at a time unless the multi-session attribute is checked. If ESSO detects that a user trying to log in already has an active session, it will do the following:
- The previous session will be notified of the duplicate session.
- The new session will have the choice to:
  - Give up and not log in.
  - Wait until the previous session is closed.
  - Force the previous session to log out.
- If the user chooses to close the remote session, the remote user will still have the chance to accept or reject that action.

No user whose active flag is unchecked will be allowed to log in or use any system managed through ESSO.

User processes
In the user processes tab you can view the business processes in which the user has been managed. It shows information about the process, its status, and when it was initiated and ended. Mind that this page does not display the business processes in which the user has acted.

Issues
In the Issues tab, Soffid displays all the issues in which the user is involved. If you click an issue, Soffid will display the issue detail and will allow you to perform any available operation, if you have the proper permissions. For more information, you can visit the Issues page.

Tokens
In the Tokens tab, you can manage the user's tokens.
You can add or delete the user's tokens. Currently, the available options are Certificate, FIDO token and Soffid authenticator.

Certificate
If you select the certificate option, you only need to enter the certificate description. Soffid will then use the certificates registered in Soffid on the Digital certificates page, and finally Soffid will give you a p12 file and a password to install the certificate in the browser. If there are no registered certificates, Soffid will not allow you to add new certificate tokens for any user.

FIDO token
If you select the FIDO token option, you need to fill in the following data:
- Identity provider: select one Identity provider from the available list.
- Registration method: Soffid offers three different registration methods. To use any of them you will need to insert and touch the FIDO key to create a new token.
  - Register now: Soffid allows you to register a new FIDO key for a specific user. Once you select this option, you need to register the FIDO key, and Soffid will automatically register the key for the user.
  - Generate secure link: Soffid generates a secure link tied to a specific user. Follow the link and then register the FIDO key. Once the FIDO key is registered, the page will close automatically.
  - Generate insecure link: Soffid will generate an insecure link that is not tied to any user. Browse to the insecure link, type the user name and then the password, and finally register the FIDO key. Once you register the FIDO key, you can close the page.

You can use the Generate secure or insecure link options to send the link to users so they can complete the registration process. When you register a FIDO token, it will be displayed on the user's "My certificates and FIDO tokens" page and will be available for that user.
Soffid authenticator
If you select the Soffid authenticator option, you will need to install the Soffid token app and then open the URL or scan the QR code with this app.

Backups (addon backup)
The backup functionality is available when the backup addon is loaded in the Soffid Console. By clicking on the Backups tab, Soffid will display all the snapshots available for the user, and you can restore what you need.

You can also check other available snapshots by clicking on the hamburger icon and selecting a specific option. The options are:
- Groups history: you can check all the group history changes for a specific user, and decide whether to restore an earlier version.
- Accounts history: you can check all the account history changes for a specific user, and decide whether to restore an earlier version.
- Roles history: you can check all the role history changes for a specific user, and decide whether to restore an earlier version.
- Mail list history: you can check all the mail list history changes for a specific user, and decide whether to restore an earlier version.
- Download CSV file: allows you to download a CSV file with the data of all backups.

OTP devices (addon otp)
In the OTP devices tab, Soffid displays all the OTP devices configured by this user. For each OTP device, Soffid displays the name, the creation date, the last time used, and the status. Soffid allows you to manage all the OTP devices of each user. By clicking on a record, Soffid shows the OTP device details, including the number of failures. It is also possible to change the status. This option is only available if the OTP addon is installed in the Soffid console.

Pending tasks
When a user has pending tasks, an icon appears in the right corner. If the status of the pending tasks is "Error", the icon will be a highlighted alert icon; if the status is "Pending", the icon will be a wifi icon.
That window displays the most relevant task data: the task name, the agent that manages the task, the task status, the schedule on which it will be executed, etc. The pending task information is only available in consultation mode.

Actions

Users query actions

"Query"
Allows you to query users through different search systems: Quick, Basic and Advanced.

Add new
Allows you to add a new user to the system. To add a new user it is mandatory to fill in the required fields.

Delete
Allows you to remove one or more users by selecting one or more records and then clicking the button with the subtraction symbol (-). To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Download CSV file
Allows you to download a CSV file with the basic information of all users.

Import
Allows you to upload a CSV file with the user list to add or update users in Soffid. First, you need to pick a CSV file; that CSV has to contain a specific configuration. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. Finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

Bulk actions
Allows massive operations to be performed on all system users. With that operation, updates can be made to any of the user's parameters. First, you must select the records that you want to update; once you have selected them, you must choose the bulk action from the hamburger icon. For more information visit the Bulk action page.

Merge
Allows you to merge two or more identities when you identify that it is necessary. First, you must select the identities to merge. Second, you need to click the hamburger icon and select the merge action. Then Soffid will display a window where you can choose whether to merge right now, create an issue, or quit without applying any changes.
If you select Solve now, Soffid will display a new window where you can choose the correct value for each standard and custom parameter. Finally, you need to apply changes to save the updates, or go back to cancel the action.

If you select Create issue, Soffid will create an issue that you can check on the Issues page for more information.

View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

User detail actions

Synchronize to target systems
Allows you to propagate the user changes to the configured repository systems. It is only necessary when the task engine mode is configured as Manual, but you can also do it when the engine is in automatic mode. Visit the Smart engine settings page for more information.

Refresh
Allows you to refresh all the user information.

Apply changes
Allows you to save the data of a new user or to update the data of a specific user. To save the data it is mandatory to fill in the required fields. When you apply changes, they are automatically forwarded to the target systems.

Delete user
Allows you to remove a specific user. You can choose that option from the hamburger icon. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Printers
Lists the printers of the user.

Audit
Browses to the Audit page and displays all the detailed actions performed on the user. You can filter the information displayed and also download a CSV file with the audit information.

Access logs
Browses to the Logs page and displays all the detailed logs about the user's actions. You can filter the information displayed and also download a CSV file with the log information.

Expand all
Displays all the attributes of the different blocks.

Collapse all
Hides all the attributes of the different blocks.

"Types of views"
Changes the view type: Classic view, Modern view, Compact design.
Undo
Allows you to quit without applying any changes.

Groups actions

Group query actions

Add new
Allows you to add a new group membership. Select the group the user will belong to. Next, define the membership properties if necessary. Finally, apply changes.

Delete secondary group
Allows you to delete a group membership. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

Group detail actions

Delete
Allows you to delete a group membership. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Undo
Allows you to quit without applying any changes.

Apply changes
Allows you to save the updates of the group membership.

Accounts actions

Accounts query actions

Change password
Allows you to change the password for the accounts of a password domain:
- Generated password: the password is generated automatically by Soffid.
- Set password: an admin user can set the password and check the option that requires the end-user to change the password on first use.
- Send current password: Soffid sends the current password to the target systems.

The password must comply with the Password policies defined for the domain.

Add new
Allows you to add a new account for a user on a specific target system. First, select the target system; Soffid will then show the target system name and the account name. The account name can be updated, but always to a name not already in use on the target system. Then choose the account status and, finally, you can set the system properties. Those properties depend on the target system and are not mandatory.

View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.
Accounts detail actions

Delete
Once you are in the rename account modal, by clicking on the hamburger icon you can choose the delete option. This option deletes the selected account.

Show actual account properties
Once you are in the rename account modal, by clicking on the hamburger icon you can select this option. Soffid will display a modal with all the information about this account on the target system.

Apply changes
Allows you to save the updates of the account. You can change the name and status of the account. You can also check the event history.

Undo
Allows you to quit without applying any changes.

Roles actions

Roles query actions

Add new
Allows you to assign a new role to the user. Select a role from the role list. If necessary, the next step is to set the scope. Then check and fill in the membership properties. Finally, apply changes.

Delete role
Allows you to revoke roles one by one or several at the same time. To revoke several roles at the same time, select the roles and then click the button with the subtraction symbol (-). To revoke one role, click the role; Soffid will show a form with the details, and then you can click the delete button (trash icon). Soffid will ask you for confirmation to perform that action; you can confirm or cancel the operation.

Import
Allows you to upload a CSV file with the role list to assign permissions. First, you need to pick a CSV file; that CSV has to contain a specific configuration. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. Finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

Download CSV file
Allows you to download a CSV file with all the information about the user's roles.

View
Allows you to show and hide columns in the table.
You can also set the order in which the columns will be displayed.

Role detail actions

Delete role
Allows you to revoke a role. Click the delete button (trash icon). Soffid will ask you for confirmation to perform that action; you can confirm or cancel the operation.

Shared accounts

Download CSV file
Allows you to download a CSV file with all the information about the user's shared accounts.

View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

Sessions actions

Download CSV file
Allows you to download a CSV file with all the information about sessions.

View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

User processes actions

Download CSV file
Allows you to download a CSV file with all the information about the user processes.

View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

Issues actions

Download CSV file
Allows you to download a CSV file with all the information about the user issues.

View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

Tokens actions

Add new
Allows you to add a new token. To add a new token device, click the add button (+); Soffid will display a wizard to configure the token. First, select the token Type and then Apply changes.

Delete token
Allows you to delete one or more tokens for a specific user. To delete tokens, first select the tokens, then click on the subtract button (-); Soffid will ask you to confirm or cancel the operation.

OTP devices actions

Add new
Allows you to add a new OTP device. To add a new OTP device, click the add button (+); Soffid will display a wizard to configure the OTP device. First, select the OTP device Type and then Apply changes.
Delete OTP device
Allows you to delete one or more OTP devices for a specific user. To delete OTP devices, first select the devices, then click on the subtract button (-); Soffid will ask you to confirm or cancel the operation.

Download CSV file
Allows you to download a CSV file with all the information about the user's OTP devices.

View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

Groups

Description
Groups are a convenient way to apply policies to a collection of users. Groups allow administrator users to specify permissions for multiple users in a quick and easy way.

Groups are managed hierarchically. A user can belong to a group, and that user will be assigned the roles of this group and all the roles that this group inherits from its parent.

Companies are organized in different ways, as business units, departments, or workgroups. In Soffid, they are all called groups. Some systems, like Active Directory, use groups to control or restrict access to resources. A Soffid Group is more similar to an Active Directory organisational unit (OU) than to the group itself.

Screen overview

Related objects
- Group types: a group can have a group type.
- Hosts: a group can have a drive server.
- Users: users belong to one or more groups.
- Roles: a group can have granted roles.
- Authorizations: related to a manager.

Standard attributes

Group table
Group attributes that you can select in the table:
- Name: short name to identify the group. The group name must be unique.
- Description: a brief description of the group.
- Drive letter: if specified, a shared folder for this user will be created. This shared folder can be mounted on ESSO hosts by using a startup script.
- Parent group: name of the parent within the hierarchy. Only the root group has no value. Bear in mind that groups have a tree structure.
- Type: a group can be categorized by organizational unit types.
You can find more information on the Group Type page.
- Drive server name: the server where the shared folders are located.
- Disabled: allows you to enable and disable the group. When a group is disabled, the group's role hierarchy is no longer available to the group's users.
- Active since
- Active until
- Created on
- Created by
- Updated on
- Updated by

Basic tab
On the basic group tab, you can view all the group attributes. You can add new groups, and update or delete existing groups. The group attributes are the same as in the group table description.

Users tab
Administrator users can manage the users who belong to the group. These users will be assigned all the permissions granted to that group and the permissions inherited from its parent.

On the users tab, you can add new users to the group: select the user to add, and set the membership properties. You can also delete one or more users from a specific group, either from the group membership details or by selecting one or more records from the list and clicking the delete user button. Additionally, you can download a CSV file with the users' information and upload a CSV file to add new users or update existing users.

The attributes are the same as on the user page:
- User: userName
- Full name
- Group type
- Created on
- Created by
- Updated on
- Updated by
- Common attributes: User name, First name, Last name, Middle name
- Organization: Type, Primary group, Home server, Profile server
- Mail service: Email, Mail alias, Mail server
- User status: Enabled, Multi session, Comments
- Audit information: Created by, Created on, Modified by, Modified last on

Granted roles tab
Administrator users can manage the permissions of a group; this is the way to establish an access policy for a collection of users. The users who belong to a group inherit all the permissions granted to that group. On the granted roles tab, you can assign or revoke roles for the group.
To assign a new role, click the Add new button, then select the role, in some cases specify the scope, and finally set the membership properties. To revoke a role, you can do it from the group membership detail or by selecting one or more records from the list and clicking the delete role button. Additionally, you can download a CSV file with the granted roles information and upload a CSV file to assign, modify or delete role assignments.

The attributes:
- Role
- Domain
- System
- Information system
- Description

Managers tab
On the Managers tab, Soffid displays the roles with Domain equal to Group and the proper authorization. Here you can grant the role to one or more users. You can also assign the role to users on the Roles page or on the Users page. Users who have been assigned this role are displayed in the Managers tab.

Bear in mind that, to query the information about the roles and users on the managers tab, it is mandatory to have authorization to query users or groups: you must add the role to the authorization (user:query or group:query).

The attributes:
- Role / managers: role with domain type groups and assigned to this group
- Description: description of the role

Actions

Group query actions

"Query"
Allows you to query groups through different search systems: Quick, Basic and Advanced.

Add new
Allows you to add a new group to the system as a root element. There can be more than one root element. To add a new group it is mandatory to fill in the required fields.

Download CSV file
Allows you to download a CSV file with the basic information of all groups.

Import
Allows you to upload a CSV file with the group list to add or update groups in Soffid. First, you need to pick a CSV file; that CSV has to contain a specific configuration. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute.
And finally, you need to select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.
View: allows you to show and hide columns in the table. You can also set the order in which the columns are displayed.
Historical view: this is part of the backup addon. It allows you to check all the group's historical data. Soffid displays a new modal window to manage the historical view.
Add child group: allows you to add a child to a specific group. You can choose that option below the parent group. To add a child it is necessary to fill in the required fields.

Historical view (backup addon)
Switch to current view: allows you to go back to the current data view.
Apply changes: once you have picked the proper date in the date component, you can apply changes and Soffid displays all the group data as of the selected date and time. Then you can browse the Groups tree and check the information.
Undo: allows you to quit without applying any changes.

Group detail actions
Synchronize to target systems: allows you to propagate the group changes to the configured repository systems. It is only necessary when the task engine mode is configured as Manual, but you can also do it when the engine is in automatic mode. Visit the smart engine settings page for more information.
Refresh: allows you to refresh all the group information.
Apply changes: allows you to save the data of a new group or update the data of a specific group. To save the data it is mandatory to fill in the required fields.
Delete group: allows you to remove a specific group. To perform that action, Soffid asks you for confirmation; you can confirm or cancel the operation.
Undo: allows you to quit without applying any changes.

Users
Add or remove columns: allows you to show and hide columns in the table.
Add new: allows you to add a new user to the group. First of all, select the user. Then set the system properties.
And finally, apply changes.
Delete user: allows you to delete users from a group one by one or several at the same time. To delete several users at the same time, select the users and then click the button with the subtraction symbol (-). To delete one user, click the user; Soffid displays a form with the details, and then you can click the delete button (trash icon). Soffid asks you for confirmation to perform that action; you can confirm or cancel the operation.
Download CSV file: allows you to download a CSV file with all the information about the users.
View: allows you to show and hide columns in the table. You can also set the order in which the columns are displayed.

Granted roles
Add new: allows you to assign a role to the group. You can choose that option on the hamburger menu or click the add button (+). Then select a role from the role list. If necessary, the next step is to set the scope. Then check and fill in the membership properties. And finally, apply changes.
Delete role: allows you to revoke roles one by one or several at the same time. To revoke several roles at the same time, select the roles and then click the button with the subtraction symbol (-). To revoke one role, click the role; Soffid shows a form with the details, and then you can click the delete button (trash icon). Soffid asks you for confirmation to perform that action; you can confirm or cancel the operation.
Download CSV file: allows you to download a CSV file with all the information about the roles assigned to the group.
View: allows you to show and hide columns in the table. You can also set the order in which the columns are displayed.

Managers
Grant role: allows you to grant the role to one or more users. Click "Grant role" under the role you want to grant.
Then Soffid displays a modal window that allows you to search for users. Here you can type the user name and select it to grant the role. Finally, accept by clicking the "Accept" button. If you click the "Cancel" button, no changes are applied.

Accounts
Description
An account is the way a user is represented on a target system. There can be user accounts as well as system-purpose accounts. An account belongs to a system, and that account can have specific permissions assigned to it.
An account must have a defined account type, that is, whether the account is single user, privileged, shared or unmanaged. A password policy is also mandatory to create an account; that password policy determines the conditions the password must meet.
You can set a password for an account, either a password generated by the system or one set by the administrator user. That password must comply with the defined password policies. When the account is unmanaged, a password change is not sent to the target system.
The account can be displayed in black or gray. Gray indicates that the account is unmanaged, either because the agent is disconnected or because the agent is in read-only mode.

Screen overview
Related objects
Users: owner users of the accounts
Agents: the target system in which the account is used (AD, Exchange, etc.)
User type: user type of the owner user, or another one selected for the other account types
Password policies: password policy of the owner user, or another one selected for the other account types
Roles: the permissions that this account has associated with the system in which it is used. They can be assigned or revoked by users with administrator privileges.
Information systems: where the roles are gathered
Password vault: password vault information

Standard attributes
Basic
On the Basic account tab you can view all the account attributes.
You can add new accounts, update or delete existing accounts, and perform other operations.
Common attributes
System: target system to which the account is connected. When SSO is the selected system, the account name is assigned by Soffid, because SSO is a multi-system connector and there can be many accounts with the same login name.
Name: name used to identify the account.
Login name: login name used in PAM navigation.
Description: plain text with information about the account.
Type: there are four kinds of accounts:
Single user: accounts with a single user owner; we also refer to them as linked accounts. As these accounts are linked to a user, they are part of the user's lifecycle: when the user is modified, the account can also be updated and synchronised, and if the user is disabled, so is the account. These accounts are also visible on the Users page, under the Accounts tab; all the accounts listed there are single user accounts.
Shared: accounts that may be associated with no users or with multiple users. Unlike single user accounts, they are not part of a user's lifecycle and are not linked to a user. They have an access control list to prevent unauthorised use. These accounts may also be referred to as service accounts and may have their own roles assigned to them. They have their own password; even if they are associated with a user, password management is handled separately.
Privileged: typically administrator accounts, specific to a particular system and with no associated users by default. Users who need to use these accounts can do so via the Identity Self-Service module: when they log in with this account, a specific password is set, and when the session ends, it is randomised to prevent unauthorised use. Consequently, a privileged account is usually used by only one user at a time.
These accounts are usually associated with the PAM module and may require additional steps, such as requesting access via a workflow or adding an authentication factor.
Unmanaged: accounts that Soffid does not manage; if changes are made to them, these changes are not synchronised with the end system. Although they can be created manually, these accounts are usually created in Soffid when performing a reconciliation with an end system. This status exists as a preliminary step before deciding what to do with them: either link them to users and convert them to single user accounts, or change them to shared or privileged accounts. Unmanaged accounts in Soffid that exist in an end system represent a potential risk; they must be monitored or permanently deleted.
Status:
Enabled: the account can be used by the user. The Soffid engine disables it when the user does not match the access requirement policy.
Manually enabled: the account can be used by the user. The Soffid engine keeps it enabled, even when the user does not match the access requirement policy.
Locked: the account is locked when a user tries to log in with a wrong password too many times (5 times). The account is enabled again after a specific period of time (5 minutes).
Disabled: the account cannot be used by the user. The Soffid engine enables it when the user matches the access requirement policy.
Manually disabled: the account cannot be used by the user. The Soffid engine keeps it disabled, even when the user matches the access requirement policy.
Removed: the account no longer exists in the target system, but its image is kept in Soffid for audit purposes.
Archived: same status as "Removed", but useful if you need to differentiate it for a business process.
Credential type: this field is available when the system is filled with the SSO option.
Password: this is the default value. This option allows you to set the account password.
SSH key: this option allows you to add an SSH key. The SSH key can be an existing key or a newly generated one.
Kubernetes key: this option allows you to enter a YAML descriptor to configure the access.
Password policy: the policy applied to this account. Selecting a password policy is mandatory. You can see more information on the User Type and Password policies pages.

Owners, Managers and SSO users
Specify the list of users authorized to use this account. For accounts of type "single user", only one user can be specified. Other accounts can have more than one user. The users that can use this account can be specified either directly, by entering the user name, or indirectly, by entering a group or role name. In the latter case, any user having that group or role is automatically entitled to use this account.
There are three access levels for each account and user:
Owner: can use it, modify the access control list, and set or query the password using the self-service portal or the single sign-on engine.
Manager: can use it, and set or query the password (using the self-service portal), depending on the password policy restrictions.
SSO user: can use it by means of the SSO or PAM engines. SSO users cannot change the password, not even through the single sign-on engine.

Password synchronization
Server type: type of the server: Linux, Windows or Database.
Server name: descriptive name of the server.
SSH public key: SSH key for Linux servers.

Password vault
Vault folder: personal or shared folder, depending on the account type, in which the account data is stored.
Inherit new permissions: determines whether the account inherits the permissions granted to the folder that contains it.

Launch properties
Defines the properties used to connect to the target system.
Login URL: URL to connect to. You can add the port when you need it.
Launch type: connection type: Simple, WebSSO or PAM.
Jump server: it is mandatory to select the jump server group.
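The status list above describes two different mechanisms: the engine only moves accounts between Enabled and Disabled according to the access requirement policy (the "Manually" statuses are pinned by the administrator, and Removed/Archived are historical images), while Locked is reached by failed logins and cleared by time. The following Python is an added example, not Soffid code, that models exactly those rules with the values stated on this page (5 failed attempts, 5 minutes); the class and function names are constructed for the example.

```python
"""Added example (not Soffid code): behaviour of the account statuses listed
on the Accounts page.  The threshold (5 failed logins) and the lock period
(5 minutes) are the values the page states; everything else is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Status values as listed on the page
ENABLED = "Enabled"
MANUALLY_ENABLED = "Manually enabled"
LOCKED = "Locked"
DISABLED = "Disabled"
MANUALLY_DISABLED = "Manually disabled"
REMOVED = "Removed"
ARCHIVED = "Archived"

MAX_FAILED_LOGINS = 5                # page: locked after 5 wrong passwords
LOCK_PERIOD = timedelta(minutes=5)   # page: enabled again after 5 minutes


@dataclass
class Account:
    name: str
    status: str = ENABLED
    failed_logins: int = 0
    locked_at: Optional[datetime] = None


def reconcile(account: Account, user_matches_policy: bool) -> str:
    """One engine pass.  Only Enabled/Disabled follow the access requirement
    policy; the manual statuses are kept as the administrator set them, and
    Removed/Archived images are never touched."""
    if account.status == ENABLED and not user_matches_policy:
        account.status = DISABLED
    elif account.status == DISABLED and user_matches_policy:
        account.status = ENABLED
    return account.status


def record_login(account: Account, success: bool, now: datetime) -> str:
    """Count consecutive failed logins on a usable account; lock at the
    threshold and remember when the lock started."""
    if account.status not in (ENABLED, MANUALLY_ENABLED):
        return account.status        # unusable or already locked: nothing to count
    if success:
        account.failed_logins = 0
        return account.status
    account.failed_logins += 1
    if account.failed_logins >= MAX_FAILED_LOGINS:
        account.status = LOCKED
        account.locked_at = now
    return account.status


def unlock_expired(account: Account, now: datetime) -> str:
    """Clear the lock once the lock period has elapsed; the account returns
    to Enabled and the failure counter is reset."""
    if (account.status == LOCKED and account.locked_at is not None
            and now - account.locked_at >= LOCK_PERIOD):
        account.status = ENABLED
        account.failed_logins = 0
        account.locked_at = None
    return account.status
```

In practice the same distinction matters when reading audit data: an account that flips between Enabled and Disabled is following the policy, whereas one that stays enabled although its owner no longer matches the policy was pinned by hand and deserves review.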
Audit information
ExternalId: new attribute in Soffid 4 that keeps a record of the unique identifier of the object in the final system (useful for synchronisation and renaming).
Last login: last registered access.
Last synchronization: last registered synchronization.
Last password set: date of the last password change.
Password expiration: password expiry date.
In use by: account owner.
Password synchronization: password synchronization date.
Created: account creation date.
Last change: last modification date.
Created by: user who created the account.
Updated by: last user who updated the account.

System properties
From data: to add parameters.
Type: possible values: Windows, Linux, Database.
SSH private key: private key that establishes trust so the system can be accessed without requiring a password.
SSH public key: public key that establishes trust so the system can be accessed without requiring a password.
Password synchronization: possible values: Valid, Expired, Invalid.

Events history
List of events on this account.

Services
List of services on this account. The account type must be shared to view those services. All these services appear after agent reconciliation. Soffid allows you to manage the existing services: you can add, update or remove services. This makes sense in the case of Linux machines.

Roles
Roles are collections of permissions that can be granted. On the Roles tab you can view the roles assigned to the account; the role name, description, information system and start (and, where applicable, end) date of the role assignment are shown. You can also assign roles to the account: click the "Add new" button, select the role you want to assign, fill in the scope if the role requires one, and finally set the membership properties.
You can also revoke roles from the account, either from the entitlement details or by selecting one or more records from the list and clicking the "Delete role" button. Clicking a record shows the detailed role assignment information. Additionally, you can download a CSV file with the roles information, and you can upload a CSV file to assign or revoke roles.
The attributes:
Role: name used to identify the role.
Description: detailed role description.
Information system: asset or application, from a functional point of view, on which the permissions are granted or revoked.
Start date: on this date, Soffid connects to the system and assigns the role. If there is no start date, the role is assigned immediately.
End date: on this date, Soffid connects to the system and revokes the role.
Risk: risk related to SoD rules.
Category: category value of the role.
Domain value: you can limit the role scope by selecting the domain. Initially there are two domains defined, Groups and Information Systems. Soffid allows you to add more domains.
Domain description: domain description.

Effective roles
Hierarchy of permissions assigned directly or inherited. This screen details the effective roles for the selected account. An account holds a role:
By direct assignment of the role: when you assign a role to an account, you assign to the account all the permissions defined for that role.
By belonging to a group: when you add a user to a group, the user has all the roles assigned to the group.
By rules defined in the system: when a rule is satisfied for a user, the system assigns the roles defined in the rule to the user.
The attributes:
Object type / name: object type that owns the role / name used to identify the role.
System: target system owner of the role.
Description: detailed role description.
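The Effective roles tab lists three sources (direct assignment, group membership, rules), and the Groups page above states that a group's members also inherit the permissions granted to the group's parent. The Python below is an added example, not Soffid code, that resolves an account's effective roles from those sources, walking the group hierarchy upwards and tagging every grant with its origin so that a reviewer can tell a direct grant from an inherited one. The group tree, the roles granted to groups, the rule and the user data are all constructed for the example.

```python
"""Added example (not Soffid code): resolving effective roles from the three
sources the page lists, including inheritance from parent groups.  All data
below is constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple


class Grant(NamedTuple):
    role: str
    domain_value: Optional[str]   # scope value; None when the role has no domain
    source: str                   # "direct", "group:<name>" or "rule"


@dataclass
class User:
    name: str
    primary_group: str
    attributes: Dict[str, str]


# Constructed group tree: child group -> parent group (None for a root)
GROUP_PARENT: Dict[str, Optional[str]] = {
    "world": None, "emea": "world", "emea-sales": "emea",
}

# Constructed roles granted on the Granted roles tab of each group
GROUP_ROLES: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "world": [("intranet-reader", None)],
    "emea": [("crm-user", "CRM")],
    "emea-sales": [("crm-manager", "CRM")],
}

# Constructed role assignment rules: (condition on the user, role, domain value)
RULES: List[Tuple[Callable[[User], bool], str, Optional[str]]] = [
    (lambda u: u.attributes.get("employeeType") == "contractor", "vpn-restricted", None),
]


def group_chain(group: str) -> List[str]:
    """The group followed by all its ancestors, nearest first.  A visited set
    guards against a mis-configured cycle in the tree."""
    chain: List[str] = []
    current: Optional[str] = group
    while current is not None and current not in chain:
        chain.append(current)
        current = GROUP_PARENT.get(current)
    return chain


def effective_roles(user: User,
                    direct: List[Tuple[str, Optional[str]]]) -> List[Grant]:
    """Union of the three sources, each grant labelled with where it came from."""
    grants: List[Grant] = [Grant(role, dom, "direct") for role, dom in direct]
    for group in group_chain(user.primary_group):
        for role, dom in GROUP_ROLES.get(group, []):
            grants.append(Grant(role, dom, f"group:{group}"))
    for condition, role, dom in RULES:
        if condition(user):
            grants.append(Grant(role, dom, "rule"))
    return grants


def roles_by_source(user: User,
                    direct: List[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Grouped view of the same result, handy when reviewing why an account
    holds a permission."""
    out: Dict[str, List[str]] = {}
    for g in effective_roles(user, direct):
        out.setdefault(g.source, []).append(g.role)
    return out
```

Revoking a role on the Roles tab only removes a "direct" grant; a permission that keeps reappearing after revocation is almost always coming from a group or a rule, which this labelling makes visible at once.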
Actions
Account query actions
"Query buttons": allows you to query accounts through the different search systems: Quick, Basic and Advanced.
"Table filter": allows you to filter a column of the table based on the results loaded in it.
Add new: allows you to add a new account to the system. To add a new account it is mandatory to fill in the required fields.
Delete: allows you to remove one or more accounts by selecting one or more records and then clicking this button. To perform that action, Soffid asks you for confirmation; you can confirm or cancel the operation.
Download CSV file: allows you to download a CSV file with the basic information of all accounts.
Bulk actions: allows massive operations to be performed on all system accounts. With that operation, any of the account parameters can be updated. First of all, select the records you want to update; once you have selected them, choose the bulk action on the hamburger icon. For more information visit the Bulk action page.
View: allows you to add or remove columns in the table. You can also change the order of the columns.

Account detail actions
Apply changes (disk button): allows you to save the data of a new account or update the data of a specific account. To save the data it is mandatory to fill in the required fields.
Delete: allows you to remove the account. You can choose that option on the hamburger icon. To perform that action, Soffid asks you for confirmation; you can confirm or cancel the operation.
Undo: allows you to quit without applying any changes.
Set password: this option depends on the credential type selected.
Password: allows you to set a new password for the account, or an SSH key. The password can be generated automatically, or you can set it yourself. The password must comply with the Password policies defined for the domain.
If an account is unmanaged, the password is not sent to the target system.
SSH key: allows you to generate a new key or enter an existing key.
Kubernetes key: allows you to add a YAML descriptor.
Show actual account properties: displays the account attributes as they are on the target system. To perform that action, Soffid needs to connect to the target system and fetch the account attributes to be shown.
Expand all: displays all the attributes of the different blocks.
Collapse all: hides all the attributes of the different blocks.
"Types of views": changes the view type: Classic view, Modern view or Compact design.

Roles
Add new: allows you to assign a new role to the account. Select a role from the role list. If necessary, the next step is to set the scope. Then check and fill in the membership properties. And finally, apply changes.
Delete: allows you to revoke roles one by one or several at the same time. To revoke several roles at the same time, select the roles and then click this button. To revoke one role, click the role; Soffid shows a form with the details, and then you can click the delete button (trash icon). Soffid asks you for confirmation to perform that action; you can confirm or cancel the operation.
Import: allows you to upload a CSV file with the role list to assign permissions. First, you need to pick a CSV file; that CSV has to follow a specific format. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. And finally, you need to select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.
Download CSV file: allows you to download a CSV file with all the information about the account roles.
View: allows you to add or remove columns in the table. You can also change the order of the columns.
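Every Import action on this guide follows the same three steps: pick a CSV file, choose which attributes to load, and map each CSV column to an attribute. The Python below is an added example, not Soffid code, that carries those three steps out on a constructed CSV of role assignments, so that a practitioner can see what a column mapping and a "do not load this attribute" choice do to each row, and how a row that lacks a required attribute is reported instead of imported. The attribute names, the required set and the sample file are assumptions made for the example.

```python
"""Added example (not Soffid code): the pick / choose attributes / map columns
steps of a CSV import.  The sample CSV, the attribute names and the required
set are constructed for the example."""
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed CSV as an administrator might export it from another tool;
# the third data row has an empty account column on purpose.
SAMPLE_CSV = """login,role_name,start,end,notes
jdoe,crm-user,2024-01-15,,imported from HR
asmith,crm-manager,2024-02-01,2024-12-31,temporary
,crm-user,2024-03-01,,missing account
"""

# Constructed: attributes an assignment cannot be imported without
REQUIRED: Set[str] = {"account", "role"}


def import_rows(text: str, mapping: Dict[str, str],
                load: Set[str]) -> Dict[str, List]:
    """mapping: CSV column -> attribute name.  load: the attributes the
    operator chose to load.  Unmapped columns are ignored, mapped attributes
    outside `load` are dropped, empty cells are treated as absent, and rows
    missing a required attribute are reported with their line number."""
    reader = csv.DictReader(io.StringIO(text))
    unknown = set(mapping) - set(reader.fieldnames or [])
    if unknown:
        raise ValueError(f"mapping refers to columns not in the file: {sorted(unknown)}")
    accepted: List[Dict[str, str]] = []
    rejected: List[Tuple[int, str]] = []
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        record = {}
        for column, attribute in mapping.items():
            value = (row.get(column) or "").strip()
            if attribute in load and value:
                record[attribute] = value
        missing = REQUIRED - record.keys()
        if missing:
            rejected.append((line_no, f"missing {sorted(missing)}"))
            continue
        accepted.append(record)
    return {"accepted": accepted, "rejected": rejected}
```

Reviewing the rejected list before confirming the import is the cheap check: a mapping that points the wrong column at "account" shows up as a burst of rejected rows (or, worse, as assignments to the wrong accounts), which is far easier to catch here than after the grants have been propagated to the target system.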
Information systems
Description
Information systems are the systems that Soffid protects by granting and revoking roles. Each role and entry point is bound to an information system. Information systems can be created hierarchically and are managed in a tree structure. Soffid allows you to categorize information systems to facilitate management; the available categories are Application, Container and Business. Those categories are for information purposes only. Permissions can be granted by using workflows; visit the Workflows page for more information.

Screen overview
Related objects
Users: users belong to one or more groups
Roles: roles granted to a user
BPM editor: roles and information systems need to be BPM enabled to be managed in workflows

Standard attributes
Basics
Type: information system category.
Parent: parent within the hierarchy.
Name: short name to identify the information system.
Qualified name: short name to identify the information system.
Description: detailed description of the information system.
Source: documentation.
Owner: the information owner, who has the capability to appoint a security manager.
Sources: documentation.
Binaries: documentation.
Database: documentation.
BPM enabled: if enabled, permissions can be granted by using workflows.
Notification emails: this list is notified daily about the grants and revocations performed.
Approval process: allows you to select a Permissions management process. This process is initiated when a role of this information system is assigned to or revoked from a user. It is an advanced function for workflows. You can see an example of the Approval process below.
Role definition process: allows you to select a Role definition process. This process is initiated when the definition of a role of this information system is updated. It is an advanced function for workflows. You can see an example of the Role definition process below.
Single role: if checked, the roles of this application are mutually exclusive: if a user has role X and you want to assign role Y, X is removed to give the user Y.
Created on: creation date
Created by: user who created the object
Updated on: last update date
Updated by: last user who updated the object

Role scopes
Role scopes, or domains, are properties that can be assigned to some entitlements, limiting the scope of that entitlement. This can be used to limit, for instance, the maximum amount allowed for a money transfer, or the commercial zones to manage. On this tab you can add new domains: click the button with the add symbol and fill in the information about the new domain. You can also delete a domain or update the domain information. Other allowed operations are downloading a CSV file with the domain data and uploading a CSV file to add new domains or update existing domains.
Attributes:
Domain / Value: name of the domain
Description: description of the domain

Roles
A role is a collection of permissions that determine what operations a user or a group of users can perform on that information system. On the Roles tab you can create, update and delete roles. The effective privileges bound to each role are managed from each application. To add a new role, click the "Add new" button and fill in all the role data. You can update a specific role by clicking its record, making changes and applying them. You can also delete roles from the role details or by selecting one or more records from the list and clicking the "Delete" button. Additionally, you can download a CSV file with the roles information, and you can upload a CSV file to add new roles or modify existing roles.
Attributes:
Name: name used to identify the role.
Description: detailed role description.
System: agent of the target system that owns the role.
Category: category value of the role.
Information system: asset or application, from a functional point of view, on which the permissions are granted or revoked.
Domain type: domain type of the role.
BPM enabled: when enabled, the role can be managed in workflows.
ExternalId: new attribute in Soffid 4 that keeps a record of the unique identifier of the object in the final system (useful for synchronisation and renaming).
Approval start: on this date, Soffid connects to the system and assigns the role. If there is no approval start, the role is assigned immediately.
Approval end: on this date, Soffid connects to the system and revokes the role.
Risk: risk related to SoD rules.
Created on
Created by
Updated on
Updated by

Users
On the Users tab, Soffid displays all the users with roles granted for this information system. You can download a CSV file with all the user data.
Attributes:
Name: name of the account on which the role is granted
Full name: full name of the user who owns the account
Group: primary group of the user
Role: name used to identify the role
System: agent of the target system that owns the role
Domain: domain type of the role
Recertification: date of the last recertification

Effective users
Hierarchy of permissions assigned to or inherited by an account. If you visit the Accounts page, you can see the roles on the Roles tab of a specific account.
Attributes:
Name: name of the account on which the role is granted
Full name: full name of the user who owns the account
Group: primary group of the user
Role: name used to identify the role
System: agent of the target system that owns the role
Domain: domain type of the role
Recertification: date of the last recertification

Managers
On the Managers tab, Soffid displays the roles whose domain is Information System and for which you hold the proper authorization. Here you can grant the role to one or more users. You can also assign the role to users on the Roles page or on the Users page. Users who have been assigned this role are displayed on the Managers tab. Bear in mind that, to query the information about roles and users on the Managers tab, authorization to query applications is mandatory: you must add the role to the authorization (application:query).
Attributes:
Role / Managers: name of the role / managers with the role and domain granted
Description: description of the role / full name of the user

Actions
Information system table actions
"Query buttons": allows you to query information systems through the different search systems: Quick, Basic and Advanced.
"Table filter": allows you to filter a column of the table based on the results loaded in it.
Add new: allows you to create a new information system. To add a new information system it is mandatory to fill in the required fields.
Import: allows you to upload a CSV file with the information system list to add or update information systems in Soffid. First, you need to pick a CSV file; that CSV has to follow a specific format. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. And finally, you need to select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.
Download CSV file: allows you to download a CSV file with the basic information of all information systems.
Add child information system (+): allows you to add a child to a specific information system. You can choose that option below the parent information system.
To add a child it is necessary to fill in the required fields.

Information system detail actions
Apply changes (disk button): allows you to save the data of a new information system or update the data of a specific information system. To save the data it is mandatory to fill in the required fields.
Delete system: allows you to remove a specific information system. To perform that action, Soffid asks you for confirmation; you can confirm or cancel the operation.
Expand all: displays all the attributes of the different blocks.
Collapse all: hides all the attributes of the different blocks.
"Types of views": changes the view type: Classic view, Modern view or Compact design.
Undo: allows you to quit without applying any changes.
Apply changes: allows you to save the data of a new information system or update the data of a specific information system. To save the data it is mandatory to fill in the required fields.

Role scopes actions
Add new: allows you to add a new domain to limit the scope. You can choose that option on the hamburger menu or click the add button (+). To add a new domain it is mandatory to fill in the required fields.
Import: allows you to upload a CSV file with the domain list to add or update domains in Soffid. First, you need to pick a CSV file; that CSV has to follow a specific format. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. And finally, you need to select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.
Download CSV file: allows you to download a CSV file with all the information about domains.
Add domain value (+): allows you to add a domain value to a domain type (second node of the tree).

Roles actions
Add new: allows you to create a new role for that information system. You can choose that option on the hamburger menu or click the add button (+).
To add a new role it is mandatory to fill in the required fields.
Delete: allows you to delete roles from an information system one by one or several at the same time. To delete several roles at the same time, select the roles and then click the button with the subtraction symbol (-). To delete one role, click the role; Soffid shows a form with the details, and then you can click the delete button (trash icon). Soffid asks you for confirmation to perform that action; you can confirm or cancel the operation.
Import: allows you to upload a CSV file with the role list to add to the information system. First, you need to pick a CSV file; that CSV has to follow a specific format. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. And finally, you need to select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.
Download CSV file: allows you to download a CSV file with the basic role data.
View: allows you to add or remove columns in the table. You can also change the order of the columns.
Bulk actions: allows massive operations to be performed on all the selected roles. First of all, select the records you want to update; once you have selected them, choose the bulk action on the "three points" icon. For more information visit the Bulk action page.
In addition, for each role you can perform the specific operations defined on the Role page.

Users actions
Import: allows you to upload a CSV file with the list of users to whom the roles are to be granted. First, you need to pick a CSV file; that CSV has to follow a specific format. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute.
And finally, you need to select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.
Download CSV file: allows you to download a CSV file with all the information about users.

Effective users actions
Download CSV file: allows you to download a CSV file with all the information about users.

Example
Approval process example
1. Assign a role to a user: this role belongs to an information system with an Approval process configured.
Information system definition
Assign a role to a user
2. A task to approve or reject the assignment is created.
Role definition process example
1. Update a role definition. This role belongs to an information system with an Approval process configured.
Assign a role to a user
1) This assignment is pending approval
2) This deletion is pending approval
2. A task to approve or reject the change is created.

Roles
Description
Soffid allows you to create roles to specify permissions that can be assigned to a user, a group or an account. These permissions determine what operations are allowed on a resource. You can use roles to delegate access to users, applications or services. The main goal is to achieve optimal security administration.
Roles can be defined at different levels:
Organizational permissions.
Application permissions.
Low-level permissions.
When needed, generic roles can be created. When such a role is granted to a user, it is converted into a specific role by specifying an organizational unit, an information system or a specific value. So, for instance, a generic emergency coordinator role can be created: the master emergency coordinator has this role granted for the whole organization, while a remote office emergency coordinator has this role granted for his single unit.
Note that a role can belong to an information system with a defined role definition process.
Screen overview

Related objects
Users: owner users of the accounts.
Accounts: a role is granted to a user through an account.
Agents: the target system that owns the role.
Roles: a role can be inherited from another role.
Groups: a role can be inherited from a group.
Role assignment rules: a role can be inherited from a rule.
Information systems: where the roles are gathered.
BPM editor: roles and information systems need to be BPM enabled to be managed in workflows.
Scheduled tasks: the roles can be managed from the reconcile process.

Standard attributes

Role detail
Name: name used to identify the role.
Description: detailed role description.
System: information storage system from a technical point of view (Active Directory, database, CSV, ...).
Category: this attribute can be used as a label to define the type of role, its use, or any other distinction you consider useful.
Information system: asset or application, from a functional point of view, on which the permissions are granted or revoked.
Domain type: you can limit the scope of the role by selecting the domain. Initially, two domains are defined, Groups and Information Systems. Soffid allows you to add more domains. (*1) (*2)
BPM enabled: if you check this option (selected value is Yes), this role will be available in the Permissions management workflows.
External id: new attribute in Soffid 4 that keeps a record of the unique identifier of the object in the final system (useful for synchronisation and renaming).
Approval start: at this date, Soffid will connect to the system and assign the role. If there is no approval start, the role is assigned immediately.
Approval end: at this date, Soffid will connect to the system and revoke the role.
Created: creation date.
Last change: date of the last modification.
Created by: user who created the record.
Updated by: last user who updated the record.

Domain example (*1)
First, you can define the scope for one specific role; for instance, you define the role manager in the Soffid system with the scope Groups. Then, you can assign this role to one or more users; to do this you must indicate the scope (one or more scope values can be selected). The user will then have the role in the scopes indicated. If you try to assign the role without a domain value, an error will be displayed.

Domain example (*2)
You can define the scope for one specific role; for instance, you define the role manager in the Soffid system with the scope Information Systems. Then, you can assign this role to one or more users; to do this you must indicate the scope (one or more scope values can be selected). The user will then have the role in the scopes indicated. If you try to assign the role without a domain value, an error will be displayed.

Granted roles
On the granted roles tab, you can assign the privileges of this role to another role in another system.
Role (parent): name used to identify the role.
Database (parent): agent of the target system that owns the role.
Domain (parent): domain type of the role.
Role (child): name used to identify the role.
Database (child): agent of the target system that owns the role.
Domain (child): domain type of the role.
Mandatory: the roles with this flag checked will be displayed in the user's effective roles tab.

Assign privileges
To assign privileges, click the "Add new" button, then select the target role and, when necessary, the domain values, and click the Finish button. At this point the record will be added to the list. Now you can check or uncheck the Mandatory field.
Mandatory: the roles with this flag checked will be displayed in the user's effective roles tab.
Not mandatory: roles with this flag unchecked will be displayed in the user's roles tab and can be managed.
It is not automatically assigned to users who already had the parent role. Finally, click the Apply changes button to save the changes. With this operation, all the permissions of this role will be assigned to the target role.

If this role belongs to an information system with a defined role definition process, the list marks the records that are pending approval:
This assignment is pending approval.
This deletion is pending approval.

Revoke permissions
If you want to revoke permissions, select one or more records from the list, click the "Delete granted role" button, and then click the "Apply changes" button to save the changes.

Preview changes
In addition, you can check the preview of the changes; it displays information about the action, the user or account, and the role or domain, and you can apply the changes from there.

Grantee roles
On the grantee roles tab, you can assign the privileges of a role of any other system to this role.
Role (parent): name used to identify the role.
Database (parent): agent of the target system that owns the role.
Domain (parent): domain type of the role.
Role (child): name used to identify the role.
Database (child): agent of the target system that owns the role.
Domain (child): domain type of the role.
Mandatory: the roles with this flag checked will be displayed in the user's effective roles tab.

Assign privileges
To assign privileges, click the button with the add (+) symbol, then select the source role and, when necessary, the domain values, and click the Finish button. At this point the record will be added to the list. Now you can check or uncheck the Mandatory field.
Mandatory: the roles with this flag checked will be displayed in the user's effective roles tab.
Not mandatory: roles with this flag unchecked will be displayed in the user's roles tab and can be managed.
It is not automatically assigned to users who already had the parent role. Finally, click the Apply changes button to save the changes.
With this operation, all the permissions of the source role will be assigned to this role.

If the role belongs to an information system with a defined role definition process, the list marks the records that are pending approval:
This assignment is pending approval.
This deletion is pending approval.

Revoke permissions
If you want to revoke permissions, select one or more records from the list, click the button with the subtraction symbol (-), and then click the Apply changes button to save the changes.

Preview changes
In addition, you can check the preview of the changes; it displays information about the action, the user or account, and the role or domain, and you can apply the changes from there.

Grantee groups
On the grantee groups tab, you can assign the privileges from a specific group to this role, or revoke them.
Group (parent): name of the group.
Role (child): name used to identify the role.
Database (child): agent of the target system that owns the role.
Domain (child): domain type of the role.
Mandatory: the roles with this flag checked will be displayed in the user's effective roles tab.

Assign privileges
To assign privileges, click the "Add new" button, then select the group, click Finish and apply the changes. The roles indicated, in the corresponding system, will then be assigned to all users belonging to this group. Now you can check or uncheck the Mandatory field.
Mandatory: the roles with this flag checked will be displayed in the user's effective roles tab.
Not mandatory: roles with this flag unchecked will be displayed in the user's roles tab and can be managed.
It is not automatically assigned to users who already had the parent role. Finally, click the "Apply changes" button to save the changes. With this operation, all the permissions of this role will be assigned to the members of the group.
Revoke permissions
If you want to revoke permissions, select one or more records from the list, click the "Delete granted role" button, and then click the "Apply changes" button to save the changes.

Preview changes
In addition, you can check the preview of the changes; it displays information about the action, the user or account, and the role or domain, and you can apply the changes from there.

Users
On the users tab, you can assign or revoke roles. To assign a role, click the "Add new" button, choose one or more users, fill in the scope when it is mandatory, and set the membership properties.

Each role needs an account to be applied to, so if a user has no account on a system and a role on that system is granted, a new account will be created on that system. If a user has more than one account on a system, you must indicate which of the suitable accounts will be granted the role.

It is also possible to revoke roles from the user, either from the entitlement details or by selecting one or more records from the list and clicking the "Delete user" button. Users whose role was assigned by a rule are displayed in a different colour; Soffid does not allow you to revoke roles assigned by rules on this page.

Additionally, you can download a CSV file with the basic user data.

Attributes:
Account: account that holds the role.
Description: description of the account (usually the user's full name).
Start date: at this date, Soffid will connect to the system and assign the role. If there is no start date, the role is assigned immediately.
End date: at this date, Soffid will connect to the system and revoke the role.
Domain value: domain value of the granted role.
Domain description: domain type of the granted role.
Risk: risk related to SoD rules.
Category: this attribute can be used as a label to define the type of group, its use, or any other distinction you consider useful.
Recertification: date of the last recertification.
Holder group: holder group of the granted role.

Legend: 1) this assignment is pending approval; 2) this deletion is pending approval; 3) this assignment was made by an assignment rule.

Role assignment rules
You can consult the role assignment rules related to this role.
Name: name of the role assignment rule.
Description: description of the role assignment rule.
For more information, you can visit the Role assignment rules page.

Actions

Roles table

"Query buttons"
Allows you to query roles through different search systems: Quick, Basic and Advanced.

"Table filter"
Allows you to filter a column of the table based on the results loaded in it.

Add new
Allows you to add a new role to the system. To add a new role it will be mandatory to fill in the required fields.

Delete role
Allows you to remove one or more roles by selecting one or more records and then clicking this button. Before performing the action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Download CSV file
Allows you to download a CSV file with the basic roles data.

Import
Allows you to upload a CSV file with the list of roles to add or update in Soffid. First, pick a CSV file; that CSV has to follow a specific structure. Then check the content to be loaded; you can choose whether or not to load each attribute. Finally, select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.

Bulk actions
Allows massive operations to be performed on all system roles; any of the role's parameters can be updated this way. First, select the records that you want to update; once you have selected them, choose the bulk action from the hamburger icon. For more information visit the Bulk action page.
Role details

Apply changes (disk button)
Allows you to apply the pending changes.

Delete role
Allows you to delete a role. You can choose that option from the hamburger icon. Before performing the action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Expand all
Displays all the attributes of the different blocks.

Collapse all
Hides all the attributes of the different blocks.

"Types of views"
Changes the view type: Classic view, Modern view, Compact design.

Preview changes
Shows the pending changes on users or accounts. Soffid displays the information about the user or account, the action and the role. You can choose to apply the changes or to close the preview changes window.

Undo
Allows you to quit without applying any changes.

Apply changes
Allows you to apply the pending changes.

Granted roles

Add new
Allows you to add a new granted role. To add a granted role, first click the "Add new" button. Second, write or search for a role. Once you have selected the role, if necessary, the next step is to set the scope. Then finish the process and, finally, apply the changes.

Delete granted role
Allows you to delete one or more granted roles. To delete, select the records and then click this button. Before performing the action, Soffid will ask you for confirmation; you can confirm or cancel the operation. Finally, apply the changes.

Download CSV file
Allows you to download a CSV file with the granted roles.

View
Allows you to add or remove columns in the table. It is also possible to change the order of the columns.

Preview changes
Shows the pending changes on users or accounts. Soffid displays the information about the user or account, the action and the role. You can choose to apply the changes or to close the preview changes window.

Undo
Allows you to quit without applying any changes.

Apply changes
Allows you to apply the pending changes.
Grantee roles

Add new
Allows you to add a new grantee role. To add a grantee role, first click the "Add new" button. Second, write or search for a role. Once you have selected the role, if necessary, the next step is to set the source scope and the scope. Then finish the process and, finally, apply the changes.

Delete granted role
Allows you to delete one or more grantee roles. To delete, select the records and then click this button. Before performing the action, Soffid will ask you for confirmation; you can confirm or cancel the operation. Finally, apply the changes.

Download CSV file
Allows you to download a CSV file with the grantee roles.

View
Allows you to add or remove columns in the table. It is also possible to change the order of the columns.

Preview changes
Shows the pending changes on users or accounts. Soffid displays the information about the user or account, the action and the role. You can choose to apply the changes or to close the preview changes window.

Undo
Allows you to quit without applying any changes.

Apply changes
Allows you to apply the pending changes.

Grantee groups

Add new
Allows you to add a new grantee group. To add a grantee group, first click the "Add new" button. Second, write or search for a group. Once you have selected the group, if necessary, the next step is to set the scope. Then finish the process and, finally, apply the changes.

Delete grantee group
Allows you to delete one or more grantee groups. To delete, select the records and then click this button. Before performing the action, Soffid will ask you for confirmation; you can confirm or cancel the operation. Finally, apply the changes.

Preview changes
Shows the pending changes on users or accounts. Soffid displays the information about the user or account, the action and the role.
You can choose to apply the changes or to close the preview changes window.

Undo
Allows you to quit without applying any changes.

Apply changes
Allows you to apply the pending changes.

Users

Add new
Allows you to add users or accounts to be assigned the role. To add users or accounts, first click the "Add new" button. Second, search for the users and/or accounts and select the ones you want to add. Once you have selected them, if necessary, the next step is to set the scope. Then fill in the membership properties and finish the process. Finally, apply the changes.

Delete user
Allows you to delete one or more users and/or accounts, that is, Soffid will revoke the role. To delete one, select the record and click this button; to delete several at the same time, select the records and then click this button. Before performing the action, Soffid will ask you for confirmation; you can confirm or cancel the operation. Finally, apply the changes.

Download CSV file
Allows you to download a CSV file with all the information about the users.

Import
Allows you to upload a CSV file with the list of users to be granted the permission. First, pick a CSV file; that CSV has to follow a specific structure. Then check the content to be loaded; you can choose whether or not to load each attribute. Finally, select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.

View
Allows you to add or remove columns in the table. It is also possible to change the order of the columns.

Preview changes
Shows the pending changes on users or accounts. Soffid displays the information about the user or account, the action and the role. You can choose to apply the changes or to close the preview changes window.

Undo
Allows you to quit without applying any changes.
Apply changes
Allows you to apply the pending changes.

Role assignment rules

Description
Soffid Console provides an option that allows you to define policies that assign or revoke roles automatically for specific users. To have roles assigned or revoked, the users must comply with the defined requirements.

This option allows you to Preview changes before you Apply now the changes, so you can verify that the actions to be performed are the correct ones. To Apply now the role assignment rule, it is mandatory to have previously saved any changes made to the rule definition using the Apply changes button.

The rule evaluation is performed asynchronously. When a user is updated, no matter from where, Soffid will run the defined role assignment rules. If the rule evaluates to true, the roles will be assigned; otherwise, they will be revoked.

Screen overview

Related objects
Users: where the rule is executed after the changes.
Roles: roles to be granted or revoked.

Standard attributes

Rules table
Name: name of the rule.
Description: brief description of the rule.

Rule details
Name: name of the rule.
Description: brief description of the rule.
Expression: the script of the rule. When it returns true, the roles will be granted; when it returns false, the roles are revoked.

Roles to apply when rule expression returns true
"Roles list": roles to apply when the rule expression returns true.
Script to assign roles: allows you to customize the rules that apply roles. Those roles will be added to the role list. The script result must be a Role list, a RoleAccount list, or a String list.

Others
Rule progress: displays the time remaining to finish applying the rule. It is only displayed while the changes are being applied.

Actions

Rules table

Add new
Allows you to add a new role assignment rule to the system. To add a new role assignment rule it will be mandatory to fill in the required fields.
Delete rule
Allows you to remove one or more role assignment rules by selecting one or more records and then clicking this button. Before performing the action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Download CSV file
Allows you to download a CSV file with the basic information of all the role assignment rules.

Rule details

Apply changes
Allows you to save the changes made to the rule specification, or to save a new rule.

Delete
Allows you to remove the role assignment rule. Before performing the action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Expand all
Displays all the attributes of the different blocks.

Collapse all
Hides all the attributes of the different blocks.

"Types of views"
Changes the view type: Classic view, Modern view, Compact design.

Undo
Allows you to undo any changes made to the rule, except the roles added to or deleted from the role list.

Add new (roles list)
Allows you to add a role to be applied by the rule.

Delete (roles list)
Allows you to delete a role that will no longer be managed by the rule.

Preview changes
Displays a list of the changes that would be applied with this rule definition.

Apply now
Allows you to launch the role assignment rule process. The roles of the users who comply with the rule specification will be updated.

Examples

Scripts

The roles will only be applied to active users:

    return user.active;

The roles will only be applied to users whose primary group is 'Writers':

    return "Writers".equals(user.getPrimaryGroup());

The roles will only be applied to users whose 'employee' attribute has the value 1001, 1002, or 2001:

    return "1001".equals(user.attributes.get("employee"))
        || "1002".equals(user.attributes.get("employee"))
        || "2001".equals(user.attributes.get("employee"));

Segregation of Duties

Description
Segregation of duties (SoD) is a fundamental element of internal controls, defined to prevent error and fraud.
Segregation of duties ensures that at least two individuals are responsible for the separate parts of any task.

For each user, the roles tab displays the list of roles assigned to the user and the possible risks. If you click on a role record, Soffid will show the entitlement details, including the SoD rules with the detail of the risk.

Screen overview

Related objects
Information systems: information systems and roles where the SoD rule is applied.
Roles: roles granted to a user.
Users: where you can check whether a granted role has a comment related to the SoD.

Standard attributes

SoD table
Qualified name: asset or application, from a functional point of view, on which the permissions are granted or revoked.
Name: name of the segregation of duties rule.

SoD detail
Name: name of the segregation of duties rule.
Information system: asset or application, from a functional point of view, on which the permissions are granted or revoked.
Type: type of segregation.
Trigger on all permissions: no user can be assigned all the roles added to the role list.
Trigger on some permissions: if you select this option, you have to fill in the number of roles that may match. Soffid will not allow a user to be assigned more than the indicated number of the roles added to the role list.
Query permissions matrix: Soffid displays a matrix that allows you to select the risk between pairs of roles; those roles are the ones added to the role list.
Risk: level of risk:
Low: allows the user to have all the roles, but a small warning is displayed on the user screen when viewing the role details.
High: allows the user to have all the roles, but a big warning is displayed on the user screen when viewing the role details.
Forbidden: a user is not allowed to be assigned the roles defined on the role list.
None: there is no risk.
Role list: list of roles to take into account in the segregation of duties.
Name: name of the role.
Description: description of the role.
System: target system that owns the role.

Actions

SoD table

"Query"
Allows you to query segregation of duties rules through different search systems: Basic and Advanced.

Add new
Allows you to add a new segregation of duties rule to the system. To add a new segregation of duties rule it will be mandatory to fill in the required fields.

Delete segregation of duties
Allows you to remove one or more segregation of duties rules by selecting one or more records and then clicking this button. Before performing the action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Download CSV file
Allows you to download a CSV file with the basic segregation of duties data.

Import
Allows you to import a CSV file with the list of segregation of duties rules to be created or updated.

SoD detail

Apply changes
Allows you to save the data of the segregation of duties rule. To save the data it will be mandatory to fill in the required fields.

Delete segregation of duties
Allows you to delete the segregation of duties rule. Soffid will ask you for confirmation; you can confirm or cancel the operation.

Undo
Allows you to quit without applying any changes.

Add new (role list)
Allows you to add a new role to the role list. Soffid will show a form to search for and select one or more roles. Finally, click the Apply changes button and the roles will be added to the role list.

Delete (role list)
Allows you to delete one or more roles from the role list. Select one or more roles and then click this button. The roles will be deleted from the role list without Soffid asking for confirmation.

Preview changes
Allows you to quickly see which users are affected by this role segregation rule.

Others

SoD granting a role
When a role that is included in a SoD rule is granted, this is indicated in the SoD rules field.
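The following Python model, added here as an example and not code from Soffid, shows the semantics described in the two previous sections: role assignment rules whose expression grants roles when true and revokes them when false (with a preview before "Apply now"), and SoD rules of the three types (trigger on all permissions, trigger on some permissions, permissions matrix) reporting the risk level a user's role set triggers. User fields, role names, the rule data and the tie-break between a granting and a revoking rule are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import Callable

RISK_ORDER = ["None", "Low", "High", "Forbidden"]  # risk levels listed on the page


@dataclass
class User:
    # constructed user record with the fields the page's rule scripts read
    name: str
    active: bool
    primary_group: str
    attributes: dict
    roles: set = field(default_factory=set)


@dataclass
class AssignmentRule:
    name: str
    expression: Callable[[User], bool]  # true -> grant the roles, false -> revoke them
    roles: set


@dataclass
class SodRule:
    name: str
    kind: str                 # "all", "some" or "matrix": the three SoD types on the page
    roles: set                # the rule's role list
    risk: str = "None"        # risk level for "all" and "some"
    max_match: int = 0        # "some": how many listed roles a user may hold at most
    matrix: dict = field(default_factory=dict)  # "matrix": frozenset({a, b}) -> risk


def preview_rule_changes(user: User, rules: list) -> tuple:
    """Preview changes: grants and revokes one rule run would produce, applying nothing.

    Assumption (the page does not say): a role granted by a rule that evaluates to
    true is never revoked by another rule that evaluates to false in the same run.
    """
    wanted, unwanted = set(), set()
    for rule in rules:
        (wanted if rule.expression(user) else unwanted).update(rule.roles)
    grants = wanted - user.roles
    revokes = (unwanted - wanted) & user.roles
    return grants, revokes


def apply_rules(user: User, rules: list) -> set:
    """Apply now: update the user's role set according to the rules."""
    grants, revokes = preview_rule_changes(user, rules)
    user.roles = (user.roles | grants) - revokes
    return user.roles


def sod_risk(user_roles: set, rule: SodRule) -> str:
    """Highest risk level a role set triggers under one SoD rule ("None" if clean)."""
    held = user_roles & rule.roles
    if rule.kind == "all":      # triggers only when every listed role is held
        return rule.risk if held == rule.roles else "None"
    if rule.kind == "some":     # triggers when more than max_match listed roles are held
        return rule.risk if len(held) > rule.max_match else "None"
    if rule.kind == "matrix":   # pairwise risk between the listed roles the user holds
        risks = [rule.matrix.get(frozenset(p), "None") for p in combinations(sorted(held), 2)]
        return max(risks, key=RISK_ORDER.index, default="None")
    raise ValueError(f"unknown SoD type {rule.kind!r}")


def grant_risk(user: User, new_role: str, sod_rules: list) -> str:
    """Risk the roles tab would show if new_role were granted; "Forbidden" is refused."""
    candidate = user.roles | {new_role}
    return max((sod_risk(candidate, r) for r in sod_rules), key=RISK_ORDER.index, default="None")


def affected_users(users: list, rule: SodRule) -> dict:
    """Preview changes on a SoD rule: users whose current roles already trigger it."""
    return {u.name: sod_risk(u.roles, rule) for u in users if sod_risk(u.roles, rule) != "None"}


# Constructed sample rules; the three expressions mirror the scripts shown on the page.
ASSIGNMENT_RULES = [
    AssignmentRule("active users", lambda u: u.active, {"intranet-user"}),
    AssignmentRule("writers", lambda u: u.primary_group == "Writers", {"cms-editor"}),
    AssignmentRule("payroll staff",
                   lambda u: u.attributes.get("employee") in {"1001", "1002", "2001"},
                   {"payroll-reader"}),
]

SOD_RULES = [
    SodRule("request vs approve", "all", {"payment-requester", "payment-approver"}, risk="Forbidden"),
    SodRule("finance spread", "some", {"payroll-reader", "payment-requester", "ledger-admin"},
            risk="High", max_match=1),
    SodRule("audit matrix", "matrix", {"auditor", "cms-editor", "ledger-admin"},
            matrix={frozenset({"auditor", "ledger-admin"}): "High",
                    frozenset({"auditor", "cms-editor"}): "Low"}),
]

if __name__ == "__main__":
    # A deactivated writer: the rules revoke intranet-user and grant cms-editor and payroll-reader.
    alice = User("alice", False, "Writers", {"employee": "1002"}, {"intranet-user", "payment-requester"})
    print("preview:", preview_rule_changes(alice, ASSIGNMENT_RULES))
    print("after apply:", apply_rules(alice, ASSIGNMENT_RULES))
    print("risk of granting payment-approver:", grant_risk(alice, "payment-approver", SOD_RULES))
```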
Networks

Description
Operators can define the subnets that compose the internal network in order to manage the IP address space. The main goal is to manage a limited resource, as the IP address space is. Soffid supports both static and dynamic IP assignments; static IP management does not exclude the use of the DHCP or BOOTP protocols to obtain them.

Screen overview

Related objects
Hosts: hosts of the system, each one in a network.
Detected browsers: browsers detected in a network.
Printers: printers configured in a network.
Soffid parameters: you can specify a parameter to be applied only in a network.

Standard attributes

Networks table
Name: short name that identifies the network.
Description: network description.
IP Address: IP range of this network.
IP Address mask: IP mask of this network.
Internal network: activate this check box to indicate whether this network is fully managed or not. What "fully managed" means changes in each organization; it used to mean corporate office versus branch office. It mainly affects access to the menu tree: application entry points have different scripts or URLs for internal and external networks.
Support DHCP: if enabled (selected value is Yes), hosts belonging to this network will be registered automatically.
DHCP attributes: allows you to enter additional parameters that the DHCP server will use to assemble the DHCP response. Usually it will hold a parameter like gw=0.1.2.34. It is only needed when a DHCP connector is configured.

Network detail > basics tab
On the basics tab, you can view all the network attributes. You can add new networks and update or delete existing networks. The attributes are the same as in the networks table plus the following one.
Used IPs: IP addresses in use.
This value is calculated automatically.

Network detail > access control tab
In order to delegate the management of the IP addresses in this network range, the Access Control List allows you to select which users, groups or roles will be allowed to manage it.

Restrict ESSO login: allows you to restrict access to the workstations of this network; otherwise, any Soffid user can log in.

Each Access Control List entry has the following attributes:
Level: four levels are defined:
Without access: denies everything.
Query: allows you to know about the hosts on this network.
Support: allows you to know about the hosts on this network and to manage the workstations on it. This option is fully tied to the Single Sign On module.
Administration: allows you to create, modify or remove hosts on this network.
Login.
Mask: specifies a pattern that will be checked against the host name in order to apply this authorization level.
Identity: specifies a user, group or role name.
Description.

To add a new access control, click the Add new button, select the grantee type (user, group or role), then choose a user, group or role depending on the grantee type selected, and finally set the access level and the mask and apply the changes. If you want to delete access controls, select one or more records from the list and click the Delete button.

Actions

Networks table

"Query"
Allows you to query networks through different search systems: Quick, Basic and Advanced.

Add new
Allows you to create a new network. To add a new network it will be mandatory to fill in the required fields.

Delete network
Allows you to remove one or more networks by selecting one or more records and then clicking this button. Before performing the action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Download CSV file
Allows you to download a CSV file with the networks information.
Import
Allows you to upload a CSV file with the list of networks to add or update in Soffid. First, pick a CSV file; that CSV has to follow a specific structure. Then check the content to be loaded; you can choose whether or not to load each attribute. Finally, select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.

View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

Network detail > basics tab

Apply changes
Allows you to save the data of a new network or to update the data of a specific network. To save the data it will be mandatory to fill in the required fields.

Delete network
Allows you to remove the network. Before performing the action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Undo
Allows you to quit without applying any changes.

Network detail > access control tab

Apply changes
Allows you to save the data of the network access control list. To save the data it will be mandatory to fill in the required fields.

Add new
Allows you to create a new access control. First, select the grantee type, which can be a role, a user or a group. Second, select the grantee, which depends on the grantee type selected. Then fill in the access level. Finally, apply the changes.

Delete
Allows you to remove one or more access controls by selecting one or more records and then clicking this button. Before performing the action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Import
Allows you to upload a CSV file with the access control list to add or update access controls in Soffid. First, pick a CSV file; that CSV has to follow a specific structure.
Then check the content to be loaded; you can choose whether or not to load each attribute. Finally, select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.

Download CSV file
Allows you to download a CSV file with the basic access controls data.

Hosts

Description
The hosts screen lets the administrator manage the static IP address assigned to any host. Dynamic IP addresses are managed automatically by Soffid ESSO. From the PAM module, when the network discoverer is configured, Soffid will register the machines it finds on this page. The same happens in the SSO module when users access the system for the first time.

Screen overview

Related objects
Hosts: hosts of the system, each one in a network.
Detected browsers: browsers detected in a network.
Printers: printers configured in a network.
Soffid parameters: you can specify a parameter to be applied only in a network.
Network discovery: discovers the machines and systems in the configured networks.

Standard attributes

Hosts table
Name: host name.
Description: location, owner and any other information you want.
IP Address: host IP address.
Network: network to which the host belongs.
DHCP server parameters: used by the DHCP agent in order to generate DHCP configuration files.
Operating system: used by the Active Directory agent in order to know whether this host must have an Active Directory host account. With this functionality, no operator needs to be authorized to add or remove hosts in Active Directory; Soffid does it for them. Moreover, whenever this host gives up its IP address, the host account will be removed from Active Directory. This behavior can, of course, be customized.
Mail server: if enabled (selected value is Yes), the user will be able to create mailboxes on the host.
Shared folders server: if enabled (selected value is Yes), the user will be able to create shared folders on the host.
MAC Address : used by the DHCP agent in order to generate DHCP configuration files. Alias : This field is used to identify the possible IP addresses that may be associated with a single hostname. In complex and segmented environments, it is common for the same machine identifier to be used across multiple networks, whether for service replication, geographic redundancy, or the deployment of parallel test and production environments. This field enables such configurations by linking a hostname to multiple IP addresses, each corresponding to a different network where that hostname is resolvable and operational. As such, the alias acts as an abstraction mechanism that simplifies host identity management in multi-network or multi-site contexts, allowing a single logical identifier (machine name) to be present and active across several network domains, each with its respective IP addressing. The use of the alias field is particularly relevant in distributed architectures, hybrid infrastructures (on-premises and cloud), and high-availability environments, where logical name uniqueness does not imply a single physical address, but rather a flexible, context-dependent association with multiple IP representations of the same functional entity. Shared printer server : if enabled (selected value is Yes), the user will be able to create a printer queues in the host. Dynamic IP Serial number Last connection Created on Locked Device type Internet browser CPU type Created on Created by Updated on Updated by Host details > basics tab The same attributes than the hosts table. Image Host detail > access control In the access control tab, you can delegate host management to certain users. This feature requires the Soffid ESSO. If you add a user authorization, you will allow the user to execute any task as a local administrator on this server or workstation. ESSO must be installed in the target host. 
To add a user authorization you can click the Add new button, then select the user and expiration date, and finally apply changes. It is also allowed to delete one or more user authorizations, you can do it from the entitlement details or by selecting one or more records from the list and clicking the Delete button. Additionally, you can download a CSV file with the access control data and you can also upload a CSV file to add user authorizations, and modify or delete user authorizations. You also can view the administrator password. Attributes: User : user with the access. Name : full name of the user. Request date : date of the row creation. Expiration date : expiration date until the user has access. Image Sessions On the sessions tab, you can view the information about the last connection of a user to this host. Shows data about the user, server, client, port used and date of connection. You can download a CSV file with the user sessions data. Attributes: User : user with the access. Name : full name of the user. Client :Ā  Port :Ā  Date : date when the session has been started.. Type : Image Host detail > tokens To do. Actions Host table "Query" Allows you to query host through different search systems, Quick, Basic and Advanced . Add new Allows you to create a new host. You can choose that option on the hamburger menu or by clicking the add button (+). To add a new host it will be mandatory to fill in the required fields Delete host Allows you to remove one or more hosts by selecting one or more records and next clicking this button. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation. Download CSV file Allows you to download a csv file with the hosts information. Import Allows you to upload a CSV file with the host list to add or update hosts to Soffid. First, you need to pick up a CSV file, that CSV has to contain a specific configuration. 
Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button. Operating systems This option allows you to manage the Operating Systems. You can add new, update, or delete OS. Undo and Apply changes to confirm it. Image View Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. Host detail > basics tab Apply changes Allows you to save the data of a new host or to update the data of a specific host. To save the data it will be mandatory to fill in the required fields. Delete Allows you to delete the host. Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation. Assign free IP Address Allows you to assign a free IP address. It is necessary to select the network first. View password Will show the administrator password if it is available.Ā This utility is linked to the PAM module along with the password rotation functionality. Undo Allows you to quit without applying any changes. Host detail > access control tab Add new Allows you to create a new access control. First, you will select the user and the expiration date of that authorization. Finally you need to apply changes. Delete Allows you to remove one or more access controls by selecting one or more records and next clicking this button. To delete one access control, you can click the access control, and then Soffid will show a form with the details. Then you can click the delete button (trash icon). To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation. Download CSV file Allows you to download a csv file with the access control information Import Allows you to upload a CSV file with the access control list to add or update access controls to Soffid. 
First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and to click the Import button. Host detail >Ā sessions Download CSV file Allows you to download a csv file with the sessions information Host detail > tokens To do. Detected browsers Description The Browsers Detected screen allows the administrator to view the browsers and versions being used by SSO users. Screen overview Related objects Hosts Ā : host of the system each one in a network. Detected browsers Ā : detected browners in a network. Printers Ā : configured printers in a network. Soffid parameters Ā : you can specify a parameter to be applied only in a network. Network discovery : to discover the mĆ”quinas and systems in the configured networks. Standard attributesĀ  Browsers table Operating system : used by the Active Directory agent in order to know if this host must be have an Active Directory host account. Using this functionality, no operator needs to be authorized to add or remove hosts on Active Directory. Soffid will do it for them. More and more, whenever this hosts is left off its IP address, the host account will be removed from Active Directory. This behavior can, of course, be customized. Browser name : browser name detected. IP Address : host IP. Last user : last user connected. Host name : host name. Serial number Device type CPU Last connection Locked Created on Created by Updated on Updated by Actions Browsers table "Query" Allows you to query detected browsers through different search systems, Quick, Basic and Advanced . Download CSV file Allows you to download a csv file with the hosts information. View Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. 
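The CSV import flow that the Import actions above describe (pick a file, decide which attributes to load, map each column, import) can be modelled to show what the mapping step actually decides. The following Python script is an added example written for this guide, not Soffid's importer: the attribute names name, description, ipAddress and network, the column headers in the constructed CSV, the required-field list and the add/update split by host name are all assumptions made for the example.

```python
import csv
import io

# Constructed sample upload. The column headers are the uploader's own,
# not Soffid attribute names, which is why a mapping step is needed.
# The last row deliberately lacks an IP address.
SAMPLE_CSV = """hostname,location,ip,net,os
ws-001,Floor 2,10.1.2.15,Office LAN,Windows
srv-db01,DC rack 4,10.1.50.7,Servers,Linux
ws-002,,10.1.2.16,Office LAN,Windows
ws-003,,,Office LAN,Linux
"""

# Mapping step: CSV column -> target attribute (assumed attribute names).
# A column mapped to None is the "do not load this attribute" choice.
COLUMN_MAPPING = {
    "hostname": "name",
    "location": "description",
    "ip": "ipAddress",
    "net": "network",
    "os": None,
}

# Assumed required fields; a row missing any of them is rejected.
REQUIRED = ("name", "ipAddress", "network")


def parse_import(csv_text, mapping, required=REQUIRED):
    """Apply the column mapping to every row.

    Returns (records, errors): records are dicts keyed by attribute name,
    errors are (csv_line_number, reason) tuples for rejected rows.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    unmapped = [c for c in reader.fieldnames if c not in mapping]
    if unmapped:
        # Every column must have an explicit decision (attribute or None).
        raise ValueError(f"unmapped columns: {unmapped}")
    records, errors = [], []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        rec = {}
        for column, attr in mapping.items():
            if attr is None:
                continue
            value = (row.get(column) or "").strip()
            if value:  # empty cells leave the attribute unset
                rec[attr] = value
        missing = [a for a in required if a not in rec]
        if missing:
            errors.append((line_no, f"missing required {missing}"))
            continue
        records.append(rec)
    return records, errors


def plan_import(records, existing):
    """Split records into those that add a new host and those that update
    an existing one, matching on the name attribute."""
    known = {h["name"] for h in existing}
    add = [r for r in records if r["name"] not in known]
    update = [r for r in records if r["name"] in known]
    return add, update


# Constructed picture of what is already registered.
EXISTING_HOSTS = [
    {"name": "srv-db01", "ipAddress": "10.1.50.7", "network": "Servers"},
]

if __name__ == "__main__":
    recs, errs = parse_import(SAMPLE_CSV, COLUMN_MAPPING)
    add, upd = plan_import(recs, EXISTING_HOSTS)
    print(f"{len(add)} to add, {len(upd)} to update, {len(errs)} rejected")
    for line_no, reason in errs:
        print(f"  line {line_no}: {reason}")
```

Reviewing the rejected rows before clicking Import is the point of the "check the content to be loaded" step: a row that silently lost its IP address would otherwise overwrite or create a host record with a gap in it.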
Printers

Description
Soffid lets administrator users manage system printers. A printer must always be attached to a host. A network-attached printer is composed of a host (the network print server) and a printer (the printer queue). Printers can be assigned to specific users or to user groups. The effective assignment can be done at session startup by using a Single Sign-On client script. To do that, it is necessary to add a script on a Login entry point with type x-mazinger-script.

Screen overview

Related objects
Hosts: hosts of the system; the host requires "Shared printers server" = yes.
Detected browsers: browsers detected in a network.
Printers: printers configured in a network.
Soffid parameters: you can specify a parameter to be applied only in a network.
Network discovery: to discover the machines and systems in the configured networks.

Standard attributes
Name: identifier name of the printer.
Description: additional printer information.
Printing server: where the printer is hosted.
Model: printer model.
Restricted: if checked, only the assigned users and groups of users can access the printer; otherwise any user can access it.
Users: assignment of printer queues to users.
Groups: assignment of printer queues to groups.

Actions

Printers table

"Query"
Allows you to query printers through different search systems: Quick, Basic and Advanced.

Add new
Allows you to create a new printer. To add a new printer it is mandatory to fill in the required fields.

Delete printer
Allows you to remove one or more printers by selecting one or more records and then clicking this button. Soffid will ask you for confirmation before performing the action; you can confirm or cancel the operation.

Download CSV file
Allows you to download a CSV file with the basic information of all printers.

Import
Allows you to upload a CSV file with the printer list to add or update printers in Soffid. First, you need to pick a CSV file; that CSV has to follow a specific layout. Then you need to check the content to be loaded; you can choose whether or not to load each attribute. Finally, you need to select the mapping for each column of the CSV file so that the data is imported correctly, and click the Import button.

View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

Printer detail

Add new
Allows you to create a new printer. To add a new printer it is mandatory to fill in the required fields and apply changes.

Delete
Allows you to remove one printer. Soffid will ask you for confirmation before performing the action; you can confirm or cancel the operation.

Undo
Allows you to quit without applying any changes.

Mail Domains

Description
The mail domains identify each single mail domain that is going to be managed and used in Soffid. Mail domains are validated when you enter an email in an attribute of type email: you cannot use mail domains that have not been previously registered. If a mail domain is marked as obsolete, it will no longer be assigned to a user.

Screen overview

Related objects
Users: email type attributes.
Mail lists: email type attributes.

Standard attributes
Code: the domain, written as it appears in an email address.
Description: a brief description of the domain name usage.
Obsolete: enabled to indicate that the domain will not be used and therefore should not be assigned.

Actions

Mail domains table

Add new
Allows you to create a new mail domain. To add a new mail domain it is mandatory to fill in the required fields.

Delete mail domain
Allows you to remove one or more mail domains by selecting one or more records and then clicking this button. Soffid will ask you for confirmation before performing the action; you can confirm or cancel the operation.

Download CSV file
Allows you to download a CSV file with the mail domains information.

Import
Allows you to upload a CSV file with the mail domain list to add or update mail domains in Soffid. First, you need to pick a CSV file; that CSV has to follow a specific layout. Then you need to check the content to be loaded; you can choose whether or not to load each attribute. Finally, you need to select the mapping for each column of the CSV file so that the data is imported correctly, and click the Import button.

View
Allows you to add or remove columns in the table. It is also possible to change the order of the columns.

Mail domain detail

Delete mail domain
Allows you to delete the mail domain. To delete a mail domain, click on the three-dots icon and then click the delete button (trash icon). Soffid will ask you for confirmation before performing the action; you can confirm or cancel the operation.

Undo
Allows you to undo the changes made.

Apply changes
Allows you to save the data of a new mail domain or to update the data of a specific mail domain. To save the data it is mandatory to fill in the required fields.

Mail Lists

Description
The mail lists identify addresses whose mail is delivered to one or more users, just as distribution mail lists do.

Screen overview

Related objects
Mail domain: mail domain of the list.
Mail lists: nested lists.
Users: assigned users.

Standard attributes
Name: identifier name of the mail list.
Mail domain: an existing domain in the system. It is a predictive field that facilitates the search.
Description: a brief description of the mail list.
Nested lists: nested mail lists.
External address: other mail addresses not managed by Soffid that will be on the mail list.
Roles: the users who have been assigned those roles will be on the mail list.
Groups: the users who belong to those groups will be on the mail list.
Users: users who will be on the mail list.
Subscribed to lists: the lists this list is subscribed to.
Computed target users: breakdown list of the users that are on the mailing list.
Created on
Created by
Updated on
Updated by

Actions

Mail List query

"Query"
Allows you to query mail lists through different search systems: Quick, Basic and Advanced.

Add new
Allows you to create a new mail list. To add a new mail list it is mandatory to fill in the required fields.

Delete mail list
Allows you to remove one or more mail lists by selecting one or more records and then clicking the button with the subtraction symbol (-). Soffid will ask you for confirmation before performing the action; you can confirm or cancel the operation.

Download CSV file
Allows you to download a CSV file with the mail lists information.

Import
Allows you to upload a CSV file with the list of mail lists to add or update mail lists in Soffid. First, you need to pick a CSV file; that CSV has to follow a specific layout. Then you need to check the content to be loaded; you can choose whether or not to load each attribute. Finally, you need to select the mapping for each column of the CSV file so that the data is imported correctly, and click the Import button.

View
Allows you to add or remove columns in the table. It is also possible to change the order of the columns.

Mail List detail

Apply changes
Allows you to save the data of a new mail list or to update the data of a specific mail list. To save the data it is mandatory to fill in the required fields.

Delete mail list
Allows you to delete the mail list. To delete a mail list, click on the three-dots icon and then click the delete button (trash icon). Soffid will ask you for confirmation before performing the action; you can confirm or cancel the operation.

Undo
Allows you to quit without applying any changes.

Application access tree

Description
The entry points can connect to information systems defined in Soffid or to other applications. These applications can be web applications or native applications. Each information system can have one or more application entry points. The entry points are managed in a tree structure that allows creating new menus and new application access entries. Each member of the tree can be tied to a list of users, account groups or roles. You can also choose whether the application menu entry is visible to unauthorized users. After logging on to a managed workstation, the system applies those restrictions and updates the Windows or Linux start menu. Each application entry point has different execution methods for fully managed workstations, loosely managed workstations and external devices; each of them can be a web browser URL or a piece of JavaScript. Each application entry point can have a single sign-on rule. Those rules are fully explained in the ESSO reference guide; for more information, you can visit the ESSO chapter. The defined entry points allow end users to open applications from the self-service portal. For more information, visit the My applications page.

Screen overview

Related objects
Information systems: configured information systems.
Agents: configured systems.
Users: authorizations.
Groups: authorizations.
Roles: authorizations.
Accounts: authorizations.
My applications: where the applications are published for the end users.
Networks: executions.

Standard attributes

Table
Name of the item. It can be a folder or an application. It is a tree view.

Basics tab
Menu: (yes|no) when Menu is Yes, this application acts like a folder to contain and organize other applications.
Name: application identifier name.
Description: description of the application.
Code: code of the application.
Information system: asset or application, from a functional point of view, on which the permissions are granted or revoked.
System (only for application items): information storage system from a technical point of view (Active Directory, database, CSV, ...). These systems are the agents configured in Soffid.
Menu type (only for folder type): List / Icons / Tree. Different views of the folder in the My applications page.
Public access: when it is Yes, this application is displayed as public in the self-service portal of all users.
Visible without permissions: when it is Yes, this application is displayed in the self-service portal, but only users with permissions are allowed to connect.
Icon: folder or application identification icon; you can see the new icon in the My applications page.

Authorizations tab
Allows you to grant access permissions to users, groups, roles or accounts. To give an authorization it is necessary, first of all, to select the grantee type, then to choose the user, group, role or account, and finally to choose the access level. The access level allows two options:
Manage: allows updating the entry point.
Execute: when the entry point has Public access set to NO, only users with the Execute access level can execute that entry point. When Public access is set to YES, all users can execute that entry point.

Executions tab
Allows administrator users to configure the entry point access. It is only available for entry points with the Menu option not selected. There are three options to configure the executions. Administrator users can configure one or more:
Running from Intranet: if you select the Yes option, Soffid checks whether the host that is trying to run this entry is located in a network flagged as internal; if so, Soffid allows the entry to run.
Running from Extranet: if you select the Yes option, Soffid checks whether the host that is trying to run this entry is located in a network NOT flagged as internal; if so, Soffid allows the entry to run.
Running on the Internet: if you select the Yes option, Soffid checks whether the host that is trying to run this entry is located in an unknown network; if so, Soffid allows the entry to run.
For each execution option it is possible to configure the following parameters:
Enabled: whether the option is available to configure.
Type: access connection type.
Content:
text/html: a URL to access the application.
x-application/x-mazinger-script: scripts that will be executed on ESSO clients.
Recorded session: configuration to use the PAM service.
Web Single Sign On: a URL to access the application with SSO.

ESSO
Allows you to customize a script that defines a pattern to detect when an application is used and how to inject the credentials. For more information, you can visit the ESSO chapter.

Actions

Table

"Query"
Allows you to query the entry points through different search systems: Quick, Basic and Advanced.

Create new entry
Allows you to add a new entry point. To create a new entry point, click the Create new entry button; Soffid displays a new window to fill in the entry point data. To add a new entry point it is mandatory to fill in the required fields.

Basics tab

Apply changes
Allows you to save the data of a new entry point or to update the data of a specific entry point. To save the data it is mandatory to fill in the required fields.

Delete
Allows you to delete the entry point. To delete an entry point, click the hamburger icon and then click the delete button (trash icon).
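The execution-location rules of the Executions tab (intranet, extranet, internet) and the Execute access level of the Authorizations tab above can be modelled to show how the two checks combine. The following Python code is an added example for this guide, not Soffid code: the network table with its "internal" flags, the entry point, the user names and role names are constructed, and the rule that a Manage grant alone does not count as Execute follows the wording of the Authorizations tab and is an assumption of the model, not a statement about Soffid's implementation. Group and account grantees would be handled the same way as roles and users and are left out.

```python
import ipaddress

# Constructed network table, as it would be kept on the Networks page: an
# address range and the "internal" flag that the Executions tab checks.
NETWORKS = [
    {"name": "Office LAN", "cidr": "10.1.0.0/16", "internal": True},
    {"name": "Servers", "cidr": "10.2.0.0/16", "internal": True},
    {"name": "Partner VPN", "cidr": "172.16.0.0/12", "internal": False},
]


def locate(ip, networks=NETWORKS):
    """Classify the client address the way the three execution options do:
    intranet (registered network flagged internal), extranet (registered
    network not flagged internal) or internet (no registered network)."""
    addr = ipaddress.ip_address(ip)
    # Most specific range first, so a subnet nested in a wider one wins.
    ranked = sorted(networks,
                    key=lambda n: ipaddress.ip_network(n["cidr"]).prefixlen,
                    reverse=True)
    for net in ranked:
        if addr in ipaddress.ip_network(net["cidr"]):
            return "intranet" if net["internal"] else "extranet"
    return "internet"


# Constructed entry point with just the fields these checks need.
ENTRY_POINT = {
    "name": "HR portal",
    "public_access": False,
    "authorizations": [                 # (grantee type, grantee, access level)
        ("role", "HR_STAFF", "Execute"),
        ("user", "alice", "Manage"),
    ],
    "executions": {                     # one block per execution option
        "intranet": {"enabled": True, "type": "Web Single Sign On",
                     "content": "https://hr.example.internal/"},
        "extranet": {"enabled": True, "type": "Recorded session",
                     "content": "pam-session:hr-jump"},
        "internet": {"enabled": False},
    },
}


def may_execute(entry_point, user, roles):
    """Execute access level as the Authorizations tab describes it: a public
    entry point runs for everyone; otherwise an Execute grant to the user or
    to one of the user's roles is required. A Manage grant alone is not
    treated as Execute in this model."""
    if entry_point["public_access"]:
        return True
    for gtype, grantee, level in entry_point["authorizations"]:
        if level != "Execute":
            continue
        if (gtype == "user" and grantee == user) or \
           (gtype == "role" and grantee in roles):
            return True
    return False


def execution_for(entry_point, user, roles, ip, networks=NETWORKS):
    """Return the execution block that applies to this user and location,
    or None when the entry point must not run (no Execute permission, or the
    option for that location is not enabled)."""
    if not may_execute(entry_point, user, roles):
        return None
    where = locate(ip, networks)
    exe = entry_point["executions"].get(where, {})
    if not exe.get("enabled"):
        return None
    return {"location": where, **exe}


if __name__ == "__main__":
    for ip in ("10.1.4.20", "172.20.3.9", "203.0.113.5"):
        print(ip, locate(ip), execution_for(ENTRY_POINT, "carol", {"HR_STAFF"}, ip))
```

The two checks are independent: a user with the right permission is still refused from an address that falls outside every registered network when "Running on the Internet" is not enabled, and an internal address does not help a user who lacks the Execute level on a non-public entry point.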
Soffid will ask you for confirmation before performing the action; you can confirm or cancel the operation.

Expand all
Displays all the attributes of the different blocks.

Collapse all
Hides all the attributes of the different blocks.

"Types of views"
Changes the view type: Classic view, Modern view, Compact design.

Undo
Allows you to quit without applying any changes made.

Authorizations tab

Add new
Allows you to add a new authorization. First, select the Grantee type, which can be a role, a user, an account or a group. Second, select the Grantee, which depends on the Grantee type selected. Then fill in the access level. Finally, apply changes.

Delete
Allows you to remove one or more authorizations by selecting one or more records and then clicking this button. Soffid will ask you for confirmation before performing the action; you can confirm or cancel the operation.

Import
Allows you to upload a CSV file with the authorization list to add or update authorizations in Soffid. First, you need to pick a CSV file; that CSV has to follow a specific layout. Then you need to check the content to be loaded; you can choose whether or not to load each attribute. Finally, you need to select the mapping for each column of the CSV file so that the data is imported correctly, and click the Import button.

Download CSV file
Allows you to download a CSV file with the authorizations.

Executions tab

Apply changes
Allows you to save the execution configuration.

Test
Checks whether the settings for a specific type are correct.

ESSO tab

Validate
Allows you to validate and save the script.

Password vault

Description
Soffid provides a protected storage to save and manage accounts for multiple applications: the Password vault. Here you can save the accounts and passwords used to access critical systems, as well as your applications. The Password vault allows you to handle the access control list for these accounts.
Sometimes these accounts can be used by a specific user or a set of users. The accounts are organized in folders depending on the permissions, the criticality level, and so on. These accounts can be system accounts or user accounts.
The Password vault exposes a subset of accounts to some users. These accounts are available through the self-service portal. You can visit the My applications page for more information.
When a privileged account is configured, it is possible to assign a workflow or approval process that must be requested in order to use that account. For more information visit the link How to apply policies.
Users can be authorized to manage their own personal accounts with the sso:manageAccounts authorization. For more information visit the Authorizations page.

Folders
In the password vault, two kinds of folders are used: personal folders and shared folders, which depend on the Owners configuration you define. On the one hand, each user has their own personal folder. Inside this folder, the user can create accounts; those accounts are not shared with any other user. On the other hand, the shared folders can be used or managed by the owner, manager or SSO users.

Accounts
Soffid allows you to create new accounts in a specific folder on the password vault page. To add a new account it is mandatory to fill in some attributes, such as System, Name and Login name. You can consult the existing accounts related to a folder. For each account you can update or delete the account, and view and set the password. You can also create accounts on the Account page and assign the appropriate vault folder.
Soffid allows administrator users to configure a workflow to request permissions when a user tries to change the password of a privileged account in the password vault. That process can be defined with the BPM Editor as an Account reservation type. For more information you can visit the BPM Editor book.

Screen overview

Related objects
Users: owner users, managers or SSO users of the account.
Roles: owner users, managers or SSO users of the account.
Groups: owner users, managers or SSO users of the account.
Accounts: information related to the accounts.
Agents: the target system in which that account is used (AD, Exchange, etc.).
Password policies: password policy of the owner user, or another one selected for the other account types.
Information systems: where the roles are gathered.
Configure PAM session servers: configured PAM servers.
Network discovery: services discovered for the account.

Standard attributes

Folder attributes
Name: folder name, which will be displayed in My Applications.
Description: folder description.
PAM policy: when using the PAM system, you can choose the policy that each folder must comply with. When you define a policy for a folder, that policy applies to all accounts hanging from this folder. For more information you can visit the Configure PAM page.
Owners: list of users, groups or roles who will be the folder owners.
Managers: list of users, groups or roles who can manage the folder. Those users can view the password depending on the password policy.
SSO users: list of users, groups or roles who can use the accounts of that folder.
Browse folder: list of users, groups or roles who can browse the folder but cannot perform any action.

Accounts attributes

Actions tab
This tab shows the read-only attributes of the user account:
Description: a brief description.
System: target system to which the account will be connected.
Login name: login name to connect to the target system.
Login URL: URL to connect.
Credential type: password.
In use by: name of the user who is using that account.
This tab also allows you to "Launch" the connection to the target system, view the password, set the password to launch the connection, and unlock the use of that account. All those options depend on the account definition and the user privileges.

Basics tab
This tab displays all the account attributes and allows you to update the account configuration. Visit the Account page to view more information about the standard attributes of an account.

Actions

Folders query actions

"Query buttons"
Allows you to query folders; only Quick search is available.

Add new
Allows you to create a new folder. To add a new folder it is mandatory to fill in the required fields. A folder needs to have at least one owner to manage it.

Add vault to password manager
This option is configured in Soffid's Password Manager. For more information, please refer to the Password Manager guide. Once this option is selected, the browser will ask you to confirm the installation of the extension. Select Add to Chrome (or the equivalent in another browser). Confirm the installation with "Add extension". Remember to pin the extension.

Create new folder (+)
When you hover over a folder, the (...) button appears, showing you this option. Once selected, you can create a subfolder of the selected folder.

Create new account (+)
When you hover over a folder, the (...) button appears, showing you this option. Once selected, you can create a child account within the selected folder.

Folder actions

Apply changes (disk button)
Allows you to save a new folder or update an existing folder. To save the data it is mandatory to fill in the required fields. Bear in mind that it is important to indicate who the owners of the folder are.

Delete
Allows you to delete a folder if you have the right permissions. To delete a folder, click on the hamburger icon and then click the delete button (trash icon). Soffid will ask you for confirmation before performing the action; you can confirm or cancel the operation.

Expand all
Displays all the attributes of the different blocks.

Collapse all
Hides all the attributes of the different blocks.

"Types of views"
Changes the view type: Classic view, Modern view, Compact design.

Undo
Allows you to quit without saving any change made.

Account actions

View password
Allows you to view the account password, if this feature is enabled in the password policies.

Set password
This option depends on the credential type selected.
Password: allows you to set a new password for the account or an SSH key. The password can be generated automatically, or you can set it yourself. The password must comply with the Password policies defined for the domain. If an account is unmanaged, the password is not sent to the target system.
SSH key: allows you to generate a new key or enter an existing key.
Kubernetes key: allows you to add a YAML descriptor.

Apply changes (disk button)
Allows you to save a new account. To save the data it is mandatory to fill in the required fields. Bear in mind that it is important to indicate who the owners of the folder are. If the account exists on the system, you can assign the vault folder in the account window.

Delete
Allows you to delete an account from a folder if you have the right permissions. To delete an account, click on the hamburger icon and then click the delete button (trash icon). Soffid will ask you for confirmation before performing the action; you can confirm or cancel the operation.

Expand all
Displays all the attributes of the different blocks.

Collapse all
Hides all the attributes of the different blocks.

"Types of views"
Changes the view type: Classic view, Modern view, Compact design.

Undo
Allows you to quit without saving any change made.
Example

How to apply policies
Soffid allows you to define policies and rules that apply to a specific folder or a set of folders. To do that, you need to install the XACML addon and configure the proper policies and rules. You can also configure a workflow or approval process that must be requested in order to use the accounts saved in a folder.

XACML PEP config
It is mandatory to enable the Password Vault PEP and populate the information about the XACML policy set and the version that applies.

XACML Policy Management
You need to configure the access to the folder "VaultFolder"; that folder can contain other folders and accounts. It is mandatory to configure the access list: who the owners, managers and so on are. You need to decide whether to configure the access control list by accounts, by folders, or both.
For instance, the policies you need to implement are the following:
1. Only between 6:00 and 18:00 can users use the accounts inside "demoFolder".
2. User "bob" can never use the accounts of demoFolder.
3. Users whose result is Permit need an authorization to use the accounts. You need to configure the workflow that will be called; to do so, include the bpm obligation in the policy. You can also include a message to the user, or other obligations.
Visit the XACML Book for more information.
Visit the BPM Editor Book for more information.

Custom objects

Description
The custom objects are objects created by the administrator to extend the underlying Soffid data model. This allows you to store additional information that is not natively supported by Soffid. This option allows administrator users to provide those objects with content. For more information about how to create a new custom object, visit the Metadata page.
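Going back to the three vault policies listed under How to apply policies in the Password vault section above, a small policy decision model makes it easy to check that the rules combine as intended before they are written as XACML. The following Python code is an added example for this guide and is not Soffid's XACML addon: the rule representation, the deny-overrides combining, the deny-by-default handling of NotApplicable, the workflow name and the message text are constructed for the example. The "bpm" obligation stands for the workflow obligation the guide says must be included so that the Password Vault PEP starts the approval process.

```python
from datetime import time


def make_request(user, folder, at):
    """Constructed request context: who wants an account from which vault
    folder, and the time of day at which the PEP evaluates it."""
    return {"user": user, "folder": folder, "time": at}


def in_demo_folder(req):
    return req["folder"] == "demoFolder"


# Each rule has a target predicate, an effect and optional obligations.
# Obligation ids and the workflow name are placeholders for this example.
RULES = [
    {   # policy 2: "bob" never uses the accounts of demoFolder
        "id": "deny-bob",
        "target": lambda r: in_demo_folder(r) and r["user"] == "bob",
        "effect": "Deny",
    },
    {   # policy 1: only between 06:00 and 18:00
        "id": "deny-outside-working-hours",
        "target": lambda r: (in_demo_folder(r)
                             and not (time(6, 0) <= r["time"] <= time(18, 0))),
        "effect": "Deny",
    },
    {   # policy 3: a permitted user still needs an approval
        "id": "permit-with-approval",
        "target": in_demo_folder,
        "effect": "Permit",
        "obligations": {
            "bpm": "account-reservation-approval",   # constructed workflow name
            "message": "This account needs an approval before use",
        },
    },
]


def evaluate(request, rules=RULES):
    """Deny-overrides combining: any applicable Deny decides the outcome;
    otherwise Permit is returned with the obligations of every applicable
    Permit rule; NotApplicable when no rule targets the request."""
    decision, obligations = "NotApplicable", {}
    for rule in rules:
        if not rule["target"](request):
            continue
        if rule["effect"] == "Deny":
            return "Deny", {}
        decision = "Permit"
        obligations.update(rule.get("obligations", {}))
    return decision, obligations


def enforce(request, rules=RULES):
    """What a PEP does with the decision: block the account, start the
    approval workflow named by the bpm obligation, or let the user through
    when no obligation requires approval. Anything other than Permit is
    blocked (deny by default in this model)."""
    decision, obligations = evaluate(request, rules)
    if decision != "Permit":
        return ("blocked", None)
    if "bpm" in obligations:
        return ("approval-required", obligations["bpm"])
    return ("allowed", None)


if __name__ == "__main__":
    for req in (make_request("bob", "demoFolder", time(10, 0)),
                make_request("alice", "demoFolder", time(19, 30)),
                make_request("alice", "demoFolder", time(10, 0))):
        print(req["user"], req["time"], evaluate(req), enforce(req))
```

Ordering the Deny rules before the Permit rule is not what makes them win; the deny-overrides combining does. That matters when a policy set grows, because a later Permit added by someone else cannot silently reopen access that a Deny was meant to close.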
Screen overview
Related objects
Metadata: where the custom object type is configured.
Standard attributes
Attributes by default:
Name: identification name.
Description: brief description.
Every custom object type can have additional attributes, defined by administrator users when they create the object type in the Metadata page.
Actions
Custom object query
Query: allows you to query custom objects through the different search systems: Quick, Basic and Advanced.
Add new: allows you to create a new custom object. You can choose that option from the hamburger menu or by clicking the add button (+). To add a new custom object it is mandatory to fill in the required fields.
Delete custom object: allows you to remove one or more custom objects by selecting one or more records and then clicking the button with the subtraction symbol (-). Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.
Download CSV file: allows you to download a CSV file with the custom objects' information.
Import: allows you to upload a CSV file with a custom object list to add or update custom objects in Soffid. First, you need to pick a CSV file with the expected structure. Then you need to check the content to be loaded; you can choose whether or not to load each attribute. Finally, you need to select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.
View: allows you to add or remove columns in the table. It is also possible to change the order of the columns.
Custom object detail
Apply changes: allows you to save the data of a new custom object or to update the data of a specific custom object. To save the data it is mandatory to fill in the required fields.
Delete custom object: allows you to remove a custom object. You can choose that option via the trash icon.
Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.
Undo: allows you to undo any changes made.
Examples
How to use custom objects in scripts
Example 1: retrieve the list of records of the custom object type Country.
  lCusObj = serviceLocator.getCustomObjectService().findCustomObjectNames("Country");
Example 2: retrieve a custom object of type Country by its name.
  cusObj = serviceLocator.getCustomObjectService().findCustomObjectByTypeAndName("Country", "ES");
Example 3: list the custom objects of type Country whose name starts with "A".
  lCusObj = serviceLocator.getCustomObjectService().findCustomObjectByJsonQuery("Country", "name sw \"A\"");
  for (int i = 0; i < lCusObj.size(); i++) {
      // each element of lCusObj is one matching Country object
  }

Global Settings (Configuration > Global Settings)

Tenants
Definition
Soffid is multi-tenant. This means that one can configure many different tenants to manage disjoint groups of identities and applications. Each Soffid object, including applications, systems, roles, users and accounts, is bound to a single tenant. There is a special tenant named master. Master tenant administrators can jump to any other tenant with administration privileges. Soffid recommends connecting directly to the specific tenant to configure it correctly. You have more information about this topic in the Tenant access section.
Screen overview
Related objects
Authorizations: to exclude authorizations in the tenants.
Synchronization servers: sync servers available to manage the tenant.
Standard attributes
Name: a short name for the tenant.
Description: a long description for the tenant.
Enabled: usually set to Yes. If it is set to No, no user will be able to log in to that tenant, and no provisioning or automated task will be run on that tenant.
Disabled permissions: by default, tenant administrator permissions are restricted, so they are not able to bypass tenant borders and access other tenants' information.
To achieve this, the following permissions are disabled by default, but others can be added:
Open the tenants management page
Use the tenant micro-service
Manage sync servers
Assigned servers: by default, a new tenant is not able to use any sync server unless it is authorized to. So one can create a sync server for a specific tenant that cannot be used by any other tenant.
Actions
Table actions
Add new: allows you to create a new tenant.
Download CSV file: allows you to download a CSV file with the tenant information displayed in the table.
Tenant actions
Apply changes: allows you to save the data of a new tenant or to update the data of a specific tenant. To save the data it is mandatory to fill in the required fields.
Export: generates a compressed file with all the information contained in the tenant. It includes even the connector configurations, mappings and global settings.
Delete tenant: allows you to delete the tenant. Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation. Remember that this action deletes all the data of the tenant. We recommend saving a backup using the Export option beforehand.
Login: if you have permission to log into a different tenant, you can use this option to access it. This option is not intended for normal usage, but for administrative purposes.
Import: allows you to upload a previously exported tenant. The process restores all the information contained in the tenant, including connector configurations, mappings and global settings. If the tenant already exists, the process does not replace it: a new tenant is created with a new name. If you want to replace the existing tenant, remove it before uploading the tenant export file.
Undo: allows you to quit without applying any changes.
Others
Tenant access
Option 1: direct access to the tenant
When users connect to the Soffid console, the master tenant is displayed by default.
In order to connect directly to any tenant, a DNS entry with the tenant name must be added to your DNS server. For instance, if you have deployed a Soffid console with the DNS name console.soffid4.local, the DNS name test.console.soffid4.local will be used to access the test tenant. Note that you must configure the hostName Soffid parameter in the master tenant with your DNS name.
Option 2: access through the master
You can also configure the login page using the soffid.auth.showTenant Soffid parameter. If the parameter value is true, Soffid displays an additional box on the login page where the name of the tenant to log in to can be entered.

License and plugin
Definition
License
Soffid 4 requires a valid licence to enable its features. The licence token must be provided by Soffid and enables the modules you have contracted for the duration of the contract. A new licence token will be provided upon each renewal.
Plugin
Soffid provides additional functionality through installable addons and server plugins. There are two main types of addons: system connectors and console addons. You can download existing addons and plugins developed by Soffid by visiting http://download.soffid.com/download or http://download.soffid.com/download/enterprise if you have a Soffid user with authorization. In Soffid version 4, a marketplace has been implemented that allows you to upload or update addons or connectors directly from the Console. An addon or plugin must be uploaded into the master tenant; the other tenants inherit the installed addons and plugins. Addons and plugins can be developed using the Addon Development Guide.
System connectors
Also referred to as plugins, these are small pieces of software able to manage identities on some type of system. They can be generic plugins (SQL or LDAP plugins) or custom-specific plugins. The system connector is configured when the administrator creates an agent. An agent can be viewed as a configured instance of a plugin.
In order to upgrade existing (running) plugins, the synchronization server that hosts the plugin must be restarted from the system monitoring screen. A connector can contain one or more types of agents, and you can create as many agents (of the same type or not) as you need to connect to Soffid.
Console addons
Console addons add important features to the Soffid console. A console addon can contain common classes, data models, transactional services, web services and web interfaces. In order to apply addon changes, the console must be restarted. It can be restarted from this page by clicking on the Restart console button. Some addons, such as Federation, also require restarting the synchronization servers.
From this page you will be able to upload and upgrade server plugins, as well as enable or disable them.
Screen overview
Related objects
Tenants: the plugins are managed in the master tenant.
Agents: used to configure a system connector; the agent types are provided by the connector plugins.
Standard attributes
Table attributes
Plugin: identifying name of the deployed plugin or addon.
Version: version of the plugin or addon.
Deployed by: user who deployed the addon or plugin.
Date: date and time of the deployment.
When a plugin is disabled, it is displayed struck through.
Plugin attributes
Name: identifying name of the deployed plugin or addon.
Version: name + version.
Enabled: if Enabled is Yes, the plugin or addon is available to use.
Components: list of the components that make up the plugin or addon.
Actions
Table actions
Add new: Soffid 4 allows you to install and update plugins through the new Addons marketplace feature. To access the marketplace, you must have a valid token to use Soffid and have configured the Console over HTTPS.
Upload: allows you to upload and install a new plugin or addon. You must pick a file, which has to be a valid addon or plugin. Once the file is selected, it is uploaded automatically.
Then you must restart the sync server or the console, depending on the uploaded plugin. Soffid will tell you which one to restart once the plugin has loaded.
Delete plugin: allows you to delete one or more plugins or addons; select one or more records from the list and click this button. Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.
Download CSV file: allows you to download a CSV file with all the information about the plugins.
Restart console: allows you to restart the console to apply addon changes. That operation is mandatory when you load an addon.
License manager: to activate the features of Soffid 4, you must apply a token with the Soffid licence you have purchased. Local testing or developer environments also require a token. The 'Licence manager' option lists valid tokens, old tokens, and tokens pending acceptance and use.
Plugin actions
Apply changes (disk button): allows you to update the plugin. Only the "Enabled" attribute can be modified. Once you apply changes, the plugin details page is closed.
Delete plugin: allows you to delete and uninstall a specific plugin. To delete a plugin, click on the "three dots" icon and then click the delete plugin button. Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.
Undo: allows you to undo any changes.
Others
First access to Soffid
Once Soffid is installed and you access the console with the admin user, the only option enabled will be this screen. You should now open it and click the "Licence manager" button to search for and accept the token that has been provided to you; for this step to be possible, you must first configure the console over HTTPS. This step is explained in the Soffid 4 installation manual.
Once the console is served over HTTPS and the licence token has been enabled, you will be able to access the contracted modules, and this is indicated in the page title.
Access without token
When you access the 'Licence manager' and there are no tokens available, you must contact Soffid. Please remember that the username used must be the one for the Soffid platform; it is the same one that gives you access to our support portal or the downloads page.

Look & feel
Definition
Soffid's Look & feel page allows you to adjust the console styles to your organization. In this configuration page, two sections can be customized:
Images: you can change the logo image that appears on the login page, the logo that appears in the left bar, and the logo that appears in the top bar.
Colors: you can change the colors of the Soffid components and text.
Changes made on this page affect the entire console. Some changes may require reloading the browser several times because some items are in the browser's cache.
Screen overview
Standard attributes
Images
Login image: logo used on the login and logout screens. Image in PNG or JPG format.
Left bar image: this image appears in the menu on the left. Image in PNG or JPG format.
Top bar image: this image appears in the top bar menu. Image in PNG or JPG format.
Colors
Primary: login/logout background, buttons, page icons, table selections.
Secondary: icons in the menu pages.
Tertiary: buttons, page icons.
Actions
For the images
Pick a file: allows you to pick a file to load. The file must have a specific format.
For the page
Reset values: allows you to return to the default Soffid values.
Confirm changes: allows you to apply the changes made.
Examples
Top icon, left bar, page icons and colors
Login page with logo and colors

Soffid parameters
Definition
Soffid allows you to customize the configuration of some attributes of the console, sync server, connectors and addons. There are several types of parameters:
Informative parameters, such as the versions of Soffid's internal components.
Parameters used as attributes in Soffid screens, such as the values of the look & feel fields.
Parameters that can be modified, such as some configuration data for the synchronization server.
New parameters that can be added to expand the functionality of Soffid, such as the mail server data.
If you want to know the Soffid console version, check the component.iam-core.version parameter.
Screen overview
Standard attributes
Parameter: code/name used to identify the parameter.
Value: parameter value.
Network (optional): network to which this parameter is assigned.
Description (optional): a brief description of the parameter.
Actions
Table actions
Add new: allows you to add a new Soffid parameter. To add a new parameter it is mandatory to fill in the required fields.
Delete parameter: allows you to delete one or more Soffid parameters by selecting one or more records and then clicking this button. Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.
Download CSV file: allows you to download a CSV file with the basic information of all Soffid parameters.
Import: allows you to upload a CSV file with a parameter list to add, update or delete parameters in Soffid. First, you need to pick a CSV file with the expected structure. Then you need to check the content to be loaded; you can choose whether or not to load each attribute. Finally, you need to select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.
To delete a parameter through an import, the Value of the parameter must be empty, as in this CSV:
  "Parameter","Network","Value","Description"
  "addon.backup.test","","",""
Detail actions
Apply changes (disk button): allows you to save the data of a new parameter or to update the data of a specific parameter. To save the data it is mandatory to fill in the required fields. Once you apply changes, the parameter details page is closed.
Delete parameter: allows you to delete a specific Soffid parameter. To delete a parameter you can click on the "three dots" icon and then click the delete parameter button. Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.
Undo: allows you to quit without applying any changes.
List of parameters sorted by functionality
Console
Parameter: Description
soffid.auth.system: the managed system where the account name is searched on user login. Defaults to soffid.
soffid.auth.trustedLogin: set to true to enable the Soffid console to validate passwords on trusted systems. If set to false, the password is validated against the internal tables only.
soffid.delegation.disable: set to true to prevent users from delegating permissions from the self-service page.
soffid.entitlement.group.holder: set to optional to enable the operator to set a group as the holder group for any entitlement assignment; set to always to enforce that every entitlement assignment must be bound to a holder group; set to none to disable this feature. This parameter affects role holders.
soffid.language: enforces the user interface language.
soffid.language.default: default user interface language (en).
soffid.network.internet: sets the name of a generic subnet that holds any host not included in any listed network.
soffid.proxy.trustedIps: the IP addresses of any reverse proxies in front of the Soffid servers.
When an incoming request comes from one of these trusted IP addresses, the X-Forwarded-For header is taken as the real source IP of the request. In any other case, the X-Forwarded-For header is ignored; honouring it from an untrusted peer would let any client spoof its source address in the audit trail and in network-based rules. This parameter can take a list of IP addresses separated by commas, like the following ones:
  127.0.0.1
  192.168.120.1, 192.168.120.2
To allow a range of network IPs, one can use the wildcard (*) symbol, as in the following example:
  127.0.0.1, 192.168.120.*
Starting with Soffid console 3.3.0, the network-address/bits notation is allowed, as in the following example:
  127.0.0.1, 192.168.120.128/25
soffid.propagate.timeout: timeout in seconds to retry the password validation needed to propagate a password change notified by a managed system (requires sync server 1.5.4).
soffid.server.sharedThreads: number of shared dispatcher threads per synchronization server (by default 1).
soffid.syslog.server: hostname or IP address of the server hosting the SIEM. The SIEM receives the audit information using the syslog protocol.
soffid.task.limit: the maximum number of tasks allowed per transaction. If a simple or complex transaction generates more tasks than specified, those tasks are kept on hold. Administrators can release them through the monitoring page. (version 2.0+)
soffid.ui.docPath: the path where report and workflow documents are stored.
soffid.ui.docServer: URL of the server where the files are stored.
soffid.ui.docStrategy: class responsible for managing report and workflow documents.
soffid.ui.docTempPath: the path where temporary files are stored.
soffid.ui.docUsername: username for the doc server.
soffid.ui.docUserPassword: password for the doc server.
soffid.ui.maxrows: the maximum number of rows to display in searches. The default value is 200, but you can change it.
soffid.ui.timeout: maximum time (in milliseconds) a query can take to complete (version 2.0+).
soffid.ui.wildcarts: setting the value auto enables the user interface to add wildcards to user queries.
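The soffid.proxy.trustedIps behaviour described above, as an added example in Python (not Soffid's own implementation): parsing the three notations the parameter accepts (plain address, trailing wildcard, address/bits) and deciding when X-Forwarded-For may be believed. It goes one step beyond the page's statement: when the header holds several hops, it takes the right-most address that is not itself a trusted proxy, because every hop to the left of that is client-supplied input. The function names are the example's own.

```python
import ipaddress
from typing import List, Optional

# Added example, not Soffid code. It mirrors the rule for
# soffid.proxy.trustedIps: trust X-Forwarded-For only when the TCP peer is a
# listed reverse proxy.


def parse_trusted_ips(value: str) -> list:
    """Parse a comma-separated trusted-proxy list into ip_network objects.

    Accepted forms: "10.1.2.3" (single host), "192.168.120.*" (trailing
    wildcard, one or more octets) and "192.168.120.128/25" (address/bits).
    Anything else raises ValueError so a typo fails closed instead of
    silently trusting nobody or everybody.
    """
    networks = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        if "/" in entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
        elif entry.endswith("*"):
            octets = entry.split(".")
            fixed = octets[:-1]
            if (octets[-1] != "*" or not 1 <= len(fixed) <= 3
                    or not all(o.isdigit() and 0 <= int(o) <= 255 for o in fixed)):
                raise ValueError(f"bad wildcard entry: {entry!r}")
            base = ".".join(fixed + ["0"] * (4 - len(fixed)))
            networks.append(ipaddress.ip_network(f"{base}/{8 * len(fixed)}"))
        else:
            networks.append(ipaddress.ip_network(entry))  # single host: /32 or /128
    return networks


def _is_trusted(addr, trusted: list) -> bool:
    return any(addr in net for net in trusted)


def client_address(peer_ip: str, x_forwarded_for: Optional[str], trusted: list) -> str:
    """Return the address to record as the source of the request.

    The header is honoured only when the socket peer is a trusted proxy;
    otherwise the peer address is used and the header is ignored. When
    honoured, the right-most hop that is not a trusted proxy is the client:
    each trusted hop appends the peer it saw, so everything left of it was
    written by the client. A malformed header falls back to the peer.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not x_forwarded_for or not _is_trusted(peer, trusted):
        return str(peer)
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer)  # every hop was a trusted proxy: keep the socket peer
```

Keep the list as short as possible: every address in it is allowed to assert any source IP it likes, so it should contain the reverse proxies and nothing else.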
soffid.ui.wildcarts (continued): setting it to off disables this feature.
soffid.externalURL: external URL used to access the Soffid console.
soffid.kerberos.agent: the name of the Windows server agent, so that any incoming Kerberos packets are authenticated against that domain.
soffid.pam.search.recordings.timeout: if the recordings query reaches its timeout, use this parameter to specify a longer timeout in milliseconds. If you do not configure this parameter, the default is 60000 milliseconds. (version 3.5.18+)
soffid.nameformat: configures how the users' full name is displayed, where %1$s is the first name, %2$s is the middle name and %3$s is the last name. For instance: %2$s %3$s, %1$s
soffid.issue.next: allows you to initialize the ID that will be given to the next issue. The default value is 1.
soffid.upload.maxsize: allows you to set the maximum size in bytes for files uploaded to Soffid. If this parameter is not configured, the value is 100000000 bytes (100 MB).
Syncserver
Parameter: Description
SSOServer: indicates which server serves the workstations that run SSO. This parameter can have a different value for each subnet, so you can define the ESSO servers allowed for each subnet.
seycon.https.port: port the synchronization server listens on. This parameter is used by ESSO clients to connect to the synchronization servers.
seycon.server.list: lists where the sync server and the backup sync server are installed. When the first synchronization server is installed, this parameter is updated automatically. If you want to install a backup synchronization server you must update this parameter manually. Note that proxy synchronization servers are not on this list. See the Soffid installation guide.
soffid.sync.engine.threads: allows you to configure the number of threads available to run tasks. If you do not set this parameter, Soffid runs 1 thread for every 50 systems, but never more than twice the number of CPUs of the server.
The value of the parameter must be greater than or equal to 1. (Available in Sync Server version 3.5.15+)
Mail server
Parameter: Description
mail.host: host used to send electronic mail messages.
mail.from: address that is set as the email sender.
mail.transport.protocol: set to SMTPS for secure mail. The default value, SMTP, uses the plain SMTP protocol.
mail.auth: set to true if your mail server requires user authentication.
mail.user: your email user name, if your mail server requires user authentication.
mail.password: your email password, if your mail server requires user authentication.
mail.port: 25 by default; with this parameter a different port can be set.
mail.smtp.sasl.enable: set to true to enable SASL.
Job notifications
Parameter: Description
soffid.scheduler.error.notify: users to notify when a scheduled task fails.
soffid.bpm.error.notify: users to notify when a BPM task fails.
soffid.bpm.error.retry: set to true to always retry any failed BPM task.
Syncserver provisioning
Parameter: Description
soffid.server.register: set to direct to bypass the standard workflow needed for a sync server to join the sync servers' security network. Otherwise, the standard approval workflow is required (since sync server 2.6.0). You can also set it to no-direct.
Addon federation
Parameter: Description
addon.federation.essoidp: the Identity Provider identifier that will act as the authentication provider. For more information, visit the How to add to ESSO a second factor of authentication page.
Identity Self Service and emails
Parameter: Description
AutoSSOURL: the URL that the end user of Identity Self Service will see. It is used in various Soffid modules: when the soffid.externalURL parameter has not been specified, and in the reports addon for emails.
Exclude menu options
To exclude default menu options for all users of the Soffid console, follow these steps:
1. Edit the system.properties file of the console. You can find this file in the following path: /opt/soffid/iam-console-3/conf/
2. Add the soffid.menu.hidden parameter to the system.properties file. The value of this parameter is the names of the menu options to hide, which you can find in the console.yaml file.
3. Restart the Soffid console.

User types
Description
The user type is the way to categorize users, and it allows configuring different password policies. Those policies can be more or less restrictive depending on the user's risk. For instance, internal users (automatically created) are different from external ones. Therefore, this field is very useful in the following cases:
Sorting or listing the users on the users page or in the reports
Applying different password policies
Applying restrictions on the synchronization from Soffid to the target systems
Easing configuration in automatic rules or custom scripts
Bear in mind that a user must always belong to a user type.
Screen overview
Related objects
Users: each user must be assigned a user type.
Accounts: shared or privileged accounts also require a user type, in order to associate them with a password policy.
Agents: for agents not based on "Manual account creation", you must select the user types that can be synchronized.
Standard attributes
Short name: internal code used to identify the user type.
Description: brief description of the user type.
Managed: (yes|no) if not managed, users belonging to this category are not propagated to the target systems. Use it when you are developing a PoC.
Actions
User type table
Add new: allows you to create a new user type. To add a new user type it is mandatory to fill in the required fields.
Delete user type: allows you to remove one or more user types by selecting one or more records and then clicking this button.
Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.
Download CSV file: allows you to download a CSV file with the basic information of all user types.
Import: allows you to upload a CSV file with a user type list to add or update user types in Soffid. First, you need to pick a CSV file with the expected structure. Then you need to check the content to be loaded; you can choose whether or not to load each attribute. Finally, you need to select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.
View: allows you to show and hide columns in the table. You can also set the order in which the columns are displayed.
User type detail
Apply changes (disk button): allows you to save the data of a new user type or to update the data of a specific user type. To save the data it is mandatory to fill in the required fields. Once you apply changes, the details page is closed.
Delete: allows you to delete the user type. To delete a user type you can click on the hamburger icon and then click the delete button (trash icon). Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.
Undo: allows you to undo any changes made.

Group types
Description
Companies are organized in different business units, departments or workgroups. In Soffid, they are all named groups. These groups can be categorized by a group type. Group types can be used in the definition of holder groups: some roles can be assigned to a user only through a group enabled for it, and when the user no longer belongs to such a group, that role can no longer be assigned to the user.
A user always belongs to a user type, but groups do not necessarily have to belong to a group type.
Screen overview
Related objects
Groups: the group type is an attribute of groups.
Users: users belong to a primary group and may belong to secondary groups.
Metadata: to add attributes for the holder group relation in the com.soffid.iam.iga.api.UserGroup object.
Standard attributes
Name: name (or code) of the organizational unit.
Description: description of the organizational unit.
Role holder: (yes|no) when this attribute is active (yes), all the groups of this type of organizational unit can be assigned to a user as the scope (domain) of a role.
Actions
Group type table
Add new: allows you to create a new group type. To add a new group type it is mandatory to fill in the required fields.
Delete group type: allows you to remove one or more group types by selecting one or more records and then clicking this button. Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.
Download CSV file: allows you to download a CSV file with the basic information of all group types.
Import: allows you to upload a CSV file with a group type list to add or update group types in Soffid. First, you need to pick a CSV file with the expected structure. Then you need to check the content to be loaded; you can choose whether or not to load each attribute. Finally, you need to select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.
Group type detail
Apply changes (disk button): allows you to save the data of a new group type or to update the data of a specific group type. To save the data it is mandatory to fill in the required fields.
Delete group type: allows you to delete the group type.
To delete a group type you can click on the "three dots" icon and then click the delete group type button. Soffid will ask you for confirmation before performing that action; you can confirm or cancel the operation.
Undo: allows you to undo any changes made.
Apply changes: allows you to save the data of a new group type or to update the data of a specific group type. To save the data it is mandatory to fill in the required fields. Once you apply changes, the details page is closed.
About role holder (and holder group)
In some organizations it is necessary to assign roles that affect only a part of the structure, for instance a department, a division or a country. A holder group can be defined as a collection of entities (referred to as "holders") that share similar characteristics, roles, permissions or access requirements. The concept of a holder group simplifies the management of identities by enabling administrators to apply policies, assign roles and manage permissions at the group level rather than individually. The role holder is the role that requires being assigned to a group, and the holder group is the group that can be assigned the role permission. To configure this functionality correctly, apply the following steps:
1. Create at least one organizational unit (group type) with the role holder attribute active (yes).
2. Assign groups to the organizational unit (through the group's type attribute). You can also include new custom attributes in this membership relation: go to the Metadata page and select the UserGroup object to add those attributes.
3. In the Soffid parameters page, create a new parameter named soffid.entitlement.group.holder. It can have one of these three values:
   optional: enables the operator to set a group as the holder group for any entitlement assignment.
   always: enforces that every entitlement assignment must be bound to a holder group.
   none: disables this feature.
Now you can start applying this configuration to the users:
1. In the Users page, select a user.
2. In the Groups tab, add a new group.
3. In the Roles tab, add a new role and select the holder group in the optional scope. If the holder group column is hidden, you can add it with the Add or remove columns option.

Metadata
Description
The Metadata functionality allows expanding the Soffid objects, their attributes and their data types. It also allows expanding custom objects. By default, there is a list of built-in objects, but it is possible to create new custom objects and add new custom attributes to each of them. It is usual to add custom attributes to the User built-in object to hold additional information. Each attribute has a data type; it may be a basic type such as a String (simple text), an integer value or a date, or something more complex such as a reference to a custom object or a popup to select a manager. In this way, one can build relationships between objects.
Built-in objects
The built-in objects are the objects that are part of the Soffid core. They cannot be removed, but custom attributes can be added to them. The following objects are Soffid well-known objects that can be customized by means of this screen. All of them are tagged as Built-in objects:
Account, Group, Host, InformationSystem, MailList, ProcessInstance, Role, RoleAccount, User, UserGroup
Custom objects
The custom objects are the objects created by the administrator to extend the underlying Soffid data model. All of them are marked as Built-in type No. Each custom object type created by the administrator is displayed in the Custom objects menu options.
Screen overview
Related objects
Account: account object
Group: group object
Host: host object
InformationSystem: information system object
MailList: mail list object
ProcessInstance: workflows:
  My tasks: pending workflows where the user has to perform an action in order for the workflow to continue.
My requests : the workflows that the user can initiate are listed here.
My requests > Query request status : to search for all processes started by oneself.
Process Search : to search for all processes.
Role : role object
RoleAccount : this is the grant, the relation between user and role
User : user object
UserGroup : secondary group relation in the user page

Standard attributes

Table attributes
Name : name of the custom object. This field is mandatory.
Description : a brief description of the custom object. This field is mandatory.
Built-in type : yes when it is a native object, no when it is a created custom object.
Write access : allows you to select the proper roles with permissions to write. This field is only displayed when the Public object value is No.
Read access : allows you to select the proper roles with permissions to read. This field is only displayed when the Public object value is No.
Public object : if you select the Yes option, the object will be visible to all the users with the proper permissions. If you select the No option, you must indicate what roles can Read and what roles can Write this object.
Use textual index : allows you to check the Yes option if you want to use the Textual index for searching data in this object.

Object attributes
Object type : code/name to identify a built-in type or a custom object.
Description : a brief description of the object.
Use textual index : allows you to select the Yes option if you want to use the Textual index for searching data in this object.
Public object : only for custom objects. If you select the Yes option, the object will be visible to all the users with the proper permissions (role with authorization). If you select the No option, you must indicate what roles can Read and what roles can Write this object.
For more information, you can visit the Textual index page.

Attribute attributes
Code : short name used by scripts and connectors to access the underlying information.
It is suggested to use short names without blanks or special characters to make it easier to use.
Label : text displayed just beside the attribute value. It is advised to use short descriptions in order to keep the screen cleaner. In Soffid 4, labels are multilanguage. Once you have saved a new attribute, you can modify it by clicking on the language icon.
Data type : the attributes can have different data types.
Basics
String: a text.
Number: a number.
Password: a text that will be stored encrypted in the database. This field will never be displayed to the end user.
Binary: raw information, probably images or documents.
Boolean: true/false, displayed as a switch button.
Photo: an image that is displayed as a small image.
Date: a date with a calendar popup.
Date and time: a date and time with a calendar popup.
E-mail: a text with email format. The mail domain must exist in Soffid to be saved.
HTML: rich text.
Separator: a separator is a label used to group attributes according to some criteria.
SSO HTML input: used primarily for the web SSO engine; includes an input field and a value.
Attachment: files stored as files.
Soffid objects
Account
User
Group
Group type
Role
Information System
Host
Network
User Type
Mail domain
Mail list
Operating system
Printer
Target system (agent)
Custom objects : any other custom object created by the administrator.
Letter case : different options for modifying the text once it has been entered:
Keep as entered by the user
Upper case letters
Lower case letters
User hint : text used to indicate to the user how the text should be entered.
Description : text field to write a brief description of the attribute. In Soffid 4, you can see it in the attribute by hovering over the round information icon.
Required : enabling this box will enforce the user to enter a value for this attribute on any object. Set No to allow objects without a value. If you try to save without a value, an error message is displayed.
Include in quick search : the system will find any object that contains all the words included in the text search in any of the most relevant attributes. For instance, a quick search of "John Joe" will find users named "Joe Johnson" or "Johnathan Joel", as the first and last name are marked to be included in the quick search. If you enable the quick search for any new attribute, the same query will also find a user named "Joe Williams" whose new attribute value is "John".
Prevent duplicated values : marks this field as a unique key for the object type. There is no chance of two objects with the same attribute value; the Soffid smart engine will avoid the creation of duplicated objects.
Multiple values : some attributes can contain multiple values for the same object. For instance, an attribute containing the languages a user can speak can be multi-valued, as a user can speak multiple languages.
Maximum number of rows to display : when an attribute is multivalued, the screen size can grow a lot. To prevent such a big form, the system will only display a maximum number of values, and a scroll bar will appear to browse through the attribute values.
Size : primarily for string attributes, specifies the maximum length in characters of the attribute value.
Values : primarily for attributes of data type String, you can specify the allowed values for the attribute. Then the text box for the String data type is replaced by a drop-down list. You can also define a "code:label" pair for the value: the "code" is used internally and the "label" is displayed in the drop-down list, e.g. "ESP:Spain".
Administrator visibility : sets the maximum visibility level for administrators. If the visibility level is set to read-only, the administrator will not be allowed to modify it. If the visibility is set to hidden, the administrator will not be able to query it. A user is considered an administrator when they have the role SOFFID_ADMIN. This field is only used in the user object built-in attributes.
Operator visibility : sets the maximum visibility level for operators. If the visibility level is set to read-only, the operator will not be allowed to modify it. If the visibility is set to hidden, the operator will not be able to query it. A user is considered an operator when they have permission to open the users management page but lack the role SOFFID_ADMIN. This field is only used in the user object built-in attributes.
User visibility : sets the maximum visibility level for end-users. If the visibility level is set to read-only, the user will not be allowed to modify it. If the visibility is set to hidden, the user will not be able to query it. Mind that even an administrator is considered to be a user rather than an administrator or operator when accessing their own identity. This field is only used in the user object built-in attributes.
Visibility expression : write an optional BeanShell expression to check whether the field should be displayed or not. The expression should return true or false. The following variables are exposed to the expression:
ownerObject: current object owning the attribute.
value: current attribute value.
requestContext: tip about the screen using the attribute.
inputField: the ZK input object (ZK Framework).
inputFields: a map to get access to any other ZK input object (ZK Framework).
serviceLocator: locator to use any Soffid engine microservice.

// Sample to enable the company name attribute only when the user is of type E (external)
// ownerObject is the User object that owns the attribute
return "E".equals(ownerObject.userType);

Validation expression : write an optional BeanShell expression to check whether the field value is acceptable or not. The expression should return true if the value is acceptable. If the expression returns false or any other object, a warning message will be displayed. When the expression returns a string value, the return value is considered the warning message to present to the end-user.
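A fuller validation expression that ties together the user type check from the visibility sample and the "company" attribute used by the trigger samples, added here as an illustration rather than taken from the Soffid documentation or product. It assumes the attribute being validated is a custom String attribute "employeeId" of the User object, that ownerObject.userType holds the user type code, and that ownerObject.attributes is the map of custom attribute values; the "AB123456" employee id format is constructed for the example.

```java
// BeanShell validation expression for a custom String attribute "employeeId" on User.
// Added illustration (not from the Soffid docs). Assumptions: ownerObject is the User
// being edited, ownerObject.userType is its user type code and ownerObject.attributes
// is the map of custom attribute values. Returns true when the value is acceptable,
// or a String that Soffid shows to the end-user as the warning message.

// Rules for this example (constructed):
//  - external users (type "E") must leave the employee id empty and must have a company
//  - all other users need an id of two upper-case letters plus six digits, e.g. AB123456
isExternal = "E".equals(ownerObject.userType);

if (isExternal) {
    if (value != null && !value.trim().isEmpty())
        return "External users (type E) must not have an employee id";
    company = ownerObject.attributes.get("company");
    if (company == null || company.toString().trim().isEmpty())
        return "External users must have the company attribute filled in";
    return true;
}

// Internal user: the id is required (the Required flag alone would not let us make it
// conditional on the user type) and must match the expected format
if (value == null || value.trim().isEmpty())
    return "Internal users must have an employee id";

if (!value.matches("[A-Z]{2}[0-9]{6}"))
    return "Employee id must be two upper-case letters followed by six digits, e.g. AB123456";

return true;
```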
The following variables are exposed to the expression:
ownerObject: current object owning the attribute.
value: current value to evaluate.
requestContext: tip about the screen using the attribute.
inputField: the ZK input object (ZK Framework).
inputFields: a map to get access to any other ZK input object (ZK Framework).
serviceLocator: locator to use any Soffid engine microservice.

// Sample for checking that the birth date corresponds to someone at least 18 years old
// value holds the Date being validated
c = java.util.Calendar.getInstance();
c.add(java.util.Calendar.YEAR, -18); // the date 18 years ago
if (value == null || value.before(c.getTime()))
    return true;
else
    return "Birth date should be before " + new java.text.SimpleDateFormat().format(c.getTime());

onLoad trigger : write an optional BeanShell expression that will be executed just after preparing the user interface. The script can modify the inputField object in any way before it is displayed, but cannot modify other input fields. The following variables are exposed to the expression:
ownerObject: current object owning the attribute.
value: current value to evaluate.
requestContext: tip about the screen using the attribute.
inputField: the ZK input object (ZK Framework).
inputFields: a map to get access to any other ZK input object (ZK Framework).
serviceLocator: locator to use any Soffid engine microservice.

// Sample to set the contract number attribute to read-only if the company attribute is empty
// Place as an on-load trigger in the contract number field
company = ownerObject.attributes.get("company");
if (company == null || company.trim().isEmpty())
    inputField.setReadonly(true);
else
    inputField.setReadonly(false);

onChange trigger : write an optional BeanShell expression that will be executed just after the user has changed the object value. The script can modify in any way the inputField object or any other input fields. The following variables are exposed to the expression:
ownerObject: current object owning the attribute.
value: current value to evaluate.
requestContext: tip about the screen using the attribute.
inputField: the ZK input object (ZK Framework).
inputFields: a map to get access to any other ZK input object (ZK Framework).
serviceLocator: locator to use any Soffid engine microservice.

// Sample trigger to set the contract number attribute to read-only when the company attribute gets empty
// Place as an on-change trigger in the company field (value is the new company value)
contractField = inputFields.get("contractNumber");
if (value == null || value.trim().isEmpty())
    contractField.setReadonly(true);
else
    contractField.setReadonly(false);
contractField.invalidate(); // Redraw the contract number field
// The current value of any other field can be read the same way:
// inputFields.get("contractNumber").getValue();

SCIM expression : exclusive for Soffid objects (users, groups, roles...). Write an optional SCIM query using the SCIM standard to filter the valid results for a specific field. You can visit the SCIM chapter for more information.

Actions

Table actions
Add new
Allows you to add a new custom object to the system. To add a new custom object it is necessary to fill in the required fields. By default, it will have two mandatory attributes, name and description.
Delete metadata
Allows you to remove one or more custom objects by selecting one or more records and then clicking this button. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
Download CSV file
Allows you to download a CSV file with the basic information of all metadata.
View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

Metadata detail
Refresh
Allows you to refresh all the metadata information.
Download CSV file
Allows you to download a CSV file with the basic information of the metadata object.
Import
Allows you to upload a CSV file with attribute metadata to add or update attribute metadata in Soffid. First, you need to pick a CSV file; that CSV has to contain a specific configuration.
Then you need to check the content to be loaded; you can choose whether or not to load each specific attribute. Finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.
Delete metadata
Allows you to delete the metadata object. To delete a metadata object you can click on the "three points" icon and then click the delete metadata button. Soffid will ask you for confirmation to perform that action; you can confirm or cancel the operation.
Set to default
Only for built-in objects. Allows you to restore the factory settings. Sometimes, usually after an upgrade, it is advisable to reset the built-in attributes of a built-in object. In that case, the properties of the attribute will be changed to the factory setting ones.
Expand all
Displays all the attributes of the different blocks.
Collapse all
Hides all attributes of the different blocks.
"Types of views"
Change the view type: Classic view, Modern view, Compact design.
Add new
Allows you to add a new attribute metadata.
Delete
Allows you to remove one or more attributes by selecting one or more records and then clicking this button. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
Undo
Allows you to quit without applying any changes made.
Apply changes
Allows you to save the data of a new metadata object or to update the data of a specific metadata object. To save the data it is mandatory to fill in the required fields.

Metadata attributes detail
Delete
Allows you to delete the metadata object. Soffid will ask you for confirmation to perform that action; you can confirm or cancel the operation.
Expand all
Displays all the attributes of the different blocks.
Collapse all
Hides all attributes of the different blocks.
"Types of views"
Change the view type: Classic view, Modern view, Compact design.
Undo
Allows you to quit without applying any changes made.
Apply changes
Allows you to save the data of a new metadata object or to update the data of a specific metadata object. To save the data it is mandatory to fill in the required fields.

Network intelligence

Description
Two extended Soffid features are activated on this page.

Network intelligence
On the one hand, we have Network intelligence, which enables the possibility of validating that accounts and passwords have not been compromised in the end systems with which Soffid is integrated. Once this feature is activated, you will be able to use two new functionalities: on the one hand, more detailed geolocation information about the IP address used to access Soffid, and on the other hand, external validation of your account and password to confirm that this data has not been compromised in any previously published security breach.
To activate password validation, you must enable the Check breached password option in the password policies.
Four new issue types will also appear that can be configured:
breached-account-password
breached-email
breached-password
expired-breached-password
A new process has been created to plan the validation of email domains: Network intelligence verify domains.

AI in Soffid
On the other hand, we have the Chat-bot, which enables our AI to be consulted both on its specific screen and in all components that allow scripts to be written. Once this feature is activated, you will be able to access the chat box page to consult information about Soffid. You will also be able to use the AI assistant that appears in all script-type fields. The token used can be obtained by yourself by accessing the Gemini page for this purpose; see the Request a token for the AI section.

Screen overview

Related objects
Network intelligence
Password policies : to enable the validation of accounts
Issue policies : for the new issue types
Scheduled tasks : a new process can be scheduled to check the current accounts and systems
Users : when changing a password.
Accounts : when changing a password.
Chat-bot
Soffid chat-bot : to chat with our AI.
Custom scripts : to use the AI.
All pages with scripts can use the AI to help you with the scripting:
Agents : properties, mappings and triggers.
Account naming rules : create account condition and script.
Role assignment rules : expression.
Password policies : password validation script.
PAM policies : expression.
BPM editor : scripts.
Attribute definition : value.
Metadata : attribute value scripts.

Standard attributes
Network Intelligence License
Token : token that enables this functionality. This token is provided by Soffid if your licence includes it.
Gemini token
Token : token that enables this functionality. You can generate this token yourself; how to do so is explained later on.

Actions
Expand all
Displays all the attributes of the different blocks.
Collapse all
Hides all attributes of the different blocks.
"Types of views"
Change the view type: Classic view, Modern view, Compact design.
Apply changes
Saves the tokens if they are valid.

Others
Token not allowed
The token for network intelligence is only saved if it is valid.
Access without a token
When attempting to use this feature without having previously enabled it, the console displays the error: No token configured. Please configure it on the network intelligence page.
Request a token for the AI
To use our AI functionality, you must request a token from the Gemini service. Here is how to do it:
1. Go to the following page: https://ai.google.dev/gemini-api/docs/api-key
2. Go to "Google AI Studio".
3. Log in with a Google account.
4. Select "Get API key".
5. "Accept".
6. Click on the "Create API key" button.
7. Wait a few seconds.
8. You finally have your key to be used in Soffid.

User backup configure & restore (backup addon)

Description
On the User backup configure & restore page, you can search, check and restore the user's snapshots. On this screen you can also configure the frequency and number of backups to be performed.
Screen overview

Related objects
Users : new Backups tab in the Users page; the user object has backups
Groups : user assignments to groups have backup
Accounts : user's accounts have backup
Roles : user's roles (grants) have backup
Mail lists : user's mail lists have backup

Standard attributes
User Name : userName of a user
Valid since : date and time when this backup started
Valid until : if it is not the last backup, date and time when this backup finished
Download : XML file with the user snapshot info.

Actions
Table actions
Query
Allows you to query users through different search systems, Basic and Advanced.
Restore
Allows you to restore one or more user's snapshots. First of all, you need to select one or more snapshots. Second, you need to click the "Restore" button. Then Soffid will run the restore process.
Download CSV File
Allows you to download a CSV file with the basic information of all backups, with the same columns as displayed in the table.
Configure backup
Allows you to configure the backup parameters.
View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.
Download
Allows you to download an XML file with the user. You only need to click on the download icon of one of the records and save the file on your computer.

Configure backup button
With the "Configure backup" button, you can configure the frequency and number of backups. These are the available parameters:
Minimum delay between backups : if the value is 1, when a backup is created, the system will not create a new backup until 1 day later, even if there has been more than one change during that period.
Number of backups to keep alive : if the value is 10, when 10 backups are reached, the oldest backup will be deleted when the next one is created.
Enable entitlements history : enables the history of roles assigned to users.
Others
Backup tab on user's page
On the users screen, when you select a user, this addon enables the Backups tab. This tab displays the user's backups. There are also several buttons for the rest of the items that can have a backup. These are the buttons:
Groups History : user assignments to groups have backup
Accounts History : user's accounts have backup
Roles History : user's roles (grants) have backup
Mail lists History : user's mail lists have backup
In any of the four options, when selecting an old record, the 'Restore' button will appear and this object can be restored to the user.

Export settings and objects (admin addon)

Description
Soffid has the functionality that allows you to export configuration, Soffid objects, and objects from target systems in a ZIP file. Every object or configuration will be downloaded into the ZIP as a binary file. This ZIP file can be imported into another Soffid tenant to be used. For more information, you can visit the Import settings and objects page.
Once you open Export settings and objects, you must select the configuration, objects, and target system objects you want to export. Then you only need to click the Generate export file button to download the ZIP that will contain all the previously selected information.
It is not allowed to export the basic configuration and configuration parameters of an agent for security reasons. You must create them manually and make sure you use the same names as in the source system if you are going to import accounts.
Screen overview

Related objects
Configuration
  Metadata
  Plugins
  Business process definition
  Custom scripts
  User types
  Group types
  Account naming rules
  Password policies
  Mail domains
  Authorizations
Objects
  Users
  Information systems
  Groups
  Hosts
  Networks
  Mail lists
  Role assignment rules
  Segregation of duties
  Application access tree
  Custom objects : the custom objects created on the Metadata page
Web SSO settings
  Attributes
  Policies
Target system objects
  Systems
  Accounts
  Roles
  Granted permissions
  Attribute mappings

Actions
Expand all
Displays all the attributes of the different blocks.
Collapse all
Hides all attributes of the different blocks.
"Types of views"
Change the view type: Classic view, Modern view, Compact design.
Generate export file
By clicking this button, Soffid will generate a ZIP file with the objects and configuration that you have selected and will download it to your computer.

Others
Exporting and importing
You can export all the components you are using in your Soffid implementation, so you can use them as a backup in case something happens, or to generate a new test environment. Once the zip file has been generated, you can import it on the Import settings and objects page. Do not worry about the exported objects: on the import screen itself, once the zip file has been uploaded, the screen will allow you to choose the objects you want to update in your Soffid instance.

Import settings and objects (admin addon)

Description
Soffid has the functionality that allows you to import configuration, Soffid objects, and objects from target systems from a ZIP file. This ZIP file must be generated by the export action from another Soffid tenant. For more information, you can visit the Export settings and objects page.
Once you pick the file to import, Soffid will display all the objects and configurations that you can load. You must select the proper objects and settings to import or enable the Load everything option.
Finally, you must click the Proceed button to launch the import process. Once the process is finished, Soffid will display the result and allow you to download the log file.
It is not allowed to import the basic configuration and configuration parameters of an agent for security reasons. You must create them manually and make sure you use the same names as in the source system if you are going to import accounts.

Screen overview

Related objects
Configuration
  Metadata
  Plugins
  Business process definition
  Custom scripts
  User types
  Group types
  Account naming rules
  Password policies
  Mail domains
  Authorizations
Objects
  Users
  Information systems
  Groups
  Hosts
  Networks
  Mail lists
  Role assignment rules
  Segregation of duties
  Application access tree
  Custom objects : the custom objects created on the Metadata page
Web SSO settings
  Attributes
  Policies
Target system objects
  Systems
  Accounts
  Roles
  Granted permissions
  Attribute mappings

Actions
Pick up page
Pick a file
Select the backup file.
Configuration page
Load everything
Enable it if you want to load the whole backup; disable it if you want to select the objects to import.
Remove objects not present in the export file
Removes the Soffid objects not present in the export file. Enable it if you want the exact image of the source system; disable it if you want to keep the objects that only exist in this Soffid instance.
Back
Go back to "Pick a file".
Proceed
Allows you to start the import process.
Results page
Restart
Go back to the configuration page.
Download log
Allows you to download a log with the details of the import.

Configuration > Integration engine

Smart engine settings

Description
This page gathers several mechanisms related to Soffid's smart engine. Administrator users will be able to configure the engine mechanism for synchronisation tasks, a task limit to prevent unsupervised mass changes, and the language of the scripts.
Screen overview

Related objects
Agents : to test the synchronization of an object
Syncserver monitoring : to check if a task is on hold
Users : to propagate changes manually
Custom scripts : affected by the scripting language
All pages with script type attributes.

Standard attributes
Task engine mode : allows you to select the synchronization mode. There are three available options:
Read only : the default option in the Soffid installation. No task is synchronized to external systems.
Manual : only selected synchronization tasks are performed. You can synchronize a user manually (check the "Propagates the changes" action on the Users page) or synchronize a whole target system (check the Agents page).
Automatic : each change is automatically sent to the target systems.
Tasks limit per transaction : if a single transaction creates more than this number of tasks, the tasks will be held until a Soffid administrator releases them. The administrator can check them on the "Sync server monitoring" page, "Not scheduled tasks" button.
Scripting language : Soffid allows you to create scripts and you can choose the scripting language:
Beanshell
Javascript (by default)
Autodetected
Soffid offers a set of sample scripts. You can find examples by visiting the Sample scripts page.
Additionally, in the initial configuration of the container, you can set the SOFFID_TRUSTED_SCRIPTS environment variable to allow the use of insecure classes. You can find this information by visiting the Installing IAM Console page.

Actions
Confirm changes
Allows you to update the engine settings.
Undo
Allows you to cancel the changes made and not confirmed.

Tips
Task engine mode
Use the task engine mode for these scenarios:
Read Only : use this option after the Soffid installation until you have at least one target system configured to test the synchronization.
Manual : use this option for testing environments, or at the beginning of a live release.
Automatic : use this option for live environments, or also for testing environments when the platform is mature.
Tasks limit per transaction : use a high task limit when you are comfortable with the configured processes of Soffid, for instance 1000 or 10000 depending on the number of accounts in these external systems.

Agents

Description
Soffid agents are the tool that allows the connection between Soffid and the target systems. To establish the connection with target systems, Soffid provides a large number of connectors that can be set up in the Soffid console. You can see the complete list of Synchronization Server Connectors.
Soffid administrators have the chance to easily customize attribute mappings for some connector addons, without having to code them using Java. Soffid provides a graphical interface to perform attribute mapping.
An agent will appear disabled when it has no server assigned. Bear in mind to select the "Disabled" flag in the Server URL criteria when you query, if you want to search for disabled but defined agents.
Soffid has an internal agent called soffid that does not need to be assigned to a sync server in order to function correctly.

Screen overview

Related objects
Synchronization servers : the sync servers available in the platform; they can be of primary or proxy type.
Smart engine settings : to configure the engine mode of the synchronization tasks
User type : to be used in the provisioning policies
Groups : to be used in the provisioning policies
Account naming rules : to configure the user domain
Password policies : to configure the password domain

Standard attributes
Basics tab
Task engine mode : shows the current task engine configuration. For more information visit the Smart engine settings page.
Name : agent's identifying name.
Description : a brief description of the agent.
Usage : identifies whether the accounts created are to be used for IAM or PAM.
The IAM and PAM tasks will be managed in separate queues.
IAM : for standard provisioning
PAM : for PAM provisioning
The PAM accounts will be managed as a Shared thread internally. The PAM accounts will be shared accounts and never single user accounts.
Type : identifies the connector type to use. Different implementations of the server plugins are included in the connectors installed in Soffid. Each type has a Java class bound; the name of the Java class implementing the connector is displayed next to the connector name.
Class name : class name to identify the agent type.
Server URL : synchronization will be performed with the selected server. It is allowed to select two servers in cases where high availability is necessary. If you choose two servers, when one fails, the other will be used. If "Each main synchronization server" is selected, the agent will be run by every sync server. If "-disabled-" is selected, the agent will be disabled. If you select a single sync server, the agent will only be run on that server.
Alternative URL : second sync server to be used in case the one in the Server URL is not available.
Shared Thread : if it is enabled, the same thread will be shared by several synchronization servers.
Dedicated Thread : if "Shared thread" is disabled, the option to choose the number of threads to dedicate to the synchronization process becomes available.
Task timeout (ms) : adds a timeout to the synchronization server tasks (query, insert, update, delete, update password, etc). If you add a timeout, when the connection reaches this timeout, the synchronization server will stop the request and add it to the queue for a new retry later.
Long task timeout (ms) : adds a timeout to the reconciliation server tasks (user, group, role, account, grants, etc). If you add a timeout, when the connection reaches this timeout, the synchronization server will stop the request (no retry is added).
Read-only : if it is checked (the selected option is Yes), no change will be applied to the managed system. Only read operations will be allowed.
Paused task : if it is checked (the selected option is Yes), the system remains connected, but the tasks in the queue will be retained. It is very useful when conducting tests and ensuring that no tasks propagate except the ones we are manually triggering (we pause, make the changes, and when everything is fine, we remove the pause). As a rule, you should pause when making configuration changes in production.
Manual account creation : if you check No, Soffid will create the new user accounts applying the defined policies. Check Yes if you don't want Soffid to create new accounts for the users automatically.
Role-based : when "Manual account creation" is not checked (option selected is No), "Role-based" is shown. Check it if only users with any role on this agent should be created. When the identity or account loses its permissions, the account will be disabled. Uncheck it to allow users with no role on it.
Delta changes : to use delta changes in the synchronization. When it is enabled, Soffid performs a merge between the image of the target system and Soffid.
Remove roles from disabled accounts : when the agent detects a disabled account, all the granted roles are removed in the target system.
User Type : when "Manual account creation" is not checked (option selected is No), "User Type" is shown. Only users of the selected types will be created. Any change made in this field causes all accounts to be recalculated. New ones will be added to the repository and managed systems. Some accounts will get disabled if the owner user no longer belongs to any authorized user type.
Groups : when "Manual account creation" is not checked (option selected is No), "Groups" is shown. Identifies the business units that are allowed to have an account on this system.
User domain: the rule used to determine how to generate account names. If the account name is the same as the user name (as is normally the case), the "Default user domain" should be used. The user domain values are defined on the Account naming rules page.

Password domain: determines the password policies that are used. If the "Default password domain" is selected, Soffid passwords are shared with the managed systems. The password domain values are defined on the Password policies page.

When uploading authoritative data for identities from a managed system, users are first created in Soffid as indicated in the attribute mapping, and then accounts are created for the managed systems, only if the agent option "Manual account creation" is not checked and only for the indicated User Types.

Connector parameters

The custom attributes depend on the plugin used. Here you will find all the information needed about the available Soffid connectors to integrate external managed systems:

AWS Connector
CSV Connector
Google Apps Connector
JSON REST Web Services Connector
LDAP Connector
Oracle Connector
Oracle EBS Connector
SAP Connector
SCIM Connector
Shell Connector
SQL Connector
Windows Connector
Zarafa Connector
SQL Server Connector

Integration flows tab

Some connector add-ons have associated integration workflows. On the Integration flows tab you can view the integration flows related to the agent, and view each workflow in detail. If you select any node or component, you can view its configuration and even perform some tests.

All the configurations shown on this screen are part of the configuration made on the 'Attribute mappings' screen. On this screen, they are filtered according to your needs, and you can also modify them.

Attribute mapping tab

The attribute mapping tab only appears when the agent allows such customization.
Soffid administrators can easily customize attribute mappings without having to code them in Java. Administrator users can select system objects and the related Soffid objects, manage their attributes, and define both inbound and outbound attribute mappings.

There is an action that creates all the default mappings for the agent connector type. It automatically creates the system objects with their attributes and properties; select it by clicking the "three points" icon and then the Create default mapping option. Once the default mapping is created, it can be customized as required.

Objects

On this screen, you must configure the objects to be retrieved or synchronised. The objects to be configured depend on each agent. For each object, you must configure its properties, methods, attributes, or triggers; their configuration also depends on each agent. The list of possible objects is as follows:

user
account
role
grant
group
grantedRole
allGrantedRoles
grantedGroup
allGrantedGroup
authChange
mailList
custom
host
network

Properties

Some agents require custom attributes to be configured in their properties section. These properties are specific to each type of connector; you can see them by visiting each connector type page.

Methods

This option is only available on some types of connectors. It is used to define methods that can be called using the defined properties.

Attributes

Each object mapping defines an agent object name and one bound Soffid object type. The left-hand side attributes are managed system attributes, so they depend on the agent being configured. The right-hand side attributes are Soffid attributes and must be selected from an existing list. Script expressions can be used in the source, but only in a one-way mapping.

System attributes

A configuration agent must define the object types that can be created on it.
Each object mapping defines an agent object name and needs a bound Soffid object type. In this column, the system's attribute name is displayed.

When evaluating any expression, both the system and Soffid attributes are available as script variables. Moreover, the following variables are available:

serverService: Server API that enables an easy object query (see "Public API Module" or "Data & Service model").
serviceLocator: Spring singleton that gives access to any published service bean. Only available on the main sync server.
remoteServiceLocator: singleton that gives access to any remotely published service bean.
THIS: HashMap that contains any Soffid or system managed attribute. It can be used when the attribute name is not a valid Java identifier.
dispatcherService: service that allows the script to get or update information in the target system.

Script Example 1

    /*js*/
    // Derive a Soffid group name from the LDAP distinguished name and create the group if it does not exist
    var name = new javax.naming.ldap.LdapName(distinguishedName);
    var rdns = name.rdns;
    var g = null;
    var rn = null;
    // walk the RDNs from the one above the leaf towards the root, stopping at the first DC component
    for (var i = rdns.length - 2; i > 0; i--) {
        if (rdns[i].type == "DC") break;
        if (g == null) { g = ""; rn = ""; } else { g = g + "/"; rn = "," + rn; }
        g += rdns[i].value.toLowerCase();
        rn = rdns[i].type + "=" + rdns[i].value + rn;
    }
    var gi = serviceLocator.groupService.findGroupByGroupName(g);
    if (gi == null) {
        var parent = !rn.contains("/") ? "world" : rn.substring(0, rn.lastIndexOf("/"));
        gi = new com.soffid.iam.api.Group();
        gi.name = g;
        gi.description = rn;
        gi.parentGroup = parent;
        serviceLocator.groupService.create(gi);
    }
    return g;

Directions

In the centre column, an arrow shows the direction of the information flow. When the information flows from the system (left) to Soffid (right), the left column name can be replaced by a script expression. This expression is evaluated on the system object prior to uploading it to Soffid.
When the information flows from Soffid (right) to the managed system (left), the right column can contain a script expression that is evaluated prior to provisioning the user. Here are some examples (system attribute, direction, Soffid attribute, meaning):

cn <=> accountName
    The account name is the CN attribute of the LDAP entry.

departmentNumber <= for (group: secondaryGroups) { if (group.get("name").equals(primaryGroup)) { return group.get("description"); } } return null;
    Assigns the group description of the primary group to the departmentNumber attribute.

baseDN => "ou="+primaryGroup+",dc=soffid,dc=org"
    Assigns the base DN of the user to the proper organizational unit below dc=soffid,dc=org.

Soffid attributes

The Soffid attributes that can be used can be found at the following links:

User Object
Account Object
Group Object
Role Object
Grant Object
Maillist Object
Membership Object

When evaluating any expression, both the system and Soffid attributes are available as script variables, together with the same additional variables listed under System attributes (serverService, serviceLocator, remoteServiceLocator, THIS and dispatcherService).

Script Example 1

    firstName + " " + lastName

Script Example 2

    attributes = serviceLocator.getUserService().findUserAttributes(userName);
    return attributes.get("position");

Test

With the definition of an object, you can check the system attributes defined, both in the final system and in Soffid.
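The direction rules above, as an added stand-alone example (not Soffid code): a small mapping table where a side written as a function stands for a script expression, applied outbound (rows with <= or <=>) and inbound (rows with => or <=>). The attribute names are the page's; the sample objects, the groupFromDn helper and the rule that a scripted row must be one-way are this example's own.

```javascript
// Added example, not Soffid code: a stand-alone model of an attribute-mapping
// table and its direction semantics.
//   "<="   Soffid -> managed system (outbound)
//   "=>"   managed system -> Soffid (inbound)
//   "<=>"  both directions, attribute names only
// A side written as a function stands for a script expression; the page only
// allows a script on one side of a one-way mapping, so row() enforces that.
// Attribute names (cn, accountName, primaryGroup, departmentNumber) are the
// page's; the sample objects are constructed for this example.

const DIR = { OUT: "<=", IN: "=>", BOTH: "<=>" };

// One row of the mapping table.
function row(system, direction, soffid) {
  const scripted = typeof system === "function" || typeof soffid === "function";
  if (scripted && direction === DIR.BOTH) {
    throw new Error("script expressions are only allowed in one-way mappings");
  }
  return { system, direction, soffid };
}

// Outbound: build the system object from a Soffid object. Only rows with
// direction "<=" or "<=>" contribute (what the Test expression displays).
function toSystem(rows, soffidObj) {
  const out = {};
  for (const r of rows) {
    if (r.direction !== DIR.OUT && r.direction !== DIR.BOTH) continue;
    const value = typeof r.soffid === "function" ? r.soffid(soffidObj) : soffidObj[r.soffid];
    if (value !== undefined) out[r.system] = value;
  }
  return out;
}

// Inbound: build the Soffid object from a raw system object. Only rows with
// direction "=>" or "<=>" contribute (what "Fetch Soffid object" applies).
function toSoffid(rows, systemObj) {
  const out = {};
  for (const r of rows) {
    if (r.direction !== DIR.IN && r.direction !== DIR.BOTH) continue;
    const value = typeof r.system === "function" ? r.system(systemObj) : systemObj[r.system];
    if (value !== undefined) out[r.soffid] = value;
  }
  return out;
}

// Inbound helper in the spirit of Script Example 1: walk the RDNs of an LDAP
// DN from the entry's parent towards the root, stop at the first DC, and
// return the OU chain as a slash-separated group path (root first), or null.
function groupFromDn(dn) {
  const rdns = dn.split(/(?<!\\),/).map((part) => {   // split on unescaped commas
    const i = part.indexOf("=");
    return { type: part.slice(0, i).trim().toUpperCase(), value: part.slice(i + 1).trim() };
  });
  const path = [];
  for (let i = 1; i < rdns.length; i++) {            // index 0 is the leaf entry
    if (rdns[i].type === "DC") break;
    path.unshift(rdns[i].value.toLowerCase());
  }
  return path.length > 0 ? path.join("/") : null;
}

// The page's LDAP rows, with the BeanShell expressions written as functions.
const ldapMapping = [
  row("cn", DIR.BOTH, "accountName"),
  // departmentNumber <= description of the group named by primaryGroup
  row("departmentNumber", DIR.OUT, (u) => {
    const g = (u.secondaryGroups || []).find((x) => x.name === u.primaryGroup);
    return g ? g.description : null;
  }),
  // script on the system side => Soffid attribute (inbound only)
  row((sys) => groupFromDn(sys.distinguishedName), DIR.IN, "primaryGroup"),
];
```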
1. First of all, click the Test button. Soffid displays a text field and some buttons to perform new actions.
2. Secondly, fill in the text field with the appropriate data. It can be a user, an account, a group or another system object, depending on the system object you are checking.
3. Then, choose the action to perform:

Test expression: allows you to test a system object. Soffid displays a new column with the data already mapped that will be sent to the final system during synchronisation. This data is only displayed when the direction is <= or <=>.

Synchronize now: synchronizes the data object to the target system. This action is the same as the one performed automatically by the task engine; in this case, the agent executes the entire process.

Fetch system raw data: brings the data of an object from the target system. The data is displayed in a pop-up window. The data retrieved may depend on the agent's programming or the configuration settings in the properties.

Fetch Soffid object: brings the data of a specific system object, processed, as it would be updated into Soffid. As with the previous option, it retrieves an object from the end system, but then applies the mappings configured in Soffid (with direction => or <=>) and finally displays the attributes and the exact values that would be saved in Soffid.

Triggers

BeanShell or JavaScript scripts can be defined to be triggered when data is loaded into the target system (outgoing triggers). The trigger result is a boolean value: true to continue or false to stop. A configuration agent can configure triggers related to the operation to be performed. There are different trigger types, which determine the specific moment at which the script is triggered.
Triggers can be used to validate or to perform a specific action just before or just after performing an operation on target objects. To access Soffid data, use source{"attributeName"}, which returns the value of attributeName; that object is in Soffid format. You can also use newObject{"attributeName"} to set the new value, or oldObject{"attributeName"} to get the old value of the target system; those objects are in target system format.

The available triggers are as follows:

preInsert: triggered just before the insert action. Used to validate or prevent the insert action, and also to prepare objects or actions when a new object is going to be inserted.
preUpdate: triggered just before the update action. Used to validate or prevent the update of an object.
preDelete: triggered just before the delete action. Used to validate or prevent the deletion of an object.
postInsert: triggered just after the insert action. Used to trigger or prevent an action.
postUpdate: triggered just after the update action. Used to trigger or prevent an action.
postDelete: triggered just after the delete action. Used to trigger or prevent an action.
preSetPassword: triggered just before the set password action. Used to trigger or prevent an action.
postSetPassword: triggered just after the set password action. Used to trigger or prevent an action.
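The trigger contract above (source, newObject, oldObject, boolean result) as an added stand-alone example, not Soffid code: a provisioning step that fires pre/post triggers around an insert or update against a Map standing in for the managed system. The trigger bodies follow the page's Example 2 and Example 3; all object names and sample data are constructed.

```javascript
// Added example, not Soffid code: a stand-alone model of the outgoing-trigger
// contract. Every trigger receives `source` (the Soffid object), `newObject`
// (the mapped value about to be written, target-system format) and
// `oldObject` (what the target currently holds, or null on insert), and must
// return true to continue or false to stop the operation. A Map stands in for
// the managed system; all names and sample objects are constructed.

function runTriggers(triggers, phase, ctx) {
  for (const t of triggers) {
    if (t.type !== phase) continue;
    if (t.script(ctx) !== true) return false;   // anything but true stops
  }
  return true;
}

// Write `newObject` for `source` into `target`, firing the pre/post triggers
// of the operation actually performed. Returns an audit record.
function provision(target, key, source, newObject, triggers) {
  const oldObject = target.has(key) ? { ...target.get(key) } : null;
  const op = oldObject === null ? "insert" : "update";
  const pre = op === "insert" ? "preInsert" : "preUpdate";
  const post = op === "insert" ? "postInsert" : "postUpdate";
  const ctx = { source, newObject: { ...newObject }, oldObject };

  if (!runTriggers(triggers, pre, ctx)) {
    return { op, applied: false, stoppedBy: pre };
  }
  // an update only touches the attributes present in newObject, so an
  // attribute removed by a pre-trigger keeps its current target value
  const written = op === "insert" ? { ...ctx.newObject } : { ...oldObject, ...ctx.newObject };
  target.set(key, written);
  return { op, applied: true, postOk: runTriggers(triggers, post, ctx) };
}

// Triggers modelled on the page's Example 2 and Example 3.
const triggers = [
  // refuse to insert an object with no name
  { type: "preInsert", script: ({ newObject }) => newObject.name != null },
  // never overwrite an existing userPrincipalName in the target system
  { type: "preUpdate", script: ({ newObject, oldObject }) => {
      if (oldObject.userPrincipalName != null) delete newObject.userPrincipalName;
      return true;
    } },
  // post-trigger: a non-true result marks the follow-up action as failed
  { type: "postInsert", script: ({ source, newObject }) => source.userName === newObject.name },
];

// Walk three operations through the pipeline and return the outcomes.
function demo() {
  const target = new Map();
  const alice = { userName: "alice", attributes: { company: "Example Corp" } };
  const bob = { userName: "bob", attributes: {} };

  const r1 = provision(target, "alice", alice,
    { name: "alice", userPrincipalName: "alice@example.test" }, triggers);
  const r2 = provision(target, "bob", bob,
    { userPrincipalName: "bob@example.test" }, triggers);          // no name: blocked
  const r3 = provision(target, "alice", alice,
    { name: "alice", userPrincipalName: "a.smith@example.test",
      company: alice.attributes.company }, triggers);               // UPN kept, company added
  return { r1, r2, r3, target: Object.fromEntries(target) };
}
```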
Example 1

Get the attribute company, option 1:

    company = source{"attributes"}{"company"};

Get the attribute company, option 2:

    userName = source{"userName"};
    attributes = serviceLocator.getUserService().findUserAttributes(userName);
    company = attributes.get("company");

Example 2

    // grant the "Domain Users" role of the ActiveDirectory system to the object being provisioned
    role = serviceLocator.getAplicacioService().findRoleByNameAndSystem("Domain Users", "ActiveDirectory");
    rg = new java.util.HashMap();
    rg.put("grantedRoleId", role.getId());
    list = new java.util.LinkedList();
    list.add(rg);
    newObject{"ownedRoles"} = list;
    // continue only if the target object has a name
    return newObject{"name"} != null;

Example 3

    // keep the existing userPrincipalName of the target object and carry over its group type
    if (oldObject.get("userPrincipalName") != null) {
        newObject.remove("userPrincipalName");
        newObject.put("groupType", oldObject{"groupType"});
    }

For more examples, you can visit the Incoming Triggers examples page.

Incoming data tab

On the Incoming data tab you can set up a specific configuration for the agent and define BeanShell or JavaScript scripts that will be triggered when data is loaded into Soffid (incoming triggers).

Incoming data

Trust passwords: check it if the managed system can be trusted to propagate its passwords to Soffid. Trusted password agents differ from non-trusted ones in the following:

Temporary passwords generated from the console only propagate to agents that have Trust passwords checked. Otherwise, the agents only receive definitive passwords.
When a password reaches its expiry date, it is automatically disabled on agents where Trust passwords is not checked, so the user can no longer use it.
When the managed system detects a password change requested by the user, the password is propagated to Soffid only if Trust passwords is checked for the associated agent.

If you want to forward authentication requests to trusted target systems, you must enable the Trust passwords option and the proper feature on the Authentication page.

Authoritative identity source: check it if the agent will be used as the source for users' information.
It is usually checked for the first load of users into Soffid and then unchecked, leaving Soffid to manage users. Optionally, you can select a custom workflow to process incoming changes.

Full reconciliation: switch off to enable the incremental load process and disable Soffid object removal.

Propagate changes: switch off to prevent the sync server from creating synchronization tasks after loading incoming changes.

Load triggers

To add a new trigger, first select the Soffid object on which the action will be performed, then select the trigger, which determines the moment at which the script is triggered, and finally define the script to be executed. The available objects are:

User
Account
Group
Role
Granted role

Triggers can be used to validate or to perform a specific action just before or just after performing an operation on Soffid objects. The trigger result is a boolean value: true to continue or false to stop.

In a load trigger it is not possible to access the mapping definitions configured on the attribute mapping tab. Use newObject{"attributeName"} to get the new value, or oldObject{"attributeName"} to get the old value. Those objects are in Soffid format; for more information about the Soffid format, visit the Soffid Objects page.

preInsert: triggered just before the insert action. Used to validate or prevent the insert action.
preUpdate: triggered just before the update action. Used to validate or prevent the update of an object.
preDelete: triggered just before the delete action. Used to validate or prevent the deletion of an object.
postInsert: triggered just after the insert action. Used to trigger or prevent an action.
postUpdate: triggered just after the update action. Used to trigger or prevent an action.
postDelete: triggered just after the delete action. Used to trigger or prevent an action.

Example 1

    userName = newObject{"userName"};
    system = "ActiveDirectory";
    // look up the internal (type I) account of the user on the given system
    accounts = serviceLocator.getAccountService()
        .findAccountByJsonQuery("(system eq \"" + system + "\") AND name eq \"" + userName + "\" AND (type eq \"I\")");
    .....
    user = serviceLocator.getUserService().findUserByUserName(userName);
    .......

Example 2

    ...........
    if (isFound) {
        newObject{"id-indicator"} = "1";
    } else {
        if (contFalse > 0) {
            newObject{"id-indicator"} = "0";
        } else if (contNull > 0) {
            newObject{"id-indicator"} = null;
        }
    }

For more examples, you can visit the Outgoing Triggers examples page.

Massive actions

Massive actions are bulk or large-scale operations that can be performed across multiple identities, accounts, or resources managed by an agent within the Soffid platform. Agents in Soffid are the components responsible for interacting with external systems (such as directories, databases, or applications) to manage and synchronize identity-related data. Massive actions allow administrators to execute operations on a large number of items simultaneously, making it easier to manage and maintain the system efficiently.

Provisioning all users on to managed systems

One of the main features of identity and access management (IAM) is automated user provisioning. User provisioning is the process that ensures that users are created with the proper permissions, updated, disabled, or deleted on managed systems. All managed systems must have an agent configuration, which determines how provisioning is performed.

Soffid shows information about the last time the option was run and a report with the details. You can access the report by clicking the verification icon (✓).

Provisioning groups to agent

This is the process that ensures that groups are created, updated, disabled, or deleted on managed systems.
Soffid shows information about the last time the option was run and a report with the details. You can access the report by clicking the verification icon (✓).

Provisioning roles to agent

This is the process that ensures that roles are created, updated, disabled, or deleted on managed systems.

Soffid shows information about the last time the option was run and a report with the details. You can access the report by clicking the verification icon (✓).

Propagate groups to agent

This option pushes all the groups defined in Soffid to the managed system.

Soffid shows information about the last time the option was run and a report with the details. You can access the report by clicking the verification icon (✓).

Reconcile (load target system objects)

The main purpose of the reconciliation process is to provide a mechanism to ensure that all users are aligned with their specific roles and responsibilities. The reconcile process discovers new, changed, deleted, or orphaned accounts to determine user access privileges. Not every system connector has the capabilities needed to execute the reconcile process. When the "Read only" property in Basic parameters is checked (selected value is Yes), the reconcile process only considers unmanaged accounts.

Soffid shows information about the last time the option was run and a report with the details. You can access the report by clicking the verification icon (✓).

Generate target system potential impact

This option generates a report with all the potential changes that would be performed on the managed system with the current agent configuration. If the option was run previously, Soffid shows information about the last time it was run and the report with the potential impact. You can access the report by clicking the verification icon (✓).

Load authoritative data for identities and groups

Identities usually live on authoritative identity sources, and they do in Soffid as well.
Each identity may have any number of accounts on each managed system. When "Authoritative identity source" is checked (option selected is Yes), Soffid shows the option to load authoritative data for identities and groups. That option loads group data and identity data from the managed system into Soffid, following the rules configured in the agent.

Soffid shows information about the last time the option was run and a report with the details. You can access the report by clicking the verification icon (✓). Soffid also creates a parameter on the Soffid parameters page with information about the version of the data. If you need to perform the authoritative load again, you must delete this parameter before performing the action.

Apply system policies

This task retrieves all agent accounts and checks that they have the correct status according to the rules configured in the agent itself.

Account metadata tab

Agents allow you to create additional data on the "Account metadata" tab, to customize the accounts created for that agent. This additional information is loaded with the agent's information, or calculated as defined in the mappings. The additional data can be used in both mappings and triggers. To get or set an account metadata value, use accountAttributes{"ATT_NAME"}.

Basic attributes

Code: short name used by scripts and connectors to access the underlying information. Use short names without blanks or special characters to make them easier to use.

Label: text displayed beside the attribute value. Use short descriptions to keep the screen cleaner.
Data type: the attributes can have different data types.

User hint: hint displayed on the screens.

Description: description of the metadata attribute.

Required: if the attribute is required, it must have a value in order to save; otherwise, an error message is displayed.

Prevent duplicated values: marks this field as a unique key for the object type. Two objects can never have the same attribute value; the Soffid smart engine avoids the creation of duplicated objects.

Multiple values: some attributes can contain multiple values for the same object. For instance, an attribute containing the languages a user can speak can be multi-valued, as a user can speak multiple languages.

Maximum number of rows to display: when an attribute is multi-valued, the screen size can grow a lot. To prevent such a big form, the system only displays a maximum number of values, and a scroll bar appears to browse through the attribute values.

Size: primarily for string attributes, specifies the maximum length in characters of the attribute value.

Values: primarily for string attributes, you can specify the allowed values for the attribute. Then, the text box that the user has to fill in is replaced by a drop-down list.

Dynamic attributes

Visibility expression: optional BeanShell expression that decides whether the field should be displayed. The expression should return true or false. The following variables are exposed to the expression:

ownerObject: current object owning the attribute.
value: current attribute value.
requentContext: hint about the screen using the attribute.
inputField: the ZK input object (ZK Framework).
inputFields: a map giving access to any other ZK input object (ZK Framework).
serviceLocator: locator to use any Soffid engine microservice.

Validation expression: optional BeanShell expression that checks whether the field value is acceptable.
The expression should return true if the value is acceptable. If the expression returns false or any other object, a warning message is displayed; when it returns a string, that string is used as the warning message presented to the end user. The same variables as for the visibility expression are exposed (ownerObject, value, requentContext, inputField, inputFields and serviceLocator), with value being the current value to evaluate.

onLoad trigger: optional BeanShell expression executed just after preparing the user interface. The script can modify the inputField object in any way before it is displayed, but cannot modify other input fields. The same variables as for the validation expression are exposed.

onChange trigger: optional BeanShell expression executed just after the user has changed the object value. The script can modify the inputField object or any other input field. The same variables as for the validation expression are exposed.
Example 1

In the attribute mappings, save the value of an account metadata attribute:

    varX <= accountAttributes{"att_name"}

Example 2

Get the value of an account metadata attribute to use it in a trigger:

    strValue = source.get("attributes").get("att_name");
    if (strValue != null) {
        .....
    } else {
        .....
    }

Actions

Agents query actions

Query: allows you to query agents through different search systems, Basic and Advanced.
Add new: allows you to add a new agent to the system. To add a new agent, the required fields must be filled in.
Delete agent: allows you to remove one or more agents by selecting the records and then clicking this button. Soffid asks for confirmation; you can confirm or cancel the operation.
Download CSV file: allows you to download a CSV file with the basic information of all agents.

Agent detail actions

Apply changes (disk button): allows you to create a new agent or update an existing one. To save the data, the required fields must be filled in.
Delete agent: allows you to delete the agent. Soffid asks for confirmation; you can confirm or cancel the operation.
Import: allows you to upload an XML file with the attribute mapping data. This option deletes the previous attribute mappings and creates new ones.
Export: allows you to export an XML file with the attribute mappings.
Create default mapping: allows you to automatically create the default mappings for the selected Type.
Test: checks whether there is a connection to the target system.
Preview changes: when there are changes to be applied (when the agent configuration is updated), you can check them with this option. Soffid displays a new window with the list of users to be updated.
Apply now: displayed when the agent configuration is updated. Clicking it performs the update action.
The progress bar is displayed during the execution of the process. This action is performed asynchronously.

Expand all: displays all the attributes of the different blocks.
Collapse all: hides all attributes of the different blocks.
Types of views: changes the view type: Classic view, Modern view, Compact design.
Undo: allows you to quit without applying the changes made.
Apply changes: allows you to create a new agent or update an existing one. To save the data, the required fields must be filled in. After that, the screen displays the agents list.

Integration flows

Open flow: opens a window with the workflow.
Test: allows you to test the workflow.

Attribute mapping

Apply changes (disk button): allows you to update the agent with the changes made on the attribute mappings.
Add new (object): allows you to add a new system object based on a Soffid object. Once you click the button, Soffid adds new fields to the form to add attributes, methods, properties and/or triggers depending on the agent type. You must apply the changes by clicking the diskette button to update the agent.
Test: shows the test option buttons: Test expression, Synchronize now, Fetch system raw data, Fetch Soffid object.
Expand all: displays all the attributes of the different blocks.
Collapse all: hides all attributes of the different blocks.
Delete (object): allows you to delete a system object. You must apply the changes by clicking the diskette button to update the agent.
Test expression: allows you to test a system object. When you click this option, Soffid shows new fields and operations to test the system attribute configuration.
Synchronize now: allows you to synchronize a specific system object to the target system.
Fetch system raw data: brings the data of a specific system object from the target system.
Fetch Soffid object: brings the data of a specific system object, processed, as it would be updated into Soffid.
Add new (property): allows you to add properties to a specific system object. Once you click the button, Soffid adds new fields to the form to add the property. You must apply the changes by clicking the diskette button to update the agent.
Delete icon (property): allows you to delete properties from a specific system object. You must apply the changes by clicking the diskette button to update the agent.
Add new (system attribute): allows you to add attribute mappings to a specific system object. Once you click the button, Soffid adds new fields to the form to add the attribute. You must apply the changes by clicking the diskette button to update the agent.
Delete icon (system attribute): allows you to delete attribute mappings of a specific system object. You must apply the changes by clicking the diskette button to update the agent.
Add new (trigger): allows you to add a trigger to a specific system object that will be executed when data is loaded into the target system. Click the button with the add symbol (+) at the end of the Trigger row. Once you click the button, Soffid adds new fields to the form to add the trigger. You must apply the changes by clicking the diskette button to update the agent.
Delete icon (trigger): allows you to delete a trigger of a specific system object. Click the button with the subtraction symbol (-) at the end of the Trigger row you want to delete. You must apply the changes by clicking the diskette button to update the agent.

Incoming data

Apply changes (disk button): allows you to update the load trigger data with the changes made on the Load Trigger.
Add new (trigger): allows you to add a trigger that will be executed when data is loaded into Soffid. Once you click the button, Soffid adds new fields to the form to add the trigger.
Then select the Object and the type of trigger and write the custom script. Finally, apply the changes to update the agent.
Delete icon (trigger): allows you to delete a trigger. You must apply the changes by clicking the diskette button to update the agent.

Massive actions

Configuration icon: opens the task on the Scheduled tasks page.
Start: starts the task manually from this page. You can query the result here or on the Scheduled tasks page.

Account metadata

Apply changes (disk button): allows you to update the agent with the changes made on the metadata.
Add new: allows you to add account metadata. Once you click the button, Soffid shows an empty form to fill in with the new account metadata. Finally, apply the changes.
Delete: allows you to delete one account metadata attribute. First, click on the account metadata you want to delete; Soffid then shows a form with its details. The delete action is on the hamburger icon of that form. In this case, Soffid does not ask for confirmation before deleting.

More information

Scripting

In the agent's configuration, scripting can be used to include logic in the attribute mappings and in the trigger scripts.
In the attribute mapping, if you use a script on one side, the mapping must be one-way towards the other side:

    System attribute <= script
    script => Soffid attribute

Below, an easy script to send a full name to the system:

    system attribute <= return firstName + lastName;

Below, a more complex script to create the mail domain if it does not exist in Soffid:

    // extract the domain part of the user's e-mail address
    String mailDomain = null;
    if (email != void && email != null && email.contains("@")) {
        String[] mailTokens = email.split("@");
        mailDomain = mailTokens[1];
    }
    // register the mail domain in Soffid if it is not known yet
    com.soffid.iam.service.MailListsService service = com.soffid.iam.ServiceLocator.instance().getMailListsService();
    com.soffid.iam.api.MailDomain domain = service.findMailDomainByName(mailDomain);
    if (domain == null) {
        domain = new com.soffid.iam.api.MailDomain();
        domain.setCode(mailDomain);
        domain.setDescription(mailDomain);
        domain.setObsolete(new Boolean(false));
        domain = service.create(domain);
    }
    return mailDomain;
    => mailDomain

You can find a set of sample scripts on the Sample scripts page. The SCIM Query Language used in some methods, such as findUserByJsonQuery("query"), is described in the SCIM chapter. A set of custom utility classes is described on the Utility classes page.

Password synchronization

The passwords a user has on an agent are synchronized with any other "single user" account the user has on this agent. Shared accounts never get their password synchronized. The password on an agent is also synchronized with any other account the user has on other agents that share the same password domain. The password change can be produced by an operator using the Soffid console, by the user through the Soffid Self Service portal, or by a timed automatic task. Furthermore, some managed systems can forward their passwords to Soffid in order to get them synchronized. In order to accept these password changes coming from managed systems, the Trust passwords box must be checked for the source agent.
Mind that this is the flow for normal user passwords. Temporary passwords generated by the Soffid console are only sent to agents marked as trusted; agents not marked as trusted receive a random new password instead. Later, when the user changes the password on Soffid or on any trusted system, the managed system notifies the new password to Soffid and every agent in the same password domain actually receives it.

Agents account management
The agent configuration sets how accounts are created and disabled. Whenever a user is modified, the following rules are applied to decide whether the user should have an account on the agent:
1. The user type is checked against the agent's valid user types.
2. If a business unit or group is bound to the agent, the user's membership is assessed.
3. If the role based box is checked, the system verifies that the user has some role or entitlement assigned on this agent.
If the user fails any of the conditions, every account the user has on this agent is changed to Disabled status. If the user meets every condition, the user can have an account on this agent and every account the user already has there is changed to Enabled status.
Unless "Manual account creation" is checked, if the user may have an account on this agent but has none, the account creation method is invoked. Soffid looks up the user domain (account naming rule) bound to the agent and follows its configuration. If the user domain is configured with a script, the script is executed and its result is taken as the new account name. If the script returns null, no account is created. If the returned name clashes with an existing account, the existing account remains unchanged, unless it is marked as an unmanaged account; in that case the account is changed from unmanaged to single user.
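The rules of this section, modelled in Python as an added example (not Soffid code): the three eligibility checks, the manual account creation flag, and a user domain modelled as a creation condition plus a naming script that may return null. The data classes, attribute names, sample users and pre-existing accounts are assumptions; the condition and script mirror the kind of expressions used in account naming rules (a mail-domain check and shortName@mailDomain as the account name):

```python
# Added example: a model of the account rules applied when a user is modified,
# as described above. It is not Soffid code. The user domain (account naming
# rule) is modelled as a condition and a naming script; the data classes,
# attribute names and sample users are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class User:
    user_name: str
    user_type: str
    groups: set
    roles_on_agent: set                  # roles or entitlements granted on this agent
    attributes: dict = field(default_factory=dict)


@dataclass
class Account:
    name: str
    owner: Optional[str]                 # None for an unmanaged account
    kind: str                            # "single", "shared" or "unmanaged"
    status: str = "Enabled"


@dataclass
class Agent:
    valid_user_types: set
    bound_group: Optional[str]
    role_based: bool
    manual_account_creation: bool
    condition: Callable[[User], bool]          # "Create account condition"
    script: Callable[[User], Optional[str]]    # naming "Script"; None = no account
    accounts: dict = field(default_factory=dict)   # account name -> Account


def user_applies(agent, user):
    """The three eligibility checks: user type, bound group, role based."""
    if user.user_type not in agent.valid_user_types:
        return False
    if agent.bound_group is not None and agent.bound_group not in user.groups:
        return False
    if agent.role_based and not user.roles_on_agent:
        return False
    return True


def on_user_modified(agent, user):
    """Apply the rules and return the actions taken, as strings."""
    owned = [a for a in agent.accounts.values() if a.owner == user.user_name]
    if not user_applies(agent, user):
        for acc in owned:
            acc.status = "Disabled"
        return [f"disable {acc.name}" for acc in owned]
    for acc in owned:
        acc.status = "Enabled"
    actions = [f"enable {acc.name}" for acc in owned]
    if owned or agent.manual_account_creation:
        return actions
    # No account yet and automatic creation: run the naming rule
    if not agent.condition(user):
        return ["no account: condition not met"]
    name = agent.script(user)
    if name is None:
        return ["no account: script returned null"]
    existing = agent.accounts.get(name)
    if existing is None:
        agent.accounts[name] = Account(name, user.user_name, "single")
        return [f"create {name}"]
    if existing.kind == "unmanaged":
        existing.kind, existing.owner = "single", user.user_name
        return [f"take over unmanaged {name}"]
    return [f"clash on {name}: existing account left unchanged"]


def demo():
    # Naming rule equivalent to: condition "soffid.com".equals(user.mailDomain),
    # script user.shortName + "@" + user.mailDomain (null when shortName is unset)
    agent = Agent(
        valid_user_types={"I"}, bound_group="IT", role_based=True,
        manual_account_creation=False,
        condition=lambda u: u.attributes.get("mailDomain") == "soffid.com",
        script=lambda u: (u.attributes["shortName"] + "@" + u.attributes["mailDomain"]
                          if u.attributes.get("shortName") else None),
        accounts={
            "bob": Account("bob", "bob", "single"),
            "dave@soffid.com": Account("dave@soffid.com", None, "unmanaged"),
            "erin@soffid.com": Account("erin@soffid.com", "someone", "single"),
        })
    soffid = {"mailDomain": "soffid.com"}
    users = [
        User("alice", "I", {"IT"}, {"ADMIN"}, {**soffid, "shortName": "alice"}),
        User("bob", "E", {"IT"}, {"ADMIN"}, {**soffid, "shortName": "bob"}),   # invalid user type
        User("carol", "I", {"IT"}, {"USER"}, dict(soffid)),                     # no shortName
        User("dave", "I", {"IT"}, {"USER"}, {**soffid, "shortName": "dave"}),  # unmanaged clash
        User("erin", "I", {"IT"}, {"USER"}, {**soffid, "shortName": "erin"}),  # managed clash
        User("frank", "I", {"IT"}, {"USER"}, {"mailDomain": "example.org", "shortName": "frank"}),
    ]
    return {u.user_name: on_user_modified(agent, u) for u in users}


if __name__ == "__main__":
    for name, actions in demo().items():
        print(name, actions)
```

The two clash cases are the ones worth reviewing in a real deployment: a name collision with an account owned by someone else is silently left alone, so a naming script that can produce duplicates (initial plus surname, for instance) leaves users without an account rather than failing loudly, and an unmanaged account is handed to whichever user the script first maps onto it.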
Monitoring
After configuring the agent, you can check on the Sync server monitoring page whether the service is running on the Synchronization Server. On the same screen you can check whether the agent has pending tasks.

Authoritative task
If "Authoritative identity source" is checked, an automatic task that loads identities from the managed system into Soffid is available; its name ends in ": Load authoritative data for identities and groups". You can also run the authoritative load from the Massive actions tab of the agent.

Reconcile task
If you have configured the "Attribute mapping" tab for some of the objects user, account, role, group or grant, an automatic task that synchronizes those objects from the managed system into Soffid is available; its name ends in ": Reconcile (load target system objects)". You can also run the reconcile from the Massive actions tab of the agent.

Synchronization
Regarding the synchronization of objects, there are two options:
If the "Read only" attribute in the "Basics" tab is set to Yes, only changes made in the managed system are propagated to Soffid. We recommend this setting until the global Soffid configuration has been tested.
If the "Read only" attribute is set to No, changes made either in Soffid or in the managed system are propagated to the other side.
Note that this synchronization must be configured correctly in the "Basics" tab.

Synchronization servers
Description
The sync server is the engine responsible for connecting Soffid with data sources and managed systems. Soffid allows you to configure several synchronization servers. They are installed and configured using a command line tool. More information about how to install a sync server, in different environments, is available in the Installation chapter.
There are several types of synchronisation servers, each with its own function within the Soffid architecture; they are described in the Standard attributes section.

About tasks and systems
Whenever an action is performed on any Soffid object, a synchronization task is created in the Soffid database. Initially most tasks are forwarded to every managed system connector; the specific connector is responsible for applying (or ignoring) the task on its managed system. The normal synchronization server flow for a task is:
1. The engine periodically reads the pending tasks table (SC_TASQUE). To prevent two sync servers from processing the same task, the TAS_SERVER column is updated to record the server that is processing it.
2. The engine manages task priorities and updates the task queue. It keeps one task queue per managed system connector. The parameter soffid.sync.engine.threads sets the number of threads available to run tasks; see the Soffid Parameters page.
3. The engine's execution threads forward each task to the specific connector class. During this process the dispatcher may decide to reject the task (mark it as done) without forwarding it.
4. The specific connector class gets additional information about the task from the core services.
5. The task is removed from the database once every dispatcher has completed it.
This architecture and its optimized engine allow Soffid to achieve high throughput.

Screen overview

Related objects
Agents: all agents are executed on one or more synchronisation servers.
Tenants: the plugins are managed in the master tenant.
Sync server monitoring: where the synchronisation servers are monitored.

Standard attributes
Name: name of the synchronization server. It is the name specified in the configuration and cannot be changed from the user interface.
URL: URL of the synchronization server (https://{name}:{port}/).
Type: there are different kinds of synchronization servers:
Synchronization server: also known as the principal sync server. It connects to the main database and allocates tasks to the different agents. If more than one is configured, they balance the workload and distribute the synchronisation tasks among themselves.
Synchronization agent proxy: uses a push mechanism. The main synchronization server sends tasks to the proxy when it detects tasks for it. This server does not connect to the main database.
Remote synchronization server: uses a pull mechanism. The remote server asks for its tasks; when it asks and the synchronization server has a task for it, the synchronization server sends that task. This server does not connect to the main database.
Synchronization agent gateway: the broker between the main synchronization server and the remote servers.
Java options: additional parameters to pass to the JVM (Java Virtual Machine).
Some useful parameters:
For a high capacity server: -Xmx1024M
For debugging TLS communication: -Djavax.net.debug=ssl
To let the sync server use old TLS versions in client connections (from the sync server to a managed system), add -Djdk.tls.client.protocols=TLSv1,TLSv1.1. Bear in mind that this property replaces the default protocol list, so a sync server that still has to speak TLS 1.2 to other systems must list it as well (for example TLSv1,TLSv1.1,TLSv1.2). TLSv1.2 is the default version; only some old applications still require TLSv1.
To let the sync server accept old TLS versions on incoming connections (from a server or desktop to the sync server), add -Dsoffid.tls.protocols=TLSv1.1,TLSv1,TLSv1.2,TLSv1.3 -Dsoffid.tls.excludedCiphers="^.*_(MD5)$". The second property excludes the cipher suites whose name matches the regular expression, in this case every suite using MD5.
Mind that system security is weakened by enabling deprecated TLS protocols (TLS 1.0 and 1.1 are formally deprecated): enable them only for the systems that really need them and remove the option once those systems are upgraded.
To define how long Java keeps DNS (domain name resolution) responses in its cache, the "time-to-live" (TTL), add -Dsun.net.inetaddr.ttl=1. The newer equivalent is the security property networkaddress.cache.ttl, set in the JVM's java.security file.
If you change the Java options of an existing sync server, you need to restart it. See the Sync server monitoring page for how to restart the sync server.

Actions
Table actions
Download CSV file: downloads a CSV file with the information of all synchronization servers.
Synchronization server detail
Apply changes (disk button): saves the synchronization server data.
Delete synchronization server: to delete a sync server, click the "three points" icon and then the Delete synchronization server button. Soffid asks for confirmation; you can confirm or cancel the operation.
Undo: undoes any changes made.
Apply changes: saves the synchronization server data. Once you apply changes, the details page is closed.

Account naming rules
Definition
Account naming rules define how account names are generated for target systems. In the normal case the account name is the same as the user name; for other cases you can define customized account naming rules here.
When configuring an agent you have to indicate the user domain to be used to create new accounts; that user domain refers to an account naming rule defined in the Soffid console.

Screen overview

Related objects
Agents: an account naming rule is selected for each agent.
Accounts: when an account is created without an explicit name, the system uses the naming rule to generate one.
Users: when an account is added to a user, the naming rule proposes the generated name (which can be modified during the process).

Standard attributes
Code: code used to identify the account naming rule.
Description: a brief description of the rule. This value is displayed when selecting the user domain in the agent's setup.
User domain type: defines how the account name is obtained:
Same as user name: use the main user name.
Assigned manually: the operator assigns the account name.
Generated by script: allows you to configure a creation condition script and a naming script.
Create account condition: defines the condition that enables or prevents the creation of the account. Only available when "Generated by script" is selected as the user domain type.
Script: computes the name to assign to the user's account. If the script returns null, the account is not created. Only available when "Generated by script" is selected as the user domain type.

Actions
Table actions
Add new: adds a new account naming rule to the system. The required fields must be filled in.
Delete user domain: removes one or more account naming rules by selecting one or more records in the list.
Download CSV file: downloads a CSV file with all the information about the account naming rules.
Import: uploads a CSV file with account naming rule configuration to add new rules to the system.
First pick a CSV file with the expected layout, then check its contents, and finally map each CSV column to the right field and click the Import button.

Account naming rules detail
Apply changes (disk button): saves the account naming rule data.
Delete user domain: to delete an account naming rule, click the "three points" icon and then the Delete user domain button. Soffid asks for confirmation; you can confirm or cancel the operation.
Undo: undoes any changes made.
Apply changes: saves the account naming rule data. Once you apply changes, the details page is closed.

Others
Adding a new account
1. Create a new account naming rule.
2. Configure it in an agent.
3. In a user, add a new account for that agent.

Script examples
Condition
Only users with a mail address in soffid.com can have an account:
    "soffid.com".equals(user.mailDomain)
When the account name depends on another attribute (check that it has a value):
    attributes.get("userCode") != null && !attributes.get("userCode").isEmpty()
Script
Use the e-mail address as the account name:
    user.shortName + "@" + user.mailDomain
User name in upper case:
    user.userName.toUpperCase()
When the account name depends on another attribute (the condition above checks that it has a value):
    attributes.get("userCode")

Attribute translation tables
Definition
Soffid provides an easy to use mechanism to translate references or external codes into internal codes. For example, the HR application may use a different coding scheme for business units. To deal with this mismatch, users can extend the data model or use translation tables. This screen allows the user to create and maintain such tables. The tables can also be downloaded or uploaded as CSV files, which enables importing data kept in spreadsheets.
Translation tables are typically used, but not exclusively, in attribute translation expressions and in trigger scripts, through the serverService interface. Before using attribute translation tables, bear in mind that Soffid offers attribute expansion for some objects and also allows the creation of custom objects with their own attribute definitions. Analyse which solution best suits your needs; see the Metadata screen.

Screen overview

Related objects
Metadata: custom objects are an alternative for storing and updating data.
Custom scripts: page to test or use the attribute translation tables.

Standard attributes
Domain: the domain column is the translation table name.
Column 1 to Column 5: values whose meaning is user defined.

Actions
"Query search": allows you to query translation tables with the different search modes: Quick, Basic and Advanced.
Add new: adds a new attribute translation; a new row is added to the table to fill in. It is mandatory to apply changes to save the data.
Delete translation: removes one or more translations by selecting one or more records and then clicking this button. Soffid asks for confirmation; you can confirm or cancel the operation.
Download CSV file: downloads a CSV file with the information of all attribute translation tables.
Import: uploads a CSV file with attribute translation table data to add to the system. First pick a CSV file with the expected layout, then check its contents, and finally map each CSV column to the right field and click the Import button.
Undo: undoes any changes made.
Apply changes: saves new or updated attribute translation tables.

Examples
The following scripts run from the console's custom scripts page and use the attribute translation service (comments added here).

Example 1: list the rows of the CENTROS table whose column 1 is "Madrid"
    lCentros = serviceLocator.getAttributeTranslationService().findByColumn1("CENTROS", "Madrid");
    if (lCentros != null) {
        for (var i = 0; i < lCentros.length; i++) {
            if (lCentros[i] != null) {
                out.println("** Centro - " + lCentros[i].column1 + " - " + lCentros[i].column2
                    + " - " + lCentros[i].column3 + " - " + lCentros[i].column4);
            }
        }
    }

Example 2: fetch every row of the SERVER_COPIAS table (null columns act as wildcards)
    lServer = serviceLocator.getAttributeTranslationService().findByExample("SERVER_COPIAS", null, null);
    if (lServer != null) {
        out.println("** SERVER_COPIAS - " + lServer);
    }

Example 3: rename translation tables (the domain is the table name)
    void rename(String currentDomain, String newDomain) {
        lat = serviceLocator.getAttributeTranslationService().findByExample(currentDomain, null, null);
        for (at : lat) {
            at.domain = newDomain;
            serviceLocator.getAttributeTranslationService().update(at);
            out.println("Renamed: " + at.domain + ", " + at.column1 + ", " + at.column2 + ", " + at.column3);
        }
    }
    rename("COUNTRY", "COUNTRY_COMPANY");
    rename("TEST", "TEST_COMMAND");

Example 4
    lt = serviceLocator.getAttributeTranslationService().findByExample("COUNTRY", null, null);
    for (var i=0; i

Workflow settings
Configure Workflow engine
Description
This page groups several features related to the workflow engine.
Document manager
Soffid can use any document repository to store documents generated by workflows, the reporting addon, or any other addon. The repository can be a local directory or a remote one accessed using the FTP, SMB or HTTP protocols. Depending on the protocol selected, additional parameters may be needed.
Text index
The Soffid console maintains a textual index that allows searching for active or finished processes using full text search. The textual index can be updated from this page.
The textual index is not stored in the database but in the filesystem; from this page you can set the directory where it is stored. Because it lives in non-transactional storage it can occasionally get corrupted; in that case, pressing the "Rebuild index" button rebuilds it from scratch.
Task scheduler
Parts of a workflow need to be handled in the background, which requires a process that runs regularly. This process executes the logic nodes and timers configured to run at a specific time.

Screen overview

Related objects
Configure Workflow engine: where the workflow engine is configured.
Business process definition: where workflows are published.
BPM editor: where to create or modify workflows.
My tasks: pending workflows where the user has to perform an action for the workflow to continue.
My requests: the workflows the user can initiate are listed here.
My requests > Query request status: to search for all processes started by oneself.
Process search: to search for all processes.
Metadata: to add attributes to display in the search tables.
Scheduled jobs: shows active workflows with pending asynchronous tasks.

Standard attributes
Document strategy: the possible configurations are:
Database (default): documents are stored in Soffid's own database.
Local: Temporary local file path.
CIFS: a specific implementation of SMB.
Its attributes: Server (domain name of the server), File path (path on the server), Temporary local file path (folder inside the Soffid home directory), User name, Password.
FTP: Server (domain name of the server), File path (path on the server), Temporary local file path (folder inside the Soffid home directory), User name, Password.
HTTP: Server (URL of the service), Temporary local file path (folder inside the Soffid home directory), User name, Password.
Text index settings: if you change the directory, all global processes have to be re-indexed.
Task scheduler: attributes shown in query mode:
Status: Started / Stopped.
Number of threads: 1 by default.
Wait interval in seconds: how often the process checks whether it has pending tasks.

Actions
View actions
Expand all: displays all the attributes of the different blocks.
Collapse all: hides all the attributes of the different blocks.
"Types of views": changes the view type: Classic view, Modern view, Compact design.
Document manager actions
Update: saves the changes.
Cancel: undoes any changes made.
Backup: downloads a zip file containing all the files.
Restore: uploads a zip file to restore all the files.
Text index actions
Rebuild index: regenerates from scratch the text index used to search workflows, as well as the attributes configured with this type of search. Depending on the volume of data in your system, this process may take quite some time.
Task scheduler actions
Stop / Start: Stop shuts down the service, Start restarts it.

Business process definition
Description
Soffid includes a BPM (Business Process Management) engine in its Smart Engine to provide workflows integrated with the processes and policies of the Soffid core. To add functionality to the console, you can upload business processes (a.k.a.
workflows) available in the Soffid download area, and enable or disable existing ones. An existing process definition can be updated by uploading a new version. If a workflow is disabled, processes already initiated and pending can be finalized, but the workflow can no longer be started. Note that the workflows managed by this page are provided by Soffid or generated with an external tool. Soffid has a BPM add-on that allows you to create, update and publish these workflows directly from its editor.

Screen overview

Related objects
Configure Workflow engine: where the workflow engine is configured.
Business process definition: where workflows are published.
BPM editor: where to create or modify workflows.
My tasks: pending workflows where the user has to perform an action for the workflow to continue.
My requests: the workflows the user can initiate are listed here.
My requests > Query request status: to search for all processes started by oneself.
Process search: to search for all processes.
Metadata: to add attributes to display in the search tables.
Scheduled jobs: shows active workflows with pending asynchronous tasks.

Standard attributes
Process: name of the process.
Version: version of the process.
Deployed by: user who performed the last upload of the workflow.
Date: date and time of the last upload of the workflow.
Change status: enables or disables the workflow as needed.
Deployment results: displays the log produced when the workflow was uploaded.

Actions
Show disabled: No by default. If you select Yes, all workflows are displayed, both enabled and disabled.
Add new: pick a process definition and upload it; Soffid then uploads and deploys the process. This option adds new workflows or updates existing ones.
You can upload a process defined with the BPM editor and previously exported (.pardef) or a process defined by code (.par).
Enable / disable: enables or disables a workflow. When a workflow is enabled, all users with the proper permission can launch the process. When it is disabled, no user can start a new instance of the process.
Download: downloads the workflow. Workflows generated with the BPM add-on must be exported from there.

BPM editor (addon bpm)
Description
BPM is a technology for modelling, implementing and executing processes automatically, to improve efficiency and productivity in support of enterprise goals. Soffid includes a BPM (Business Process Management) engine in its Smart Engine to provide workflows integrated with its processes and policies. The BPM editor add-on lets Soffid administrators create, configure and publish business processes easily.
The add-on provides templates for new workflows; the template depends on the process type selected when adding a new business process. The following templates are available: User management, Permissions management, Account reservation, Permissions request, Delegate roles. See the Process types chapter for more information.
Once a workflow is published with the proper configuration, users with the right permissions can start, approve or observe it from the "My requests" option; see the My requests page.
When a workflow is deleted in the BPM editor, it remains available for execution. If you do not want a workflow to be executed, disable it on the "Business process definition" page. If you disable a workflow, processes already initiated and pending can be finalized, but the workflow can no longer be started. A workflow can be updated with a new version.
Processes started with the previous version continue with the previous definition, and processes started after the update use the new version.
Two concepts are used to explain a process: identity and end-user. The identity is the user that is created, updated or deleted in the Soffid console. The end-user is the Soffid user who requests processes through the self-service portal.

Screen overview

Related objects
Configure Workflow engine: where the workflow engine is configured.
Business process definition: where workflows are published.
BPM editor: where to create or modify workflows.
My tasks: pending workflows where the user has to perform an action for the workflow to continue.
My requests: the workflows the user can initiate are listed here.
My requests > Query request status: to search for all processes started by oneself.
Process search: to search for all processes.
Metadata: to add attributes to display in the search tables.
Scheduled jobs: shows active workflows with pending asynchronous tasks.

Standard attributes
Processes list: the list of the processes already created or imported.
Process: identifier name of the workflow.
Summary tab
This area of the form displays general information about the business workflow and the main operations to perform; the actions are described under Process editor actions.
Process name: identifier name of the workflow. This name is used to label the workflow for the end-user. The BPM editor lets you organize processes into folders by typing the folder name followed by "/" (configuration: folder/name; My requests then shows the folder, for example a Users folder, containing the workflow).
Process type: categorizes the process. There are several process types, each with its own template:
User management: used to create and update identities and their attributes.
Permissions management: used to create, update and remove permissions and accounts of identities.
Permissions request: used to request permissions.
Account reservation: used to check out privileged accounts. In this case initiators must be -nobody-, that is, nobody can start the process directly.
Delegate roles: used to delegate permissions to another user.
Description: a brief description of the workflow. When an end-user starts a workflow, this text is displayed in the Actions log tab.
Initiators: the roles or identities allowed to start a new instance of the workflow from the console and the self-service portal, e.g. the "admin" identity, the "SOFFID_ADMIN" role, or both separated by a comma, as in "admin,SOFFID_ADMIN". To publish the workflow to everyone, use the text "tothom" or the character '*'. For an Account reservation process this value must be -nobody-, so that nobody can start the process directly.
Managers: the roles or identities allowed to perform tasks in the workflow, such as approving permissions or cancelling the workflow.
Observers: the roles or identities allowed to open the workflow in read-only mode.
Diagram tab
This tab displays the workflow diagram. The editor lets you edit a node, edit a transition, add nodes and transitions, or redistribute the diagram.
Steps
Several step types are available to define the properties and behaviour of the process. Each step has properties common to all types and properties specific to its type. Workflows come with default steps, which can be deleted or updated, and further steps can be added. Each step has a detail view to set up its properties and behaviour. The default steps are:
Start: defines the beginning of the workflow.
Screen: defines a form that must be filled in by the end-user.
Apply changes: shows the manager a form with the changes that must be approved.
End: defines the end of the workflow.
Other steps available to customize your business process:
Detect duplicated user: detects duplicated users.
Grant approval: shows the manager a form with the changes that must be approved.
Script action: defines a script to be executed at this point. It can be configured as asynchronous.
Mail: configures sending an e-mail.
Fork: splits the process into two or more paths that run in parallel, allowing multiple activities to run simultaneously.
Join: combines two or more parallel paths into a single path.
Decision: defines a script that decides the next step. The script must return the name of the transition to follow (e.g. return "transitionName").
Timer: can be an independent node or part of an existing node; it determines when the action runs. The Time to trigger field accepts hours, minutes, seconds, days, or a date expression such as #{fecha}.
System call: sets up a call to a specific system. See the Invoker for Shell connector and the Invoker for Active Directory connector.
Step details
All steps have the following detail data:
Step name: identifier name of the step.
Step type: type of the step to be configured.
Description: a brief description of the step.
Step tabs
All steps have tabs for more detailed configuration; the tabs depend on the step type:
Task details: additional custom attributes that depend on the step type.
Fields: object attributes to be managed in the workflow form.
Triggers: scripts executed depending on the selected trigger.
User queries: user queries.
Incoming transitions: manage the incoming transitions and their actions.
Outgoing transitions: manage the outgoing transitions and their actions.
Attributes tab
The Attributes tab allows you to create custom attributes used to configure the workflow. The defined attributes are mapped to Soffid data in the Steps tab. The templates that depend on the selected process type provide default attributes that you can customize.
Code: used internally as an identifier by the system. Keep it short, without spaces, using upper case to separate words.
Label: label displayed on the web page; a name or a short description.
Data type: data type of the attribute value: basic types such as String or Boolean; extended types such as Photo or E-mail; default Soffid objects such as User or Group; your own custom objects created in Soffid.
Multiple values (optional): if enabled, the attribute may contain more than one value.
Size (optional): maximum length of the value.
Values (optional): a set of values offered to the user as a list.

Actions
Process list actions
Add new: adds a new workflow to Soffid. Set a name, select the process type and accept. Soffid opens the process editor to configure the process; finally, save the process configuration, or save and publish. If you cancel, Soffid does not save the process definition.
Import: imports a workflow from a .pardef file. This is useful to restore a workflow from a backup (a previously exported workflow), to deploy a workflow from one environment to another (for instance from Test to Live), or to start a new workflow from a template. Click the button, pick a .pardef file, and save the process or save and publish. Soffid asks for confirmation; if you confirm, Soffid imports the process definition, and if you cancel it does not upload or save it. Only workflows defined with the BPM editor can be loaded with this option.
"Edit process": edits a workflow by clicking its row. Then update the process definition and save, or save and publish.
Delete process definition: deletes a workflow. Select a process row to enable the delete button. When a process is deleted here it remains available for execution; to make it unavailable, disable it on the Business process definition page.
Summary tab actions
Save: saves all changes to the workflow, whether it is new or updated.
Save and Publish: saves the changes and publishes the workflow for use in Soffid. After this action the latest version of the workflow is available to end-users (with the proper permissions) in the Soffid console and self-service portal on the My requests page, and that version is recorded on the Business process definition screen.
Cancel: quits the process editor without saving changes. Soffid asks for confirmation to exit without saving.
Export process: exports a workflow to a .pardef file.
You can choose that option clicking the "three points" icon. Automatically Soffid will download a .pardef file with the process definition. Diagram tab actions "Transition icons" Allws you to add or update transitions. Select Pan Connect Connect Image "Edit icons" Allows you to delete an existing step. To delete a step you must click "trash" icon, the last of the edit icons. Undo Redo Cut Copy Paste Delete šŸ’» Image "Step icons" Allows you to add a new step to the workflow by selecting the action from the tool bar. When a new step is added, it will be mandatory to configure it.Ā  Start state End state Fork Join Decision System Node Task Mail TimerĀ  šŸ’» Image "Size icons" Allows you to change the size view of the diagram. Zoom out Zoom in Fit Actual sizeĀ  Image Diagram tab > step node > fields tab actions Add new Allows you to add a new attribute on the Attribute tab. You need to click the "New field" button and Soffid will show a new row to fill in. For each new field you may define: Label : allows you to give a name to that field. That label will be shown on the process form to final users. Name : allows you to select an identity attribute or specific attribute defined for that process. That will be the field type (e.g. selector, input field, date field...) ReadOnly : allows you to determine if this field could be updated. Required : allows to enable an attribute as a mandatory Validation : this allows you to add a custom script with validation rules. Visibility : this allows you to add a custom script to determine the visibility of that field. SCIM Filter : allows you to define a SCIM filter to get the data (e.g. userType eq "E") šŸ’» Image Delete Allows you to delete a field. To delete a field you must click on the subtract icon (-) that is at the end of the same line. Order (icon) Allows you to sort the fields using drag and drop. 
Validation (icon)
Allows you to add a new customized script with validation rules.

Visibility (icon)
Allows you to add a new customized script to determine the visibility of that field.

SCIM query (icon)
Allows you to define a SCIM filter to get the data.

Triggers

Add new
Allows you to add a new trigger to perform actions.

Delete
Allows you to delete a trigger.

Action (icon)
Allows you to add a new customized script.

Incoming transition

New transition
Allows you to add a new incoming transition. You need to click the "New transitions" button, then Soffid will show a new row to fill in. For each new incoming transition you may define:
From: allows you to select where the workflow comes from.
Incoming transition: brief name to identify the transition.
To: current step.
Action: allows creating a custom script to perform specific actions.

Delete transition
Allows you to delete an incoming transition. To delete an incoming transition you must click on the subtract icon (-) at the end of the same line.

Action
Allows you to add a new customized script by clicking the pencil icon.

Outgoing transition

New transition
Allows you to add a new outgoing transition.

Delete transition
Allows you to delete an outgoing transition. To delete an outgoing transition you must click on the subtract icon (-) at the end of the same line.

Action
Allows you to add a new customized script by clicking the pencil icon.

Attributes tab actions

Add new
Allows you to add a new attribute to use to configure the step.

View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

Delete
Allows you to delete an attribute. To enable the delete button you must select one attribute.

Add value
Allows you to add a new value to the attribute.

Delete value
Allows you to delete a value. To delete a value you must click on the subtract icon (-) at the end of the same line.
Resources tab actions

Upload resources
Allows you to add files in a zip file as external resources to be used in the scripts.

Others

Workflows to import as examples:
User management --> User.pardef
Permissions management --> Permissions+request.pardef
Account reservation --> Account+reservation.pardef
Permissions request
Delegate roles

Configuration > Security settings

Authorizations

Definition

Soffid Console provides a granular access control system. That granular control system allows the administrator user to assign granular permissions to roles. Bear in mind that some permissions may inherit other permissions.

You cannot assign permissions directly to users. Instead, permissions are assigned to roles and roles are assigned to users, either directly or through grant inheritance. The roles may be created in the Soffid application system, but could also be included in any other application system.

Permissions are grouped into permission scopes. Most scopes are Soffid object types, but there is one special scope named Soffid that applies to Soffid Console web pages.

Addons can create their own authorizations, which will automatically appear on this screen. When a new addon has been installed and applied, the first thing to do is usually to assign permissions for this new addon. In fact, administrators won't be able to manage the addon unless they log out and log in again to get the newly created permissions.

The permissions given to roles and the roles given to users are cached by Soffid. In order to reapply permissions, the user should close their session and log in again.

Screen overview

Related objects
Users: authorizations are given to users through the roles that have been granted to them.
Roles: authorizations are granted to roles.
Information systems: roles are gathered into information systems.

Standard attributes

Table attributes
Scope: scope of application.
Name: name of the granular permission.
Description: brief description of the granular permission.
Roles: list of roles assigned to that granular permission.

Authorization attributes
Role: role name.
System: target system name.
Description: role description.
Information system: asset or application, from a functional point of view.
Domain: the role is limited to that scope.

Actions

Table actions

Download CSV file
Allows you to download a CSV file with the authorization data.

Import
Allows you to upload a CSV file with the authorization data to add to or update the granular control system. If they already exist, the values of the CSV file will prevail. First, you need to pick a CSV file; that CSV has to contain a specific configuration. Then you need to check the contents. Finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

Authorization actions

Add new
Allows you to add a new role to the authorization. First, you need to search for a role by writing the role name in the field, and Soffid will show the related values. Second, you can select one or more roles and accept. Finally, you need to apply changes to save the added roles. If you cancel that action, no role will be assigned.

Delete
Allows you to delete one or more roles from an authorization. To delete one role, click the subtraction symbol (-) located at the end of the row of the role you want to delete, and then apply changes. To delete more than one role, select the roles you want to delete, click the subtraction symbol (-) and then apply changes. It is mandatory to apply changes to save the deleted roles. Soffid will ask you for confirmation to perform that action; you can confirm or cancel the operation.

Undo
Allows you to quit without applying any changes.

Apply changes
Allows you to update the changes made on the authorization.

Select role actions

Undo
Allows you to quit without applying any changes.
Apply now
Allows you to add the role or roles to the authorization.

Examples

End user for identity self service. A Soffid role is created for this functionality. This role is assigned to the authorizations we require. The role is assigned to a user. The user will only be able to access the pages and actions permitted by their authorizations.

Authentication

Definition

This page gathers different types of settings that may affect user authentication in the Soffid Console. Soffid can use different kinds of external authentication sources. These mechanisms can be selectively enabled or disabled.

Screen overview

Related objects
Users: users must have an enabled Soffid account.
Identity provider: users can log in with the Soffid IdP or another external IdP.
Console log: to check the console logs.
Account naming rules: to configure the LinOTP service.

Standard attributes

Global status
Soffid server host name: URL generated in the installation configuration.
Enforce TLS connections to Soffid console: if you check this option, it is mandatory to restart the Soffid Console. Once you check the Enforce TLS connections to Soffid Console option, there is no easy way to go back. You should use this option only in Production environments.
Maintenance mode (only administrators can log in): if this option is checked (value is Yes), only administrators can connect to the Soffid Console.
Message to display before logging in: administrators can configure a banner that will be displayed before the user logs in. This banner will display security advice.
Session timeout in minutes: time in minutes it takes for the console to display the message indicating that the session is being closed. If nothing is indicated, the session does not expire.

Username and password
Enabled: the only attribute enabled by default in the installation of Soffid. It is the internal username and password authentication mechanism. Therefore, the authentication is made with the username and password of the Soffid account.
Forward authentication requests to trusted target systems: to use external username and password sources. Therefore, the authentication is made with the username and password of an account of an external system. This authentication applies only to agents that have "Trust password" checked in the agent configuration. For more information about agents please visit the Agents page.
If the password entered by the user does not match the Soffid account (if the attribute "Enabled" is checked), the Soffid core will issue a "ValidatePassword" task for each trusted target system (with "Trust password" checked). If any of the trusted target systems accepts the password, it will be hashed and stored in Soffid tables and the login will be accepted. Be aware that this password change in Soffid will affect all systems that share the same password domain (defined in the password policies).

External SAML identity provider
It should be noted that this feature does not depend on the federation addon. It is a feature included by default in the Soffid smart engine that allows you to include in the authentication flow a mechanism to use a third-party SAML system. Soffid's own identity provider can also be used.
Enable: check it (select value Yes) to use an external SAML Identity Provider.
Soffid Server host name: the URL that will be used by the external IdP. This URL will be resolved by the end user's browser in order to send the SAML assertion.
SAML federation metadata URL: the URL where federation information can be found. If the Soffid Console can fetch federation metadata, the Identity provider drop-down will be filled in with any identity provider found in the federation metadata URL.
Cache limit (seconds): how often the federation information will be refreshed. By default, 10 minutes will be taken.
Identity provider: Identity Provider to use for authentication.
Enable SAML debug log: displays more trace in the Console log files.
Finally, download the Soffid Console metadata and load it into your SAML Identity Provider federation.

If the SAML Identity Provider is enabled as well as username and password, the user will have the chance to select the preferred authentication method. Otherwise, if only SAML is enabled, the user will be automatically redirected to the SAML Identity Provider.

Office 365 as External SAML identity provider

Introduction
Steps to configure Office 365 as External SAML identity provider.

Step-by-Step
1. Open https://portal.azure.com
2. Open Microsoft Entra ID and then select the Enterprise applications option.
3. Select All applications and click New Application.
4. Select Create your own application.
5. Type the name of your app and select the "Integrate any other application you don't find in the gallery (Non-gallery)" option.
6. Click on Set up single sign on.
7. Click the SAML option.
8. Enter the Basic SAML Configuration and Save:
Identifier: https:///soffid-iam-console
Reply URL: https:///soffid/saml/log/post
Sign on URL: https:///soffid/
Logout URL: https:///soffid/saml/slo/post
9. Configure Attributes & Claims and change the attributes and claims to send the mailnickname as the user identifier (nameid).
10. Copy the App Federation Metadata Url.
11. Configure the External SAML identity Provider in the Soffid Console Authentication page.
12. Optional: enable any user to log in.

API webservice authentication
Soffid allows you to configure the way to verify the identity of a user or system accessing the Soffid Web Service, to ensure that only authorized entities can interact with the service. This web service is included in the SCIM addon, which must be installed previously.
User name and password: allows you to use user and password to access the Soffid Web Service.
JWT token: allows you to use a JWT token to access the Soffid Web Service.
JWT configuration URL: URL where the jwks.json is available to download.
JWT issuer: identifies the principal that issued the JWT.
JWT audience: identifies the recipients that the JWT is intended for.
Maximum requests per user and minute: maximum requests per user and minute.
Maximum global requests per minute: maximum global requests per minute.
Maximum request size: maximum request size.
Bear in mind that the Identity Provider needs to have the OpenID profile enabled. Also, the Identity Provider certificate must be in the Console cacerts.

Enable LinOTP integration
Soffid allows you to use an external OTP, LinOTP in this case. If you decide to use LinOTP, Soffid can be configured to request the user to authenticate using a second factor to perform certain actions. Otherwise, you can use the Soffid OTP.
Enabled: check it (select value Yes) to enable the LinOTP integration.
LinOTP server URL: URL of your LinOTP service.
LinOTP admin username: username of the admin account used by Soffid.
LinOTP admin password: password of the admin account used by Soffid.
LinOTP users domain: the users domain for LinOTP authentication. The selected user domain will derive the LinOTP username for any Soffid identity. It is extremely important when LinOTP users do not match Soffid usernames. Please visit the Account naming rules page for more information.
If you want to configure the Soffid OTP you can visit the Two factor authentication (2FA) chapter.

Second Factor Authentication configuration
Pages that optionally require OTP authentication for users with an enabled token: (Optional) If a URL optionally requires OTP authentication and the user does not have any OTP token, access will be granted. Otherwise, if the user has an OTP token, the OTP value will be required, and no access will be allowed until the user provides the right token value. You can include the list of pages that require the second factor only for users with a token.
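How the two page lists of this section combine with token enrolment, shown as an added Python example (not Soffid code) that covers both the optional list above and the list of pages that require OTP for any user described next. The request paths and regular expressions are constructed samples, and the evaluation order (strict list first, then the optional list) is an assumption, since the console's matching internals are not documented here.

```python
"""Added example, not Soffid code: how the two page lists of the Second Factor
Authentication configuration decide whether an OTP challenge is raised.

Assumptions (the console's matching internals are not described on this page):
  * each list entry is a regular expression searched against the request path;
  * the strict list ("any user") is checked before the optional list.
All paths below are constructed sample values.
"""
import re

GRANT = "grant"              # page served, no second factor
REQUIRE_OTP = "require_otp"  # popup asks for the token value before access
DENY = "deny"                # strict page and the user owns no token


class SecondFactorConfig:
    def __init__(self, optional_pages, strict_pages):
        # "Pages that optionally require OTP authentication for users with an enabled token"
        self.optional = [re.compile(p) for p in optional_pages]
        # "Pages that require OTP authentication to any user"
        self.strict = [re.compile(p) for p in strict_pages]

    @staticmethod
    def _matches(patterns, path):
        return any(p.search(path) for p in patterns)

    def decide(self, path, user_has_token):
        """Return GRANT, REQUIRE_OTP or DENY for one request."""
        if self._matches(self.strict, path):
            # Strict pages: a user without a token is not allowed to use them
            return REQUIRE_OTP if user_has_token else DENY
        if self._matches(self.optional, path):
            # Optional pages: only users who own a token are challenged
            return REQUIRE_OTP if user_has_token else GRANT
        return GRANT


# Constructed configuration. The optional pattern is one way to write the
# page's "all pages except those containing menu.zul or otp.zul" rule.
CONFIG = SecondFactorConfig(
    optional_pages=[r"^/soffid/(?!.*(?:menu\.zul|otp\.zul)).*\.zul$"],
    strict_pages=[r"/example/security/[^/]+\.zul$"],
)


def audit(config, requests):
    """Evaluate (path, user_has_token) pairs; returns (path, token, decision) triples."""
    return [(path, has_token, config.decide(path, has_token))
            for path, has_token in requests]


def dry_run():
    # Constructed requests: the same pages with and without an enrolled token
    requests = [
        ("/soffid/example/menu.zul", True),                # excluded by the regex
        ("/soffid/example/otp.zul", True),                 # excluded by the regex
        ("/soffid/example/users.zul", True),               # optional, token -> OTP
        ("/soffid/example/users.zul", False),              # optional, no token -> grant
        ("/soffid/example/security/settings.zul", True),   # strict, token -> OTP
        ("/soffid/example/security/settings.zul", False),  # strict, no token -> deny
    ]
    return audit(CONFIG, requests)


if __name__ == "__main__":
    for path, has_token, decision in dry_run():
        print(f"{decision:12} token={has_token!s:5} {path}")
```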
Example: request the OTP only for these pages.
You can add a regular expression to determine the list of pages that always require the second factor for users with a token.
Example: request OTP for all pages except those containing menu.zul or otp.zul.
Pages that require OTP authentication for any user: (Mandatory) You should include the list of pages that always require the second factor. Therefore, if a URL strictly requires OTP authentication, users with no token won't be allowed to use it.
Second factor authentication period: number of seconds after which a new OTP value will be required.
In both configurations, if OTP is required from the user, a popup requesting the token value is raised so the user can enter the OTP value.

Actions

Expand all
Displays all the attributes of the different blocks.

Collapse all
Hides all attributes of the different blocks.

Types of views
Change the view type: Classic view, Modern view, Compact design.

Download metadata
Allows you to download an XML file with metadata to load into your SAML Identity Provider federation when you use an External SAML identity provider.

Confirm changes
Allows you to save the changes made in the Authentication setup.

Password policies

Definition

On this page, you can configure the password policies that will be applied when assigning a new password, always depending on the password domain selected by that system and the type of user selected. Therefore, the two main components of this page are password management and password policies.

Password domain
A password domain is a logical way of grouping managed systems that share the same password for each account. If the administrator chooses to have the same password for every system, only one password domain should exist. If the administrator chooses to assign a different password for each system, then a password domain should be created for each managed system.
Password policies
Password policies allow you to define custom rules that passwords must comply with to enhance system security. For each password domain, Soffid allows you to create different password policies related to user type. It is only possible to define a single password policy for one password domain and one user type.

There are two kinds of password policies. The first one is for user-selected passwords; that is the default behavior. The second one is for system-generated passwords. These policies are useful for shared accounts when using Enterprise Single Sign-on.

A password policy will also define how often the password needs to be changed and how many days are allowed to change it. Regarding password complexity, you can specify the minimum and the maximum number of lowercase letters, uppercase letters, numbers, and symbols, as well as password length. The administrator users can define a regular expression that each password must match. This can be used, for instance, to ensure that the first character is not numeric. It is also possible to create a list of forbidden words that cannot be used as passwords.

Screen overview

Related objects
User type: a user type can be used for password policy and password domain.
Agents: where the password domain is selected.
Users: where a new password can be set.
Accounts: where a new password can be set.
My accounts: where a new password can be set, or to query the password already set.
Network intelligence: to enable "Check breached password" a valid token must be applied.

Standard attributes

Password domain attributes
Code: password domain identifier code.
Description: a brief description of the password domain.

Password policies attributes
Password domain: the password policy belongs to that password domain.
User type: specific user type for which the password policy is created.
Description: a brief description of the password policy.
Password type: the kind of password policy:
- Entered by the user: this is the default behavior.
- Automatically generated: these policies are useful for shared accounts when using Enterprise Single Sign-on.
Change allowed: if it is checked, the user can change automatically generated passwords.
Query allowed: if it is checked, the user can view the current password.
Valid period (days): the password change will be requested after that number of days. That option is available when you select the "Entered by the user" option.
Minimum days for next change: number of days during which you are not permitted to change your password again.
Grace period (days): additional days allowed beyond the valid period for changing the password. That option is available when you select the "Entered by the user" option.
Renewal Time: number of days added to change the password. That option is available when you select the "Automatically generated" option.
Length (min & max): minimum and maximum password length.
Uppercase letters (min & max): min and max number of uppercase letters that must be included in the password.
Lowercase letters (min & max): min and max number of lowercase letters that must be included in the password.
Numbers (min & max): min and max number of digits that must be included in the password.
Symbols (min & max): min and max number of symbols that must be included in the password.
Regular expression: the password must comply with that regular expression.
Complexity: similar to the option of the same name in Active Directory. It is mandatory to use three different types of characters (uppercase, lowercase, numbers, and symbols), and it is not allowed to use the user code, name, or surname.
Password validation script: script to validate additional password conditions. The result must be true or false.
Condition description: description of the validation script. This condition will be displayed in the Password policy field when the user tries to change the password from My Profile.
Passwords remembered: the number of passwords the system will remember.
Forbidden words: list of forbidden words that may not be used to create a password. The check is case insensitive; for instance, there will be no distinction between "Soffid", "SOFFID", or "soffid".
Lock after failures: the number of login attempts before blocking an account.
Unlock after seconds: the number of seconds an account is blocked.
Check breached password: if you have a valid token in Network intelligence, Soffid will verify that the password is valid and has not been involved in any security breach.

Actions

Table actions

Add new
Allows you to create a new password domain. To add a new password domain it is mandatory to fill in the required fields.

Add password policy
Allows you to create a new password policy on a specific password domain. Below the parent password domain, you can find the button [+] to perform that action. To add a new password policy it is mandatory to fill in the required fields.

Password domain detail actions

Apply changes (disk button)
Allows you to save a new password domain or to update the password domain changes. To save the data it is mandatory to fill in the required fields.

Delete
Allows you to delete a password domain. To delete a password domain you can click on the "three points" icon and then click the delete button. Soffid will ask you for confirmation to perform that action; you can confirm or cancel the operation.

Undo
Allows you to quit without applying any changes.

Password policies detail actions

Apply changes (disk button)
Allows you to create a new password policy or to update password policy changes. To save the data it is mandatory to fill in the required fields.

Delete
Allows you to delete a password policy. To delete a password policy you can click on the "three points" icon and then click the delete button. Soffid will ask you for confirmation to perform that action; you can confirm or cancel the operation.

Undo
Allows you to quit without applying any changes.

Others

Examples

Password validation script example. The script uses the user object and the candidate password (passwordT) and must return true to accept the password or false to reject it; this one rejects passwords that start with the first three characters of the user name:

    // First three characters of the user name, lowercased for a case-insensitive comparison
    codi3 = user.userName.substring(0, 3).toLowerCase();
    // Reject the password when its first three characters match the user name prefix
    // (the length guard avoids an exception on passwords shorter than three characters)
    if (passwordT != null && passwordT.length() >= 3
        && codi3.equals(passwordT.substring(0, 3).toLowerCase()))
        return false;
    return true;

Configure PAM session servers

Definition

Soffid provides the functionality that allows you to configure the Jump servers. To configure that functionality it is mandatory to install PAM following the instructions on the PAM installation page.

A Jump server is the control point that forces users to log into that system first; then they can traverse to other servers without having to log in again. The purpose of a jump server is to be the only gateway for access to your infrastructure, reducing the size of any potential attack surface.

For correct configuration, you must first create a PAM server group and then publish the store service and any available jump servers within it.

Screen overview

Related objects
Network discovery: where the servers are discovered and created in Soffid.
Agents: each server will have its own agent.
Password vault: accounts published in PAM.
PAM policies: the PAM policies contain and configure the PAM rules.
PAM rules: PAM rules used in the PAM policies.
Search in PAM recordings: to search and watch recorded sessions.
Access logs: to search and watch recorded sessions.
Configure PAM session servers: where the PAM servers are configured.

Standard attributes

Table attributes
Group name: name to identify the configuration.
Description: a brief description.
Storage data: URL of the storage service.

Detail attributes
Group name: name to identify the configuration.
Description: a brief description.
User name: user name given at installation of PAM.
Password: password given at installation of PAM.
URL: URL of the storage service.
Jump servers: list of jump server URLs.

Actions

Table actions

Add new
Allows you to add a new PAM server group configuration. You must fill in all the attributes to save a new configuration.

Detail actions

Apply changes (disk button)
Allows you to create a new PAM configuration or to update an existing one. You must fill in all the attributes to save a new configuration.

Delete PAM server group
Allows you to delete the PAM server group. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Undo
Allows you to quit without applying any changes made.

Apply changes
Allows you to create a new PAM configuration or to update an existing one. To save the data it is mandatory to fill in the required fields.

PAM policies

Definition

Privileged Access Management (PAM) policies are a set of guidelines and controls that dictate how privileged access is granted, managed, and audited within an organization.

Soffid allows you to define policies; those policies can be made up of several rules. For each rule, you can select the action to perform when Soffid detects that the rule is met. To use those policies you need to define how policies will be used by each folder in the password vault. For more information, you can visit the Password Vault page.

Screen overview

Related objects
PAM policies: the PAM policies contain and configure the PAM rules.
PAM rules: PAM rules used in the PAM policies.
Password vault: to configure PAM policies in vault folders.
Issue policies: to configure the pam-violation issue policy.

Standard attributes

Table attributes
Name: name to identify the policy.
Description: a brief description of the policy.
Priority: priority between the different PAM policies configured.
Modified by: user who modified that policy.
Modified on: the date and time of the update.
Policy attributes
Name: name to identify the policy.
Description: a brief description of the policy.
Days to keep recordings: number of days that recordings will be kept.
Priority: allows you to set the priority between the different PAM policies configured. When there are several policies, the policy to be applied is evaluated according to priority and expression.
Expression: this expression is evaluated to determine the priority of the policy to be applied. When there are several policies, the policy to be applied is evaluated according to priority and expression.
Temporary permissions: these permissions will be assigned to the user's account on the target system. The permissions will be maintained for the duration of the session. Once the session is over, the permissions will be revoked. The account must be a managed account.
Modified by: user who modified that policy.
Modified on: the date and time of the update.

When you save the standard attributes of a PAM policy and edit the policy again, the rule list will be shown. Here you can customize the policy depending on the existing rules.

Rules attributes
Shows the list of PAM rules defined. You can check/uncheck the available options; you can choose zero, one, or several:
Rule: name of the rule.
Close session: when the rule is met, Soffid will close the session.
Lock account: when the rule is met, Soffid will lock the account.
Open issue: when the rule is met, Soffid will open a new issue (*).
Notify: when the rule is met, Soffid will send a notification about the action.

Actions

Table actions

Query search
Allows you to query PAM policies through different search systems: Quick, Basic and Advanced.

Add new
Allows you to create a new PAM policy. To add a new PAM policy it is mandatory to fill in the required fields.

Delete PAM policy
Allows you to remove one or more PAM policies by selecting one or more records and then clicking this button. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Download CSV file
Allows you to download a CSV file with the PAM policies information.

Import
Allows you to upload a CSV file with the PAM policies list to add or update PAM policies in Soffid. First, you need to pick a CSV file; that CSV has to contain a specific configuration. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. Finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

Policy actions

Apply changes (disk button)
Allows you to create a new PAM policy configuration or to update an existing one. To save the data it is mandatory to fill in the required fields.

Delete
Allows you to delete a PAM policy. To delete a PAM policy you can click on the "three points" icon and then click the delete button. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Undo
Allows you to quit without applying any changes made.

Apply changes
Allows you to create a new PAM policy configuration or to update an existing one. To save the data it is mandatory to fill in the required fields. Once the change has been applied, you will return to the main screen.

PAM rules

Definition

Soffid allows you to define rules to detect commands executed on a server. When a user launches a command defined in a rule, Soffid will detect it. To use those rules you need to define the PAM policies. For more information, you can visit the PAM policies page.
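How PAM policies (priority, expression, per-rule actions) and PAM rules (Keyboard and Screen types with exact Content matching) cooperate when a privileged session is monitored, as an added Python model that is not Soffid code. The rules, policies and session capture are constructed samples; that the lowest Priority number wins among applicable policies, and that the expression is evaluated as a callable, are assumptions.

```python
"""Added example, not Soffid code: a minimal model of how the PAM policies and
PAM rules described in this guide cooperate on a monitored session.

Assumptions, since the page does not give the evaluation algorithm:
  * a policy applies when its expression is true for the session; among the
    applicable policies the lowest Priority number wins;
  * the expression is a Python callable here (Soffid uses a script expression);
  * a Keyboard rule fires when its Content appears in the typed command, a
    Screen rule when its Content appears anywhere in the captured screen text;
    matching is exact, so blanks and returns count, as the page says.
Rules, policies and session data below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

KEYBOARD, SCREEN = "keyboard", "screen"


@dataclass(frozen=True)
class PamRule:
    name: str
    kind: str      # KEYBOARD or SCREEN
    content: str   # Keyboard: text the user cannot enter; Screen: text found on screen

    def matches(self, typed: str, screen: str) -> bool:
        haystack = typed if self.kind == KEYBOARD else screen
        return self.content in haystack


@dataclass
class PamPolicy:
    name: str
    priority: int
    expression: Callable[[dict], bool]
    # rule name -> actions ticked for that rule (zero, one or several of
    # close_session, lock_account, open_issue, notify)
    rules: Dict[str, List[str]] = field(default_factory=dict)


def select_policy(policies: List[PamPolicy], session: dict) -> Optional[PamPolicy]:
    """Policy with the lowest priority number whose expression is true for the session."""
    applicable = [p for p in policies if p.expression(session)]
    return min(applicable, key=lambda p: p.priority) if applicable else None


def evaluate_session(policy: PamPolicy, rules: Dict[str, PamRule],
                     typed: str, screen: str) -> Dict[str, List[str]]:
    """Return {rule_name: [actions]} for every rule of the policy that fires."""
    fired = {}
    for rule_name, actions in policy.rules.items():
        if rules[rule_name].matches(typed, screen):
            fired[rule_name] = list(actions)
    return fired


# Constructed rules: one Keyboard rule and one Screen rule
RULES = {r.name: r for r in (
    PamRule("shadow-read", KEYBOARD, "cat /etc/shadow"),
    PamRule("root-prompt", SCREEN, "root@"),
)}

# Constructed policies: a catch-all with a mild action and a stricter one for
# sessions opened from a vault folder named "prod"
POLICIES = [
    PamPolicy("default", 100, lambda s: True,
              {"shadow-read": ["notify"]}),
    PamPolicy("production", 10, lambda s: s.get("folder") == "prod",
              {"shadow-read": ["close_session", "lock_account", "open_issue"],
               "root-prompt": ["open_issue"]}),
]


def review(session: dict, typed: str, screen: str):
    """Pick the policy for a session and report the actions it triggers."""
    policy = select_policy(POLICIES, session)
    if policy is None:
        return None, {}
    return policy.name, evaluate_session(policy, RULES, typed, screen)


if __name__ == "__main__":
    # Constructed capture: a prod session where the forbidden command is typed
    print(review({"folder": "prod"}, "cat /etc/shadow\n", "user@host:~$ "))
    # The same command with two blanks is a different string and does not fire
    print(review({"folder": "prod"}, "cat  /etc/shadow\n", "root@host:~# "))
```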
Screen overview Screen example Keyboard example Keyboard example Related objects PAM policies :Ā  the PAM policies contains and configure the PAM rules PAM rules : PAM rules used in the PAM policies Password vault : to configure PAM policies in vault folders. Issue policies : Ā to configure the pam-violation issue policy Standard attributes Table attributes & rule attributes Name : name to identify the rule.Ā  Description : a brief description of the rule. Type : rule type. Keyboard : Indicate the command typed in the terminal that you want to control. Screen : Indicate the text displayed in the screen that you want to control. Content : the content of the rule that Soffid will detect. Be in mind, that Soffid will consider blanks, returns, and all characters you type. For keyboard type, text that the user cannot enter. For screen type, text that must be found anywhere on the screen. Modified by : user who modified that rule. Modified on : the date and time of the update. Actions Table actions "Query search" Allows you to query PAM rules through different search systems, Quick, Basic and Advanced . Add new Allows you to create a new PAM rule. You can choose that option on the hamburger menu or click the add button (+). To add a new PAM rule it will be mandatory to fill in the required fields. Delete PAM rule Allows you to remove one or more PAM rules by selecting one or more records and next clicking this button. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation. Download CSV file Allows you to download a CSV file with the PAM rules information. Import Allows you to upload a CSV file with the PAM rules list to add or update PAM rules to Soffid. First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. 
Finally, you need to select the mappings for each column of the CSV file so the data is imported correctly, and click the Import button.
View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.
Rule actions
Apply changes (disk button)
Allows you to create a new PAM rule or to update an existing one. To save the data it is mandatory to fill in the required fields.
Delete
Allows you to delete a PAM rule. To delete a PAM rule, click the "three points" icon and then click the delete button. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
Undo
Allows you to quit without applying any changes made.
Apply changes
Allows you to create a new PAM rule or to update an existing one. To save the data it is mandatory to fill in the required fields. Once the change has been applied, you will return to the main screen.

Issue policies
Definition
Soffid defines a set of automatic events (issue types) by default. For each of these events, it is possible to define and configure the tasks to be performed. Once the necessary issues have been configured, other screens allow you to view and manage them.
Issue types
Below is a list of the issue types available in Soffid.
account-created : created when the Sync Server detects that a new account has been created. This may occur after the Reconciliation process has been executed.
breached-account-password : created when a password change for an account has been rejected because the password has been detected as breached. Be aware that you must have enabled the "Network intelligence" feature with a valid token.
breached-email : created when the "Network intelligence verify domains" process is launched and it is detected that a user's email has been breached. An issue is created for each system in which that email is found.
Be aware that to enable the process, you must have enabled the "Network intelligence" feature with a valid token.
breached-password : created when a password change for a user has been rejected because the password has been detected as breached. Be aware that you must have enabled the "Network intelligence" feature with a valid token.
disconnected-system : created when the Sync Server detects that a target system is offline.
discovered-host : created when the Sync Server detects a new host in the network. This only occurs after the Network Discovery process has been executed.
discovered-system : created when the Sync Server detects a new system on a host. This only occurs after the Network Discovery process has been executed.
duplicated-user : created when the system detects duplicate users, or when the task is generated manually from the user management screen.
enabled-account-on-disabled-user : created when an enabled account is detected on a disabled user. This may occur after the reconciliation process has been executed.
expired-breached-password : during a successful login, the system also checks whether the password has been compromised. The check runs asynchronously, so the user can log in to Soffid without affecting performance. If the password has been compromised, the password and the account are marked as expired and an issue is created. The next time the user logs in, they will be asked to create a new password.
failed-job : created when the system detects job failures. This may occur when running any scheduled task.
global-failed-login : created when the number of session start failures exceeds the threshold of 0.8.
integration-errors : created when the Sync Server detects an integration error between Soffid and an end system. You can check the task in Monitoring & Reporting.
locked-account : created when an account has been locked for exceeding the maximum number of login attempts. You can configure the Lock after failures property in the Password policies settings. The issue is generated even if the lock is only temporary.
login-different-country : created when Soffid detects a new login from a different country. It only works with the Identity Provider and requires the geolocation database to be up to date.
login-from-new-device : created when Soffid detects a login from a new device. It only works with the Identity Provider.
login-not-recognized : created when Soffid detects a login that is not recognized (disabled user or user that does not exist) in the Soffid Console or in Soffid as an Identity Provider.
otp-failures : created when an OTP device is locked for exceeding the number of attempts. Currently it is locked after 10 unsuccessful attempts.
pam-violation : created when any of the PAM rules is violated. You can define the PAM rules and the PAM policies. Bear in mind that you must check the "Open issue" option in the PAM policies you wish to control.
password-changed : created when a password change is detected. These changes come from the end system (Active Directory or Soffid OpenLDAP) and Soffid has been notified. The issue is not created if an operator or a script changes the password in Soffid.
permissions-granted : created when it is detected that permissions have been granted to a user on the end system. This may occur after the reconciliation process has been executed.
risk-increase : created when it is detected that the risk level of a user has increased. You can configure the risks in the Segregation of Duties option.
robot-login : created when it is detected that someone who has not passed the CAPTCHA is trying to log in to the Identity Provider.
security-exception : created when unauthorized access to the console via web service or admin console occurs.
Screen overview
Related objects
Issue policies : where the issues are configured.
Issues : lists all issues.
My issues : issues started by a user, or on which the user has a pending action.
Pages related to the different issues: Users, Accounts, Network intelligence, Agents, Sync server monitoring, Hosts, Scheduled jobs, My OTP devices, PAM rules, Roles, Segregation of duties.
Standard attributes
Issue type : by default, some issue types are defined in the Soffid Console.
Description : a brief description of the issue.
Action :
Ignore : the event will be ignored and no additional actions will be run.
Record : the event will be recorded and an issue with the status Acknowledged will be created. The actions configured for the Acknowledged status will be run.
Manage : a new issue will be created in the New status and the actions configured for this status will be run.
Assigned role : the role that will own the created issues.
Actions list : list of actions to be taken when this issue occurs. You can choose one or more actions from the list and configure them:
Issue status : determines the point at which the action will be launched: New, Acknowledged, Solved, Solved - Not a duplicate.
Actions :
Notify affected user : allows you to configure an email that will be sent to the affected users.
Send custom email : allows you to configure a custom email that will be sent to specific users.
Run script : allows you to type a script that will be executed.
Lock affected accounts : allows you to configure an email that will be sent to the owner user.
Lock affected host.
Notify issue owner by email.
Acknowledge.
Start new process : allows you to configure the workflow that will be run.
Description : a brief description of the action you are defining.
Note that it is necessary to restart the Sync Server after changing the action of an issue.
Actions
Table actions
"Query search"
Allows you to query issue types through different search systems: Quick, Basic and Advanced.
Download CSV file
Allows you to download a CSV file with the issue policies data.
Issue actions
Apply changes (disk button)
Allows you to save an issue policy. To save the data it is mandatory to fill in the required fields.
Download CSV file
Allows you to download a CSV file with the issue policies data.
Expand all
Displays all the attributes of the different blocks.
Collapse all
Hides all the attributes of the different blocks.
"Types of views"
Changes the view type: Classic view, Modern view, Compact design.
Add new
Allows you to add a new action to the issue policy. You can choose the action from the action list. Depending on the selected action, you must fill in different information. Once the information has been filled in, you need to close the window and apply the changes.
Delete
Allows you to delete one or more actions from the actions list.
Undo
Allows you to quit without applying any changes.
Apply changes
Allows you to save the changes made to the issue policy.

Digital certificates (addon federation)
Definition
Soffid includes digital certificate functionality as a security enhancement. You can add new digital certificates, internal or external. If you select an external certificate, you add the root certificate of an existing certification authority to Soffid; if you select an internal certificate, Soffid will generate a valid certificate itself.
Screen overview
Related objects
Identity providers : certificates can be used as a second authentication factor.
Standard attributes
Internal
Organization name : organization name.
Expiration date : refers to the root certificate.
Device certificate : indicates whether the certificate is for a device.
Certificate duration (months) : refers to the users' certificates.
External
Certificate : root of the certification authority (PEM file).
Organization name : organization name (retrieved from the certificate).
Device certificate : indicates whether the certificate is for a device.
Script to guess the certificate owner : script to compute the user name. It can use the certificate and subject variables and must return a valid user name.
Actions
Table actions
Add new
Allows you to add a new certificate. To add a new certificate it is mandatory to fill in the required fields.
Delete
Allows you to remove one or more certificates by selecting one or more records and then clicking this button. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
Download CSV file
Allows you to download a CSV file with the digital certificates data.
New token
Undo
Allows you to quit without applying any changes.
Next
Allows you to go to the next step of the wizard to create a new certificate.
Back
Goes to the previous step.
Apply changes
Allows you to save the data of a new certificate or to update the data of an existing certificate. To save the data it is mandatory to fill in the required fields.

OTP settings (addon otp)
Definition
The OTP settings allow administrator users to configure the available OTP options. Soffid provides six different OTP implementations. This page is available if you have previously installed the Soffid OTP add-on. Configure these options as a second authentication factor in the Soffid identity provider. Remember that this functionality is found in the federation add-on.
Screen overview
Related objects
My certificates and FIDO tokens : to self-configure certificates and FIDO tokens.
My OTP devices : to self-configure OTP devices.
Authentication : OTP settings for the Console.
Identity providers : to enable OTP options as second authentication factors.
Standard attributes
Email
Enabled : allows you to enable or disable the PIN sent by email implementation.
Number of digits : number of digits of the PIN code that will be generated.
Subject : subject of the email.
Body : body of the email.
Number of failures to lock the token : upon reaching the configured number of failures, the token will no longer be usable.
To send an email, you must register a mail server. For this purpose, Soffid has a set of parameters that you can find on the Soffid parameters page.
SMS
Enabled : allows you to enable or disable the PIN sent by SMS implementation.
Number of digits : number of digits of the PIN code that will be generated.
URL to send the SMS : enter the URL of your SMS provider's REST service, for example:
    https://www.xxxxxxx.com/cgi-bin/sms/http2sms.cgi?account=sms-bg490971-1&password=XXXXXXt&login=user&from=SOFFID&to=${PHONE}&message=This is your access PIN: ${PIN}&noStop&contentType=application/json&class=0
HTTP Method : enter POST or GET depending on your provider's documentation.
HTTP Header : optionally, you can add any HTTP header, including Basic or Bearer authentication tokens. The header must include the header name and the header value. For instance:
    Authorization: Basic dXNlcjpwYXNzd29yZA==
POST data to send : enter the body of the HTTP request.
Text to be present in the HTTP response : Soffid will check that the response from your SMS provider contains this text, for example "status":100.
Number of failures to lock the token : upon reaching the configured number of failures, the token will no longer be usable.
In the URL and in the POST data to be sent, the administrator can use tags that will be replaced by attributes of the target user:
${PHONE} : the target phone number.
${PIN} : the one-time password to be entered by the user.
${userAttribute} : any of the standard or custom user attributes, like ${fullName} or ${userName}.
Bear in mind that provider credentials placed in the URL query string, as in the example above, end up in proxy and web server logs; where the provider supports it, send them in an Authorization header instead. Soffid does not offer any SMS service; this service must be provided by the customer.
URL to send the SMS : enter the URL of your voice call provider's REST service.
HTTP Method : enter POST or GET depending on your provider's documentation.
HTTP Header : optionally, you can add any HTTP header, including Basic or Bearer authentication tokens. The header must include the header name and the header value. For instance:
    Authorization: Basic xxxxxxxxxxxxxxOUVCRS1DMzE0LTI3MzAtQkY0Qy05RDgwRTMyQUQ4OUY=
    Content-Type: application/json
    Accept: application/json
POST data to send : enter the body of the HTTP request.
Text to be present in the HTTP response : Soffid will check that the response from your voice provider contains this text, for example "status":100.
In the POST data to be sent, the administrator can use tags that will be replaced by attributes of the target user:
${PHONE} : the target phone number.
${PIN} : the one-time password to be entered by the user.
Soffid does not offer any voice service; this service must be provided by the customer.
Time based HMAC Token
Enabled : allows you to enable or disable the time-based HMAC token (TOTP) implementation.
Number of digits : number of digits of the PIN code that will be generated.
Algorithm : allows you to select an HMAC algorithm.
Issuer : name of the issuer of the PIN.
Number of failures to lock the token : upon reaching the configured number of failures, the token will no longer be usable.
An additional application is required to load the OTP generation settings. You may use any of the following: Google Authenticator, Microsoft Authenticator, FreeOTP Authenticator.
Event based HMAC Token
Enabled : allows you to enable or disable the event-based HMAC token (HOTP) implementation.
Number of digits : number of digits of the PIN code that will be generated.
Algorithm : allows you to select an HMAC algorithm.
Issuer : name of the issuer of the PIN.
Number of failures to lock the token : upon reaching the configured number of failures, the token will no longer be usable.
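The time-based and event-based HMAC token implementations above are TOTP (RFC 6238) and HOTP (RFC 4226), which is why any authenticator app can load them. The following added example, not Soffid code, computes both with the Number of digits and Algorithm settings as parameters and models a server-side verifier with the "Number of failures to lock the token" behaviour. The clock-skew window, the HOTP look-ahead and the replay check are choices made in the example, not settings documented on this page, and the secret used is the RFC test-vector seed.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(secret, counter), dynamic truncation, 'digits' decimals.
    'digits' and 'algorithm' correspond to the Number of digits and Algorithm settings."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, digits: int = 6, algorithm: str = "sha1",
         period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter (30-second steps by default)."""
    return hotp(secret, int(unix_time) // period, digits, algorithm)


class TokenVerifier:
    """Server-side check with the lockout the console describes: after max_failures
    wrong codes the token is no longer usable. Window, look-ahead and replay handling
    are this example's choices."""

    def __init__(self, secret, max_failures, digits=6, algorithm="sha1", window=1, look_ahead=5):
        self.secret, self.max_failures = secret, max_failures
        self.digits, self.algorithm = digits, algorithm
        self.window, self.look_ahead = window, look_ahead
        self.failures = 0
        self.locked = False
        self.counter = 0      # next expected HOTP counter
        self.last_step = -1   # last accepted TOTP step, so a code cannot be replayed within its step

    def _fail(self):
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False

    def verify_totp(self, code, unix_time, period=30):
        if self.locked:
            return False
        step = int(unix_time) // period
        for skew in range(-self.window, self.window + 1):
            candidate = hotp(self.secret, step + skew, self.digits, self.algorithm)
            # constant-time compare; 'code' is expected to be an ASCII digit string
            if step + skew > self.last_step and hmac.compare_digest(candidate, code):
                self.last_step = step + skew
                self.failures = 0
                return True
        return self._fail()

    def verify_hotp(self, code):
        if self.locked:
            return False
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c, self.digits, self.algorithm), code):
                self.counter = c + 1   # resynchronize; codes for counters <= c are now replays
                self.failures = 0
                return True
        return self._fail()


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 4226 / RFC 6238 test seed, not a production secret
    print("HOTP counter 0:", hotp(seed, 0))
    print("TOTP at t=59, 8 digits:", totp(seed, 59, digits=8))
```

Two details matter operationally: the lockout counter is reset only on success, so a mistyped code followed by a correct one does not accumulate, and the TOTP check refuses a code that was already accepted for its time step, which closes the small window in which a shoulder-surfed code is still valid.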
An additional application is required to load the OTP generation settings. You may use any of the following: Google Authenticator, Microsoft Authenticator, FreeOTP Authenticator.
Security PIN
Enabled : allows you to enable or disable the Security PIN implementation.
Minimum PIN length : minimum number of digits that the PIN has to have.
Number of digits from the PIN to ask : number of digits of the PIN that Soffid will ask for to verify the identity.
Number of failures to lock the token : upon reaching the configured number of failures, the token will no longer be usable.
Actions
Expand all
Displays all the attributes of the different blocks.
Collapse all
Hides all the attributes of the different blocks.
"Types of views"
Changes the view type: Classic view, Modern view, Compact design.
Confirm changes
Allows you to save the updates and quit the page.

Password recovery configuration (addon recovery)
Description
Soffid provides the functionality that allows users to recover their passwords. To do this, the administrator user, or a user with the proper roles/authorizations, must first configure the password recovery settings. This setting can be used in the Console login and in the Federation login if enabled in the Identity Provider. There are several sending method configuration options; use the one that best suits your organization.
Screen overview
Related objects
Soffid parameters : must provide a mail server to use emails.
Identity providers : to enable this option in federation.
Standard attributes
Password recovery questions tab
Enabled methods
Enable email recovery : if Yes is selected, it will allow password recovery through an e-mail sent to an authorized mailbox.
Enable question&answer recovery : if Yes is selected, a control question and answer will be requested.
Enable OTP : if Yes is selected, an OTP will be required to recover the password. That OTP depends on the OTP settings configured in the Soffid Console and the OTP devices configured for the end user.
Enable SMS : if Yes is selected, an SMS will be sent to recover the password.
Preferred method : in case you select two or more of the previous options, this drop-down allows you to prioritize one option over the others: Email, Questions, SMS, OTP.
Allow to unlock account and keep the same password : allows the user to unlock their account keeping the last stored password.
Recovery questions
Minimum number of filled-in questions : indicates the minimum number of questions that must have been answered in the end user's profile to be able to use this password recovery method.
Questions to answer to unlock : indicates the number of questions that will be asked to the end user to reset their password.
Number to answer to unlock : indicates the number of answers that must be answered correctly by the end user to reset their password.
Enforce fill-in questions : on each access, Soffid checks whether the questions have been answered. If they have not, Soffid will display a window with the questions to answer or to configure, depending on this value:
Disabled : disables that functionality.
Required : the system will check that the user questions have been answered. If the user does not have the required number of questions defined or has not answered all their questions, the system will show the retrieve password questions page.
Optional : the system will check the user questions but will not show the retrieve password questions page if the user questions do not meet the configuration parameters.
Recovery email
Email subject : the text of the subject of the email sent; you can use variables.
Email body : the text of the body of the email sent; it can be HTML; you can use variables.
Tip: use the ${variable} syntax to customize SMS and e-mails. Use ${PIN} for the secret PIN, or ${attributeName} for any user attribute like ${fullName}.
Recovery SMS
URL for SMS service : URL of the SMS service.
HTTP method for SMS : HTTP method for the SMS request, for example GET.
HTTP body for SMS : the text of the body sent to the SMS service; you can use variables.
HTTP headers for SMS : headers used in the HTTP request.
Response must contain : a text that must be present in the response to confirm the successful sending.
User attribute to store phone number : user object attribute, defined on the Metadata page, where the phone number is stored.
Tip: use the ${variable} syntax to customize SMS and e-mails. Use ${PIN} for the secret PIN, or ${attributeName} for any user attribute like ${fullName}.
Default questions tab
The Default questions tab is where you enter the questions that the end user will have to answer in order to recover their password.
Table:
Question : questions for the end user.
Actions:
Add new : adds a new row to the table so the administrator can write the question.
Delete : after selecting one or more questions, the Delete button is displayed and you can delete the question(s).
For more information on how to activate and configure the question and answer feature, please review the page How to configure questions?
Actions
Password recovery questions tab
Confirm changes
Allows you to save the password recovery configuration. To save the data it is mandatory to fill in the required fields.
Default questions tab
Add new
Allows you to add a new question to the questions list.
Others
Login in console
First, activate one of the available methods, in this case email. Second, when you log in to the console, you will see the option "Recover password".
Login in federation
First, enable "Allow user to recover password" in the "Advanced authentication" section. Second, when you log in to the federation, after entering the user, you will see the option "Forgot your password?".
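The OTP SMS and voice settings and the recovery e-mail and SMS settings above share the same mechanism: a ${tag} template (${PHONE}, ${PIN}, ${attributeName}) rendered into the URL, headers and body of an HTTP request, and a "response must contain" check on the provider's answer. The following added example, not Soffid code, models that pipeline end to end with a constructed provider configuration and user. How Soffid itself encodes substituted values is not stated on this page; the example percent-encodes values placed in the query string and JSON-escapes values placed in a JSON body, which is what keeps a phone number with a leading plus or a display name with quotes from corrupting the request.

```python
import json
import re
import secrets
from urllib.parse import quote

TAG = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def generate_pin(digits):
    """Numeric PIN of exactly 'digits' characters from a CSPRNG; leading zeros are kept."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def render(template, values, encode=lambda s: s):
    """Replace every ${tag} in 'template'. An unknown tag raises instead of being
    sent to the provider as literal text."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unknown tag ${{{name}}}")
        return encode(str(values[name]))
    return TAG.sub(substitute, template)


def parse_headers(text):
    """'Name: value' lines, one per line, as in the HTTP Header setting."""
    headers = {}
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return headers


def build_request(cfg, user, pin):
    """Render the provider request. Values placed in the URL are percent-encoded and
    values placed in a JSON body are JSON-escaped (encoding choices of this example)."""
    values = {"PHONE": user["phone"], "PIN": pin, **user["attributes"]}
    body = None
    if cfg["body"]:
        body = render(cfg["body"], values, encode=lambda s: json.dumps(s)[1:-1])
    return {
        "method": cfg["method"],
        "url": render(cfg["url"], values, encode=lambda s: quote(s, safe="")),
        "headers": parse_headers(cfg["headers"]),
        "body": body,
    }


def delivery_ok(cfg, response_text):
    """The 'Text to be present in the HTTP response' / 'Response must contain' check."""
    return cfg["response_must_contain"] in response_text


# Constructed provider configuration and user; host and credentials are placeholders.
SMS_CFG = {
    "method": "POST",
    "url": "https://sms.example.invalid/send?to=${PHONE}&from=SOFFID",
    "headers": "Authorization: Basic dXNlcjpwYXNzd29yZA==\nContent-Type: application/json",
    "body": '{"to": "${PHONE}", "text": "${fullName}, your access PIN is ${PIN}"}',
    "response_must_contain": '"status":100',
}
USER = {
    "phone": "+34 600 000 000",
    "attributes": {"userName": "jdoe", "fullName": 'Jane "JD" Doe'},
}

if __name__ == "__main__":
    pin = generate_pin(6)
    request = build_request(SMS_CFG, USER, pin)
    # log method, URL and headers only: the body carries the PIN
    print(request["method"], request["url"], request["headers"])
    print("delivered:", delivery_ok(SMS_CFG, '{"status":100,"id":"42"}'))
```

The response check is the only feedback the recovery flow gets, so "Response must contain" should be a string the provider returns only on acceptance (a status code or message id), not something that also appears in its error responses.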
Configuration
Configuration wizard
For more information, you can visit the Configuration wizard book.
Introduction
Soffid provides you a 360° perspective of the identities of your organization's employees, providers and customers:
Identity governance to manage the identity life cycle.
Access management identifies your users accessing applications, including multi-factor authentication.
Privileged access management tracks usage and access of service and system management accounts.
Identity risk and compliance.
Screen overview
For more information, you can visit the Configuration wizard book.

Custom scripts (addon admin)
Description
The Custom Scripts page provides the capacity to launch custom scripts to perform any functionality or process that the Soffid API has available. Remember that you can consult the Soffid API at the following links: Soffid 4 public API and Data & Service model.
Screen overview
Related objects
Console log : for more details in case an error has been returned when the script type is "On demand".
Syncserver monitoring : for more details in case an error has been returned when the script type is "Scheduled".
Scheduled tasks : to manage and execute custom scripts when the type is "Scheduled".
Users : after a user change, the "On user change" script is executed. After a permission is granted, the "On grant permission" script is executed. After a permission is revoked, the "On revoke permission" script is executed.
Standard attributes
Name : name of the custom script.
Type : type of the custom script:
Scheduled : the script is executed in a Sync server and can be scheduled as a task, managed from the Scheduled tasks page.
On demand : the script is executed in the Console.
On user change : the script is executed after any user change (except for granting and revoking roles).
On grant permission : the script is executed after a permission is granted.
On revoke permission : the script is executed after a permission is revoked.
Actions
Table actions
Add new
Allows you to add a new custom script. To add a new custom script it is mandatory to fill in the required fields.
Delete script
Allows you to remove one or more custom scripts by selecting one or more records and then clicking the button. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
Download CSV file
Allows you to download a CSV file with the data included in the table.
Detail actions
AI assistant
Ask the AI assistant for help to generate scripts more quickly and efficiently.
Delete script
Allows you to remove the custom script. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
Undo
Allows you to quit without applying any changes.
Execute now
Runs the script. If it is of the "On demand" type, it runs immediately in the Console. If it is of the "Scheduled" type, it must be run from the "Scheduled tasks" screen.
Others
Soffid APIs
Below you can find a list of helpful links related to the building of custom scripts.
Public API of the Soffid classes: https://download.soffid.com/doc/console/latest/iam-common/apidocs/allclasses.html
API of the internal Soffid classes: https://download.soffid.com/doc/console/latest/uml/
Custom utility classes: https://bookstack.soffid.com/books/soffid-3-reference-guide/page/utility-classes
Script examples
Below you will find examples of scripts that will help you understand the scripting model and the possibilities it offers: Script examples.

Configuration > Web SSO (addon federation)
Attribute definition (addon federation)
Description
The attribute definition page displays all the auto-generated user attributes. Those attributes are the ones that will be delivered from the identity providers to the service providers according to the defined rules.
Soffid has a default implementation for common attributes like FullName or uid, but you can modify it by creating a custom script. Please note that this screen is available in the federation add-on.
Screen overview
Related objects
Attribute definition : where the list of possible attributes to be returned in the IdP response is defined.
Attribute sharing policies : where policies are defined with the attributes to be sent according to the authenticated service provider.
Identity providers : configuration of the identity providers.
Service providers : configuration of the service providers.
Metadata : where user attributes are defined.
Standard attributes
Name : a descriptive name.
ShortName : short name to be used by SAML 2 service providers (without blanks).
Oid : OID to be used by SAML 1 and SAML 2 service providers.
OpenID name : name to be used by OAuth and OpenID Connect service providers.
Radius identifier : RADIUS attribute identifier.
Value : the attribute value. Allows you to define a script that determines the value of the attribute.
Actions
Table actions
Download CSV file
Allows you to download a CSV file with the data included in the table.
Import
Allows you to upload a CSV file with the attribute list to add or update attributes. First, you need to pick a CSV file; that CSV has to follow a specific layout. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. Finally, you need to select the mappings for each column of the CSV file so the data is imported correctly, and click the Import button.
Add new
Allows you to add a new attribute. To add a new attribute it is mandatory to fill in the required fields.
Delete attribute
Allows you to delete one or more attributes by selecting one or more records and then clicking this button. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
Detail actions
Apply changes (disk button)
Allows you to save the data of a new attribute or to update the data of an existing attribute. To save the data it is mandatory to fill in the required fields.
Delete attribute
Allows you to delete a specific attribute. To delete an attribute, click the "three points" icon and then click the delete button. Soffid will ask you for confirmation to perform that action; you can confirm or cancel the operation.
Undo
Allows you to quit without applying any changes.
Apply changes
Allows you to save the data of a new attribute or to update the data of an existing attribute. Once you apply the changes, the attribute details page will be closed.
Examples
Scripts
Soffid IdP has a default implementation for common attributes like FullName or uid, but you can modify it by creating a custom script. The script computes the value of the attribute. Examples of scripts that define the value of an attribute:
Example 1. Return the full name in upper case:
    return fullName.toUpperCase();
Example 2. Return a fixed value if an attribute is blank, otherwise its value:
    return attributes{"company"} == null || attributes{"company"}.isEmpty() ? "Soffid" : attributes{"company"};
Example 3. Use serverService to fetch the OU attribute of the account owned by the user in the Active Directory (AD) system:
    for (account : serverService.getUserAccounts(id, "ad")) {
        return account{"attributes"}{"ou"};   // first AD account found
    }
    return null;                               // the user has no AD account
Example 4. Return the secondary groups of the user as a comma-separated list (the loop header was lost in the page extraction and is reconstructed here as a plain index loop over the returned collection):
    var groups = serviceLocator.getGroupService().findUsersGroupByUserName(userName);
    var list = "";
    for (var i = 0; i < groups.size(); i++) {
        group = groups.get(i);
        if (i > 0) list = list + ",";          // separator before every group except the first
        list = list + group.group;
    }
    return list;
Example 5. Retrieve a custom attribute of the holder group:
    if (holderGroup != null) {
        ug = serviceLocator.getGroupService().findUserGroupByUserNameAndGroupName(userName, holderGroup);
        if (ug != null && ug.attributes != null && ug.attributes{"customAttribute"} != null)
            return ug.attributes{"customAttribute"};
    }
    return null;

Attribute sharing policies (addon federation)
Description
Soffid allows you to define security rules as policies that apply to any attribute that should be delivered from identity providers to service providers. Please note that at least one policy must be created to return attributes to service providers. If there is no policy, or none is met, no attributes will be sent. When logging in to a service provider, all policies are evaluated and more than one may apply. In this case, the union of all attributes contained in those policies will be returned. Please note that this screen is available in the federation add-on.
Screen overview
Related objects
Attribute definition : where the list of possible attributes to be returned in the IdP response is defined.
Attribute sharing policies : where policies are defined with the attributes to be sent according to the authenticated service provider.
Identity providers : configuration of the identity providers.
Service providers : configuration of the service providers.
Metadata : where user attributes are defined.
Standard attributes
Table attributes
Policy : policy name.
Policy attributes
Policy : policy name.
Condition (policy) : a boolean expression that is evaluated first. If it evaluates to false, the policy is ignored completely. It is used to decide to which logins the policy applies.
Attributes : allows you to add attributes, each with its own condition.
Attribute : allows you to select an attribute from the attribute list. Those attributes are defined on the Attribute definition page.
Allow : if Yes is selected, the attribute will be shared when the condition is true. If No is selected, the attribute will not be shared.
Condition (shared attributes) : a boolean expression to be evaluated. Allows you to customize a condition that decides whether or not the attribute is delivered.
Condition attributes
A condition is a boolean expression. The condition of a shared attribute is only evaluated when Allow is Yes. Conditions are used both for the policy condition and for the shared attributes.
Not : inverts the result of the condition.
Type : the condition types are the following:
ANY : the result is always true.
OR : the result is true if any of its subexpressions is true.
AND : the result is true if all of its subexpressions are true.
Attribute requester : the result is true if the service provider public id equals the specified value. Optionally, the ignore case checkbox ignores upper and lower case differences.
Attribute issuer : the result is true if the identity provider public id equals the specified value. Optionally, the ignore case checkbox ignores upper and lower case differences.
PrincipalName : the result is true if the principal name equals the specified value. Optionally, the ignore case checkbox ignores upper and lower case differences. Mind that some service providers use the email address as PrincipalName; others use the account name or the X.509 subject name.
Authentication method : the result is true if the authentication method used equals the specified value. Optionally, the ignore case checkbox ignores upper and lower case differences. Some useful values are listed below. When using SAML, it contains the standard SAML identifier corresponding to the authentication method used.
      When multifactor authentication is used, it contains the strongest one:
      - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport: password authentication (over SSL).
      - urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession: already authenticated using a previous session.
      - urn:oasis:names:tc:SAML:2.0:ac:classes:X509: the user has an X.509 certificate.
      - urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient: the X.509 public key has been verified using the TLS protocol.
      - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken: time-synchronized token.
      - urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified: unspecified protocol. This value is used when Soffid IdP relies on third-party identity providers that do not report the authentication method used, such as OAuth or OpenID.
    - When using OpenID Connect, the value can be any of:
      - P: Password
      - PO: Password + One-time password
      - PC: Password + Certificate
      - PE: Password + External identity provider
      - K: Kerberos token
      - KO: Kerberos token + One-time password
      - KC: Kerberos token + Certificate
      - KE: Kerberos token + External identity provider
      - E: External identity provider
      - EO: External identity provider + One-time password
      - EC: External identity provider + Certificate
      - O: One-time password
      - OC: One-time password + Certificate
      - C: Certificate
  - Attribute value: the result is true if the related attribute has the specified value.
  - Attribute requester (regex): the result is true if the service provider public id matches the specified regular expression.
  - Attribute issuer (regex): the result is true if the identity provider public id matches the specified regular expression.
  - Principal name (regex): the result is true if the principal name matches the specified regular expression. Mind that some service providers want to use the email address as PrincipalName; others use the account name or the X.509 subject name.
  - Authentication method (regex): the result is true if the authentication method used matches the specified regular expression.
  - Attribute value (regex): the result is true if the related attribute matches the specified regular expression.
  - Attribute requester in entity group: the result is true if the service provider belongs to the specified group.
  - Attribute issuer in entity group: the result is true if the identity provider belongs to the specified group.
  - Attribute issuer nameID format: the result is true if the identity provider supports the specified identifier format.
  - Issuer entity attribute: the result is true if the identity provider metadata contains the specified attribute name and value.
  - Issuer entity attribute (regex): the result is true if the identity provider metadata contains an attribute name and value that match the specified regular expression.
  - Requester entity attribute: the result is true if the service provider metadata contains the specified attribute name and value.
  - Requester entity attribute (regex): the result is true if the service provider metadata contains an attribute name and value that match the specified regular expression.
  - Attribute requester nameID format: the result is true if the service provider supports the specified identifier format.

Actions

Table actions
- Add new: allows you to add a new policy to the system. To add a new one it is necessary to fill in the required fields.
- Delete policy: allows you to remove one or more policies by selecting one or more records and then clicking this button. Before performing that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Policy actions
- Delete policy: allows you to save the data of a new Attribute sharing policy or to update the data of a specific Attribute sharing policy. To save the data it is mandatory to fill in the required fields.
- Add new: allows you to add a new shared attribute to the policy.
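To make the evaluation rules concrete (a policy condition gates the whole rule, each shared attribute has its own Allow flag and condition, and the attributes of every policy that applies are added together), here is an added Python model of the condition types listed above. It is example code written for this guide, not Soffid's own implementation: the `Context` fields, the builder names and the sample policies (which mirror Examples 1 to 3 below, plus a rule that must not apply) are this example's own. Two points the page does not state are treated as assumptions: regular expressions match the whole value, and an "Allow: No" row simply releases nothing rather than vetoing the same attribute released by another policy.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List

# Constructed model of what the IdP knows when deciding which attributes
# to release to a service provider. Field names are this example's own.
@dataclass
class Context:
    requester: str                     # service provider public id
    issuer: str                        # identity provider public id
    principal: str                     # principal name (mail, account name, X.509 subject...)
    auth_method: str                   # SAML AuthnContext class or OIDC code such as "PO"
    attributes: Dict[str, str]         # user attributes available for release
    requester_groups: FrozenSet[str] = frozenset()   # entity groups of the SP
    issuer_groups: FrozenSet[str] = frozenset()      # entity groups of the IdP

Condition = Callable[[Context], bool]

def _eq(actual: str, expected: str, ignore_case: bool) -> bool:
    return actual.lower() == expected.lower() if ignore_case else actual == expected

def _regex(getter: Callable[[Context], str], pattern: str) -> Condition:
    rx = re.compile(pattern)           # assumption: the whole value must match
    return lambda ctx: rx.fullmatch(getter(ctx)) is not None

# One builder per condition type named on the page.
def any_() -> Condition:                          return lambda ctx: True
def or_(*subs: Condition) -> Condition:           return lambda ctx: any(s(ctx) for s in subs)
def and_(*subs: Condition) -> Condition:          return lambda ctx: all(s(ctx) for s in subs)
def not_(sub: Condition) -> Condition:            return lambda ctx: not sub(ctx)
def attribute_requester(v, ignore_case=False):    return lambda ctx: _eq(ctx.requester, v, ignore_case)
def attribute_issuer(v, ignore_case=False):       return lambda ctx: _eq(ctx.issuer, v, ignore_case)
def principal_name(v, ignore_case=False):         return lambda ctx: _eq(ctx.principal, v, ignore_case)
def authentication_method(v, ignore_case=False):  return lambda ctx: _eq(ctx.auth_method, v, ignore_case)
def attribute_value(name, v):                     return lambda ctx: ctx.attributes.get(name) == v
def attribute_requester_regex(p):                 return _regex(lambda ctx: ctx.requester, p)
def attribute_issuer_regex(p):                    return _regex(lambda ctx: ctx.issuer, p)
def principal_name_regex(p):                      return _regex(lambda ctx: ctx.principal, p)
def authentication_method_regex(p):               return _regex(lambda ctx: ctx.auth_method, p)
def attribute_value_regex(name, p):               return _regex(lambda ctx: ctx.attributes.get(name, ""), p)
def requester_in_entity_group(g):                 return lambda ctx: g in ctx.requester_groups
def issuer_in_entity_group(g):                    return lambda ctx: g in ctx.issuer_groups

@dataclass
class SharedAttribute:
    name: str
    allow: bool = True                 # the "Allow" column of the attribute row
    condition: Condition = any_()      # "Condition (shared attributes)"

@dataclass
class Policy:
    name: str
    condition: Condition               # "Condition (policy)": gate for the whole rule
    attributes: List[SharedAttribute] = field(default_factory=list)

def evaluate(policies: List[Policy], ctx: Context) -> Dict[str, str]:
    """Return the sum of the attributes released by every policy that applies."""
    released: Dict[str, str] = {}
    for policy in policies:
        if not policy.condition(ctx):
            continue                   # policy condition false: the rule is ignored completely
        for shared in policy.attributes:
            # Assumption: an "Allow: No" row releases nothing and does not veto other policies.
            if shared.allow and shared.condition(ctx) and shared.name in ctx.attributes:
                released[shared.name] = ctx.attributes[shared.name]
    return released

PASSWORD_SSL = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def build_sample_policies() -> List[Policy]:
    # Constructed policies: the page's three examples plus one that should not apply.
    return [
        Policy("all-trusted-sps", requester_in_entity_group("TRUSTED"),
               [SharedAttribute("uid")]),
        Policy("soffid-group", requester_in_entity_group("SOFFID"), [
            SharedAttribute("mail"),
            # released only after a password-over-TLS login
            SharedAttribute("givenName",
                            condition=authentication_method_regex(r".*:PasswordProtectedTransport")),
            SharedAttribute("phone", allow=False),
        ]),
        Policy("testsp-only", attribute_requester("TestSP", ignore_case=True),
               [SharedAttribute("sn")]),
        Policy("partners", and_(requester_in_entity_group("PARTNERS"),
                                not_(principal_name_regex(r".*@example\.test"))),
               [SharedAttribute("employeeNumber")]),
    ]

def sample_context(requester: str, groups, auth_method: str = PASSWORD_SSL) -> Context:
    # Constructed login context for a fictitious user "jdoe"
    return Context(requester=requester, issuer="idp.example.test",
                   principal="jdoe@example.test", auth_method=auth_method,
                   attributes={"uid": "jdoe", "mail": "jdoe@example.test",
                               "givenName": "John", "sn": "Doe",
                               "phone": "+34000000000", "employeeNumber": "1234"},
                   requester_groups=frozenset(groups))

if __name__ == "__main__":
    print(evaluate(build_sample_policies(), sample_context("testsp", {"TRUSTED", "SOFFID"})))
```

Running the block shows that `TestSP` (a member of both groups) receives `uid`, `mail`, `givenName` and `sn`, while `phone` is withheld by its Allow: No row and `employeeNumber` is withheld because the partner rule's AND/NOT condition fails; an empty policy list releases nothing, matching the guide's warning that at least one policy must exist.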
  To add a new one it is necessary to fill in the required fields.
- Delete attribute: allows you to remove one or more shared attributes by selecting one or more records and then clicking this button. Before performing that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
- Undo: allows you to quit without applying any changes made.
- Apply changes: allows you to save the data of a new Metadata object or to update the data of a specific Metadata object. To save the data it is mandatory to fill in the required fields.

Attributes actions
- Close: allows you to close the popup window. Please note that the changes have not been saved; you must click the Apply changes button.

Examples

Examples for defining conditions in an attribute sharing policy.

Example 1: Return a list of attributes for any trusted service provider.

Example 2: Rule that applies to all the service providers belonging to the "SOFFID" entity group.

Example 3: Rule that only applies to the service provider 'TestSP'.

Identity providers (addon federation)

Description

This screen allows you to define the most important components of a federation, which are none other than the identity providers. An identity provider is responsible for performing the appropriate authentication for each service provider and user type according to their accounts, permissions, authorisations, and attributes.

The main supported standard is SAML. SAML allows the identification process to be completely detached from web applications, known as Service Providers. With SAML, identification is performed by specialized servers known as Identity Providers.

Additionally, some other, less secure but sometimes convenient protocols like OAuth (Open Authorization) and OpenID-Connect are supported. Older protocols like OpenID (not to be confused with OpenID-Connect) are deprecated and no longer supported.
Remember that after validating the user's login, the identity provider will send the service provider a set of attributes that have been previously defined in Soffid on the Attribute definition page and the Attribute sharing policies screen.

You can visit the Introduction page to find more information about the federation.

Please note that this screen is available in the federation addon.

Entity group

An entity group is just like a folder that allows you to manage different kinds of federation members. One of the most common ways to group federation members is by trust level. When you create an entity group, identity provider records will be displayed. Entity groups can be created on this screen or on the service provider screen, and they will be displayed on both screens.

Identity provider

An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network.

An Identity Provider is responsible for identifying users. It is also responsible for giving service providers information regarding the identified user.

Soffid allows you to configure different identity providers; you can choose the best option for you by selecting the IdP type:
- Soffid IdP: identifies the identity provider implemented by Soffid. Soffid IdP implements both OpenID-Connect and SAML.
- External SAML IdP: is used to identify providers not implemented by Soffid. For instance, it could be an ADFS (Active Directory Federation Services) or Shibboleth identity provider.
- OpenID-Connect: is used for third-party identity providers, like ADFS.
- Facebook: if you select that option, OAuth2 will be used to identify Facebook users. You will need to register Soffid as a Facebook application to use it.
- Google: if you select that option, OpenID-Connect will be used to identify Google users.
  You will need to register Soffid as a Google application to use it.
- LinkedIn: if you select that option, OAuth2 will be used to identify LinkedIn users. You will need to register Soffid as a LinkedIn application to use it.

To create an identity provider, it is advisable to install a dedicated sync server. It can be configured as a proxy sync server, as it does not need direct access to the Soffid database. Instead, it will connect to the main sync server to get users and federation information. For more information about how to configure a dedicated sync server, you can visit the Install Sync server page.

Virtual identity provider

A single identity provider usually offers different profiles or service levels to different service providers. To be able to define this behavior, any Identity Provider can be split into many virtual identity providers. Those identity providers will be served by the same actual identity provider, but they will have different profile configurations. When creating a new virtual identity provider, you will need to specify the service providers for which it will be responsible.

Screen overview

Related objects
- Attribute definition: where the list of possible attributes to be returned in the IdP response is defined.
- Attribute sharing policies: where policies are defined with the attributes to be sent according to the authenticated service provider.
- Identity providers: configuration of the identity providers.
- Service providers: configuration of the service providers.
- Metadata: where user attributes are defined.

Standard attributes

Entity group
- Entity Group: name of the group.
- Providers: displays the identity providers under the entity group.

Identity provider

Soffid IdP

Identification
- IdP type: Soffid IdP (this one has to be selected).
- Identifier: unique name to identify the identity provider. The name has to be the same as the Public ID of the Soffid Identity Provider agent.
- Name: friendly user name.
- Organization: company name of the external IdP.
- Contact: email address of the external IdP.

It is mandatory to create an Agent (Soffid Identity Provider) linking the IdP with the identifier attribute.

Service Configuration
- Metadata: the Metadata for an Identity Provider defines how this Identity Provider delivers its service:
  - Which security algorithms it supports.
  - The public portion of its signing and encrypting keys.
  - The SAML protocols it supports.
  - The URL of each SAML protocol endpoint.
  - Contact information.
- Metadata (file): from this field, you can directly download a file with the metadata. The Metadata is the information that any application needs to use the IdP. It is an XML file that contains the public encryption keys and the services provided.

Leave it blank, as Soffid IdP will fill it in for you. The metadata is created once the network data and the SAML Security data are specified. Restarting the sync server is necessary to fill in the Metadata.

Network
- Host name: public hostname that will be used by users and service providers. The fully qualified name should be used.
- Allow IdP to be included inside an IFRAME: Soffid allows you to configure the Identity Provider to be included within an IFRAME. If this option is updated, the Sync Server must be restarted.
- Network ports:
  - Behind a reverse proxy: enable this option when the IdP is behind a reverse proxy.
  - Reverse proxy port number: (displayed when reverse proxy is enabled) port where the reverse proxy is listening.
  - Reverse proxy incoming address: (displayed when reverse proxy is enabled) IP addresses allowed to make calls to the reverse proxy.
  - Port: TCP port number used by the identity provider. By default, TLS will be used (default 1443).
  - Encryption: choosing the encryption type is only allowed behind a reverse proxy.
    - TLSv1.2
    - TLSv1.3
    - No encryption
  - Support PROXY protocol v2: (displayed when reverse proxy is enabled) protocol between the reverse proxy and the Identity Provider.
  - Accept client certificate: always accept the client certificate.
  - Certificate header: (displayed when reverse proxy is enabled) header carrying the certificate data.
  - Excluded protocols: encryption protocols to be excluded.

TLS
- PublicKey: there are three available options:
  - Leave it blank and Soffid IdP will generate a self-signed certificate.
  - Click the Generate public/private key button and a new key pair will be generated. Once the key pair is generated, you can generate a certificate request file, also known as a PKCS#10 or CSR file. The certificate authority will be able to create a certificate for you using this certificate request. Once you have created the public/private key, you can run other new functions:
    - Change public/private key: allows you to change the public/private key generated previously.
    - Delete public/private key: allows you to delete the public/private key generated previously.
    - Generate PKCS10: generates a PKCS10 file (certification request standard).
  - Click the Upload PKCS12 file button to upload a PKCS#12 file. That file must contain the private and public keys as well as the server certificate. Mind that a PKCS#12 file is usually protected by a PIN.
- TLS Certificate chain: text certificate chain created with one of the previous options.
- Server certificate management: there are two options for certificate management. You can visit the Server certificate management page for more information.

SAML Security
- PublicKey: click the Generate public/private key button and a new key pair will be generated. Once the key pair is generated, you can generate a certificate request file, also known as a PKCS#10 or CSR file. The certificate authority will be able to create a certificate for you using this certificate request.
  Once you have created the public/private key, you can run other new functions:
  - Change public/private key: allows you to change the public/private key generated previously.
  - Delete public/private key: allows you to delete the public/private key generated previously.
  - Generate PKCS10: generates a PKCS10 file (certification request standard).
  Click the Upload PKCS12 file button to upload a PKCS#12 file. That file must contain the private and public keys as well as the server certificate. Mind that a PKCS#12 file is usually protected by a PIN.
- Certificate chain: text certificate chain created with one of the previous options.

Session management
- Session timeout (secs): lifetime of the session, in seconds. If the user has been authenticated and is later asked to authenticate again, the user will be authenticated without any intervention as long as the timeout has not elapsed.
- oAuth Session timeout (secs): lifetime of the oAuth session, in seconds. The oAuth session has its own life cycle, regardless of the session timeout.
- Maximum session duration (secs): maximum time during which the session can be renewed.
- SSO Cookie name: name of the cookie that will keep the session id; you can change the name. This SSO cookie is not strictly needed, as the identity provider stores a session cookie to track the SSO session. The SSO cookie is needed in two circumstances:
  - When the identity provider is restarted, the session cookie is lost. The SSO cookie allows the identity provider to restore the lost session.
  - When you have more than one identity provider instance, this cookie allows all the identity providers to handle the session as if there were only one identity provider. The SSO cookie can be allocated by any identity provider, and it will be accepted by any other one.
- SSO Cookie domain: needed when you have more than one identity provider instance and they are using different host names.
  If all the identity providers are serving the same virtual host name, the SSO Cookie domain will not be needed.

Authentication
- Default authentication methods: the button opens a popup.
  - Always ask for credentials: if checked (the selected value is Yes), the IdP will always request credentials from users who meet the condition defined in this rule.
  - "Matrix of authentication methods": matrix to define the authentication methods that will be required to successfully authenticate the user. Each row indicates the first authentication method, and each column indicates the second factor to use. The available methods are: Password, Kerberos, External IdP, OTP, Email, SMS, PIN, Certificate, FIDO, Push.
- Adaptive authentication: the button opens a popup.
  - "Table of adaptive authentication":
    - Description: description of the adaptive authentication rule.
    - Authentication methods: displays the authentication methods selected.
  - "Adaptive authentication popup": this option allows you to add an additional authentication matrix that will be applied when the defined condition is met. That is the way to change the authentication method depending on the environment.
    - Description: rule description to identify it.
    - Condition: script that enables the rule. The result of the script must be true or false. There are some available vars to create the condition. You can visit the Condition for Adaptive authentication page for more information and some examples.
    - Always ask for credentials: if checked (the selected value is Yes), the IdP will always request credentials from users who meet the condition defined in this rule.
    - Matrix: defines the authentication methods that will be required to successfully authenticate the user. Each row indicates the first authentication method, and each column indicates the second factor to use.
- Kerberos domain: allows you to pick a file to configure the Kerberos authentication method. For more information, you can visit the How to enable Kerberos authentication page.
Advanced Authentication
- Allow user to recover password: if checked (selected value is Yes), and the password recovery addon is installed, the user will be allowed to run the password recovery mechanism.
- Register OTP when required: if checked (selected value is Yes), Soffid will allow the user to register a new OTP during the login process.
- Allow user to self-register: if checked (selected value is Yes), the user will be allowed to register themselves. This option sends an email to the user to verify that the email address is correct, and then lets the user enter a new password.
  - Registration process: workflow selected to create the new identity.
  - User Type: (displayed when Allow users to self-register is enabled) identifies the password policy to be applied. More information on the User Type page.
  - Primary Group: (displayed when Allow users to self-register is enabled) select which organizational unit this user belongs to.
- Register identities identified by external IdPs: allows Soffid IdP to automatically register a new identity when a user authenticates with a third-party IdP and this identity does not yet exist in the Soffid database. Furthermore, on the third-party IdP configuration page, you can tune how this identity is going to be created.
- Store last user name in browser: allows the browser to save the last user name when Yes is selected.
- Enable reCaptcha v3 service: (*) helps to keep your website safe. You can enable it by selecting the Yes option. When you select Yes, you must fill in the following fields:
  - Captcha site key: this key is used to invoke the reCAPTCHA service.
  - Captcha site secret: the secret key used by your web site to communicate with the reCAPTCHA service. This secret key authorizes the communication.
  - Captcha threshold (1 for highest confidence, 0 for low confidence):

Profiles

A profile is a protocol or subset of protocols implemented by the Identity Provider.
There are some accepted protocols; each allows a custom configuration depending on the selected profile. You can visit the Profiles chapter for more information about each one.

Look and feel

Soffid allows you to personalize your login page by adding some style elements, as well as header and footer elements.
- Logo: this logo will be displayed to users on the Windows desktop.
- CSS Style: allows you to add a CSS style for your login page.
- Html header: allows you to add an HTML header.
- Html footer: allows you to add an HTML footer.
- Language (2 characters code): language used by default on first access.

Restarting the sync server is necessary to apply the look and feel changes.

External SAML IdP

Identification
- IdP type: External SAML IdP (this one has to be selected).
- Identifier: unique name to identify the identity provider.
- Name: friendly user name.
- Organization: company name of the external IdP.
- Contact: email address of the external IdP.

Service Configuration
- Metadata: the Metadata for an Identity Provider defines how this Identity Provider delivers its service:
  - Which security algorithms it supports.
  - The public portion of its signing and encrypting keys.
  - The SAML protocols it supports.
  - The URL of each SAML protocol endpoint.
  - Contact information.
- Metadata (file): from this field, you can directly download a file with the metadata. The Metadata is the information that any application needs to use the IdP. It is an XML file that contains the public encryption keys and the services provided.

Login Rules
- User regular expression: regular expression to detect users of this identity provider.
- Login hint script: script to help with the login. Returns the help text.
- Identity provisioning script: script to bind or register a new identity. Returns the user name of the identity that owns the authenticated account.

SAML Security
- PublicKey: click the Generate public/private key button and a new key pair will be generated.
  Once the key pair is generated, you can generate a certificate request file, also known as a PKCS#10 or CSR file. The certificate authority will be able to create a certificate for you using this certificate request. Once you have created the public/private key, you can run other new functions:
  - Change public/private key: allows you to change the public/private key generated previously.
  - Delete public/private key: allows you to delete the public/private key generated previously.
  - Generate PKCS10: generates a PKCS10 file (certification request standard).
  Click the Upload PKCS12 file button to upload a PKCS#12 file. That file must contain the private and public keys as well as the server certificate. Mind that a PKCS#12 file is usually protected by a PIN.
- Certificate chain: text certificate chain created with one of the previous options.

OpenID-Connect

Identification
- IdP type: OpenID Connect (this one has to be selected).
- Identifier: unique name to identify the identity provider.
- Name: friendly user name.
- Organization: company name of the external IdP.
- Contact: email address of the external IdP.

Service Configuration
- Metadata: there are some required parameters:
  - authorization_endpoint: contains the oAuth endpoint to which the user is forwarded to get the authorization token.
  - token_endpoint: contains the oAuth endpoint used to get the access token, based on the authorization token obtained in the previous step.
  - userinfo_endpoint: if the remote IdP is OpenID-Connect compliant, the token endpoint should have sent an access token along with a JWT OpenID token containing the user claims. If this is not the case, Soffid will use this userinfo endpoint to fetch the user claims. This mechanism is needed for oAuth2 servers.
  - scopes_supported: the list of scopes specified here will be used in the first step, when redirecting the user to the authorization endpoint.
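As an added example (written for this guide, not Soffid's own code), the following Python check validates such a metadata document against the four required parameters just listed before it is pasted into the Metadata field. Both sample documents are constructed: the first follows the layout of the guide's own example, the second is deliberately wrong. The rule that every endpoint must be an absolute https URL and that `scopes_supported` should include `openid` is this example's own recommendation, not something the page states.

```python
import json
from typing import List
from urllib.parse import urlsplit

# The parameters the guide lists as required for an OpenID-Connect identity provider
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")

# Constructed sample: same layout as the guide's example document
SAMPLE_METADATA = """{
  "authorization_endpoint": "https://server/oauth2/auth",
  "token_endpoint": "https://server/oauth2/token",
  "userinfo_endpoint": "https://server/oauth2/userinfo",
  "scopes_supported": ["openid", "email", "profile"]
}"""

# Constructed sample with three defects: plain-http token endpoint,
# missing userinfo_endpoint and no "openid" scope
BROKEN_METADATA = """{
  "authorization_endpoint": "https://server/oauth2/auth",
  "token_endpoint": "http://server/oauth2/token",
  "scopes_supported": ["email"]
}"""

def validate_oidc_metadata(text: str) -> List[str]:
    """Return the list of problems found; an empty list means the document is usable."""
    problems: List[str] = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["metadata must be a JSON object"]
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not isinstance(url, str) or not url:
            problems.append(f"missing {key}")
            continue
        parts = urlsplit(url)
        # Tokens and user claims travel over these endpoints: insist on TLS
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{key} must be an absolute https URL: {url}")
    scopes = doc.get("scopes_supported")
    if not isinstance(scopes, list) or not all(isinstance(s, str) for s in scopes):
        problems.append("scopes_supported must be a list of strings")
    elif "openid" not in scopes:
        problems.append("scopes_supported should include 'openid' for an OpenID Connect provider")
    return problems

if __name__ == "__main__":
    print("sample:", validate_oidc_metadata(SAMPLE_METADATA) or "ok")
    print("broken:", validate_oidc_metadata(BROKEN_METADATA))
```

The check is intentionally strict about the scheme: a metadata document pointing the token endpoint at plain http would have the oAuth secret and access tokens sent in clear text, which is exactly the kind of mistake worth catching before the sync server is restarted.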
```
{
  "authorization_endpoint": "https://server/oauth2/auth",
  "token_endpoint": "https://server/oauth2/token",
  "userinfo_endpoint": "https://server/oauth2/userinfo",
  "scopes_supported": [ "openid", "email", "profile" ]
}
```

- oAuth key: the identifier token generated by the oAuth server.
- oAuth secret: the secret generated by the oAuth server.

The Metadata is the information that any application needs to use the IdP. It is an XML file that contains the public encryption keys and the services provided.

Login rules
- User regular expression: regular expression to detect users of this identity provider.
- Login hint script: script to help with the login. Returns the help text.
- Identity provisioning script: script to bind or register a new identity. Returns the user name of the identity that owns the authenticated account.

```
// Identity provisioning script: derive the first and last name from the
// screen_name claim and return the user name of the identity to bind
sn = attributes{"screen_name"};
i = sn.indexOf(" ");
if (i > 0) {
    user.firstName = sn.substring(0, i);
    user.lastName = sn.substring(i + 1);
} else {
    user.firstName = "?";
    user.lastName = sn;
}
return attributes{"name"};
```

Facebook

Identification
- IdP type: Facebook (this one has to be selected).
- Identifier: unique name to identify the identity provider.
- Name: friendly user name.
- Organization: company name of the external IdP.
- Contact: email address of the external IdP.

Service Configuration
- Click here to obtain a client id and client secret: allows you to get the oAuth key and secret.
- oAuth key: the identifier token generated by the oAuth server.
- oAuth secret: the secret generated by the oAuth server.

Login rules
- User regular expression: regular expression to detect users of this identity provider.
- Login hint script: script to help with the login. Returns the help text.
- Identity provisioning script: script to bind or register a new identity. Returns the user name of the identity that owns the authenticated account.

Google

Identification
- IdP type: Google (this one has to be selected).
- Identifier: unique name to identify the identity provider.
  Soffid will fill it in with the Google URL.
- Name: friendly user name.
- Organization: company name of the external IdP.
- Contact: email address of the external IdP.

Service Configuration
- Click here to obtain a client id and client secret: allows you to get the oAuth key and secret.
- oAuth key: the identifier token generated by the oAuth server.
- oAuth secret: the secret generated by the oAuth server.

Login rules
- User regular expression: regular expression to detect users of this identity provider.
- Login hint script: script to help with the login. Returns the help text.
- Identity provisioning script: script to bind or register a new identity. Returns the user name of the identity that owns the authenticated account.

LinkedIn

Identification
- IdP type: LinkedIn (this one has to be selected).
- Identifier: unique name to identify the identity provider. Soffid will fill it in with the LinkedIn URL.
- Name: friendly user name.
- Organization: company name of the external IdP.
- Contact: email address of the external IdP.

Service Configuration
- Click here to obtain a client id and client secret: allows you to get the oAuth key and secret.
- oAuth key: the identifier token generated by the oAuth server.
- oAuth secret: the secret generated by the oAuth server.

Login rules
- User regular expression: regular expression to detect users of this identity provider.
- Login hint script: script to help with the login. Returns the help text.
- Identity provisioning script: script to bind or register a new identity. Returns the user name of the identity that owns the authenticated account.

Virtual identity provider

Identification
- Identifier: unique name to identify the identity provider.
- Name: user-friendly name to identify the identity provider.
- Organization: company name of the external IdP.
- Contact: email address of the external IdP.
Service configuration
- Metadata: the Metadata for an Identity Provider defines how this Identity Provider delivers its service:
  - Which security algorithms it supports.
  - The public portion of its signing and encrypting keys.
  - The SAML protocols it supports.
  - The URL of each SAML protocol endpoint.
  - Contact information.
- Metadata (file): from this field, you can directly download a file with the metadata. Leave it blank, as Soffid IdP will fill it in for you.

SAML Security
- Public key:
  - Generate public/private key:
  - Delete public/private key: allows you to delete the public/private key generated previously.
  - Generate PKCS10: generates a PKCS10 file (certification request standard).
  - Upload PKCS12 file: allows you to upload a PKCS#12 file. That file must contain the private and public keys as well as the server certificate. Mind that a PKCS#12 file is usually protected by a PIN.
- Certificate chain: text certificate chain created with one of the previous options.

Authentication
- Default authentication methods: the button opens a popup.
  - Always ask for credentials: if checked (the selected value is Yes), the IdP will always request credentials from users who meet the condition defined in this rule.
  - "Matrix of authentication methods": matrix to define the authentication methods that will be required to successfully authenticate the user. Each row indicates the first authentication method, and each column indicates the second factor to use. The available methods are: Password, Kerberos, External IdP, OTP, Email, SMS, PIN, Certificate, FIDO, Push.
- Adaptive authentication: the button opens a popup.
  - "Table of adaptive authentication":
    - Description: description of the adaptive authentication rule.
    - Authentication methods: displays the authentication methods selected.
  - "Adaptive authentication popup": this option allows you to add an additional authentication matrix that will be applied when the defined condition is met. That is the way to change the authentication method depending on the environment.
    - Description: rule description to identify it.
    - Condition: script that enables the rule. The result of the script must be true or false. There are some available vars to create the condition. You can visit the Condition for Adaptive authentication page for more information and some examples.
    - Always ask for credentials: if checked (the selected value is Yes), the IdP will always request credentials from users who meet the condition defined in this rule.
    - Matrix: defines the authentication methods that will be required to successfully authenticate the user. Each row indicates the first authentication method, and each column indicates the second factor to use.
- Kerberos domain: allows you to pick a file to configure the Kerberos authentication method. For more information, you can visit the How to enable Kerberos authentication page.

Advanced Authentication
- Allow user to recover password: if checked (selected value is Yes), and the password recovery addon is installed, the user will be allowed to run the password recovery mechanism.
- Register OTP when required: if checked (selected value is Yes), Soffid will allow the user to register a new OTP during the login process.
- Allow user to self-register: if checked (selected value is Yes), the user will be allowed to register themselves. This option sends an email to the user to verify that the email address is correct, and then lets the user enter a new password.
  - Registration process: workflow selected to create the new identity.
  - User Type: (displayed when Allow users to self-register is enabled) identifies the password policy to be applied. More information on the User Type page.
  - Primary Group: (displayed when Allow users to self-register is enabled) select which organizational unit this user belongs to.
- Register identities identified by external IdPs: allows Soffid IdP to automatically register a new identity when a user authenticates with a third-party IdP and this identity does not yet exist in the Soffid database. Furthermore, on the third-party IdP configuration page, you can tune how this identity is going to be created.
- Store last user name in browser: allows the browser to save the last user name when Yes is selected.
- Enable reCaptcha v3 service: (*) helps to keep your website safe. You can enable it by selecting the Yes option. When you select Yes, you must fill in the following fields:
  - Captcha site key: this key is used to invoke the reCAPTCHA service.
  - Captcha site secret: the secret key used by your web site to communicate with the reCAPTCHA service. This secret key authorizes the communication.
  - Captcha threshold (1 for highest confidence, 0 for low confidence):

Profiles

A profile is a protocol implemented by the Identity Provider. There are some accepted protocols; each allows a custom configuration depending on the selected profile:
- OpenIDProfile
- SAML1ArtifactResolutionProfile
- SAML1AttributeQueryProfile
- SAML2ArtifactResolutionProfile
- SAML2AttributeQueryProfile
- SAML2ECPProfile
- SAML2SSOProfile

You can visit the Profiles chapter for more information about each one.

Look and feel

Soffid allows you to personalize your login page by adding some style elements, as well as header and footer elements.
- Logo: this logo will be displayed to users on the Windows desktop.
- CSS Style: allows you to add a CSS style for your login page.
- Html header: allows you to add an HTML header.
- Html footer: allows you to add an HTML footer.
- Language (2 characters code): language used by default on first access.

Restarting the sync server is necessary to apply the look and feel changes.

Service Providers

It is necessary to bind every service provider to the virtual identity provider.
When no such bind exists for a service provider, the profile configuration of the identity provider itself applies.
Name : name of the service provider.
Actions
Federation tree
Add group
Allows you to create a new entity group. You can choose that option by clicking on the "Add group" button in the tree; Soffid will then display a new window with the fields to fill in. To add a new entity group it will be mandatory to fill in the required fields and save or apply changes.
Add identity provider
Allows you to add a new identity provider. You must click the "Add identity provider" button under the proper entity group; Soffid will then display a new window with the data to fill in for the new identity provider. To add a new identity provider it will be mandatory to fill in the required fields and save or apply changes.
Add virtual identity provider
Allows you to add a virtual identity provider. You must click the "Add virtual identity provider" button under the proper identity provider, which has to be a Soffid IdP; Soffid will then display a new window with the data to fill in for the new virtual identity provider. To add a new virtual identity provider it will be mandatory to fill in the required fields and save or apply changes.
Entity group detail
Apply changes (disk button)
Allows you to save the data of a new entity group or to update the data of a specific entity group. To save the data it will be mandatory to fill in the required fields.
Delete
Allows you to remove the entity group. You can find this option in the "three points" menu by clicking on the "Delete" button. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
Undo
Allows you to quit without applying any changes.
Apply changes
Allows you to save the data of a new entity group or to update the data of a specific entity group. Once you apply changes, the entity group details page will be closed.
Identity provider detail
Save
Allows you to save the data of a new identity provider or to update the data of a specific identity provider. To save the data it will be mandatory to fill in the required fields.
Delete identity provider
Allows you to delete the identity provider. To delete an identity provider you can click on the "three points" icon and then click the delete button. Soffid will ask you for confirmation to perform that action; you can confirm or cancel the operation.
Undo
Allows you to quit without applying any changes made.
Apply changes
Allows you to save the data of a new identity provider or to update the data of a specific identity provider and quit. To save the data it will be mandatory to fill in the required fields.
Virtual identity provider detail
Save
Allows you to save the data of a new virtual identity provider or to update the data of a specific virtual identity provider. To save the data it will be mandatory to fill in the required fields.
Delete virtual identity provider
Allows you to delete the virtual identity provider. To delete a virtual identity provider you can click on the "three points" icon and then click the delete button. Soffid will ask you for confirmation to perform that action; you can confirm or cancel the operation.
Undo
Allows you to quit without applying any changes made.
Apply changes
Allows you to save the data of a new virtual identity provider or to update the data of a specific virtual identity provider and quit. To save the data it will be mandatory to fill in the required fields.
Examples
Look and feel customisation
In this example we use all the style elements except the header, so that the language selector keeps working and the manually uploaded logo is shown. This is the result. This is the configuration.
CSS Style:

```css
/* Page background and default text colour */
body {
  color: white;
  background-image: url("https://www.soffid.com/wp-content/uploads/2025/05/Depositphotos_795124038_XL-1-scaled.jpg");
}
/* Language selector links */
#language a {
  text-decoration: none;
  font-weight: bold;
  color: #0B4768;
}
/* Uploaded logo */
p.biglogo img {
  margin-top: 50px;
  width: 150px;
}
p.header {
  color: #0B4768;
  padding-bottom: 10px;
  font-size: larger;
}
/* Selected and unselected login type tabs */
.logintype {
  background-color: #F95D38;
  border: 1px solid #0B4768;
  color: white;
  font-size: large;
  padding: 20px;
}
.nologintype {
  color: #0B4768;
  font-size: large;
  padding: 20px;
}
/* Form fields and submit button */
input {
  padding: 4px 8px 4px 8px;
  border-radius: 4px;
  border-color: #0B4768;
  border-width: 1px;
  cursor: pointer;
}
input[type=submit] {
  background-color: #0B4768;
  color: white;
}
```

Html footer:

demo@soffid.com

If you use the header, the language change options disappear and the logo is not displayed either. You can add the logo yourself using HTML/CSS.
Service Providers (addon federation)
Description
This screen allows you to define the applications that will belong to the federation. These applications are named service providers and must be configured correctly to delegate user authentication to the identity provider that is responsible for them by configuration.
The main supported standard is SAML. SAML allows the identification process to be completely detached from the web applications, known as Service Providers. With SAML, identification is performed by specialized servers known as Identity Providers. Additionally, some other, less secure but sometimes convenient protocols like OAuth (Open Authorization) and OpenID Connect are supported. Older protocols like OpenID (do not confuse it with OpenID Connect) are deprecated and no longer supported.
Remember that after validating the user's login, the identity provider will send the service provider a set of attributes that have been previously defined in Soffid on the attribute definition page and the shared attribute policy screens.
You can visit the Introduction page to find more information about the federation.
Please note that this screen is available in the federation addon.
Screen overview
Related objects
Attribute definition : where the list of possible attributes to be returned in the IdP response is defined.
Attribute sharing policies : where policies are defined with the attributes to be sent according to the authenticated service provider.
Identity providers : configuration of the identity providers.
Service providers : configuration of the service providers.
Metadata : where user attributes are defined.
Standard attributes
SAML
Identification Type : SAML (this option must be selected).
Identifier : public name of the service provider. It must be unique.
Name : friendly user name or brief description.
Service configuration
Metadata : you must provide the identity provider metadata.
You can either copy it from the Soffid Identity Provider page, or instruct the service provider to download the federation metadata by itself.
NameID format : Persistent, Email, Unspecified or Transient.
To publish the federation members' metadata, the main sync server exports the members' metadata at the path /SAML/metadata.xml. Thus, if your sync server is listening at soffid1.your.domain, you can get the whole federation metadata document from: https://soffid1.your.domain:760/SAML/metadata.xml
Every federation member will notice any change after a few seconds, and at most five minutes.
Login rules
Allow impersonations : Soffid allows a service provider to connect to another service provider in a controlled manner. Here you can write the target application URL.
UID Script : script to compute the user name to pass to the target application.
Ask for consent : enables a new screen for the user to consent to their data being shared in the service provider login.
Ask for group membership after authentication : enables a new screen for selecting the user's holder group after authentication. To learn how to configure it, check the holder groups configuration book.
Roles required to login : roles that the user must have to be able to connect to the system.
System where an enabled account is required : system where the user must have an account in order to log in.
You can visit the Openid-connect to SAML interoperability page for more detailed information.
SAML API client
Identification Type : SAML API client (this option must be selected).
Identifier : public name of the service provider. It must be unique.
Name : friendly user name or brief description.
Organization : company name of the external IdP.
Contact : email address of the external IdP.
Service configuration
Metadata : leave it blank, as the Soffid IdP will fill it in for you. The metadata will be created once the Network data and the SAML Security data have been filled in.
NameID format : Persistent, Email, Unspecified or Transient.
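The metadata document published at /SAML/metadata.xml is what every federation member ends up trusting, so it is worth auditing before it is imported into a service provider. The following is an added example and not Soffid's code: it parses a constructed SAML 2.0 metadata document (the entity IDs and URLs in it are made up) and flags expired metadata, assertion-consumer endpoints without TLS, and service providers that do not require signed assertions. To audit a live federation, fetch the URL above over HTTPS and pass the response body to audit_metadata.

```python
"""Audit a SAML federation metadata document before relying on it.

Added example (not Soffid's code): it reads a SAML 2.0 metadata document
of the kind the main sync server publishes at /SAML/metadata.xml and
reports, per entity, its role, NameID formats, endpoints and anything a
reviewer would want flagged. SAMPLE_METADATA is a constructed sample; the
entity IDs and URLs in it are made up.
"""
import datetime as dt
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2099-01-01T00:00:00Z" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://soffid1.example.test:760/SAML">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://soffid1.example.test:760/SAML/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://app.example.test/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
        WantAssertionsSigned="true">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://app.example.test/saml/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="http://legacy.example.test">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://legacy.example.test/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def audit_metadata(xml_text, now=None):
    """Return one record per EntityDescriptor: roles, NameID formats, endpoints, warnings."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_text)
    shared_warnings = []
    valid_until = root.get("validUntil")
    if valid_until:
        expires = dt.datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires <= now:
            shared_warnings.append("metadata expired on " + valid_until)
    records = []
    for entity in root.iter("{%s}EntityDescriptor" % MD):
        rec = {"entityID": entity.get("entityID"), "roles": [], "nameid_formats": [],
               "endpoints": [], "warnings": list(shared_warnings)}
        for role in entity:
            kind = _local(role.tag)
            if kind not in ("IDPSSODescriptor", "SPSSODescriptor"):
                continue
            rec["roles"].append("IdP" if kind == "IDPSSODescriptor" else "SP")
            # An SP that does not demand signed assertions will accept anything posted to its ACS.
            if kind == "SPSSODescriptor" and role.get("WantAssertionsSigned", "false").lower() != "true":
                rec["warnings"].append("SP does not require signed assertions")
            for fmt in role.findall("md:NameIDFormat", NS):
                rec["nameid_formats"].append(fmt.text.strip().rsplit(":", 1)[-1])
            endpoints = role.findall("md:SingleSignOnService", NS) + role.findall("md:AssertionConsumerService", NS)
            for ep in endpoints:
                location = ep.get("Location", "")
                rec["endpoints"].append((_local(ep.tag), location))
                # Assertions posted to a plain-http ACS travel in clear text.
                if not location.startswith("https://"):
                    rec["warnings"].append("endpoint without TLS: " + location)
        records.append(rec)
    return records


def problem_entities(xml_text, now=None):
    """Entity IDs that raised at least one warning: the list to review before importing."""
    return [r["entityID"] for r in audit_metadata(xml_text, now) if r["warnings"]]
```

Run problem_entities on the downloaded document; an empty list means every member has TLS-only endpoints, demands signed assertions and the document is still within its validUntil window. Note that the sample asserts nothing about the signature of the metadata itself, which must be checked separately against the key you trust for the federation.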
Login rules
Allow impersonations : Soffid allows a service provider to connect to another service provider in a controlled manner. Here you can write the target application URL.
UID Script : script to compute the user name to pass to the target application.
Ask for consent : enables a new screen for the user to consent to their data being shared in the service provider login.
Ask for group membership after authentication : enables a new screen for selecting the user's holder group after authentication. To learn how to configure it, check the holder groups configuration book.
Roles required to login : roles that the user must have to be able to connect to the system.
System where an enabled account is required : system where the user must have an account in order to log in.
You can visit the Openid-connect to SAML interoperability page for more detailed information.
Network
Host name : public host name of the application that wants to be a service provider. A fully qualified name should be used.
Standard port : public port number of the application.
Disable SSL : check it (selected value Yes) if you want to use plain TCP connections. A plain connection carries the SAML messages in clear text, so leave it unchecked outside of test environments.
Assertion path : URL that will receive the SAML response.
SAML Security
Public key : clicking on the Generate public / private key button generates a new key pair. Once the key pair is generated, you can generate a certificate request file, also known as a PKCS#10 or CSR file. A certificate authority will be able to issue a certificate for you from this certificate request. Once you have created the public/private key, you can run these other functions:
Change public/private key : allows you to replace the key pair generated previously.
Delete public/private key : allows you to delete the key pair generated previously.
Generate PKCS10 : generates a PKCS#10 file (certification request standard).
Clicking on the Upload PKCS12 file button lets you upload a PKCS#12 file. That file must contain the private key, the public key and the server certificate. Note that PKCS#12 files are usually protected by a password (PIN).
Certificate chain : text certificate chain created with one of the previous options.
OpenID Connect
Identification Type : OpenID Connect (this option must be selected).
Identifier : public name of the service provider. It must be unique.
Name : friendly user name or brief description.
Login rules
Allow impersonations : Soffid allows a service provider to connect to another service provider in a controlled manner. Here you can write the target application URL.
UID Script : script to compute the user name to pass to the target application.
Ask for consent : enables a new screen for the user to consent to their data being shared in the service provider login.
Ask for group membership after authentication : enables a new screen for selecting the user's holder group after authentication. To learn how to configure it, check the holder groups configuration book.
Roles required to login : roles that the user must have to be able to connect to the system.
System where an enabled account is required : system where the user must have an account in order to log in.
You can visit the Openid-connect to SAML interoperability page for more detailed information.
OpenID authorization flow
Implicit : the application server redirects the end user to the IdP, which in turn returns the OAuth token along with the OpenID token.
Authorization code : the application server redirects the user to the IdP, which in turn returns an authorization code that can be used to retrieve the token and the OpenID token from the token endpoint.
User's password : the application server accesses the token endpoint directly, sending the user name and password, to retrieve the OAuth and OpenID tokens.
This mechanism is highly insecure, as it allows unauthenticated clients to impersonate end users.
User's password + Client credential : a more secure version of the previous one, requiring the client to present its client secret.
Client id : the identifier used by the application server.
Client secret : password used by the application server. It is used in the Authorization code flow as well as in the "User's password + Client credential" flow.
Sector identifier URI : sector identifier URI (the OpenID Connect sector_identifier_uri, used to group the redirect URIs of one operator when pairwise subject identifiers are issued).
Response URL : URL to which control returns after authenticating a user.
RP-Initiated logout response URL's
Front-channel logout endpoint
Back-channel logout endpoint
oAuth Session timeout (secs) : lifetime in seconds of the OAuth session. The OAuth session has its own life cycle, regardless of the session timeout.
Allowed scopes : you can define a scope list with the scopes that users will need to interact with the final system.
openid : default scope.
custom scopes : you can add the custom scopes that can be requested by the service provider.
* : the scope * means that any scope requested by the service provider will be granted. Prefer an explicit list; the wildcard lets the service provider obtain any scope the IdP is able to issue.
OpenID Dynamic Register
Identification Type : OpenID Dynamic Register (this option must be selected).
Identifier : public name of the service provider. It must be unique.
Name : friendly user name or brief description.
Login rules
UID Script : script to compute the user name to pass to the target application.
Ask for consent : enables a new screen for the user to consent to their data being shared in the service provider login.
Roles required to login : roles that the user must have to be able to connect to the system.
System where an enabled account is required : system where the user must have an account in order to log in.
OpenID authorization flow
Implicit : the application server redirects the end user to the IdP, which in turn returns the OAuth token along with the OpenID token.
Authorization code : the application server redirects the user to the IdP, which in turn returns an authorization code that can be used to retrieve the token and the OpenID token from the token endpoint.
User's password : the application server accesses the token endpoint directly, sending the user name and password, to retrieve the OAuth and OpenID tokens. This mechanism is highly insecure, as it allows unauthenticated clients to impersonate end users.
User's password + Client credential : a more secure version of the previous one, requiring the client to present its client secret.
Sector identifier URI
Allowed scopes : you can define a scope list with the scopes that users will need to interact with the final system.
openid : default scope.
custom scopes : you can add the custom scopes that can be requested by the service provider.
* : the scope * means that any scope requested by the service provider will be granted.
Registration token
Token : unique identifier.
Valid until : maximum validity date.
Allowed servers : maximum number of servers that can be registered.
Radius client
Identification Type : Radius client (this option must be selected).
Identifier : public name of the service provider. It must be unique.
Name : friendly user name or brief description.
Login rules
Roles required to login : roles that the user must have to be able to connect to the system.
System where an enabled account is required : system where the user must have an account in order to log in.
Radius configuration
Source IPs : origin IP or origin IP range.
Radius secret : shared secret (password).
Client certificate : client certificate.
Free radius agent : enable this option when Soffid allows anonymous users to access from different locations.
CAS client
Identification Type : CAS client (this option must be selected).
Identifier : public name of the service provider. It must be unique.
Name : friendly user name or brief description.
Login rules
Allow impersonations : Soffid allows a service provider to connect to another service provider in a controlled manner. Here you can write the target application URL.
UID Script : script to compute the user name to pass to the target application.
Ask for consent : enables a new screen for the user to consent to their data being shared in the service provider login.
Ask for group membership after authentication : enables a new screen for selecting the user's holder group after authentication. To learn how to configure it, check the holder groups configuration book.
Roles required to login : roles that the user must have to be able to connect to the system.
System where an enabled account is required : system where the user must have an account in order to log in.
CAS configuration
Response URL : URL to which control returns after authenticating a user.
Logout response URL : URL to which control returns after logging out a user.
Tacacs+
Identification Type : Tacacs+ (this option must be selected).
Identifier : public name of the service provider. It must be unique.
Name : friendly user name or brief description.
Login rules
Roles required to login : roles that the user must have to be able to connect to the system.
System where an enabled account is required : system where the user must have an account in order to log in.
Tacacs+ configuration
Source IPs : origin IP or origin IP range.
Tacacs+ secret : shared secret (password).
Authorization rules : allows you to add additional authorization rules to elevate privileges. Available context variables:
user : remote user name.
priv_level : privilege level.
remote_address : remote address.
port : port.
optionalArguments : modifiable map of optional attributes.
mandatoryArguments : modifiable map of mandatory attributes.
The rule must return true if the action is authorized.
WS-Federation
Identification Type : WS-Federation (this option must be selected).
Identifier : public name of the service provider. It must be unique.
Name : friendly user name or brief description.
Login rules
Allow impersonations : Soffid allows a service provider to connect to another service provider in a controlled manner. Here you can write the target application URL.
UID Script : script to compute the user name to pass to the target application.
Ask for consent : enables a new screen for the user to consent to their data being shared in the service provider login.
Ask for group membership after authentication : enables a new screen for selecting the user's holder group after authentication. To learn how to configure it, check the holder groups configuration book.
Roles required to login : roles that the user must have to be able to connect to the system.
System where an enabled account is required : system where the user must have an account in order to log in.
WS-Federation
Response URL : URL to which control returns after authenticating a user.
Actions
Federation tree
Add group
Allows you to create a new entity group. You can choose that option by clicking on the "Add group" button in the tree; Soffid will then display a new window with the fields to fill in. To add a new entity group it will be mandatory to fill in the required fields and save or apply changes.
Add service provider
Allows you to add a new service provider. You must click the "Add service provider" button under the proper entity group and "Identity Provider" label; Soffid will then display a new window with the data to fill in for the new service provider. To add a new service provider it will be mandatory to fill in the required fields and save or apply changes.
Entity group detail
Apply changes (disk button)
Allows you to save the data of a new entity group or to update the data of a specific entity group.
To save the data it will be mandatory to fill in the required fields.
Delete
Allows you to remove the entity group. You can find this option in the "three points" menu by clicking on the "Delete" button. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
Undo
Allows you to quit without applying any changes.
Apply changes
Allows you to save the data of a new entity group or to update the data of a specific entity group. Once you apply changes, the entity group details page will be closed.
Service provider detail
Save
Allows you to save the data of a new service provider or to update the data of a specific service provider. To save the data it will be mandatory to fill in the required fields.
Delete service provider
Allows you to delete the service provider. To delete a service provider you can click on the "three points" icon and then click the delete button. Soffid will ask you for confirmation to perform that action; you can confirm or cancel the operation.
Undo
Allows you to quit without applying any changes made.
Apply changes
Allows you to save the data of a new service provider or to update the data of a specific service provider and quit. To save the data it will be mandatory to fill in the required fields.
Shared signals & events members (addon federation)
Description
The Shared signals framework is a standard that enables security events to be shared between applications. Soffid allows you to register applications that can subscribe to this service. For more information, please refer to our section on the Shared signals framework.
Please note that this screen is available in the federation addon.
Screen overview
Related objects
Identity providers : available identity providers.
Service providers : available service providers.
Metadata : where user attributes are defined.
Users : user's data.
Agents : systems to be observed.
Standard attributes
General attributes
Name : application name.
Description : a brief description of the application.
Identity Provider : the IdP on which it depends.
Service Provider : (optional) applies only to the token change event.
Security attributes
Token : allows you to generate a new bearer token. This token will be used in all the requests the subscriber makes, so treat it as a credential.
Expiration : expiration date for this token.
Source IPs : source IPs allowed to use this service.
TLS certificate chain : certificate chain to add if the communication requires it.
Subject naming
Subject type : format of the subject attributes.
Accounts : accounts.
Email address : email address.
Issuer and subject : issuer and subject.
Opaque : opaque.
Phone number : phone number.
Decentralized identifier : decentralized identifier.
Subject source : where the subject attributes are taken from.
User's account : if you select this option, then you must select the system.
oAuth attribute : if you select this option, then you must select the attribute.
Expression : if you select this option, then you must write a script to calculate the subject.
Subject expression : script to compute the subject name to pass to the event subscriber.
Subject oAuth attribute : list of all attributes with a value in the "OpenID name" field on the "Attribute definition" screen.
User's account system : systems to be observed.
Stream attributes
Paused : if you choose the Yes option, the events will be registered but not yet sent.
Reason for status change : reason for the status change.
Notify events about all identities : if you select the Yes option, the events of all identities will be sent.
Events queue size : maximum queue size, to limit and contain the number of events.
URL : (read-only) push URL, if configured.
Stream attributes : (read-only) delivery mechanism.
Events : (read-only) event list.
Actions
Table actions
Add new
Allows you to add a new shared signals framework member object in the system. To add a new one it is necessary to fill in the required fields.
Delete shared signals & events members
Allows you to delete one or more shared signals framework member objects by selecting one or more records and then clicking this button. To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.
Download CSV file
Allows you to download a CSV file with the basic information of all shared signals & events members.
View
Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.
Detail actions
Apply changes (disk button)
Allows you to save the data of a new shared signals framework member object or to update the data of a specific shared signals framework member object. To save the data it will be mandatory to fill in the required fields.
Delete
Allows you to delete the shared signals framework member object.
Collapse all
Hides all attributes of the different blocks.
"Types of views"
Changes the view type: Classic view, Modern view, Compact design.
Undo
Allows you to quit without applying any changes.
Apply changes
Allows you to save the data of a new shared signals framework member object or to update the data of a specific shared signals framework member object. Once you apply changes, the details page will be closed.
Monitoring and reporting
Monitoring and reporting
Sync server monitoring
Description
Soffid provides a monitoring functionality to consult all the information about the different agents, the status of each one of them and the number of tasks assigned. Consequently, it allows possible incidents to be diagnosed in a quick and easy way. This option allows you to manage all the options related to the tasks created according to the configuration of each of the agents.
Screen overview
Related objects
Agents : where the agents that manage the end systems are configured.
Synchronization servers : where the registered syncservers are displayed.
Standard attributes
Synchronization servers
Shows a list with the URL of all the sync servers that you have configured and the options available for every sync server.
Sync server status
The agent status graph shows the number of agents connected (green light) and the number of agents disconnected (red light).
Attributes:
Name : syncserver name, in bold type.
URL : URL of the syncserver.
"Circle of agents" : graph that visually indicates how many agents are enabled. The colours indicate which agents are active and which ones could not be started due to an error.
View agents
Allows you to access a new window with the information of every single agent. That page shows a list with the information about each agent: name, number of pending tasks, status, and the URL of the agent. If you click one of the agents, Soffid will display all the pending tasks for that agent. If you click on one pending task, you can view the details of that task and perform the actions available for it, depending on your permissions.
Agent list attributes:
Agent : name of the agent.
Tasks : number of tasks not finished (pending, ongoing and tasks with error).
Status : connected or disconnected.
URL agent : local (internal syncserver synchronization) or the URL of the syncserver configured.
Task list attributes (also task attributes):
URL agent : local (internal syncserver synchronization) or the URL of the syncserver configured.
Error : message description when the agent has an error and is disconnected.
Task : name of the task to be executed. There are many types, the most common being the following: UpdateUser, UpdateUserAlias, UpdateUserPassword, UpdateGroup, UpdateRole, UpdateHost, UpdateNetworks.
Priority : priority of the task: 1 means high priority, 2 means low priority.
Executions : number of executions not finished due to an error.
Executions time : last execution.
Message : error message from the last execution.
Scheduled : next scheduled execution.
Restart server
Allows you to restart the synchronization server that hosts any agent. Soffid will ask for your confirmation before performing that action. If you confirm, the server will be restarted.
View details
Displays the details of the sync server. Here you can check the version of the sync server.
Attributes:
Version : version of the syncserver.
Jetty : status of the Jetty process.
SSO Daemon : status of the SSO daemon process.
Task Generator : status of the task generator process.
Certificate expiration : expiration date of the certificate.
Server time : time of the server.
DB Connections : number of threads used to connect to the database.
View tasks
Displays a matrix with all the agents configured (columns), all the tasks (rows), and the status of the task for each agent (cells). You can reload the matrix with the updated tasks. The available statuses for a task are:
DONE (green light).
PENDING (yellow light).
ERROR (red light).
If you click on a task in error, Soffid will display the details of that task: the basic data and the specific data about execution time, error message, schedule and log detail, and Soffid will allow you to perform the available actions. If you click on a pending task, you can perform the available actions.
List attributes:
Task : name of the task to be executed; there are many types.
"List of agents" : there is a column for each active agent.
Get log
In version 4, Soffid allows users to review the logs of the sync server or of each of the active agents. In addition, debugging can be enabled or disabled for each log, and users can decide whether to view the log in real time or pause it.
Page attributes:
Log file : name of the log to review. There are several possibilities:
main : generic log of the syncserver; agent logs are no longer included.
master/agent/AGENTNAME : each agent has its own log, to make searching the data easier.
Debug : [Yes/No] enables or disables debug output.
Live|pause : enables or disables viewing the log in real time.
View : shows and hides columns in the table.
Table attributes:
Timestamp : time of the log entry (the date is always the current date).
Level : log level (DEBUG, INFO, WARNING, SEVERE).
Message : the log message.
Thread : name of the thread that produced the entry.
Source : name of the class that generated the entry.
Stats
Displays the performance graph (tasks per minute) of the synchronization servers. To use this functionality, you must first schedule the "Feed statistic tables" process on the Scheduled tasks screen.
Not scheduled tasks
Displays a view with a list of unscheduled tasks. In that view, you can cancel and release the held tasks.
Attributes:
Task : name of the task to be executed; there are many types.
Status : status of the task (at this point HELD).
Tasks
Displays a graph with information about the tasks pending to be performed on the different systems.
Tasks by server
Displays a graph with information about the tasks for each server.
Actions
Page actions
Not scheduled tasks
Displays a view with a list of unscheduled tasks. In that view, you can cancel and release the held tasks.
Syncserver actions
View agents
Allows you to access a new window with the information of every single agent. That page shows a list with the information about each agent: name, number of pending tasks, status, and the URL of the agent.
Restart server
Allows you to restart the synchronization server. Soffid will ask for your confirmation before performing that action.
View details
Displays the details of the sync server.
View tasks
Displays a matrix with all the agents configured, all the tasks, and the status of the task for each agent. You can reload the matrix with the updated tasks.
Get log
Allows you to display the log trace of the syncserver and agents.
Stats
Displays the performance graph (tasks per minute) of the synchronization servers.
Agents list actions
Refresh (icon)
Allows you to refresh the data of the table.
Tasks list actions
Refresh (icon)
Allows you to refresh the data of the table.
Download CSV file
Allows you to download a CSV file with the task list.
Cancel task
Allows you to cancel all the tasks. Soffid will ask for your confirmation; if you confirm, the tasks will be canceled.
Prioritize
Allows you to release all the tasks. Soffid will ask for your confirmation; if you confirm, the tasks will be executed.
Get log
Opens the log page with the specific log of the agent.
Close
Closes the popup.
Task actions
Refresh (icon)
Allows you to refresh the data of the table.
Cancel task
Allows you to cancel a specific task. Soffid will ask for your confirmation; if you confirm, that task will be canceled.
Prioritize
Allows you to release a specific task.
Soffid will ask for your confirmation; if you confirm, that task will be executed.
- Close: closes the popup.

View tasks actions
- Refresh (icon): refreshes the data of the table.

Not scheduled tasks actions
- Refresh (icon): refreshes the data of the table.
- Cancel task: cancels a specific task. Soffid will ask for your confirmation; if you confirm, that task will be canceled.
- Release task: releases a task so that it goes to the sync server's task synchronizer and can be executed.

Scheduled tasks

Description

Scheduled tasks displays all the automatic tasks defined in Soffid, the schedule of each task, and information about the last executions. It also allows administrator users to update the schedule of those tasks using a cron pattern and to start their execution. By default, only scheduled tasks are displayed, which should be those configured to support the lifecycle of the tool's objects. Unscheduled tasks can be searched for, to be executed manually or to configure their schedule.

Screen overview

Related objects
- Agents: source of agent processes.
- Sync server monitoring: to review the logs.
- Users: there are some processes related to the user lifecycle.

Standard attributes

Table attributes / task attributes (schedule)
- Enabled: if it is selected (value is Yes), the task will be performed on the defined schedule.
- Task description: brief description of the task.
- Server: where the agent is running.
- Start date: start date and time of the last execution.
- End date: end date and time of the last execution.
- Status: the available statuses for a task are: Done (green light): finished tasks; Pending (yellow light); Error (red light).
- Month: number of the month (1-12) when the task will be performed.
- Day: number of the day (1-31) when the task will be performed.
- Hour: hour (0-23) when the task will be performed.
- Minute: minute (0-59) when the task will be performed.
- Day of week: number of the day of the week (0-7, where 0 means Sunday) when the task will be performed.

For each value of month, day, hour, minute, or day of week:
- * means any month, day, hour, minute, or day of week, e.g. */5 to schedule every five minutes.
- A single number specifies that unit value: 3
- Some comma-separated numbers: 1,3,5,7
- A range of values: 1-5

Current execution
- Start now: allows you to launch the task execution.

Last execution
- Status: the available statuses for a task are: Done (green light): task finished; Pending (yellow light): task has been started but has not finished yet; Error (red light): task could not be executed.
- Start date: start date and time of the last execution.
- End date: end date and time of the last execution.
- Execution log: log trace. Allows you to download the log file.

Previous executions

List with the information about the previous executions:
- Start date: start date and time of the execution.
- End date: end date and time of the execution.
- Status: status of the execution.
- Execution log: log of the execution. Allows you to download the log file.

Actions

Table actions
- Enabled / Show disabled: displays only enabled tasks, or also disabled ones.
- Refresh (icon): refreshes the data of the table.
- Download CSV file: downloads a CSV file with the scheduled tasks.
- View: allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

Detail actions
- Expand all: displays all the attributes of the different blocks.
- Collapse all: hides all the attributes of the different blocks.
- "Types of views": changes the view type: Classic view, Modern view, Compact design.
- Start now: launches the task execution.
- Logs: downloads the log file.
- Undo: undoes any changes made.
- Apply changes: saves the data of the scheduled task. To save the data it is mandatory to fill in the required fields.
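The month, day, hour, minute and day-of-week fields described above form a cron-style pattern. The following Python is an added example, not Soffid code: it expands each field with the syntax the screen documents into the set of values it accepts, checks whether a task fires at a given minute, and computes the next run. It assumes (the guide does not say) that day-of-week 7 is Sunday like 0, that a task fires only when all five fields match, and it also accepts a stepped range 'a-b/n' by analogy with '*/n'.

```python
"""Matcher for the schedule fields of the Scheduled tasks screen (month, day,
hour, minute, day of week). Added example, not Soffid code.

Assumptions not stated in the guide: day-of-week 7 is Sunday like 0 (as in
cron), a stepped range 'a-b/n' is accepted by analogy with '*/n', and a task
fires at a given minute only when all five fields match it.
"""
from datetime import datetime, timedelta

# Allowed value range of each field, in the order the screen lists them
FIELD_RANGES = {
    "month": (1, 12),
    "day": (1, 31),
    "hour": (0, 23),
    "minute": (0, 59),
    "day_of_week": (0, 7),
}


def expand_field(spec, low, high):
    """Expand one schedule field into the set of integer values it accepts.

    Supported forms are those the screen documents: '*', '*/n', a single
    number, comma-separated numbers and a range 'a-b' (plus the assumed
    'a-b/n'). Raises ValueError for malformed input or out-of-range values.
    """
    values = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            raise ValueError(f"empty element in field {spec!r}")
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"step must be >= 1 in {spec!r}")
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = end = int(part)
        if not (low <= start <= end <= high):
            raise ValueError(f"{part!r} is outside {low}-{high} in {spec!r}")
        values.update(range(start, end + 1, step))
    return values


def schedule_sets(schedule):
    """Expand a schedule given as {field: spec}; missing fields default to '*'."""
    return {name: expand_field(schedule.get(name, "*"), low, high)
            for name, (low, high) in FIELD_RANGES.items()}


def _day_of_week_ok(sets, when):
    # Python numbers Monday as 0; the screen numbers Sunday as 0 (and, assumed, 7)
    dow = (when.weekday() + 1) % 7
    return dow in sets["day_of_week"] or (dow == 0 and 7 in sets["day_of_week"])


def matches(schedule, when):
    """True if the task described by `schedule` fires at the minute of `when`."""
    sets = schedule_sets(schedule)
    return (when.month in sets["month"] and when.day in sets["day"]
            and when.hour in sets["hour"] and when.minute in sets["minute"]
            and _day_of_week_ok(sets, when))


def next_run(schedule, after, max_days=366):
    """First minute strictly after `after` at which the schedule fires, or None.

    Whole months, days and hours that cannot match are skipped instead of
    stepping through them minute by minute.
    """
    sets = schedule_sets(schedule)
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    limit = t + timedelta(days=max_days)
    while t < limit:
        if t.month not in sets["month"]:
            # first minute of the next month
            t = (t.replace(day=1) + timedelta(days=32)).replace(day=1, hour=0, minute=0)
        elif t.day not in sets["day"] or not _day_of_week_ok(sets, t):
            t = (t + timedelta(days=1)).replace(hour=0, minute=0)
        elif t.hour not in sets["hour"]:
            t = (t + timedelta(hours=1)).replace(minute=0)
        elif t.minute not in sets["minute"]:
            t += timedelta(minutes=1)
        else:
            return t
    return None


# Constructed schedules, written with the syntax the screen documents
EVERY_FIVE_MINUTES = {"minute": "*/5"}
NIGHTLY_ON_WEEKDAYS = {"minute": "0", "hour": "2", "day_of_week": "1-5"}
QUARTERLY_FIRST_DAY = {"minute": "30", "hour": "6", "day": "1", "month": "1,4,7,10"}

if __name__ == "__main__":
    now = datetime(2020, 1, 1, 10, 16)  # constructed reference time, a Wednesday
    for sched in (EVERY_FIVE_MINUTES, NIGHTLY_ON_WEEKDAYS, QUARTERLY_FIRST_DAY):
        print(sched, "matches now:", matches(sched, now), "next run:", next_run(sched, now))
```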
Others

Tasks created by default

These tasks can be run manually when you need them, or scheduled if necessary.
- Apply date restrictions on roles: if a role has an end date prior to the revision date, all grants of that role to Soffid users will be deleted.
- Disable expired passwords: disables all accounts whose password has expired.
- Expire untrusted passwords: disables all accounts whose password has expired.
- Feed statistic tables: retrieves the information needed for the dashboards on the Sync server monitoring screen.
- Network intelligence verify domains: to use this task, you must first activate the network intelligence service. This task generates email-breached security incidents, so you must activate it beforehand. The process queries email accounts and checks whether they appear in any security breach. If so, an email-breached issue is created.
- Release privileged accounts: this task analyses privileged accounts and, if they have an assigned user but the assignment has an end date of today or has no end date, the user is unassigned.

Tasks created from agents

By default, these tasks only appear if the agent is active (has a sync server selected).
- AGENT: Load authoritative data for identities and groups: this task only appears when the agent has the option "Incoming data > Authoritative data source" selected. It retrieves information from the end system to update groups, custom objects, and users (identities) in Soffid.
- AGENT: Reconcile (load target system objects): this task retrieves information from the end system to update roles, accounts, and grants in Soffid.
- AGENT: Generate target system potential impact: this task is the same as reconciliation but does not make any changes in Soffid. Instead, a report is displayed showing the changes that would have been applied in Soffid.
- AGENT: Apply system policies: this task retrieves all the agent's accounts and checks that they have the correct status according to the rules configured in the agent itself.
- AGENT: Provision all users on to managed systems: this task provisions all users with accounts in that system to the final system. The objective is to have the same data in the final system as in Soffid, and to overwrite any values that someone has changed outside of Soffid.
- AGENT: Propagate groups to agent: this task provisions all groups to the final system. The objective is to have the same data in the final system as in Soffid, and to overwrite any values that someone has changed outside of Soffid.
- AGENT: Propagate roles to agent: this task provisions all roles in that system to the final system. The objective is to have the same data in the final system as in Soffid, and to overwrite any values that someone has changed outside of Soffid.

Tasks created from custom scripts

Please note that scripts can only be scheduled from the Custom scripts screen.
- Run NAME OF THE CUSTOM SCRIPT script: script created on the Custom scripts page and marked as "Scheduled".

Scheduled jobs

Description

Scheduled jobs displays all the asynchronous tasks generated by the workflow engine. When a job is finished, it disappears from the list.

Screen overview

Related objects
- Configure Workflow engine: where the workflow engine is configured.
- Business process definition: where workflows are published.
- BPM editor: where to create or modify workflows.
- My tasks: pending workflows in which the user has to perform an action in order to continue the workflow.
- My requests: the workflows that the user can initiate are listed here.
- My requests > Query request status: to search for all processes started by oneself.
- Process search: to search for all processes.
- Metadata: to add attributes to display in the search tables.
- Scheduled jobs: shows active workflows with pending asynchronous tasks.

Standard attributes
- ID: job identifier.
- Name: job name.
- Process: process identifier and description.
- Next rerun: date and time scheduled for the next execution.
- Failed attempts: number of failed attempts.
- Status: status of the last execution.
- Message: message of the last execution.

Actions

Table actions
- Refresh (icon): refreshes the data of the table.
- Download CSV file: downloads a CSV file with the scheduled jobs.
- View: allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed.

Detail actions
- Resume: resumes the job.
- Hold: holds the job.
- Close: closes the window without performing any action.

Audit

Description

The audit trail page allows you to query the audit records of the different components of Soffid. Each action performed in the Soffid Console and in the Syncserver is recorded.

Screen overview

Related objects

Almost all Soffid components are audited in some way, so we could reference all the pages in the documentation.

Standard attributes
- Date/Time: date on which the action was performed.
- Author: user who launched the action. When the author is empty, the Syncserver launched it.
- Source IP: IP or host from which the action was performed.
- Action: the task performed.
- Purpose: name of the internal object (also the database table) on which the action was performed.
- User: identity on which the action was performed.
- Information system: details of the information system on which the action was performed (if a role is involved in the action).
- Role: the role involved in the action.
- Account: if the action has taken place on an account, which one is indicated here.
- DB: name of the final system (agent).
- Group: group involved in the action.
- Network: network involved in the action.
- Machine: host involved in the action.
- Printer: printer involved in the action.
- Domain: domain of the role involved in the action.
- Domain value: domain value of the domain of the role involved in the action.
- Mail domain: mail domain involved in the action.
- Mail list: mail list involved in the action.
- Mail list belongs: mail list membership involved in the action.
- Parameter: parameter involved in the action.
- File: file involved in the action.
- Authorization: authorization involved in the action.
- Federation: federation involved in the action.
- Users domain: users domain of the account involved in the action.
- Passwords domain: password domain of the account involved in the action.
- Jump servers group: jump servers group involved in the action.
- PAM session id: PAM session id involved in the action.
- Action code: action code of the action message involved in the action.

Actions
- "Query buttons": allows you to query the audit records through the different search systems, Quick and Advanced.
- "Table filter": allows you to filter a column in the table based on the results loaded in it.
- Download CSV file: downloads a CSV file with the information of the audit records.
- View: allows you to add or remove columns in the table. It is also possible to change the order of the columns.

Examples

Common queries

Here you have a list of common Advanced searches; you only have to copy, paste and search, e.g.
// User changes trace
calendar ge "2020-01-01T00:00:00.000+01:00" AND user co "admin"

// User actions trace
calendar ge "2020-01-01T00:00:00.000+01:00" AND author co "admin"

// Soffid accounts
calendar ge "2020-01-01T00:00:00.000+01:00" AND user co "admin" AND database co "soffid"

// Created accounts
calendar ge "2020-01-01T00:00:00.000+01:00" AND action co "C" AND object co "SC_ACCOUN"

// Removed objects
calendar ge "2020-01-01T00:00:00.000+01:00" AND action co "D" AND object co "SC_ACCOUN"

Access logs

Description

The access log page allows querying all the information about the opened sessions. Note that any session that was active during the specified date will be shown, even if it started before or finished after that date.

Screen overview

Related objects
- Sessions: session object.
- Users: for the user and full name data.
- Agents: agent object.
- Jump server group: jump server configuration.

Standard attributes
- Type: access log type; values: logon.
- Protocol: access protocol; values: CONSOLE, HTTP, wsso, esso, PAM, PAMRDP, PAMSSH.
- Start date: date and time when the access started.
- End date: date and time when the access ended.
- Session: session identifier.
- Server: server where the authentication was applied.
- Client: server where the user started the session.
- IP Address: IP of the server where the user started the session.
- Information: additional connection information. When the information is about the authentication method, the following options exist: P: Password; K: Kerberos; E: Broker; O: OTP; M: Email; S: SMS; I: PIN; C: Certificate; F: Fingerprint; Z: Push.
- Account: account used to log in.
- User: user who performed the access. The object is linked to the user screen.
- Full name: full name of the user who performed the access. The object is linked to the user screen.
- Agent: when the authentication is applied through an agent.
- Jump server group: when the authentication is applied inside a jump server group.
- Target application: application where the authentication was applied.

Actions
- "Query buttons": allows you to query the access logs through the different search systems, Quick and Advanced.
- "Table filter": allows you to filter a column in the table based on the results loaded in it.
- Download CSV file: downloads a CSV file with the information of the access logs.
- View: allows you to add or remove columns in the table. It is also possible to change the order of the columns.

Sessions

Description

The sessions page displays the currently open sessions made with the Console, ESSO, WSSO or PAM for which the user is the owner. This functionality allows owner users, with appropriate privileges, to open and view online a session opened by another user. It also allows them to interact with it if necessary. When a session is finished it can be found on the Access logs page.

Screen overview

Related objects
- Access logs: to view open sessions and those that have already ended.
- Users: for the user and full name data.
- Agents: agent object.
- Jump server group: jump server configuration.

Standard attributes
- User: name of the user who opened the session.
- Device: IP from which the connection was made.
- Client: server where the user started the session.
- Start date: date and time when the access started.
- Type: CONSOLE, WebSSO, ESSO, PAM, PAM RDP, PAM SSH.
- Port: port of the server where the user started the session.
- Service URL: connection URL.
- Account name: user account name used to connect.
- Service provider: final application or service provider where the authentication was applied.

Actions
- Download CSV file: downloads a CSV file with the information of the sessions.
- View: allows you to add or remove columns in the table. It is also possible to change the order of the columns.

Privileged accounts dashboard

Description

Soffid provides a monitoring functionality to consult all the information about the different jump servers installed and configured.
To activate this view you need to enable the Feed statistic tables task on the Scheduled tasks page.

Screen overview

Related objects
- Accounts: for the high-privileged accounts.
- Jump servers: for the jump servers configuration.

Standard attributes

The displayed information is the following:
- Jump server enabled accounts
- High-privileged accounts
- Jump server sessions
- Used storage by PAM storage server (MB)
- Free storage by PAM storage server (MB)
- Users with access to PAM jump servers

Search in PAM recordings

Description

Soffid provides functionality to search for information about the PAM recording sessions. First, to query the PAM recordings, you can apply some filters to refine your search. Then, when you click the Search button, Soffid shows all the recorded sessions that match the specified criteria. If you click on one record, Soffid shows a new page with all the data about the session and the recorded video. If you query with a typed keys filter, a bookmark with the minute and second is shown, which allows you to go directly to that point and view the action.

Screen overview

Related objects
- Network discovery: where the servers are discovered and created in Soffid.
- Agents: each server will have its own agent.
- Password vault: accounts published in PAM.
- PAM policies: the PAM policies contain and configure the PAM rules.
- PAM rules: PAM rules used in the PAM policies.
- Search in PAM recordings: to search and watch recorded sessions.
- Access logs: to search and watch recorded sessions.
- Configure PAM session servers: where the PAM servers are configured.

Standard attributes

Filter attributes
- Jump server group: used to connect to the system.
- URL: service URL.
- Typed keys: allows you to search in the PAM recording.
- Other information: violation of rule; Ctrl, e.g. "[ctrl]+l", "[ctrl]+d" ...; screenshot contents, by screen content.
- User name: user who created the session.
- Start date: start date of the recording.
- End date: end date of the recording.

Table attributes
- Jump server group: used to connect to the system.
- User name: user who created the session.
- Account name: account name of the user used to access the system.
- URL: service URL.
- Start date: start date on which the results are filtered.
- End date: final day on which the results are filtered.

Actions
- Download CSV file: downloads a CSV file with the PAM recording information.
- Search: queries the PAM recordings by applying some filters.
- View recording: allows you to view the recording. Click on the record of the PAM recording that you want to view; Soffid then shows a new page with all the information about the session and the recorded video.

Console log

Description

The Console log screen displays an extract of the console logs for the current day. The log file is located in the Console directory, but in Docker or Kubernetes installations it is faster to perform initial queries on this screen. If you have more than one console in your environment, each console only displays its own logs. The log rotates every day and only logs from the same day can be viewed. To view previous days, access the system folder (/opt/soffid/iam-console-4/logs/).

Screen overview

Related objects
- Sync server monitoring: to view the syncserver logs.
- Audit: to view the audit information of the Soffid objects.

Actions
- Download CSV file: downloads the log file.

Issues

Definition

The Issues screen provides a tool to manage all issues and allows you to perform the operations available for each type of task. The actions to be performed depend on each kind of task.
Screen overview

Related objects
- Issue policies: where the issues are configured.
- Issues: lists all issues.
- My issues: issues started by a user or in which the user has a pending action.

Pages related to the different issues: Users, Accounts, Network intelligence, Agents, Sync server monitoring, Hosts, Scheduled jobs, My OTP devices, PAM rules, Roles, Segregation of duties.

Standard attributes

Header:
- Issue number: an incremental number to identify the issue.
- Requester: owner of this issue.
- Issue type: issue type defined by Soffid.
- Description: a brief description of the issue.
- Times: number of times the issue has been repeated.
- Status: possible task statuses. There are three available statuses: New, Acknowledged, Solved.

Details:
- Account: account affected by the issue.
- Actor: owner of this issue.
- Users: users involved in the issue.
- Created on: date of creation.
- Acknowledged on: date on which it was marked as acknowledged.
- Solved on: date on which it was marked as solved.

Actions:
- Actions log: each of the actions that have been carried out on the issue.
- Modified on: date of last modification.
- Modified by: last user that modified the issue.

Other attributes, depending on the issue type: Percentage of failed login, Human confidence metric, System, OTP device, Exception, Risk, Role grant, PAM Rule, jobName, Country, loginName, Hosts, Breached email, Data breach, Breach description, Created by.

Actions

Table actions
- "Query buttons": allows you to query the issues through the different search systems, Quick and Advanced.
- "Table filter": allows you to filter a column in the table based on the results loaded in it.
- Download CSV file: downloads a CSV file with the issues data.
- Bulk actions: when selecting multiple issues, this option allows you to perform one of the following actions: Send custom email, Add comment, Acknowledge, Solve issue.
- View: allows you to add or remove columns in the table. It is also possible to change the order of the columns.

Detail actions
- Expand all: displays all the attributes of the different blocks.
- Collapse all: hides all the attributes of the different blocks.
- "Types of views": changes the view type: Classic view, Modern view, Compact design.
- Close: quits without applying any changes.
- Acknowledge: marks the issue as acknowledged.
- Solve issue: marks the issue as solved.
- Send custom email: sends a custom email to one recipient.
- Add comments: appends a new comment to the Actions log.

Actions by issue type

account-created
- Unlock account: if you click this option, Soffid will unlock the account.
- Lock affected accounts: if you click this option, Soffid will lock the affected accounts.
- Disable user: if you click this option, Soffid will disable the user.

disconnected-system

discovered-host

discovered-system

duplicated-user
- Acknowledge: to confirm that the issue is being handled.
- Send custom email: to send a custom mail.
- Merge users: if you click this option, Soffid will allow you to merge the identities by selecting the data of each of them.
- Add comment: to add a comment in the Actions log.

failed-job

enabled-account-on-disabled-user
- Unlock account: if you click this option, Soffid will unlock the account.
- Lock affected accounts: if you click this option, Soffid will lock the affected accounts.

global-failed-login

integration-errors

locked-account
- Unlock account: if you click this option, Soffid will unlock the account.
- Lock affected accounts: if you click this option, Soffid will lock the affected accounts.
- Disable user: if you click this option, Soffid will disable the user.
- Lock affected host: if you click this option, Soffid will lock the affected host.
- Unlock host: if you click this option, Soffid will unlock the host.

login-different-country
- Unlock account: if you click this option, Soffid will unlock the account.
- Lock affected accounts: if you click this option, Soffid will lock the affected accounts.
- Disable user: if you click this option, Soffid will disable the user.
- Lock affected host: if you click this option, Soffid will lock the affected host.
- Unlock host: if you click this option, Soffid will unlock the host.

login-from-new-device
- Unlock account: if you click this option, Soffid will unlock the account.
- Lock affected accounts: if you click this option, Soffid will lock the affected accounts.
- Disable user: if you click this option, Soffid will disable the user.
- Lock affected host: if you click this option, Soffid will lock the affected host.
- Unlock host: if you click this option, Soffid will unlock the host.

login-not-recognized
- Unlock account: if you click this option, Soffid will unlock the account.
- Lock affected accounts: if you click this option, Soffid will lock the affected accounts.
- Disable user: if you click this option, Soffid will disable the user.
- Lock affected host: if you click this option, Soffid will lock the affected host.
- Unlock host: if you click this option, Soffid will unlock the host.

otp-failures
- Unlock account: if you click this option, Soffid will unlock the account.
- Lock affected accounts: if you click this option, Soffid will lock the affected accounts.
- Disable user: if you click this option, Soffid will disable the user.
- Lock affected host: if you click this option, Soffid will lock the affected host.
- Unlock host: if you click this option, Soffid will unlock the host.

pam-violation
- Unlock account: if you click this option, Soffid will unlock the account.
- Lock affected accounts: if you click this option, Soffid will lock the affected accounts.
- Disable user: if you click this option, Soffid will disable the user.
- Lock affected host: if you click this option, Soffid will lock the affected host.
- Unlock host: if you click this option, Soffid will unlock the host.

password-changed

permissions-granted
- Unlock account: if you click this option, Soffid will unlock the account.
- Lock affected accounts: if you click this option, Soffid will lock the affected accounts.
- Disable user: if you click this option, Soffid will disable the user.

risk-increase
- Unlock account: if you click this option, Soffid will unlock the account.
- Lock affected accounts: if you click this option, Soffid will lock the affected accounts.
- Disable user: if you click this option, Soffid will disable the user.

robot-login
- Unlock account: if you click this option, Soffid will unlock the account.
- Lock affected accounts: if you click this option, Soffid will lock the affected accounts.
- Disable user: if you click this option, Soffid will disable the user.
- Lock affected host: if you click this option, Soffid will lock the affected host.
- Unlock host: if you click this option, Soffid will unlock the host.

security-exception
- Disable user: if you click this option, Soffid will disable the user.

Reports (addon-reports)

Description

The Reports page allows you to run the reports defined in the system. Reports can be executed immediately or scheduled for later. Soffid comes with a set of predefined reports by default, but you can modify them and add new reports as needed for your organisation.

List of default reports
- Accounts list
- Accounts summary
- Business units detail
- Identities list
- Orphan accounts v2
- Overview_Report
- Password Policies v2
- Risk report
- Types Accounts
- Workflow metrics
- businessRolesDetailed

Explanation of the tabs
- Executed reports: where reports are manually started, executed or scheduled; you can also query the last executions.
- Scheduled reports: where scheduled reports are listed.
- Report definitions: where you can update the configuration of a report, upload a new definition version or upload a new report.
Screen overview

Related objects
- Reports: where Jasper reports are managed.
- Dashboard editor: to create and manage dashboards.
- Chart editor: to manage charts to be used in the dashboard editor.
- Dataset editor: to manage datasets to be used in the chart editor.
- Dashboards: where the dashboards created in the dashboard editor are displayed.

Standard attributes
- Report: report.
- Date: date of execution of the report.

Actions

Executed reports

Table actions
- Add new: starts a new report execution.
- Delete report: deletes all reports selected with the checkbox in the first column.
- [PDF] [XML] [HTML] [CSV] [XLS]: by clicking on one of these options, you can download the file in the selected format.

Popup actions
- Undo: cancels the execution.
- Next: continues to the next step.
- "Execute now": executes the report immediately.
- "Schedule execution": schedules the execution of the report.
- Finish: finishes the execution process popup.

Scheduled reports

Table actions
- Add new: starts a new report execution.
- Delete report: deletes all reports selected with the checkbox in the first column.
- "Edit scheduled report": when you select a report, a pop-up window opens with the planning information so that you can view or modify it. The "Schedule execution" section is the same as that used in the Scheduled tasks screen. With the "Access control list", you can specify which users can view this report.

Popup actions
- Undo: cancels the execution.
- Next: continues to the next step.
- "Execute now": executes the report immediately.
- "Schedule execution": schedules the execution of the report.
- Finish: finishes the execution process popup.

Report definitions

Table actions
- Download iReport component: downloads the ireport-addon.jar. That add-on will be customized and added to the iReport designer to design your own reports. You can visit the How to start Reporting in Soffid page.
- Upload: uploads a report designed with the iReport tool. You can upload default jasper files or customized jasper files as well. First, click the Upload option in the "Three points" icon menu. Then Soffid displays a window to pick the new report (a .jasper file).
- "Edit report definition": when you select a report, a pop-up window opens with the report definition so that you can view or modify it.

You can download the iReport designer from SourceForge.

Configure dashboards > Dashboard editor (addon-reports)

Description

On the Dashboard editor screen, you can create dashboards for different users, roles and groups that contain the available charts. You can create as many dashboards as you need. Each dashboard has its own access list. For example, you can create one dashboard for administrator users, another for managers, and another for end users.

Screen overview

Related objects
- Dashboard editor: to create and manage dashboards.
- Chart editor: to manage charts to be used in the dashboard editor.
- Dataset editor: to manage datasets to be used in the chart editor.
- Dashboards: where the dashboards created in the dashboard editor are displayed.

Standard attributes

Definition:
- Name: name of the dashboard.
- Description: description of the dashboard.
- Usable by: who will be able to view the dashboard; users, roles and groups can be selected.
- Number of columns: number of columns to display on the dashboard page; 1 is the whole page, 2 means two columns.

Charts:
- Chart: chart to be displayed.
- Columns: columns needed to display it.
- Rows: rows needed to display it.

How to configure columns

Chart                                             Number of columns (dashboard)   Columns (chart)   Rows (chart)
One single chart                                  1                               1                 1
Two square charts                                 2                               1/1               1/1
Two rectangular charts one above the other        2                               2/2               1/1
A double chart with two small ones on its right   3                               2/1/1             2/1/1

Actions

Table actions
- Add new: creates a new dashboard.
- Delete: deletes all dashboards selected with the checkbox in the first column.
- Download CSV file: downloads a CSV file with the dashboard data.

Detail actions
- Apply changes (disk icon): saves the updates of the dashboard.
- Delete: deletes the dashboard.
- Expand all: displays all the attributes of the different blocks.
- Collapse all: hides all the attributes of the different blocks.
- "Types of views": changes the view type: Classic view, Modern view, Compact design.
- Refresh: displays the selected charts.
- Delete: deletes all charts selected with the checkbox in the first column.
- Add new: adds a new chart to the dashboard.
- Undo: quits without applying any changes.
- Apply changes: saves the updates of the dashboard.

Configure dashboards > Chart editor (addon-reports)

Description

On the Chart editor screen, you can create charts from the datasets created on the Dataset editor screen. These charts will be used in the Dashboard editor screen.

Screen overview

Related objects
- Dashboard editor: to create and manage dashboards.
- Chart editor: to manage charts to be used in the dashboard editor.
- Dataset editor: to manage datasets to be used in the chart editor.
- Dashboards: where the dashboards created in the dashboard editor are displayed.

Standard attributes
- Name: name of the chart.
- Description: description of the chart.
- Type: type of the chart: Line, Stacked area, Bar, Area, Pie, Doughnut, World map, Custom (to configure it yourself).
- Definition (only when the Custom type is selected): to configure a custom chart.
- SQL sentence: SQL sentence to retrieve the dataset from the Soffid database.
- Refresh interval in seconds: interval, in seconds, at which the data is refreshed from the database.
- Updated on: date of the last update.
- Updated by: user of the last update.

Actions

Table actions
- Add new: creates a new chart.
- Delete: deletes all charts selected with the checkbox in the first column.
- Download CSV file: downloads a CSV file with the chart data.

Detail actions
- Apply changes (disk icon): saves the updates of the chart.
- Delete: deletes the chart.
- Expand all: displays all the attributes of the different blocks.
- Collapse all: hides all the attributes of the different blocks.
- "Types of views": changes the view type: Classic view, Modern view, Compact design.
- Delete: deletes all datasets selected with the checkbox in the first column.
- Add new: adds a new dataset to the chart.
- Undo: quits without applying any changes.
- Apply changes: saves the updates of the chart.

Configure dashboards > Dataset editor (addon-reports)

Description

The datasets used to generate the charts, which in turn generate the dashboards, are registered on the "Dataset editor" screen. SQL queries are run directly on the Soffid database to retrieve the datasets.
If you wish to consult the structure of the Soffid database, you can consult the internal Soffid API (Entities section).

Screen overview

Related objects
Dashboard editor : to create and manage dashboards
Chart editor : to manage charts to be used in the dashboard editor
Dataset editor : to manage datasets to be used in the chart editor
Dashboards : where the dashboards created in the dashboard editor are displayed

Standard attributes
Name : name of the dataset
Description : description of the dataset
Target system : use this field when the SQL query needs to be executed from an agent
SQL sentence : SQL sentence to retrieve the dataset from the Soffid database
Refresh interval in seconds : interval, in seconds, at which the dataset is refreshed
Updated on : date of the last update
Updated by : user who made the last update

Actions

Table actions
Add new : allows you to create a new dataset.
Delete : allows you to delete all datasets selected with the checkbox in the first column.
Download CSV file : allows you to download a CSV file with the dataset data.

Dataset actions
Apply changes (disk icon) : allows you to save the updates of the dataset.
Delete : allows you to delete the dataset.
Expand all : displays all the attributes of the different blocks.
Collapse all : hides all the attributes of the different blocks.
Types of views : changes the view type: Classic view, Modern view, Compact design.
Refresh : displays a table with the result of the SQL sentence.
Undo : allows you to quit without applying any changes.
Apply changes : allows you to save the updates of the dataset.

Dashboards (addon-reports)

Description
The Dashboards screen displays as many options as there are dashboards created. When you select one, the dashboard is displayed on a new screen.
If you want to modify a dashboard, you must go to the edit pages for the Dataset editor, Chart editor and Dashboard editor.
Screen overview

Related objects
Dashboard editor : to create and manage dashboards
Chart editor : to manage charts to be used in the dashboard editor
Dataset editor : to manage datasets to be used in the chart editor
Dashboards : where the dashboards created in the dashboard editor are displayed

Others

Permissions
Please note that dashboards are only displayed to users who have permission to view them.
In the Dashboard editor page, the user must be included in the "Usable by" field, as a user, a granted role or a primary/secondary group.
In the Authorizations page, the user needs to be granted a role with the following authorizations:
seu:dashboard:show : to display the option in the menu
dashboard:query : to display the dashboard itself

Further information

My Profile

Description
My Profile is the part of the Identity self service that allows end users to configure their own profile, update their user information and preferences, change their password, and set their recovery questions.
To view My Profile, select the My Profile option in the drop-down menu at the top right. Soffid then displays a new window where end users can configure their profile.

Screen overview

Related objects
Users : to display the roles granted to a user
Roles : to display the roles
Information systems : to display the roles through the information systems
Authorizations : to review the authorizations and manage the roles assigned

Standard attributes

Basic User Info
Last login : date and time of the user's last login.
Last IP connection : IP address of the user's last login.
Change password : allows end users to change their password.
Password recovery questions : (only when the retrieve passwords addon is configured) allows end users to configure their own questions to recover their passwords. For more information about password recovery, visit the Password recovery questions page.
Preferences
Language : allows end users to select their preferred language.
Time zone : allows end users to select their time zone.
Date format : allows end users to select the date format. Sample: displays how the date will be shown in Soffid Console.
Time format : allows end users to select the time format. Sample: displays how the time will be shown in Soffid Console.
Enable desktop notifications in this browser : enables desktop notifications in this browser.
Display : Light (white background) or Dark (dark background).

Authorizations
Displays the list of the user's authorizations.
Role : role granted
Authorization [domain value] : authorization description
Scope : authorization scope
Domain value : domain where the granted role is assigned (* when there is no domain)

Application consents
Displays a list of all the consents the user has given, so the user can review them. Users can remove a consent at any time.
When the user connects to a new application, the IdP indicates which data will be shared with that application. That information is defined in the Attribute sharing policies page of the Federation. For more information about attribute sharing, visit the Attribute sharing policies page.

Actions
Change password : allows the user to change their current password. The pop-up displays the restrictions applied by your password policy. You must enter your current password. If you cannot remember it, it is best to use the password recovery option when logging in to the Console; this option is included in the password recovery add-on.
Undo : allows you to undo any changes made.
Apply changes : allows you to save the data. Once you apply changes, the details page is closed.
Soffid Objects (for agent mappings)

You can consult the list of Soffid attributes for each object:
User object
Account object
Group object
Role object
Grant object
Maillist object
Membership object
dispatcherService
Authoritative change object

User object

A user object is a map that holds the information belonging to a single user account.

| Attribute | Type | Description |
| --- | --- | --- |
| id | Long | user id |
| accountId | Long | account id |
| accountName | String | account name |
| system | String | managed system (agent) name |
| accountDescription | String | account description |
| active | Boolean | true if the user is active |
| accountDisabled | Boolean | true if the account is disabled |
| mailAlias | String | blank-separated mail aliases |
| userName | String | user name |
| primaryGroup | String | user's primary group name |
| comments | String | user's comments |
| createdOn | Date | user creation date |
| modifiedOn | Date | user last modification date |
| mailDomain | Date | user mail domain (email right side of @) |
| fullName | String | user full name |
| shortName | String | user mail name (email left side of @) |
| firstName | String | user first name |
| lastName | String | user last name |
| lastName2 | String | user second last name (when applicable) |
| mailServer | String | mail server host name |
| homeServer | String | home drive server host name |
| profileServer | String | roaming profile server host name |
| phone | String | user's phone number |
| userType | String | user type |
| createdBy | String | user name of the creator of this user |
| modifiedBy | String | user name of the last modifier of this user |
| secondaryGroups | List<Map> | list of groups the user belongs to, including the primary group; the attributes of the inner map are described later |
| attributes | Map | additional user attributes |
| grantedRoles | List<Map> | list of grants directly granted to the user |
| allGrantedRoles | List<Map> | list of grants directly or indirectly granted to the user |
| granted | List | list of role names and group names directly granted to the user |
| allGranted | List | list of role names and group names directly or indirectly granted to the user |

Account object

An account object holds the information belonging to an account.
| Attribute | Type | Description |
| --- | --- | --- |
| accountDescription | String | account description |
| accountDisabled | Boolean | true if the account is disabled |
| accountId | Long | account id |
| accountName | String | account name |
| allGranted | List | list of role names directly or indirectly granted to the user |
| allGrantedRoles | List<Map> | list of grants directly or indirectly granted to the user |
| attributes | Map | additional account attributes |
| granted | List | list of role names directly granted to the user |
| grantedRoles | List<Map> | list of grants directly granted to the user |
| lastLogin | Calendar | date of the last login |
| lastPasswordUpdate | Calendar | date of the last password update |
| lastUpdate | Calendar | date of the last update |
| passwordExpiration | Calendar | password expiration date |
| passwordPolicy | String | password policy |
| system | String | managed system (agent) name |
| type | AccountType | "U"=user, "S"=shared, "P"=privileged, "I"=ignored |

Group object

A group object holds the information belonging to a group.

| Attribute | Type | Description |
| --- | --- | --- |
| groupId | Long | group id |
| name | String | group name |
| description | String | group description |
| parent | String | parent group name |
| server | String | home server host name |
| disabled | boolean | true if the group is disabled |
| accountingGroup | String | group accounting information |
| type | String | group type |
| driveLetter | String | drive letter used to connect to the home server |
| users | List<Map> | list of users belonging to this group |
| userNames | List | list of user names belonging to this group |
| allUsers | List<Map> | list of users directly or indirectly belonging to this group |
| allUserNames | List | list of user names directly or indirectly belonging to this group |
| grantedRoles | List<Map> | list of roles granted to this group |
| grantedRoleNames | List | list of role names granted to this group |

Role object

A role object holds the information belonging to a role.
| Attribute | Type | Description |
| --- | --- | --- |
| roleId | Long | role id |
| system | String | managed system (agent) name |
| name | String | role name |
| application | String | application system name |
| category | String | role category |
| passwordProtected | boolean | true if the role should be password protected (where applicable) |
| description | String | role description |
| wfmanaged | boolean | true if the role should be displayed in self service requests |
| domain | String | custom domain for this role: use the com.soffid.iam.api.DomainType constants or a configured custom domain |
| ownedRoles | List<Map> | list of roles granted to this one |
| ownerRoles | List<Map> | list of roles grantee of this one |
| ownerGroups | List<Map> | list of groups grantee of this role |
| grantedAccountNames | List | list of account names directly grantee of this role |
| grantedAccounts | List<Map> | list of users directly grantee of this role |
| allGrantedAccountNames | List | list of account names either directly or indirectly grantee of this role |
| allGrantedAccounts | List<Map> | list of users either directly or indirectly grantee of this role |
| attributes | Map | role's custom attributes |

Grant object

Grant, grantedRole & allGrantedRoles

The objects grant, grantedRole and allGrantedRoles are used to assign roles to accounts and to other roles.
| Attribute | Type | Description |
| --- | --- | --- |
| domainValue | String | grant value (if any) |
| grantedRole | String | granted role name |
| grantedRoleId | Long | granted role id |
| grantedRoleObject | role object | granted role |
| grantedRoleSystem | String | granted role managed system (agent) name |
| id | Long | grant id |
| ownerAccount | String | grantee account name |
| ownerAccountObject | account object | grantee account |
| ownerGroup | String | grantee group name |
| ownerRoleId | String | grantee role id |
| ownerRoleName | String | grantee role name |
| ownerSystem | String | grantee account or role managed system name |
| ownerUser | String | grantee user name |

Examples

Grant

Example to map a grant object (assign a role to an account):

| System attribute | Direction | Soffid attribute |
| --- | --- | --- |
| role_name | => | grantedRole |
| account_name | => | ownerAccount |

GrantedRole

Example to map a grantedRole object (assign a role as a child of another role):

| System attribute | Direction | Soffid attribute |
| --- | --- | --- |
| role_name | => | grantedRole |
| parent_role_name | => | ownerRoleName |

AllGrantedRoles

Example to map an allGrantedRoles object in a holderGroup (assign a role to an account in a specific group):

| System attribute | Direction | Soffid attribute |
| --- | --- | --- |
| role_name | => | grantedRole |
| parent_role_name | => | ownerRoleName |
| group_code | => | domainValue |
| group_code | => | holderGroup |
| userName | => | ownerUser |

Maillist object

| Attribute | Type | Description |
| --- | --- | --- |
| id | Long | internal mail list id |
| name | String | mail list name (the initial part, before the @ sign) |
| domain | String | mail list domain (the remaining part, after the @ sign) |
| system | String | managed system (agent) name |
| description | String | mail list description |
| users | String array | user names that are bound to this mail list |
| groups | String array | group names that are subscribed to this mail list |
| roles | String array | role names that grant access to this mail list |
| lists | String array | nested mail lists |
| explodedUsers | String array | names of the users that should be subscribed to this mail list, including the users subscribed because of group or role membership |
| explodedUserAddresses | String array | mail addresses of every exploded user |
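As an added illustration of how the three-column mapping tables above behave, the following JavaScript (not Soffid's mapping engine, and not code from the guide) applies each table to a record read from the target system and builds the corresponding Soffid grant object. It assumes that a "=>" row copies the system attribute in the left column into the Soffid attribute in the right column, that "<=" copies the other way, and that "<=>" does both; the sample records are constructed for the example.

```javascript
// Added illustration (not Soffid's mapping engine) of how the three-column
// mapping tables turn a record read from the target system into a Soffid grant
// object. Assumption: a "=>" row copies the system attribute (left column) into
// the Soffid attribute (right column), "<=" copies the other way and "<=>"
// does both. Each table is written as an array of {system, dir, soffid} rows.

var GRANT_MAPPING = [
  { system: "role_name",    dir: "=>", soffid: "grantedRole" },
  { system: "account_name", dir: "=>", soffid: "ownerAccount" }
];

var GRANTED_ROLE_MAPPING = [
  { system: "role_name",        dir: "=>", soffid: "grantedRole" },
  { system: "parent_role_name", dir: "=>", soffid: "ownerRoleName" }
];

var ALL_GRANTED_ROLES_MAPPING = [
  { system: "role_name",        dir: "=>", soffid: "grantedRole" },
  { system: "parent_role_name", dir: "=>", soffid: "ownerRoleName" },
  { system: "group_code",       dir: "=>", soffid: "domainValue" },
  { system: "group_code",       dir: "=>", soffid: "holderGroup" },
  { system: "userName",         dir: "=>", soffid: "ownerUser" }
];

// Does this row flow in the requested direction?
function rowApplies(row, toSoffid) {
  return row.dir === "<=>" || row.dir === (toSoffid ? "=>" : "<=");
}

// Applies one mapping table to one record. A missing source attribute is an
// error rather than a silent undefined: a grant without a grantedRole or an
// owner would otherwise be handed to Soffid half-built.
function applyMapping(mapping, record, toSoffid, objectType) {
  var result = objectType ? { objectType: objectType } : {};
  mapping.forEach(function (row) {
    if (!rowApplies(row, toSoffid)) return;
    var from = toSoffid ? row.system : row.soffid;
    var to = toSoffid ? row.soffid : row.system;
    if (!Object.prototype.hasOwnProperty.call(record, from)) {
      throw new Error("record has no attribute '" + from + "'");
    }
    result[to] = record[from];
  });
  return result;
}

// Constructed sample rows, shaped like what a connector could return for the
// "role held by account" and "role nested in role, per group" relations.
var SAMPLE_SYSTEM_GRANTS = [
  { role_name: "HR_READER", account_name: "jdoe" },
  { role_name: "HR_ADMIN",  account_name: "msmith" }
];

var SAMPLE_SYSTEM_GROUP_ROLES = [
  { role_name: "HR_ADMIN", parent_role_name: "HR_MANAGERS", group_code: "HR01", userName: "msmith" }
];

function systemGrantsToSoffid() {
  return SAMPLE_SYSTEM_GRANTS.map(function (r) {
    return applyMapping(GRANT_MAPPING, r, true, "grant");
  });
}

function systemGroupRolesToSoffid() {
  return SAMPLE_SYSTEM_GROUP_ROLES.map(function (r) {
    return applyMapping(ALL_GRANTED_ROLES_MAPPING, r, true, "allGrantedRoles");
  });
}
```

Note that group_code appears twice in the AllGrantedRoles table and is therefore copied into both domainValue and holderGroup; the mapping is a list of rows, not a dictionary keyed by system attribute, which is why the example keeps it as an array.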
Membership object

A membership object contains the user account information as well as the group the user belongs to.

| Attribute | Type | Description |
| --- | --- | --- |
| userName | String | user name |
| user | Map | user object |
| groupName | String | group name |
| group | Map | group object |
| attributes | Map | membership custom attributes |

dispatcherService

dispatcherService is an object available from the agents' attribute translation rules. This object contains four methods:

| Method name | Parameters | Result type | Comments |
| --- | --- | --- | --- |
| soffidToSystem | ExtensibleObject soffidObject | ExtensibleObject | Uses the attribute translation tables to transform a Soffid object into a target system object. Remember to fill in the objectType property so that the proper object mapping is used. |
| systemToSoffid | ExtensibleObject systemObject | ExtensibleObject | Uses the attribute translation tables to transform a target system object into a Soffid object. Remember to fill in the objectType property so that the proper object mapping is used. |
| search | ExtensibleObject exampleObject | ExtensibleObject | Uses exampleObject to perform a query by example on the target system. If the object exists on the target system, it is returned. Remember to fill in the objectType property with the desired system object type. |
| invoke | String verb, String action, Map parameters | List of Map | Allows arbitrary executions on the target system, but its semantics change depending on the connector used. For instance, it can perform a GET on the target system with the REST connector, issue an LDAP query with the Active Directory connector, execute a SELECT sentence with a SQL connector, or execute an operating system command with the Shell connector. The results are returned as a list of objects (maps). |
Examples

Snippet to query the sys_id attribute for a grant owner

```beanshell
// Query by example: look up the ROLE named ownerRoleName on the target system
// and return its sys_id
System.out.println("Searching id for " + ownerRoleName);
com.soffid.iam.sync.intf.ExtensibleObject eo = new com.soffid.iam.sync.intf.ExtensibleObject();
eo.setObjectType("ROLE");
eo{"name"} = ownerRoleName;
eo = dispatcherService.search(eo);
if (eo == null) {
    // search() returns null when the object does not exist on the target system
    System.out.println("NOT FOUND " + ownerRoleName);
    return null;
}
System.out.println("FOUND " + eo{"sys_id"});
return eo{"sys_id"};
```

Snippet that performs a REST query to get group to role assignments in ServiceNow

```beanshell
// GET through the REST connector; the first element of the response holds the "result" list
list = dispatcherService.invoke("GET",
        "https://arxusdev.service-now.com/api/now/table/sys_group_has_role?sysparm_exclude_reference_link=true&sysparm_display_value=all&sysparm_fields=role%2Cgroup&sysparm_query=group=" + sys_id,
        null).get(0).get("result");
// Build one grant map per returned row
r = new java.util.LinkedList();
for (d : list) {
    grant = new java.util.HashMap();
    grant{"grantedRole"} = d.get("role").get("display_value");
    grant{"grantedRoleSystem"} = "ServiceNow";
    grant{"ownerRoleName"} = name;
    grant{"ownerSystem"} = "ServiceNow";
    r.add(grant);
}
return r;
```

Snippet of invoke usage on a relational database

```beanshell
// Table ITREPRT: keep a row for the user only while they hold one of two roles
role = source{"granted"}.size() == 0 ? "" : source{"granted"}.get(0);
System.out.println("************** ROLE " + role);
args = new java.util.HashMap();
args.put("user", source{"accountName"}.toUpperCase());
if (role.equals("Receptores PR") || role.equals("Jefes_Personal")) {
    r = dispatcherService.invoke("select", "* from ITREPRT where IDUSER=:user", args);
    if (r.size() == 0) {
        dispatcherService.invoke("insert", "into ITREPRT(IDUSER,NOMECO) values (:user, 1)", args);
    }
} else {
    dispatcherService.invoke("delete", "from ITREPRT where IDUSER=:user", args);
}

// Table MRGEUCT: the cost centre comes from the "dominio" attribute, or from
// the user name for users of type T
cc = source{"attributes"}{"dominio"};
if (source{"userType"}.equals("T")) {
    cc = source{"userName"}.substring(1);
}
while (cc != null && cc.startsWith("0")) cc = cc.substring(1);   // strip leading zeros
System.out.println("************** COST CENTER " + cc);
if (cc != null && !cc.trim().isEmpty()) {
    args = new java.util.HashMap();
    args.put("user", source{"accountName"}.toUpperCase());
    args.put("cc", cc);
    r = dispatcherService.invoke("SELECT", "* from MRGEUCT where IDUSER=:user and MOARPR=:cc", args);
    if (r.size() == 0) {
        dispatcherService.invoke("INSERT", "into MRGEUCT(MOARPR,CENTRA, IDUSER, NOTIFI ) " +
                "values ('II', :cc, :user, 'S')", args);
        dispatcherService.invoke("INSERT", "into MRGEUCT(MOARPR,CENTRA, IDUSER, NOTIFI ) " +
                "values ('BM', :cc, :user, 'S')", args);
        dispatcherService.invoke("DELETE", "FROM MRGEUCT WHERE CENTRA!=:cc AND IDUSER=:user", args);
    }
}
return true;
```

Snippet of invoke usage on Active Directory (I)

```beanshell
// LDAP query through the Active Directory connector of the agent "AD soffid.pat"
hashMap = new java.util.HashMap();
list = serviceLocator.getDispatcherService().invoke("AD soffid.pat", "select", "(&(objectClass=user))", hashMap);
out.println("** list.size -- " + list.size());
```

Snippet of invoke usage on Active Directory (II)

```beanshell
// Look up the user whose sAMAccountName matches the Soffid account name.
// ACC is interpolated into the LDAP filter: if it could ever contain filter
// metacharacters (parentheses, *, \, NUL) it must be escaped as per RFC 4515.
ACC = source{"accountName"};
la = dispatcherService.invoke("AD soffid.pat", "(&(objectClass=user)(sAMAccountName=" + ACC + "))", new java.util.HashMap());
```

Authoritative change object

A user object is a map that holds the information belonging to a single user account.

| Attribute | Type | Description |
| --- | --- | --- |
| id | Long | user id |
| accountId | Long | account id |
| accountName | String | account name |
| system | String | managed system (agent) name |
| accountDescription | String | account description |
| active | Boolean | true if the user is active |
| accountDisabled | Boolean | true if the account is disabled |
| mailAlias | String | blank-separated mail aliases |
| userName | String | user name |
| primaryGroup | String | user's primary group name |
| comments | String | user's comments |
| createdOn | Date | user creation date |
| modifiedOn | Date | user last modification date |
| mailDomain | Date | user mail domain (email right side of @) |
| fullName | String | user full name |
| shortName | String | user mail name (email left side of @) |
| firstName | String | user first name |
| lastName | String | user last name |
| lastName2 | String | user second last name (when applicable) |
| mailServer | String | mail server host name |
| homeServer | String | home drive server host name |
| profileServer | String | roaming profile server host name |
| phone | String | user's phone number |
| userType | String | user type |
| createdBy | String | user name of the creator of this user |
| modifiedBy | String | user name of the last modifier of this user |
| secondaryGroups | List<Map> | list of groups the user belongs to, including the primary group; the attributes of the inner map are those of the Group object |
| secondariGroups2 | List<Map> | list of user memberships, excluding the primary group; the attributes of the inner map are those of the Membership object |
| attributes | Map | additional user attributes |
| grantedRoles | List<Map> | list of grants directly granted to the user |
| allGrantedRoles | List<Map> | list of grants directly or indirectly granted to the user |
| granted | List | list of role names and group names directly granted to the user |
| allGranted | List | list of role names and group names directly or indirectly granted to the user |

Sample scripts

Introduction

Note that Soffid supports different scripting languages; you can configure the language in the Smart engine settings screen. Soffid 4 configures the smart engine with the JavaScript scripting language by default.
Additionally, in the initial configuration of the container you can set the SOFFID_TRUSTED_SCRIPTS environment variable to allow the use of insecure classes. You can find this information on the Installing IAM Console page.

Custom scripts page

The following examples of custom scripts can be run directly on the Custom scripts page. These scripts can also be used in any other Soffid script component. The scripts have been written for the JavaScript engine.
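The relational-database snippets above pass the account name through the args map as ":user" and ":cc" placeholders instead of concatenating it into the SQL text. As an added, standalone illustration of that pattern (my own code, not the Soffid SQL connector, which is assumed to bind the args values as parameters the way those snippets rely on), the binder below rewrites the same statements into positional form and shows that a quote inside an account name ends up in the bound values, never in the statement:

```javascript
// Added, standalone illustration of the ":name" placeholders used by the
// dispatcherService.invoke snippets for relational databases. It assumes the
// SQL connector binds the args values as parameters (the snippets rely on that);
// this binder is my own and is not the connector's code. It shows why a value
// never becomes part of the SQL text: quotes or comment markers in an account
// name stay data.

function bindNamedParameters(sql, args) {
  var text = "";     // SQL with every :name replaced by a positional "?"
  var values = [];   // bound values, in placeholder order
  var i = 0;
  while (i < sql.length) {
    var ch = sql.charAt(i);
    if (ch === "'") {
      // Copy string literals verbatim ('' is the escaped quote), so a colon
      // inside a literal such as 'a:b' is never mistaken for a placeholder.
      var end = sql.indexOf("'", i + 1);
      while (end !== -1 && sql.charAt(end + 1) === "'") end = sql.indexOf("'", end + 2);
      if (end === -1) throw new Error("unterminated string literal in SQL");
      text += sql.substring(i, end + 1);
      i = end + 1;
    } else if (ch === ":" && sql.charAt(i + 1) === ":") {
      text += "::";  // PostgreSQL cast syntax, not a placeholder
      i += 2;
    } else if (ch === ":" && /[A-Za-z_]/.test(sql.charAt(i + 1))) {
      var name = /^[A-Za-z_][A-Za-z0-9_]*/.exec(sql.substring(i + 1))[0];
      if (!Object.prototype.hasOwnProperty.call(args, name)) {
        throw new Error("no value supplied for :" + name);
      }
      text += "?";
      values.push(args[name]);
      i += 1 + name.length;
    } else {
      text += ch;
      i += 1;
    }
  }
  return { text: text, values: values };
}

// The SELECT and INSERT from the MRGEUCT snippet, bound with a constructed
// account name that contains a quote. The quote lands in values[], not in text.
function bindMrgeuctExample() {
  var args = { user: "o'brien".toUpperCase(), cc: "42" };
  return {
    select: bindNamedParameters("* from MRGEUCT where IDUSER=:user and MOARPR=:cc", args),
    insert: bindNamedParameters(
      "into MRGEUCT(MOARPR,CENTRA, IDUSER, NOTIFI ) values ('II', :cc, :user, 'S')", args)
  };
}
```

A placeholder with no entry in args is reported instead of being left in the statement, which is the failure a script author most often hits when an attribute such as "dominio" is empty for some users.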
Identity scripts

Recover a user by userName

```javascript
var u = serviceLocator.getUserService().findUserByUserName("admin");
out.print("User: " + u.firstName);
```

Print some attributes

```javascript
var u = serviceLocator.getUserService().findUserByUserName("test");
out.println("UserName: " + u.userName);
out.println("Name: " + u.firstName);
out.println("LastName: " + u.lastName);
```

Print the email of a user

```javascript
var u = serviceLocator.getUserService().findUserByUserName("test");
out.print("Email: " + u.shortName + "@" + u.mailDomain);
```

Print some additional data of a user

```javascript
llistaDadesUsuari = serviceLocator.getUserService().findUserDataByUserName("test");
// The body of this loop is missing from the source page; it iterates over the
// user's additional data.
for (var i = 0; i < llistaDadesUsuari.size(); i++) {
}
```

Search users whose username contains 'a'

```javascript
// The query that fills "users" is missing from the source page; it selects the
// users whose userName contains the letter 'a'.
if (users.size() > 0) {
  out.println("Users whose username contains 'a':");
  for (var i = 0; i < users.size(); i++) {
    var user = users.get(i);
    out.println(user.userName);
  }
} else {
  out.println("No users found with 'a' in their username.");
}
```

Create a new identity

```javascript
var newUser = new com.soffid.iam.base.api.User();
newUser.userName = "jkepler";
newUser.firstName = "Johannes";
newUser.lastName = "Kepler";
newUser.userType = "I";
newUser.primaryGroup = "world";
newUser.active = true;
serviceLocator.getUserService().create(newUser);
out.println("Created " + newUser.userName);
```

Update an identity

```javascript
var u = serviceLocator.getUserService().findUserByUserName("jkepler");
u.userType = "E";
u = serviceLocator.getUserService().update(u);
out.println("Updated " + u.userName);
```

Delete an identity

```javascript
var u = serviceLocator.getUserService().findUserByUserName("jkepler");
if (u != null) {
  serviceLocator.getUserService().delete(u);
  out.println("Deleted " + u.userName);
} else {
  out.println("User not found");
}
```

Account scripts

Recover accounts of users in Soffid 3

```beanshell
la = serviceLocator.getAccountService().findAccountByJsonQuery("users.user.userName eq \"02\" ");
for (a : la) {
    out.println("Cuenta: " + a.name);
    out.println("ID: " + a.id);
    out.println("System: " + a.system + "\n");
}
```

Recover accounts of users in Soffid 4 with pagination

```javascript
/** Search all accounts whose owner's userName contains the letter 'a' and
    print the name of the account and the system on the screen, page by page. **/
var query = new com.soffid.zkdb.api.Query();
query.filter = "users.user.userName co \"a\"";
query.pageSize = 2;
query.startIndex = 0;
var pagedResult;
do {
  pagedResult = serviceLocator.getAccountService().findAccounts(query);
  var accounts = pagedResult.resources;
  for (var i = 0; i < accounts.size(); i++) {
    var account = accounts.get(i);
    out.println("Account: " + account.name + ", System: " + account.system);
  }
  query.startIndex += query.pageSize;
} while (query.startIndex < pagedResult.totalResults);
```

Remove attribute values of a metadata in Soffid 3

```beanshell
public void removeUnAttributeValues(String attribute, String system) {
    la = serviceLocator.getAccountService().findAccountByJsonQuery("system eq \"" + system + "\"");
    for (a : la) {
        laa = serviceLocator.getAccountService().getAccountAttributes(a);
        for (aa : laa) {
            if (aa.attribute.equals(attribute)) {
                if (aa.value != null) {
                    // a.name is the account name (the original printed an undefined accountName variable)
                    out.print("accountName: " + a.name + ", attribute.value: " + aa.value);
                    serviceLocator.getAccountService().removeAccountAttribute(aa);
                    out.println(" ---> removed");
                }
            }
        }
    }
}
removeUnAttributeValues("manager", "AD");
```

Remove attribute values of a metadata in Soffid 4

```javascript
function removeUnAttributeValues(attribute, system) {
  var query = new com.soffid.zkdb.api.Query();
  query.filter = "system eq \"" + system + "\"";
  var pagedResult = serviceLocator.getAccountService().findAccounts(query);
  var la = pagedResult.getResources();
  for (var i = 0; i < la.size(); i++) {
    var a = la.get(i);
    var laa = serviceLocator.getAccountService().getAccountAttributes(a);
    for (var j = 0; j < laa.size(); j++) {
      var aa = laa.get(j);
      if (aa.attribute == attribute) {
        if (aa.value != null) {
          out.print("accountName: " + a.name + ", attribute.value: " + aa.value);
          serviceLocator.getAccountService().removeAccountAttribute(aa);
          out.println(" ---> removed");
        }
      }
    }
  }
}
removeUnAttributeValues("manager", "AD");
```
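The pagination loop in the Soffid 4 account script above stops when startIndex reaches totalResults. To check that rule offline, here is an added example (my own code, not from the guide) that runs the same do/while loop against an in-memory stand-in for serviceLocator.getAccountService().findAccounts and com.soffid.zkdb.api.Query, with constructed accounts, a partial last page and an empty result set:

```javascript
// Added example modelling the Query/pagedResult loop on an in-memory account
// list. findAccounts() and the query object are stand-ins for
// serviceLocator.getAccountService().findAccounts and com.soffid.zkdb.api.Query;
// they are not Soffid's implementation.

// Constructed sample accounts: owner userName, account name, managed system.
var SAMPLE_ACCOUNTS = [
  { owner: "anna",  name: "anna",   system: "AD" },
  { owner: "david", name: "dgomez", system: "AD" },
  { owner: "david", name: "david",  system: "LDAP" },
  { owner: "marta", name: "marta",  system: "AD" },
  { owner: "ada",   name: "alove",  system: "SAP" }
];

// Stand-in for the paged finder: understands only the
// users.user.userName co "<text>" filter and returns one page plus the total.
function findAccounts(query) {
  var m = /^users\.user\.userName co "([^"]*)"$/.exec(query.filter);
  if (!m) throw new Error("unsupported filter in this stand-in: " + query.filter);
  var matching = SAMPLE_ACCOUNTS.filter(function (a) {
    return a.owner.indexOf(m[1]) !== -1;
  });
  return {
    totalResults: matching.length,
    resources: matching.slice(query.startIndex, query.startIndex + query.pageSize)
  };
}

// Walks every page exactly like the script in the guide and returns the rows
// seen plus the number of round trips, so partial last pages and empty
// results can be checked.
function collectAllPages(filter, pageSize) {
  if (!(pageSize > 0)) throw new Error("pageSize must be positive, otherwise the loop never ends");
  var query = { filter: filter, pageSize: pageSize, startIndex: 0 };
  var rows = [];
  var calls = 0;
  var pagedResult;
  do {
    pagedResult = findAccounts(query);
    calls += 1;
    pagedResult.resources.forEach(function (account) {
      rows.push(account.name + "@" + account.system);
    });
    query.startIndex += query.pageSize;
  } while (query.startIndex < pagedResult.totalResults);
  return { rows: rows, calls: calls };
}
```

Two things the stand-in makes visible: an empty result still costs one round trip (the do/while body runs before the condition), and offset-based paging assumes the matching set does not change between calls; if accounts are created or deleted while the loop runs, rows can be skipped or repeated.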
Role scripts

Recover the roles of a user

```beanshell
user = serviceLocator.getUserService().findUserByUserName("Ivan");
out.println("Usuari: " + user.userName + "\n");
rolsUser = serviceLocator.getUserService().findUserRolesHierachyByUserName(user.userName);
for (listrRolsUser : rolsUser) {
    out.println("Nombre: " + listrRolsUser.name);
    out.println("Descripcion: " + listrRolsUser.description);
    out.println();
}
```

Print the associated roles for each account

```javascript
var queryUsuaris = new com.soffid.zkdb.api.Query();
queryUsuaris.filter = "userName eq \"david.gomez\"";
var pagedUsuaris = serviceLocator.getUserService().findUsers(queryUsuaris);
var llistaUsuaris = pagedUsuaris.getResources();
for (var i = 0; i < llistaUsuaris.size(); i++) {
  var usuari = llistaUsuaris.get(i);
  var queryComptes = new com.soffid.zkdb.api.Query();
  queryComptes.filter = "users.user.userName eq \"" + usuari.userName + "\"";
  var pagedComptes = serviceLocator.getAccountService().findAccounts(queryComptes);
  var llisstacuentas = pagedComptes.getResources();
  for (var j = 0; j < llisstacuentas.size(); j++) {
    var cuenta = llisstacuentas.get(j);
    out.print(" Cuenta : " + cuenta.name);
    var llistaRole = serviceLocator.getApplicationService().findRoleAccountByAccount(cuenta.id);
    for (var k = 0; k < llistaRole.size(); k++) {
      var role = llistaRole.get(k);
      out.print(" Role: " + role.roleName + "\n");
    }
  }
}
```

Print, for each account, the roles and the application of each role

```javascript
var queryUsuaris = new com.soffid.zkdb.api.Query();
queryUsuaris.filter = "userName eq \"david.gomez\"";
var pagedUsuaris = serviceLocator.getUserService().findUsers(queryUsuaris);
var llistaUsuaris = pagedUsuaris.getResources();
for (var i = 0; i < llistaUsuaris.size(); i++) {
  var usuari = llistaUsuaris.get(i);
  var queryComptes = new com.soffid.zkdb.api.Query();
  queryComptes.filter = "users.user.userName eq \"" + usuari.userName + "\"";
  var pagedComptes = serviceLocator.getAccountService().findAccounts(queryComptes);
  var llisstacuentas = pagedComptes.getResources();
  for (var j = 0; j < llisstacuentas.size(); j++) {
    var cuenta = llisstacuentas.get(j);
    out.print(" Cuenta : " + cuenta.name);
    out.println(" ID: " + cuenta.id);
    var llistaRole = serviceLocator.getApplicationService().findRoleAccountByAccount(cuenta.id);
    for (var k = 0; k < llistaRole.size(); k++) {
      var role = llistaRole.get(k);
      out.print(" Role: " + role.roleName + "\n");
      out.println(" Aplicacion: " + role.informationSystemName);
    }
  }
}
```

Print the roles associated with each user

```javascript
var query = new com.soffid.zkdb.api.Query();
query.filter = "";
var paged = serviceLocator.getUserService().findUsers(query);
var usuCuenta = paged.getResources();
for (var i = 0; i < usuCuenta.size(); i++) {
  var listaUsuCuenta = usuCuenta.get(i);
  out.println("Usuario: " + listaUsuCuenta.userName);
  out.println("Nombre: " + listaUsuCuenta.firstName);
  var rolsUser = serviceLocator.getUserService().findUserRolesHierachyByUserName(listaUsuCuenta.userName);
  for (var j = 0; j < rolsUser.size(); j++) {
    var listaRolsUser = rolsUser.get(j);
    out.println("Nombre del Rol: " + listaRolsUser.name);
    out.println("Descripcion: " + listaRolsUser.description);
    out.println();
  }
}
```

Create a new role

```javascript
try {
  var newRol = new com.soffid.iam.iga.api.Role();
  newRol.name = "Rol_New_Script";
  newRol.description = "Rol Script";
  newRol.informationSystemName = "SOFFID";
  newRol.system = "soffid";
  serviceLocator.getApplicationService().create(newRol);
  out.println("Created: " + newRol.name);
} catch (e) {
  out.println("Error: " + e);
}
```

Update a role

```javascript
var query = new com.soffid.zkdb.api.Query();
query.filter = "name eq \"Rol editado por script\" and informationSystemName eq \"APPLICATION01\"";
var pagedResult = serviceLocator.getApplicationService().findRoles(query);
var editRole = pagedResult.getResources();
for (var i = 0; i < editRole.size(); i++) {
  var role = editRole.get(i);
  out.println(role.name);
  role.name = "ROL01";
  try {
    role = serviceLocator.getApplicationService().update(role);
    out.println(role.name);
  } catch (e) {
    out.println("Error: " + e.message);
    out.println("Stack: " + e.stack);
  }
}
```

Delete a role

```javascript
try {
  var editRole = serviceLocator.getApplicationService().findRoleById(16576);
  serviceLocator.getApplicationService().delete(editRole);
} catch (e) {
  out.println("Error: " + e.message);
}
```

List the roles of an application

```javascript
var query = new com.soffid.zkdb.api.Query();
query.filter = "informationSystemName eq \"SOFFID\"";
var pagedResult = serviceLocator.getApplicationService().findRoles(query);
var list = pagedResult.getResources();
for (var i = 0; i < list.size(); i++) {
  var role = list.get(i);
  out.println(role.name);
}
```

Mail scripts

Send a simple email

```javascript
serviceLocator.getMailService().sendTextMail("user@domain.com", "Test", "Hello world!");
out.println("Mail sent!");
```

Send emails with attached files

```beanshell
import javax.mail.BodyPart;
import javax.mail.internet.MimeBodyPart;
import javax.activation.DataHandler;
import javax.activation.FileDataSource;
import java.util.ArrayList;

// Build the attachment from a file on the console host
path = "/tmp/";
name = "file.txt";
BodyPart att = new MimeBodyPart();
att.setDataHandler(new DataHandler(new FileDataSource(path + name)));
att.setFileName(name);

to = "aretha@soffid.com";
cc = "etaylor@soffid.com";
subject = "This is an email with attachment ";
body = "In this email you can see an attachment.";
mimeBodyParts = new ArrayList();
mimeBodyParts.add(att);

// Addressed to a mail address, with and without CC
serviceLocator.getMailService().sendHtmlMail(to, subject, body, mimeBodyParts);
serviceLocator.getMailService().sendHtmlMail(to, cc, subject, body, mimeBodyParts);
// Addressed to Soffid users (actors) by user name, with and without CC
serviceLocator.getMailService().sendTextMailToActors(new String[]{"aretha"}, subject, body, mimeBodyParts);
serviceLocator.getMailService().sendTextMailToActors(new String[]{"aretha"}, cc, subject, body, mimeBodyParts);
out.println("Mails sent!");
```

Event sample scripts

On grant permission

Update a user attribute when a specific permission is assigned

```beanshell
if (grant.roleName.equals("RS002")) {
    user = serviceLocator.getUserService().findUserByUserName(grant.user);
    if (user != null) {
        attributes = serviceLocator.getUserService().findUserAttributes(user.userName);
        if (attributes == null) {
            attributes = new java.util.HashMap();
        }
        attributes.put("language", "Spanish");
        serviceLocator.getUserService().updateUserAttributes(user.userName, attributes);
    }
}
```

On user change

Run a Python script when the user has a specific role assigned

```beanshell
if (user != null) {
    roleGrantList = serviceLocator.getApplicationService().findEffectiveRoleGrantByUser(user.id);
    for (roleGrant : roleGrantList) {
        if (roleGrant.roleName.equals("SO FFID_TEST".replace(" ", ""))) {
            // RUN SCRIPT on the console host and keep its output in a file
            String command = "python3 /opt/soffid/iam-console-3/conf/exampleScript.py > /opt/soffid/iam-console-3/conf/resultscript01.txt";
            Process process = Runtime.getRuntime().exec(command);
            user.comments = "ADD comments";
            user = serviceLocator.getUserService().update(user);
        }
    }
}
```

Agent scripts

User full name

```javascript
// Mapping expression: the two names are joined with a blank
return firstName + " " + lastName;
```

Create the mailDomain if it doesn't exist

```javascript
var mailDomain = "exampledomain";
// If a full address was given, keep only the part after the @
if (mailDomain != null && mailDomain.contains("@")) {
  var mailTokens = mailDomain.split("@");
  mailDomain = mailTokens[1];
}
var service = serviceLocator.getMailListsService();
var domain = service.findMailDomainByName(mailDomain);
if (domain == null) {
  domain = new com.soffid.iam.iga.api.MailDomain(); // note the iga.api package
  domain.setCode(mailDomain);
  domain.setDescription(mailDomain);
  domain.setObsolete(new java.lang.Boolean(false));
  domain = service.create(domain);
}
return mailDomain;
```

Recover active agents

```javascript
var llistaAgents = serviceLocator.getDispatcherService().findAllActiveDispatchers();
for (var i = 0; i < llistaAgents.size(); i++) {
  var agent = llistaAgents.get(i);
  out.println("Nom: " + agent.name);
  out.println("Class Name: " + agent.className + "\n");
}
```

Show the agents associated with a user's accounts and roles

```javascript
var queryUsuaris = new com.soffid.zkdb.api.Query();
queryUsuaris.filter = "userName eq \"admin\"";
var pagedUsuaris = serviceLocator.getUserService().findUsers(queryUsuaris);
var llistaUsuaris = pagedUsuaris.getResources();
for (var i = 0; i < llistaUsuaris.size(); i++) {
  var usuari = llistaUsuaris.get(i);
  out.println("Usuario: " + usuari.userName);
  var queryComptes = new com.soffid.zkdb.api.Query();
  queryComptes.filter = "users.user.userName eq \"" + usuari.userName + "\"";
  var pagedComptes = serviceLocator.getAccountService().findAccounts(queryComptes);
  var llisstacuentas = pagedComptes.getResources();
  for (var j = 0; j < llisstacuentas.size(); j++) {
    var cuenta = llisstacuentas.get(j);
    out.print(" Cuenta : " + cuenta.name);
    out.println(" ID: " + cuenta.id);
    var llistaRole = serviceLocator.getApplicationService().findRoleAccountByAccount(cuenta.id);
    for (var k = 0; k < llistaRole.size(); k++) {
      var role = llistaRole.get(k);
      out.print(" Role: " + role.roleName + "\n");
      out.println(" Aplicacion: " + role.informationSystemName);
      out.println(" Agente: " + role.system);
    }
  }
}
```

Utility classes

Crypt

Crypt allows you to hash text with different algorithms and to verify the resulting hash. To use this class: com.soffid.iam.crypt.Crypt

All methods are static:
hash(String algorithm, String text) -> String
pBKDF2Sha256(String text, String utf8Salt, int iterations) -> String
pBKDF2Sha256(String text, byte[] salt, int iterations) -> String
pBKDF2Sha1(String text, String utf8Salt, int iterations) -> String
pBKDF2Sha1(String text, byte[] salt, int iterations) -> String
genSaltBytes() -> byte[] // 8 bytes
genSaltBytes(int size) -> byte[]
genSalt() -> String // 8 bytes
genSalt(int size) -> String
verify(String algorithm, String text, String hash) -> boolean

The algorithms allowed are:
bcrypt
pBKDF2Sha256
pBKDF2Sha1 (or pBKDF2)
Base64 (used by default if the algorithm is not in the previous list)

One example:

```beanshell
String myText = "abcd";
String myAlgorithm = "bcrypt";
String myHash = com.soffid.iam.crypt.Crypt.hash(myAlgorithm, myText);
boolean isVerified = com.soffid.iam.crypt.Crypt.verify(myAlgorithm, myText, myHash);
if (isVerified) {
    return myHash;
} else {
    return null;
}
```
Calendar into String. To use this class:Ā  com.soffid.iam.json.CalendarConverter The methods (non static): toString(Calendar instance) -> String fromString(final String text) -> Calendar One example: out.println(new com.soffid.iam.json.CalendarConverter().toString(date)); Beanshell vs Javascript Description Soffid 4 configures the smart engine with Javascript scripting language as theĀ default. See Smart engine settings . Previously, the default engine was Beanshell, and many scripts will need to be adapted. This page lists these differences. Related objects Smart engine settings :Ā  where the engine is configured. Where we can use scripts: Agents : properties, mappings and triggers Custom scripts :Ā  all the scripts Account naming rules :Ā  script to validate and set name Role assignment rules :Ā  script to validate BPM editor : visualization, triggers, transitions Password policies : optional script Table of differences Topic Beanshell Javascript variable s = "text"; // The use of var should be mandatory, //but it almost always works without using it. var s = "text"; Ā  or Ā  s = "text"; function public void doSomething(String system) { Ā  ... } doSomething("APP_USERS"); function doSomething(system) { Ā  ... } doSomething("APP_USERS"); for for (user : listOfUsers) { Ā  ... } for (var i=0; i/soffid-iam-console Reply URL : https:///soffid/saml/log/post Sign on URL : https:///soffid/ Logout URL : https:///soffid/saml/slo/post 9. Configure Attributes & Claims and change the attributes and claims to send the mailnickname as the user identifier (nameid) 10. Copy the App Federation Metadata Url 11. Configure the External SAML identity Provider in the Soffid Console Authentication page 12. Optional, enable any user to login UI common actions UI common actions Search types Description Throughout the Soffid you will be able to perform searches on the different objects that make up the application. 
You will be able to search the system in several different ways.

Quick

This option allows a quick search by the fields that have been defined in the application metadata. You can find the metadata configuration on the Metadata page.

You only have to type in the field provided for this purpose and press Enter or click on the magnifying glass icon; Soffid will then display the list of objects that meet the typed criteria.

You can include characters such as ",", "." and "/" as word separators in the search text. Check the Textual index page for more information.

Basic

This is the default option. It provides some default search criteria, and other criteria can be added from the "Add criteria" option. These criteria depend on the entity or object on which the search is being performed. Remember, each criterion is added to the previous ones.

Each search criterion has a different search form depending on the type of data in the particular field. For instance, a text field provides four options, "Contains", "Starts with", "Ends with" and "Equals", and a date field provides the date "Since" and the date "Until".

Search criteria: Text, Date, Boolean, List

Soffid allows you to add criteria by clicking on the "Add criteria" button; Soffid then displays a list with all the available criteria and lets you select the one to add. To delete a criterion, click on the "X" icon on the left side of the criterion; Soffid automatically removes it and runs the search again without it.

The criteria depend on the object list where you are working, so for instance the criteria are not the same for the user list and the group list.

If you want to clear the value of a criterion, select the criterion and click the "Clear" button.

Advanced

This option allows an advanced search using the SCIM query syntax.
You can type the query using the SCIM standard. See the SCIM Book for more information.

Column selector

Description

Throughout the Soffid Console there are a large number of list-type components. These lists display the corresponding object data in each case, for instance users, accounts, etc.

The "View" component allows you to add or remove columns, and also to sort the columns by name to display them in the list. Bear in mind that the columns are the attributes of an object (a user, an account...).

It is easy to use: once you click on the "View" button, Soffid displays a popup with the available columns for the object; add, remove or drag and drop them in the order you want and click outside the popup, and Soffid refreshes the list with the changes you defined.

Download CSV file & Import

Description

On many pages of the Console you may see the option "Download CSV file", and on a few pages you may see the "Import" button.

Download CSV file

Soffid allows you to download all the data objects displayed in a table to a CSV file with "Download CSV file". If you require additional attributes, add them first using the "View" option. This CSV file can be very useful for the "Import" option, as you can edit its values or add new rows.

Import

Soffid allows you to upload a CSV file with a data list to add, update or delete information in the data table. The operations that can be performed with the data import depend on the table on which the process is being performed.

To "Import" data from a CSV file, first pick the file to import. Once the file has been selected, its data is displayed so that you can check the contents. If the content is correct, you can set up the mapping for each CSV column (a "Don't load" option is available). Finally, you can run the import process.
When the import process finishes, Soffid shows a message with the result of the process execution.

Bulk actions

Description

Allows massive operations to be performed on the selected records. With this operation, updates can be made to any of the object parameters. You can access this option through the "three points" icon on a few of the Soffid pages, such as the users list or the accounts list.

1. First of all, select the records you want to update from the list; once you have selected them, choose the bulk action button under the three points icon.

2. Soffid then displays a popup where you can select, one by one, the attributes to update. The first dropdown list displays the attributes of the object, for instance the user attributes. The second dropdown list displays the operation to perform on the selected attribute: change the value or clear the value, and, if necessary, the new value. The type of the third field depends on the attribute type selected previously.

3. Soffid shows a confirmation message with the number of records that will be updated. Finally, you can choose to apply or to go back. If you apply the changes, the attributes of the selected records are updated.

Textual index

Introduction

A textual index is a data structure used in database systems to facilitate efficient search and retrieval of text-based information. It is designed to handle large volumes of textual data and provide quick access to relevant documents or records based on specified search criteria.

When a search query is performed on a database with a textual index, the index is queried to identify the documents or records that match the search terms. The index provides information about the location and relevance of the documents, which enables the database system to retrieve and present the results in a timely manner.
Textual indexes play a crucial role in enabling efficient search and retrieval of textual information in databases, making them an essential component of applications that handle large volumes of textual data, such as search engines, content management systems and document repositories.

Soffid incorporates a textual index using the Apache Lucene library.

Index configuration

Soffid allows you to configure the objects you want to use in the textual index. To do this, select the proper object on the Metadata page and enable the option "Use textual index". Once you enable this option, the textual index is applied to the attributes of this object that have been included in the quick search. Notice that, from the user interface, the typed text is not interpreted as a Lucene expression.

Example

1. Enable "Use textual index" on the User object and save the changes.
2. Check that the option "Included in the quick search" is enabled on the attributes.

How does the user interface search work?

Once you have configured the textual index for a specific object, Soffid applies it when you use Quick Search on this object.

Example 1

1. If you search for users using the text "frankin", Soffid displays all the users whose userName, firstName, lastName or middleName match, to some degree, the typed text following the textual index rules.
2. If you include the attribute manager in the quick search:
3. And search for "frankin", Soffid displays all the users whose userName, firstName, lastName, middleName or manager match the typed text following the textual index rules.

Example 2

1. If you search for users using the text "manager:frank", Soffid displays all users whose manager matches the text "frank".
Notice the difference when searching "manager:frank?", "manager:frank*" and "manager:fr*".

Example 3

1. If you search for users using the text "userName:frank*", Soffid displays all users whose user name matches the text "frank" followed by any other text.
Notice the difference when searching the text "userName:frank?".

Example 4

1. If you search for users using the text "frank" plus the wildcard "?", Soffid displays all users whose userName, firstName, lastName, middleName or manager match the typed text as long as there is a variation in the characters where the wildcard has been used.
Notice the difference when searching "fran?".

How does the SCIM interface search work?

1. First of all, install the SCIM addon in Soffid. For more information, visit the How to install SCIM in Soffid? page.
2. Then, use any REST client to test and consume the SCIM REST web service. For more information, visit the Testing tool page.
3. Finally, start using the SCIM interface search with the Lucene syntax.

Lucene syntax

Please browse the standard specification at the linked page.

Term Modifiers

Lucene supports modifying query terms to provide a wide range of search options. Here are the most common ones:

Wildcard Searches

To perform a single-character wildcard search use the "?" symbol. To perform a multiple-character wildcard search use the "*" symbol.

Regular Expression Searches

Lucene supports regular expression searches matching a pattern between forward slashes "/".

Fuzzy Searches

To do a fuzzy search use the tilde, "~", symbol at the end of a single word term.

- Soffid Console <= 3.4: ~0.8 gives a stricter search, ~0.1 a more lax search.
- Soffid Console > 3.4: an additional (optional) parameter can specify the maximum number of edits allowed. The value is between 0 and 2.
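The request/response examples further down only show the matched users, so here is an added Python model (not Soffid code) of how the wildcard and fuzzy modifiers above and the boolean operators described next combine, run over the five users that appear in this page's SCIM responses. The per-field tokenisation, the field names and the default of 2 edits for a bare "~" are assumptions; the real index is Apache Lucene, whose analyzer may tokenise differently.

```python
import re

# Constructed sample data: the users that appear in the SCIM responses on this page.
USERS = [
    {"userName": "rfranklin", "firstName": "Rosalind", "lastName": "Franklin"},
    {"userName": "aretha", "firstName": "Aretha", "lastName": "Franklin"},
    {"userName": "frank", "firstName": "Frank", "lastName": "Sinatra"},
    {"userName": "franks", "firstName": "Frank", "lastName": "Sherwood"},
    {"userName": "lbacall", "firstName": "Lauren", "lastName": "Bacall"},
]

DEFAULT_MAX_EDITS = 2  # assumption: a bare "~" allows up to 2 edits (Console > 3.4)


def levenshtein(a, b):
    """Edit distance (insert / delete / substitute) used by fuzzy matching."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def term_matches(term, token):
    """Match one lower-cased query term (wildcards ? and *, or fuzzy ~N) against a token."""
    fuzzy = re.fullmatch(r"(.*?)~(\d*)", term)
    if fuzzy:
        max_edits = int(fuzzy.group(2)) if fuzzy.group(2) else DEFAULT_MAX_EDITS
        return levenshtein(fuzzy.group(1), token) <= max_edits
    if "*" in term or "?" in term:
        # "?" stands for exactly one character, "*" for zero or more characters
        pattern = re.escape(term).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(pattern, token) is not None
    return term == token


def parse_query(query):
    """Turn e.g. 'fran~ AND Sinatra -Sherwood userName:frank*' into (occur, field, term) clauses.

    occur is MUST (+ or AND), MUST_NOT (- or NOT) or SHOULD (a plain term; OR is the default).
    """
    clauses, forced = [], None
    for word in query.split():
        if word == "AND":  # AND makes both neighbouring terms required
            if clauses:
                clauses[-1] = ("MUST",) + clauses[-1][1:]
            forced = "MUST"
            continue
        if word == "OR":
            forced = None
            continue
        if word == "NOT":
            forced = "MUST_NOT"
            continue
        occur = forced or "SHOULD"
        if word.startswith("+"):
            occur, word = "MUST", word[1:]
        elif word.startswith("-"):
            occur, word = "MUST_NOT", word[1:]
        field, _, term = word.rpartition(":")  # "userName:frank*" restricts the field
        clauses.append((occur, field or None, term.lower()))
        forced = None
    return clauses


def tokens(user, field=None):
    """Lower-cased tokens of one field, or of every indexed field when no field is given."""
    names = [field] if field else list(user)
    return [tok for f in names if f in user for tok in user[f].lower().split()]


def user_matches(user, clauses):
    def hit(clause):
        return any(term_matches(clause[2], t) for t in tokens(user, clause[1]))

    must = [c for c in clauses if c[0] == "MUST"]
    should = [c for c in clauses if c[0] == "SHOULD"]
    if any(hit(c) for c in clauses if c[0] == "MUST_NOT"):
        return False
    if not all(hit(c) for c in must):
        return False
    # Without a required clause at least one optional clause has to match; a query made
    # only of prohibited terms therefore matches nothing, as in Lucene.
    return bool(must) or any(hit(c) for c in should)


def search(query, users=USERS):
    """Return the userNames matched by a textFilter expression, in index order."""
    clauses = parse_query(query)
    return [u["userName"] for u in users if user_matches(u, clauses)]


if __name__ == "__main__":
    for q in ("fran*", "fran?", "fran~", "frankl~2", "userName:frank?",
              "fran~ AND Sinatra", "fran~ -Sherwood"):
        print(f"{q:20} -> {search(q)}")
```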
Range Searches

Range queries allow one to match documents whose field values are between the lower and upper bound specified by the range query.

Boosting a Term

To boost a term use the caret, "^", symbol with a boost factor (a number) at the end of the term you are searching. The higher the boost factor, the more relevant the term will be.

Boolean Operators

- OR: The OR operator links two terms and finds a matching document if either of the terms exists in a document. This is equivalent to a union using sets.
- AND: The AND operator matches documents where both terms exist anywhere in the text of a single document. This is equivalent to an intersection using sets.
- +: The "+" or required operator requires that the term after the "+" symbol exist somewhere in a field of a single document.
- NOT: The NOT operator excludes documents that contain the term after NOT. This is equivalent to a difference using sets.
- -: The "-" or prohibit operator excludes documents that contain the term after the "-" symbol.

Escaping Special Characters

Lucene supports escaping special characters that are part of the query syntax. The current list of special characters is:

    + - && || ! ( ) { } [ ] ^ " ~ * ? : \ /

Examples

Example 1

1. Use the wildcard search

1.1. *

Request

    GET http:///webservice/scim2/v1/User?textFilter=fran*

Response 200 OK

    {
      "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
      "totalResults": 4,
      "startIndex": 1,
      "Resources": [
        {
          "lastName": "Franklin", "createdByUser": "ActiveDirectory", "fullName": "Rosalind Franklin",
          "active": true, "userName": "rfranklin", "mailAlias": "", "firstName": "Rosalind",
          "createdDate": "2023-08-08 14:26:14", "multiSession": true,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/2862",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'rfranklin'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'rfranklin'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'rfranklin'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'rfranklin'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/2862/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "ActiveDirectory", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-08-08 14:26:14", "attributes": {}, "id": 2862, "userType": "I",
          "primaryGroupDescription": "scientist", "primaryGroup": "scientist"
        },
        {
          "lastName": "Franklin", "createdByUser": "ActiveDirectory", "fullName": "Aretha Franklin",
          "active": true, "userName": "aretha", "mailAlias": "", "firstName": "Aretha",
          "createdDate": "2023-09-06 13:12:54", "multiSession": true,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276397",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'aretha'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'aretha'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'aretha'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'aretha'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276397/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "ActiveDirectory", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-09-06 13:12:54", "attributes": {}, "id": 276397, "userType": "I",
          "primaryGroupDescription": "World", "primaryGroup": "world"
        },
        {
          "lastName": "Sinatra", "createdByUser": "ActiveDirectory", "fullName": "Frank Sinatra",
          "active": true, "userName": "frank", "mailAlias": "", "firstName": "Frank",
          "createdDate": "2023-09-06 13:12:54", "multiSession": true,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276435",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'frank'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'frank'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'frank'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'frank'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276435/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "ActiveDirectory", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-09-06 13:12:55", "attributes": {}, "id": 276435, "userType": "I",
          "primaryGroupDescription": "Music", "primaryGroup": "Music"
        },
        {
          "lastName": "Sherwood", "createdByUser": "pgarcia", "fullName": "Frank Sherwood",
          "active": true, "userName": "franks", "mailAlias": "", "firstName": "Frank",
          "createdDate": "2023-10-05 15:32:40", "multiSession": false,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/432644",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'franks'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'franks'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'franks'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'franks'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/432644/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "pgarcia", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-10-05 15:32:40", "attributes": {}, "id": 432644, "userType": "I",
          "primaryGroupDescription": "scientist", "primaryGroup": "scientist"
        }
      ]
    }

1.2. ?

Request

    http:///webservice/scim2/v1/User?textFilter=fran?

Response 200 OK

    {
      "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
      "totalResults": 2,
      "startIndex": 1,
      "Resources": [
        {
          "lastName": "Sinatra", "createdByUser": "ActiveDirectory", "fullName": "Frank Sinatra",
          "active": true, "userName": "frank", "mailAlias": "", "firstName": "Frank",
          "createdDate": "2023-09-06 13:12:54", "multiSession": true,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276435",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'frank'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'frank'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'frank'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'frank'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276435/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "ActiveDirectory", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-09-06 13:12:55", "attributes": {}, "id": 276435, "userType": "I",
          "primaryGroupDescription": "Music", "primaryGroup": "Music"
        },
        {
          "lastName": "Sherwood", "createdByUser": "pgarcia", "fullName": "Frank Sherwood",
          "active": true, "userName": "franks", "mailAlias": "", "firstName": "Frank",
          "createdDate": "2023-10-05 15:32:40", "multiSession": false,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/432644",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'franks'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'franks'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'franks'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'franks'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/432644/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "pgarcia", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-10-05 15:32:40", "attributes": {}, "id": 432644, "userType": "I",
          "primaryGroupDescription": "scientist", "primaryGroup": "scientist"
        }
      ]
    }

Example 2

1. Use the wildcard search in a specific attribute

Request

    GET http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User?textFilter=userName:frank

Response 200 OK

    {
      "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
      "totalResults": 1,
      "startIndex": 1,
      "Resources": [
        {
          "lastName": "Sinatra", "profileServer": "Void host", "createdByUser": "admin",
          "fullName": "Frankaaa Sinatra", "active": true, "userName": "frank", "mailAlias": "",
          "mailServer": "Void host", "firstName": "Frankaaa", "emailAddress": "pgarcia@soffid.com",
          "mailDomain": "soffid.com", "createdDate": "2023-06-02 07:41:47", "multiSession": false,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/3910",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'frank'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'frank'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'frank'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/3910/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "admin", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-06-02 07:41:47",
          "attributes": { "picture": "..." },
          "id": 3910, "userType": "I", "homeServer": "Void host", "shortName": "pgarcia",
          "primaryGroupDescription": "Music", "primaryGroup": "Music"
        }
      ]
    }

Example 3

1. Use the fuzzy search

Request

    GET http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User?textFilter=fran~

Response 200 OK

    {
      "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
      "totalResults": 2,
      "startIndex": 1,
      "Resources": [
        {
          "lastName": "Sinatra", "createdByUser": "ActiveDirectory", "fullName": "Frank Sinatra",
          "active": true, "userName": "frank", "mailAlias": "", "firstName": "Frank",
          "createdDate": "2023-09-06 13:12:54", "multiSession": true,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276435",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'frank'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'frank'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'frank'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'frank'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276435/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "ActiveDirectory", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-09-06 13:12:55", "attributes": {}, "id": 276435, "userType": "I",
          "primaryGroupDescription": "Music", "primaryGroup": "Music"
        },
        {
          "lastName": "Sherwood", "createdByUser": "pgarcia", "fullName": "Frank Sherwood",
          "active": true, "userName": "franks", "mailAlias": "", "firstName": "Frank",
          "createdDate": "2023-10-05 15:32:40", "multiSession": false,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/432644",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'franks'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'franks'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'franks'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'franks'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/432644/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "pgarcia", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-10-05 15:32:40", "attributes": {}, "id": 432644, "userType": "I",
          "primaryGroupDescription": "scientist", "primaryGroup": "scientist"
        }
      ]
    }

2. Use the fuzzy search, specifying the maximum number of edits allowed

Request

    GET http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User?textFilter=frankl~2

Response 200 OK

    {
      "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
      "totalResults": 4,
      "startIndex": 1,
      "Resources": [
        {
          "lastName": "Franklin", "createdByUser": "ActiveDirectory", "fullName": "Rosalind Franklin",
          "active": true, "userName": "rfranklin", "mailAlias": "", "firstName": "Rosalind",
          "createdDate": "2023-08-08 14:26:14", "multiSession": true,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/2862",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'rfranklin'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'rfranklin'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'rfranklin'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'rfranklin'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/2862/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "ActiveDirectory", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-08-08 14:26:14", "attributes": {}, "id": 2862, "userType": "I",
          "primaryGroupDescription": "scientist", "primaryGroup": "scientist"
        },
        {
          "lastName": "Franklin", "createdByUser": "ActiveDirectory", "fullName": "Aretha Franklin",
          "active": true, "userName": "aretha", "mailAlias": "", "firstName": "Aretha",
          "createdDate": "2023-09-06 13:12:54", "multiSession": true,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276397",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'aretha'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'aretha'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'aretha'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'aretha'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276397/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "ActiveDirectory", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-09-06 13:12:54", "attributes": {}, "id": 276397, "userType": "I",
          "primaryGroupDescription": "World", "primaryGroup": "world"
        },
        {
          "lastName": "Sinatra", "createdByUser": "ActiveDirectory", "fullName": "Frank Sinatra",
          "active": true, "userName": "frank", "mailAlias": "", "firstName": "Frank",
          "createdDate": "2023-09-06 13:12:54", "multiSession": true,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276435",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'frank'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'frank'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'frank'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'frank'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276435/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "ActiveDirectory", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-09-06 13:12:55", "attributes": {}, "id": 276435, "userType": "I",
          "primaryGroupDescription": "Music", "primaryGroup": "Music"
        },
        {
          "lastName": "Sherwood", "createdByUser": "pgarcia", "fullName": "Frank Sherwood",
          "active": true, "userName": "franks", "mailAlias": "", "firstName": "Frank",
          "createdDate": "2023-10-05 15:32:40", "multiSession": false,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/432644",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'franks'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'franks'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'franks'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'franks'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/432644/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "pgarcia", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-10-05 15:32:40", "attributes": {}, "id": 432644, "userType": "I",
          "primaryGroupDescription": "scientist", "primaryGroup": "scientist"
        }
      ]
    }

Example 4

1. Use the boolean operator AND

Request

    GET http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User?textFilter=fran~ AND Sinatra

Response 200 OK

    {
      "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
      "totalResults": 1,
      "startIndex": 1,
      "Resources": [
        {
          "lastName": "Sinatra", "profileServer": "Void host", "createdByUser": "admin",
          "fullName": "Frankaaa Sinatra", "active": true, "userName": "frank", "mailAlias": "",
          "mailServer": "Void host", "firstName": "Frankaaa", "emailAddress": "pgarcia@soffid.com",
          "mailDomain": "soffid.com", "createdDate": "2023-06-02 07:41:47", "multiSession": false,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/3910",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'frank'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'frank'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'frank'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/3910/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "admin", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-06-02 07:41:47",
          "attributes": { "picture": "..." },
          "id": 3910, "userType": "I", "homeServer": "Void host", "shortName": "pgarcia",
          "primaryGroupDescription": "Music", "primaryGroup": "Music"
        }
      ]
    }

2. Use the boolean operator +

Request

    GET http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User?textFilter=fran~ +bacall

Response 200 OK

    {
      "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
      "totalResults": 3,
      "startIndex": 1,
      "Resources": [
        {
          "lastName": "Bacall", "createdByUser": "ActiveDirectory", "fullName": "Lauren Bacall",
          "active": true, "userName": "lbacall", "mailAlias": "", "firstName": "Lauren",
          "createdDate": "2023-08-08 14:26:14", "multiSession": true,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/2844",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'lbacall'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'lbacall'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'lbacall'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'lbacall'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/2844/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "pgarcia", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-08-22 17:34:07", "attributes": {}, "id": 2844, "userType": "I",
          "primaryGroupDescription": "Music", "primaryGroup": "Music"
        },
        {
          "lastName": "Sinatra", "createdByUser": "ActiveDirectory", "fullName": "Frank Sinatra",
          "active": true, "userName": "frank", "mailAlias": "", "firstName": "Frank",
          "createdDate": "2023-09-06 13:12:54", "multiSession": true,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276435",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'frank'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'frank'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'frank'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'frank'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276435/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "ActiveDirectory", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-09-06 13:12:55", "attributes": {}, "id": 276435, "userType": "I",
          "primaryGroupDescription": "Music", "primaryGroup": "Music"
        },
        {
          "lastName": "Sherwood", "createdByUser": "pgarcia", "fullName": "Frank Sherwood",
          "active": true, "userName": "franks", "mailAlias": "", "firstName": "Frank",
          "createdDate": "2023-10-05 15:32:40", "multiSession": false,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/432644",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'franks'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'franks'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'franks'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'franks'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/432644/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "pgarcia", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-10-05 15:32:40", "attributes": {}, "id": 432644, "userType": "I",
          "primaryGroupDescription": "scientist", "primaryGroup": "scientist"
        }
      ]
    }

3. Use the boolean operator -

Request

    GET http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User?textFilter=fran~ -Sherwood

Response 200 OK

    {
      "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
      "totalResults": 1,
      "startIndex": 1,
      "Resources": [
        {
          "lastName": "Sinatra", "createdByUser": "ActiveDirectory", "fullName": "Frank Sinatra",
          "active": true, "userName": "frank", "mailAlias": "", "firstName": "Frank",
          "createdDate": "2023-09-06 13:12:54", "multiSession": true,
          "meta": {
            "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276435",
            "links": {
              "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'frank'+and+enabled+eq+true",
              "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'frank'+and+disabled+eq+false",
              "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'frank'",
              "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'frank'",
              "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276435/effectiveGrants"
            },
            "resourceType": "User"
          },
          "modifiedByUser": "ActiveDirectory", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ],
          "modifiedDate": "2023-09-06 13:12:55", "attributes": {}, "id": 276435, "userType": "I",
          "primaryGroupDescription": "Music", "primaryGroup": "Music"
        }
      ]
    }

Example 5

1.
U RequestĀ  GET http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User?textFilter=(firstName:aretha OR firstName:Rosalind) AND lastName:Franklin AND birthDate:1979-01-01 Response 200 OK { "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ], "totalResults": 2, "startIndex": 1, "Resources": [ { "lastName": "Franklin", "createdByUser": "ActiveDirectory", "fullName": "Aretha Franklin", "active": true, "userName": "aretha", "mailAlias": "", "firstName": "Aretha", "createdDate": "2023-09-06 13:12:54", "multiSession": true, "meta": { "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276397", "links": { "roleAccounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'aretha'+and+enabled+eq+true", "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'aretha'+and+disabled+eq+false", "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'aretha'", "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'aretha'", "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/276397/effectiveGrants" }, "resourceType": "User" }, "modifiedByUser": "pgarcia", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ], "modifiedDate": "2023-10-05 16:02:40", "attributes": { "birthDate": "1979-01-01 00:00:00" }, "id": 276397, "userType": "I", "primaryGroupDescription": "World", "primaryGroup": "world" }, { "lastName": "Franklin", "createdByUser": "ActiveDirectory", "fullName": "Rosalind Franklin", "active": true, "userName": "rfranklin", "mailAlias": "", "firstName": "Rosalind", "createdDate": "2023-08-08 14:26:14", "multiSession": true, "meta": { "location": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/2862", "links": { "roleAccounts": 
"http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/RoleAccount?filter=userCode+eq+'rfranklin'+and+enabled+eq+true", "groupUsers": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/GroupUser?filter=user+eq+'rfranklin'+and+disabled+eq+false", "accounts": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Account?filter=type+eq+U+and+users.user.userName+eq+'rfranklin'", "issues": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/Issue?filter=user.userName+eq+'rfranklin'", "effectiveGrants": "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1/User/2862/effectiveGrants" }, "resourceType": "User" }, "modifiedByUser": "pgarcia", "schemas": [ "urn:soffid:com.soffid.iam.api.User" ], "modifiedDate": "2023-10-05 16:03:02", "attributes": { "birthDate": "1979-01-01 00:00:00" }, "id": 2862, "userType": "I", "primaryGroupDescription": "scientist", "primaryGroup": "scientist" } ] } Operation Operation The Lucene index information is stored in files arranged in a folder structure. This folder structure is replicated in every Soffid Console and every Sync Server and also is saved in the database. In case an instance (Docker, Kubernetes, or stand-alone) detects an inconsistency, the information will be overwritten with the database data. When you update an object, marked as the textual index, a task will be created. The soffid agent will execute this task and the Sync Server will update the database tables related to the textual index. Folder structure The folder structure is the following: ../index// Example 1. Here you are the folder structure for the Soffid Console Images 2. And the folder structure for the Soffid Syncserver Images DatabaseĀ  The database tables involved: SC_LUINPA SC_LUNIND Example 1. The database structure Images soffid agent You can check the soffid agent status by visiting the Sync Server monitoring page. Example 1. A soffid agent pending task. Image Step-by-step Example 1 1. You update one user's data and save the changes. Image 2. 
New tasks are created and executed.
3. Then the Sync Server indexes the updated text and places the index file.
4. Then the Sync Server updates the database table SC_LUNIND by updating the LIP_TIMSTA field of the User object, or by creating a new record if it did not previously exist.
5. When the next search is performed, the first thing done is to check the database; if necessary, the file system index is updated, and finally the search is performed.

Example 2
1. The task engine mode is Read only.
2. You update one user's data and save the changes.
3. A new task is created and executed.
4. Then the Sync Server indexes the updated text and places the index file.
5. Then the Sync Server updates the database table SC_LUNIND by updating the LIP_TIMSTA field of the User object, or by creating a new record if it did not previously exist.
6. When the next search is performed, the first thing done is to check the database; if necessary, the file system index is updated, and finally the search is performed.

Lucene - Query parser syntax

Overview

Although Lucene provides the ability to create your own queries through its API, it also provides a rich query language through the Query Parser, a lexer which interprets a string into a Lucene Query using JavaCC.

Generally, the query parser syntax may change from release to release. This page describes the syntax as of the current release. If you are using a different version of Lucene, please consult the copy of docs/queryparsersyntax.html that was distributed with the version you are using.

Before choosing to use the provided Query Parser, please consider the following:

If you are programmatically generating a query string and then parsing it with the query parser then you should seriously consider building your queries directly with the query API. In other words, the query parser is designed for human-entered text, not for program-generated text.
Untokenized fields are best added directly to queries, and not through the query parser. If a field's values are generated programmatically by the application, then so should query clauses for this field. An analyzer, which the query parser uses, is designed to convert human-entered text to terms. Program-generated values, like dates, keywords, etc., should be consistently program-generated.

In a query form, fields which are general text should use the query parser. All others, such as date ranges, keywords, etc., are better added directly through the query API. A field with a limited set of values, that can be specified with a pull-down menu, should not be added to a query string which is subsequently parsed, but rather added as a TermQuery clause.

Source: https://lucene.apache.org/core/9_6_0/queryparser/org/apache/lucene/queryparser/classic/package-summary.html#Overview

Terms

A query is broken up into terms and operators. There are two types of terms: Single Terms and Phrases.

A Single Term is a single word such as "test" or "hello".

A Phrase is a group of words surrounded by double quotes such as "hello dolly".

Multiple terms can be combined together with Boolean operators to form a more complex query (see below).

Note: The analyzer used to create the index will be used on the terms and phrases in the query string. So it is important to choose an analyzer that will not interfere with the terms used in the query string.

Fields

Lucene supports fielded data. When performing a search you can either specify a field, or use the default field. The field names and the default field are implementation specific.

You can search any field by typing the field name followed by a colon ":" and then the term you are looking for.

As an example, let's assume a Lucene index contains two fields, title and text, and text is the default field.
If you want to find the document entitled "The Right Way" which contains the text "don't go this way", you can enter:

title:"The Right Way" AND text:go

or

title:"The Right Way" AND go

Since text is the default field, the field indicator is not required.

Note: The field is only valid for the term that it directly precedes, so the query

title:The Right Way

will only find "The" in the title field. It will find "Right" and "Way" in the default field (in this case the text field).

Term Modifiers

Lucene supports modifying query terms to provide a wide range of searching options.

Wildcard Searches

Lucene supports single and multiple character wildcard searches within single terms (not within phrase queries).

To perform a single character wildcard search use the "?" symbol.

To perform a multiple character wildcard search use the "*" symbol.

The single character wildcard search looks for terms that match with the single character replaced. For example, to search for "text" or "test" you can use the search:

te?t

Multiple character wildcard searches look for 0 or more characters. For example, to search for test, tests or tester, you can use the search:

test*

You can also use the wildcard searches in the middle of a term.

te*t

Note: You cannot use a * or ? symbol as the first character of a search.

Regular Expression Searches

Lucene supports regular expression searches matching a pattern between forward slashes "/". The syntax may change across releases, but the current supported syntax is documented in the RegExp class. For example to find documents containing "moat" or "boat":

/[mb]oat/

Fuzzy Searches

Lucene supports fuzzy searches based on Damerau-Levenshtein Distance. To do a fuzzy search use the tilde, "~", symbol at the end of a Single word Term. For example to search for a term similar in spelling to "roam" use the fuzzy search:

roam~

This search will find terms like foam and roams.
An additional (optional) parameter can specify the maximum number of edits allowed. The value is between 0 and 2. For example:

roam~1

The default that is used if the parameter is not given is 2 edit distances.

Previously, a floating point value was allowed here. This syntax is considered deprecated and will be removed in Lucene 5.0.

Proximity Searches

Lucene supports finding words that are within a specific distance of each other. To do a proximity search use the tilde, "~", symbol at the end of a Phrase. For example to search for "apache" and "jakarta" within 10 words of each other in a document use the search:

"jakarta apache"~10

Range Searches

Range Queries allow one to match documents whose field(s) values are between the lower and upper bound specified by the Range Query. Range Queries can be inclusive or exclusive of the upper and lower bounds. Sorting is done lexicographically.

mod_date:[20020101 TO 20030101]

This will find documents whose mod_date fields have values between 20020101 and 20030101, inclusive. Note that Range Queries are not reserved for date fields. You could also use range queries with non-date fields:

title:{Aida TO Carmen}

This will find all documents whose titles are between Aida and Carmen, but not including Aida and Carmen.

Inclusive range queries are denoted by square brackets. Exclusive range queries are denoted by curly brackets.

Boosting a Term

Lucene provides the relevance level of matching documents based on the terms found. To boost a term use the caret, "^", symbol with a boost factor (a number) at the end of the term you are searching. The higher the boost factor, the more relevant the term will be.

Boosting allows you to control the relevance of a document by boosting its term. For example, if you are searching for jakarta apache and you want the term "jakarta" to be more relevant, boost it using the ^ symbol along with the boost factor next to the term.
You would type:

jakarta^4 apache

This will make documents with the term jakarta appear more relevant. You can also boost Phrase Terms as in the example:

"jakarta apache"^4 "Apache Lucene"

By default, the boost factor is 1. Although the boost factor must be positive, it can be less than 1 (e.g. 0.2).

Boolean Operators

Boolean operators allow terms to be combined through logic operators. Lucene supports AND, "+", OR, NOT and "-" as Boolean operators (Note: Boolean operators must be ALL CAPS).

OR

The OR operator is the default conjunction operator. This means that if there is no Boolean operator between two terms, the OR operator is used. The OR operator links two terms and finds a matching document if either of the terms exist in a document. This is equivalent to a union using sets. The symbol || can be used in place of the word OR.

To search for documents that contain either "jakarta apache" or just "jakarta" use the query:

"jakarta apache" jakarta

or

"jakarta apache" OR jakarta

AND

The AND operator matches documents where both terms exist anywhere in the text of a single document. This is equivalent to an intersection using sets. The symbol && can be used in place of the word AND.

To search for documents that contain "jakarta apache" and "Apache Lucene" use the query:

"jakarta apache" AND "Apache Lucene"

+

The "+" or required operator requires that the term after the "+" symbol exist somewhere in the field of a single document.

To search for documents that must contain "jakarta" and may contain "lucene" use the query:

+jakarta lucene

NOT

The NOT operator excludes documents that contain the term after NOT. This is equivalent to a difference using sets. The symbol ! can be used in place of the word NOT.

To search for documents that contain "jakarta apache" but not "Apache Lucene" use the query:

"jakarta apache" NOT "Apache Lucene"

Note: The NOT operator cannot be used with just one term.
For example, the following search will return no results:

NOT "jakarta apache"

-

The "-" or prohibit operator excludes documents that contain the term after the "-" symbol.

To search for documents that contain "jakarta apache" but not "Apache Lucene" use the query:

"jakarta apache" -"Apache Lucene"

Grouping

Lucene supports using parentheses to group clauses to form sub queries. This can be very useful if you want to control the boolean logic for a query.

To search for either "jakarta" or "apache" and "website" use the query:

(jakarta OR apache) AND website

This eliminates any confusion and makes sure that website must exist and either term jakarta or apache may exist.

Field Grouping

Lucene supports using parentheses to group multiple clauses to a single field.

To search for a title that contains both the word "return" and the phrase "pink panther" use the query:

title:(+return +"pink panther")

Escaping Special Characters

Lucene supports escaping special characters that are part of the query syntax. The current list of special characters is:

+ - && || ! ( ) { } [ ] ^ " ~ * ? : \ /

To escape these characters use the \ before the character. For example to search for (1+1):2 use the query:

\(1\+1\)\:2

Java classes

Interface Summary
QueryParserConstants: Token literal values and constants.

Class Summary
MultiFieldQueryParser: A QueryParser which constructs queries to search multiple fields.
QueryParser: This class is generated by JavaCC.
QueryParserBase: This class is overridden by QueryParser in QueryParser.jj and acts to separate the majority of the Java code from the .jj grammar file.
QueryParserTokenManager: Token Manager.
Token: Describes the input token stream.

Enum Summary
QueryParser.Operator: The default operator for parsing queries.

Exception Summary
ParseException: This exception is thrown when parse errors are encountered.
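The textFilter requests in Examples 4 and 5 and the syntax rules above meet when a program has to build a query from values a user typed: the overview's warning that the parser is meant for human-entered text, not program-generated text, is also a safety point, because characters such as ~, -, : or * inside a typed value change what the query means. The following Python helpers are an added example, not Soffid's own code nor the Lucene project's: they escape free text with the special-character list from this section (plus whitespace, which the classic parser also accepts behind a backslash, so a typed value stays one term), compose the Boolean, grouping and field syntax into the same strings as the examples, put the result in the textFilter parameter, and read a ListResponse back. The helper names, the reuse of the http://soffid.35x.lab:8089 base URL and the sample response (constructed, trimmed from Example 4.2) are assumptions for illustration.

```python
"""Added example: compose Soffid SCIM2 textFilter queries from the Lucene
query syntax on this page and read the ListResponse back. The helper
names and sample data are assumptions, not Soffid or Lucene APIs."""
import json
import re
from typing import Optional
from urllib.parse import urlencode

# Special characters listed under "Escaping Special Characters".
_SPECIAL = set('+-&|!(){}[]^"~*?:\\/')
_FIELD_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")


def literal(text: str) -> str:
    """Escape user-typed text so it matches as a plain term: operators,
    wildcards, ranges and field prefixes lose their meaning. Whitespace is
    escaped too (the classic parser accepts backslash-space), so the value
    stays one term instead of splitting into several clauses."""
    return "".join("\\" + ch if ch in _SPECIAL or ch.isspace() else ch
                   for ch in text)

def fuzzy(text: str, max_edits: Optional[int] = None) -> str:
    """Fuzzy term: trailing ~ with an optional edit distance of 0..2."""
    if max_edits is not None and not 0 <= max_edits <= 2:
        raise ValueError("max_edits must be between 0 and 2")
    return literal(text) + "~" + ("" if max_edits is None else str(max_edits))

def field(name: str, clause: str) -> str:
    """Field-qualified clause. Field names come from the schema, never from
    user input, so anything outside the identifier pattern is rejected."""
    if not _FIELD_NAME.match(name):
        raise ValueError(f"illegal field name: {name!r}")
    return f"{name}:{clause}"

def group(*clauses: str, op: str = "OR") -> str:
    """Parenthesised sub-query with an explicit operator, e.g. (a OR b)."""
    return "(" + f" {op} ".join(clauses) + ")"

def all_of(*clauses: str) -> str:
    """Every clause must match (AND)."""
    return " AND ".join(clauses)

def any_of(*clauses: str) -> str:
    """Clauses separated by whitespace only: OR is the default conjunction."""
    return " ".join(clauses)

def must(clause: str) -> str:
    """Required clause (+)."""
    return "+" + clause

def must_not(clause: str) -> str:
    """Prohibited clause (-)."""
    return "-" + clause

def user_query_url(base_url: str, text_filter: str) -> str:
    """GET URL for the User resource with the query in textFilter; urlencode
    turns spaces into + and percent-encodes the rest."""
    return base_url.rstrip("/") + "/User?" + urlencode({"textFilter": text_filter})

def summarize_users(body: str) -> dict:
    """Read a SCIM ListResponse: totalResults, startIndex, one summary per
    User resource, and whether results exist beyond this page."""
    doc = json.loads(body)
    if "urn:ietf:params:scim:api:messages:2.0:ListResponse" not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    total, start = int(doc["totalResults"]), int(doc.get("startIndex", 1))
    users = [{"id": r["id"], "userName": r["userName"], "fullName": r["fullName"],
              "primaryGroup": r.get("primaryGroup")}
             for r in doc.get("Resources", [])
             if r.get("meta", {}).get("resourceType") == "User"]
    return {"totalResults": total, "startIndex": start, "users": users,
            "hasMore": start - 1 + len(users) < total}


BASE = "http://soffid.35x.lab:8089/soffid/webservice/scim2/v1"

# Constructed sample trimmed from Example 4.2 above: two of three results.
SAMPLE_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3, "startIndex": 1,
    "Resources": [
        {"id": 2844, "userName": "lbacall", "fullName": "Lauren Bacall",
         "primaryGroup": "Music", "meta": {"resourceType": "User"}},
        {"id": 276435, "userName": "frank", "fullName": "Frank Sinatra",
         "primaryGroup": "Music", "meta": {"resourceType": "User"}}]})

if __name__ == "__main__":
    # Examples 4.1, 4.3 and 5 rebuilt with the helpers.
    print(user_query_url(BASE, all_of(fuzzy("fran"), literal("Sinatra"))))
    print(any_of(fuzzy("fran"), must_not(literal("Sherwood"))))
    print(all_of(group(field("firstName", literal("aretha")),
                       field("firstName", literal("Rosalind"))),
                 field("lastName", literal("Franklin")),
                 field("birthDate", "1979-01-01")))
    print(literal("fran~ -Sherwood"))  # typed operators are neutralised
    print(summarize_users(SAMPLE_RESPONSE))
```

The split between literal() for typed text and a raw clause for program-generated values such as the birthDate follows the overview's advice: escape what a person entered, pass what the application generated as-is. Checking hasMore against totalResults matters because a ListResponse page can hold fewer resources than the match count.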
Error Summary
TokenMgrError: Token Manager Error.

Releases

Soffid 4

2025 december

2025-12-31
REST connector 4.0.3
  Get rid of Wink
Windows connector 6.0.8
  Update LDAP classes
  Fix configuration page
  Fixes for version 4
  Use released pwshell
  Fix initial configuration

2025-12-24
Recertification addon 4.0.3
  Fix query error
Reports addon 4.0.6
  Add anonymous URL for charts
  Update webservices addon
  Add widgets
Breakglass addon 2.0.0
  Upgrade for version 4

2025-12-17
Console 4.0.11
  Apply policy task is displayed for systems with automatic account creation
  Add prometheus agent
Syncserver 4.0.13
  Handle tasks created in version 3
Admin addon 4.0.3
  Improve scheduled task UI
  Add new AI use cases
  Fix export/import
  Use gemini-2.5-pro for chatting
  Update dependencies
  Add missing dependency
Addon bpm 4.0.6
  Fix null pointer when there is no grant

2026 january

2026-01-07
Console 4.0.19
  Improve AI interface
  Fix food sometimes does not appear
  Improve startup performance
  Fix multiline messages
  Fix SSO Agent name
  Improve boot performance
  Fix welcome switch
  Generate documentation
  Fix plugin parser
  Fix compilation errors
  Fix AI Frame
  Fix upgrade to version 3
  Add missing dependency between services
  Mobile CSSs
  Fix custom object search
  Make agent transition easier
  Add to switch to generate documentation on demand
  Nullify URL when URL is blank
  Fix monitoring remote server status
  Change PWA Name
  Fix counter generator in multi-tenant setup
  Ignore yauaa log
  Change sync server icons
  Upgrade zkdb
  Remove unneeded log
  Improve log performance
  Reload data when the configuration log has changed
  Exclude deleted accounts from effective roles calculation #625
  Improve log reader responsiveness
  Keep history of user-accounts #Soffid/addons/backup/12
  Fix. Restart sync server from plugins page #624
  Do not override log object #623
  Fix agents query by name #622
  Remove tasks when removing an agent #621
  Enable network intelligence on any product #618
Syncserver 4.0.16
  Fix reconcile engine for new accounts
  Update console version
  Fix wrong dao lookup
  Add debug information
  Remove Yauaa logging
Federation addon 4.0.13
  Fix CSS attributes #52
  Apply form class
  Fix CSS style in idp
  Fix legacy ESSO startup
  Fix invocation to old handler #50
  Change button to regenerate dynamic open id server key #49
  Fix scopes list #47
Admin addon 4.0.4
  New tests
  Fix import process #5
  Fix page arrangement
  Add timestamp to script log
  Fix metadata exporter never ends
Backup addon 4.0.4
  Fix primary groups are always dashed #11
Breakglass addon 2.0.1
  Fix tests
Google Apps Connector 4.0.0
  Upgrade to version 4
Windows Connector 6.0.9
  Add password policy
  Fix account initial reconciliation
Kubernetes Connector 1.0.1
  Initial version
  Fix UI page

2026-01-14
Console 4.0.20
  Fix button to remove accounts in discovery page #599
  Add crud handler for entry points
  Fix: frame is not hidden when embedded frame is recreated #600
  Fix account system cannot be null #597
  Fix method to remove accounts from vault
  Fix method to move accounts across folders
  Do not display removed accounts in password vault
  Upgrade zkdb
  Method to undelete accounts #Soffid/addons/backup/17
  Do not fail when the user cannot remove accounts
  Fix deleted user accounts are returned as valid user accounts #629
  Fix progress labels with values less than 0
  Fix ACL field fails when the user cannot query users or groups
Recover password addon 4.0.6
  Reorder fields
  Fix messages #20

2026-01-21
Console 4.0.22
  Method to temporary grant/revoke usage of entry points
  Do not cache configuration page
  Do not display menu when no option is visible #644
  Allow roles to be granted more than once, with different holder groups #642
  Upgrade zkdb
  Add account history object
  Fix. Change query type in application entry points page #637
  Fix stack overflow #628
  Remove tasks when removing an agent
  Glitch in password policies page #617
  Fix glitch in password policies UI #616
  Hide id of user type #615
  Upgrade zkdb to fix #610
  Hide threads field #604
  Fix shell plugin #603
  Fix monitor progress pct value
  Do not commit automatically after changing the server name #596
  Raise toasts
  Enable BPM for PAM licenses #595
  Use standard view for pam session servers #594
Syncserver 4.0.17
  Remove annoying log
  Register cancelled tasks
  Add exception message to log file
Shell connector 4.0.1
  Fix removal of grants

2026-01-28
Console 4.0.23
  Allow access to local network in embedded iframe

2026 february

2026-02-04
Console 4.0.29
  Fix tasks are not properly loaded #650
  Fix application link does not work
  Set generated password non-editable
  Fix entry point is set as "null"
  Fix reservation without entry point
  Display diagram in a popup window Soffid/addons/bpm#26
  Fix button size inside trees #591
  Fix password policies page #590
  Fix toast position #589
  Fix separator labels #588
  Fix method to reset remote servers
  Upgrade zkdb
  Upgrade zkdb-api
  Initialize virtual attributes in sync server
  Fix zoom button in property editor
  Sort object mappings #655
  Add sleep method
  Add index by user attribute value
  Enlarge previous executions table #587
  Fixed counter generation #580
  Remove old WF to reconcile accounts #579
  Upgrade plugins #576
  Fix style of screen to change password #573
  setTimeout function
  Fix error during datadiv initialization #571
  Upgrade rest plugin
  Upgrade zkdb #569
  Hide agent tabs until the agent is created #568
  Fix method to disable accounts #547
  Change messages source
  Fix button to remove roles #530
  Fix field type in account metadata window
  Javascript methods: setTimeout and sleep
  Improve columns selector
Syncserver 4.0.23
  Use service locator in remote proxies
  Upgrade zkdb version
  Fix null pointer in pre-update-password trigger
  Update console version
  Enable debugging for com.soffid classes
  Add log manager for proxy agents
  Improve method to remove accounts
  Hide ProxyConnectionFactory logs
  Improve loader process
  Fix reconciliation without system name
  Improve loader performance
  Added debug information
  Fix console sessions are dropped due to delays
REST plugin 4.0.4
  Fix login encoding
  Use load or select methods
SQL server plugin 4.0.1
  Version number was missing
PAM (only in Docker Hub) 1.4.82
  Do not remove static-data directory

2026-02-11
Console 4.0.33
  Fix group message #392
  Make error message more helpful
  Default port for syslog+ssl is 6514
  Include script stack trace
  Add webservice classes classifier
  Add offline button in sync server monitoring
  Fix page to query account's password
  Fix method to propagate changes
  Improve monitoring page
  Enable remove button in single-selection tables
  Remove method to compute policies when synchronizing objects
  Change installer icon
  Fix upgrade of domain values to version 4
Syncserver 4.0.25
  Fix authoritative loader engine
  Fix tasks to synchronize objects
  Improve mechanism to monitor tasks queue
  Upgrade console version
  Change version number to 4 in application link
  Do not throw exception when the group is not allowed
Federation addon 4.0.14
  Fix for the automatic deletion process of oauth tokens
  Fix duplicated attribute
  Fix class-loading problem when invoked from the identity provider
  Use new "wait" icon #57
  Change style of cancel button #56
  Fix selector color #55
  Fix host tokens tab #Soffid/console/632
  Add option to remove authentication methods #611
  Fix initialization
  Fix progressive profile method
  Update OTP addon version #536
  Place CAS Settings in a separated section
  Remove legacy method to register hosts
  Hack for MFA authentication on Azure
  New keytab parser
SCIM addon 4.0.3
  Fix class not found: UserType
XACML addon 4.0.6
  Fix legacy icons #6
  Properly expose entrypoint in XACML rules

2026-02-18
Console 4.0.37
  Fix magnifier icon in password vault
  Improve method to guess account bound to a service
  Fix account lookup
Syncserver 4.0.27
  Change JVM parameters for Java 17
  Discard service 113/tcp ident
  Ignore hosts without significant services
Reports addon 4.0.7
  Change label in remove button #10
  Remove import button #8
  Remove import button #7
  Fix label for removal button #6
  Fix wrong message after removing report schedule #5
  Fix tab to upload reports #4

2026-02-24
Console 4.0.38
  Fix open source publication process
Syncserver 4.0.28
  Fix null pointer changing service account password
  Always one shared thread
  Improve logs
  Fix reconcile without external ids
  Remove unneeded log
  Change attribute name from lastPasswordUpdate to lastPasswordSet
  Do not CXF spring integration
Federation addon 4.0.15
  Fix null pointer
  Adapt porting of changes from version-3
  Fix porting
  Add option to set custom audiences
  SSO Behaviour
  Add audience field
Backup addon 4.0.5
  Hide user backup id in queries #6
  Change buttons style
  Remove quick search mode
  Remove button to select columns #4
  Remove duplicated buttons #3
  Fix excessive inheritance
PAM (only in Docker Hub) 1.4.84
  SSH Server with user provided passwords
  Improve logs
  Update browser image
  Fix compilation errors
  Additional log

2026 march

2026-03-04
Console 4.0.39
  Fix compatibility issue with HTML fields
  Allow accounts to have the same name as a deleted one
  Properly unwrap javascript dates
Syncserver 4.0.30
  Fix method to retrieve account object
  Fix interface is defined more than once
  Improve exception detail
  Upgrade version of iam-core
  Fixes to convert localdate into Calendar or Date

2026-03-11
Console 4.0.42
  Improve migration process
  Debug mail sessions #Soffid/cloud/federation-cloud/10
  Add method to fetch AD domains
Syncserver 4.0.31
  Upgrade console dependency
  Fix dumping log in stdout
Federation addon 4.0.18
  Refresh configuration when needed
Recover password addon 4.0.7
  Fix fill-in window style #17
  Fix error checking for null datatype #11
  Fix message generation #10
  Fix button message #9
Admin addon 4.0.5
  Fix dependency versions #8
  Use the right interpreter
BPM addon 4.0.7
  Fix display of risks
  Show BPM editor with PAM license
  Menu handler in account reservation workflow
  Fix editor display
  Use correct colors for diagram #26
  Fix reorder fields #24
  Add button to remove attributes from attribute window
LDAP connector 4.0.1
  Multiple bug fixes
SAP connector 4.0.1
  Fix checkbox to manage roles
  Remove eclipse file
  Fix account reconciliation
Windows connector 6.0.11
  Fix method to rename objects
  Fix simple windows agent
  Use server method to retrieve active directories
  Update CI/CD method

2026-03-18
Console 4.0.46
  Improve migration process
  Debug mail sessions
  Add method to fetch AD domains
  Change method to publish
  Do not fail when a file does not exist
  Ignore host not found
  Fix error when host does not exist in PAM URL
  Remove account attributes (migration issue)
  Improve scheduled tasks form
  Fix SQL syntax error
  Migration issue. Set default dispatcher type
Federation addon 4.0.19
  Fix double quote
  Same challenge for each push authenticator
  Accept gateway parameter for CAS login

2026-03-25
Console 4.0.47
  Fix renaming a role with the same name as a deleted one
  Fix upgrade to version 4
  Improve exception message including javascript stack trace
  Add password policy metadata for IA generation
  Improve SEQUENCE generator.
  Add a primary key to the table
Federation addon 4.0.20
  Verify signatures
  x-forwarded-for does not contain commas
  Propagates loa from third party idp
Windows plugin 6.0.12
  Fixes a "Connection timeout" problem when trying to fetch accounts list
PAM (only in Docker Hub) 1.4.86
  Upgrade chrome version
  Add gke image
  Kiosk mode for http and https
  Accept pke keys in base64
  Always apply ips policies
  Remove duplicated /
  Avoid null pointer

2026 april

2026-04-22
Console 4.0.53
  Fix error creating mappings
  Prevent null pointer
  Fix method to find deleted roles
  Fix popup window with system raw attributes
  Allow metadata types page in AM license
  Update LDAP & Windows plugin
  Cleanup latest link
  Fix infinite loop starting a discovery task
  Prevent deadlock when changing an account password on the sync server
  feat: Add global SAML logout option
  Improve remote action log
  Fix role deletion
  Add entry point metadata
  Publish issue service
  Add missing class
  Make last execution label more clear
  Allow port in syslog server parameter
  Option to not to store user credentials
  Fix when the server is a standby server
  Send syslog message size
  Display error message when connecting to a sync server
  Allow manual launcher when passwords are not stored
  Fix merge errors
  Improve launching accounts without well-known password
  Improve log file selector
  Fix link creation for documentation
  Fix link creation
  Fix syncserver is marked as offline
  Optimize creation of the search dictionary
Syncserver 4.0.34
  Debug in BaseAgent
  Update jaxb implementation
  fix: Pipelines are not fully loaded
  Change deployment URL
  Publish syncserver on docker hub
  Fix error processing duplicated OoB task
  Force method to initialize trusted certificates from source
  Log certificate failures
  Upgrade console
  Ignore stand-by servers in servers list
  Decode username in remote request
  Add jsoncpp dependency for role mining
  Fix error in passwordless agents
  Fix transaction to change service passwords
  Method to ignore standby servers
Federation addon 4.0.23
  fix: refresh token expiration date can be null
  feat: Options to customize user registration process
  Fix null pointer
  New method to register users
  feat: Registration process can be the initial step of a progressive profile
  feat: support the response_mode=form_post
  feat: Ability to configure refresh token timeout
  Usage of expiration token timeout
  Method to fetch all esso settings at once
  Fix null pointer
  Update expires attribute in refresh token
  Fixes fields without datatype
  Fix generation of refresh token expiration claim
Role mining addon 4.0.1
  Fix Null pointer
  Application is not required
  Update war plugin
  New performance engine
  Adapt CI/CD
  Update repositories
  Remove duplicated entry in pom.xml
  User C++ image
SCIM addon 4.0.4
  Fix patch of account object
LDAP plugin 4.0.4
  Multiple bug fixes
  Fix login
  Method to configure the LDAPS security level
PAM (only in Docker Hub) 1.4.88
  New image for http session in mode kiosk and not-kiosk
  Option to open a wireguard tunnel
  feat: option to maximize screen
  fix: Click up windows key after losing focus
  Fix keypad subtract key
  Fix transfer of file with UTF-8 characters in its name
  Fix session is closed after ten seconds

2026 may

2026-05-06
Console 4.0.56
  Improve method to launch entry points
  Fix method to jump into soffid console
  Fixes problem due to secure class loaders
  Allow creation of hosts by users allowed to create hosts on a single network
  Improve method to update user aliases.
  Remove alias if no other user is assigned
  Fix ordering of recertification date
  Remove account services before removing accounts
  Fix query of custom objects
  Fix compilation error
  Fix HQL error
  Fix upgrade in sql server
  Fix null pointer during upgrade process
Federation addon 4.0.24
  Relax CAS Host validation
Reports addon 4.0.8
  Enable dashboards for IGA, AM and PAM licenses

New features

2026-05-20

New feature: filter holder groups at the IdP login

The new feature

From now on, service providers that have selected the "Ask for group membership after authentication" option will be able to filter which of these groups are selectable, using the attribute "Script to filter out group memberships".

Bear in mind

Please note the following points:
The holder groups must be correctly configured in Soffid.
If there is only one possible holder group, it is selected automatically and is not displayed to the user.

How to configure it?

The following components must be installed:
Addon federation 4.0.25 (or higher)

Let's look at an example

Let's look at an example: here we have the user "user4" who has already set up the holder groups.

We have a service provider that has already selected the option "Ask for group membership after authentication".

The holder groups have several custom attributes (startDate, endDate and status).

We now want to filter the holder groups whose status attribute has the value Active.

So we are going to create a script in the "Script to filter out group memberships" attribute of the service provider.

This is the script.

// Return the groups whose "status" attribute has the value "Active" //
l = new java.util.ArrayList();
lug = serviceLocator.getGroupService().findUsersGroupByUserName(user.userName);
for (i=0; i