Authorization Service data model (available attributes)

Please note that in the following tables, rows with Has to be requested = yes are not returned by default: the field must be explicitly requested in the API call, e.g. GET https://authorization-service-api.web.cern.ch/api/v1.0/Account?filter=uniqueIdentifier%3Amcurie&field=personId

Account

An account is a set of credentials that can be used to authenticate. Multiple accounts from different authentication providers (CERN, eduGain, social providers etc.) can be associated with a single identity.

| Name | Type | Description | Read Only | Has to be requested |
|---|---|---|---|---|
| personId | String | Person Id for a CERN identity (the old CCID). | True | yes |
| assignedScopes | Reference | List of systems to which the account is exported (freeIPA, AD). | True | yes |
| displayName | String | Account display name. | True | no |
| uniqueIdentifier | String | The unique and immutable provider login name. | False | no |
| accountProviderId | Reference | Account provider (e.g. cern, google). | False | no |
| emailAddress | String | Account's email address. | False | no |
| resourceCategory | String | Resource category which determines the lifecycle of the resource. Values: Undefined, Official, Personal, Test | True | no |
| reassignable | Boolean | True if the owner of the resource can assign it to a new owner. The new owner has to approve. | True | no |
| autoReassign | Boolean | True if the resource will be reassigned automatically to the owner's supervisor once the owner leaves CERN. | True | no |
| blocked | Boolean | True if the resource is blocked. | True | no |
| blockingReason | String | Reason for blocking the resource. | True | no |
| ownerId | Reference | Id of the identity that is the owner of this resource. | True | no |
| id | String | Object id in the DB. | False | no |
| resetPasswordRequired* | Boolean | True if the password must be changed on next logon. | True | no |
| securityIssues* | Boolean | True if the resource is blocked for security reasons and thus can be managed only by the security team or the service admins. | True | no |
| blockingTime* | DateTime | Date and time when the resource was blocked. | True | no |
| blockingDeadline* | DateTime | Date and time when the resource will be blocked automatically, according to its lifecycle. | True | no |
| expirationDeadline* | DateTime | Date and time when the resource will be deleted automatically, according to its lifecycle. | True | no |
| creationTime* | DateTime | Date and time when the object was created in the DB. | False | no |
| modificationTime* | DateTime | Date and time when the object was last modified in the DB. | False | no |
| builtin* | Boolean | If true, the object is a builtin object and cannot be modified. | False | no |

*Property used for internal system purposes. Might change in the future without warning.

Application (client)

A "client" is an application that can be registered with the SSO.

| Name | Type | Description | Read Only | Has to be requested |
|---|---|---|---|---|
| applicationIdentifier | String | A unique and immutable identifier for the application, used as the client ID to register the application with the SSO. The identifier must start with a lowercase letter, can contain only lowercase letters, numbers, dashes and underscores, and must be between 3 and 128 characters long. | False | no |
| displayName | String | Application display name (unique). | True | no |
| identityId | Reference | Id of the identity that represents the application. | False | no |
| description | String | Application description. | True | no |
| administratorsId | Reference | Id of the group of administrators of the application. | True | no |
| managerId | Reference | Id of a service identity that is managing the application. Used by services that register applications on behalf of the owner (e.g., web frameworks). | True | no |
| administratorsAccess | String | Administrators access level. Values: Undefined, Full, Limited | True | no |
| homePage | String | Home page of the application. | True | no |
| resourceCategory | String | Resource category which determines the lifecycle of the resource. Values: Undefined, Official, Personal, Test | True | no |
| reassignable | Boolean | True if the owner of the resource can assign it to a new owner. The new owner has to approve. | True | no |
| autoReassign | Boolean | True if the resource will be reassigned automatically to the owner's supervisor once the owner leaves CERN. | True | no |
| blocked | Boolean | True if the resource is blocked. | True | no |
| blockingReason | String | Reason for blocking the resource. | True | no |
| ownerId | Reference | Id of the identity that is the owner of this resource. | True | no |
| id | String | Object id in the DB. | False | no |
| securityIssues* | Boolean | True if the resource is blocked for security reasons and thus can be managed only by the security team or the service admins. | True | no |
| blockingTime* | DateTime | Date and time when the resource was blocked. | True | no |
| blockingDeadline* | DateTime | Date and time when the resource will be blocked automatically, according to its lifecycle. | True | no |
| expirationDeadline* | DateTime | Date and time when the resource will be deleted automatically, according to its lifecycle. | True | no |
| creationTime* | DateTime | Date and time when the object was created in the DB. | False | no |
| modificationTime* | DateTime | Date and time when the object was last modified in the DB. | False | no |
| builtin* | Boolean | If true, the object is a builtin object and cannot be modified. | False | no |

*Property used for internal system purposes. Might change in the future without warning.

Group

A set of groups and identities. Used for authorization, mailing and grouping.

| Name | Type | Description | Read Only | Has to be requested |
|---|---|---|---|---|
| memberGroupIds | Reference | Ids of groups that are direct members of the group. | True | yes |
| memberGroupIdsRecursive | Reference | Ids of groups that are direct or indirect members of the group, i.e. including members of child groups recursively. | True | yes |
| memberOfIdsRecursive | Reference | Ids of groups that this group is a member of, directly or indirectly. | True | yes |
| assignedScopes | Reference | Ids of systems or services to which the group is exported. | True | yes |
| memberIdentityIds | Reference | Ids of identities that are direct members of the group. | True | yes |
| memberIdentityIdsRecursive | Reference | Ids of identities that are direct or indirect members of the group, i.e. including members of child groups recursively. | True | yes |
| owner | Reference | | True | yes |
| groupIdentifier | String | A unique and immutable alphanumeric identifier for the group. The identifier must start with a lowercase letter; can contain only lowercase letters, numbers, dashes and underscores; must contain at least one dash character; and must be between 3 and 32 characters long. | False | no |
| displayName | String | The group display name. | True | no |
| description | String | Group description. | True | no |
| public | Boolean | If true, the group is a public group that can be used by all applications. | True | no |
| administratorsId | Reference | Id of the group of administrators for the group. | True | no |
| approvalRequired | Boolean | Whether or not an approval is required for this group when performing self-subscription. | True | no |
| selfSubscriptionType | String | Self-subscription access level. Values: Closed, Open, CernUsers | True | no |
| privacyType | String | Group privacy level. Values: Open, Members, Admins | True | no |
| dynamic | Boolean | Whether or not the group is dynamic (some criteria are defined for it). | True | no |
| criteria | String | Dynamic group criteria. | True | no |
| gid | Number | Unix id of the group. | True | no |
| removeNonActiveMembers | Boolean | If set to true, members without an active CERN affiliation will be periodically removed from the group. | True | no |
| resourceCategory | String | Resource category which determines the lifecycle of the resource. Values: Undefined, Official, Personal, Test | True | no |
| reassignable | Boolean | True if the owner of the resource can assign it to a new owner. The new owner has to approve. | True | no |
| autoReassign | Boolean | True if the resource will be reassigned automatically to the owner's supervisor once the owner leaves CERN. | True | no |
| blocked | Boolean | True if the resource is blocked. | True | no |
| blockingReason | String | Reason for blocking the resource. | True | no |
| ownerId | Reference | Id of the identity that is the owner of this resource. | True | no |
| id | String | Object id in the DB. | False | no |
| source* | String | The source of information for the group. | True | no |
| syncType* | String | Group synchronization options. Values: Replica, Primary, SyncError, NoSync | True | no |
| isComputingGroup* | Boolean | True if the group is a computing group (triggers gid assignment). | True | no |
| securityIssues* | Boolean | True if the resource is blocked for security reasons and thus can be managed only by the security team or the service admins. | True | no |
| blockingTime* | DateTime | Date and time when the resource was blocked. | True | no |
| blockingDeadline* | DateTime | Date and time when the resource will be blocked automatically, according to its lifecycle. | True | no |
| expirationDeadline* | DateTime | Date and time when the resource will be deleted automatically, according to its lifecycle. | True | no |
| creationTime* | DateTime | Date and time when the object was created in the DB. | False | no |
| modificationTime* | DateTime | Date and time when the object was last modified in the DB. | False | no |
| builtin* | Boolean | If true, the object is a builtin object and cannot be modified. | False | no |

*Property used for internal system purposes. Might change in the future without warning.

Identity

An identity, which can represent a person, a service or an application. Please note that almost all Identity information is considered Read Only, as it is synchronised from HR's Foundation database. Many fields are only available to authorised users, so this table may not apply to you directly.

| Name | Type | Description | Has to be requested |
|---|---|---|---|
| owner | Reference | Identity of the owner. | yes |
| supervisor | Reference | Identity of the supervisor. | yes |
| externalEmail | String | External (non-CERN) mail address that can be used as a contact. Populated for primary CERN identities only. | yes |
| primaryAccountEmail | String | Email of the primary account of the identity. | yes |
| type | String | The type of the identity, which can represent either a person or an application. Values: Undefined, Person, Application, Service, Secondary | no |
| upn | String | Unique identifier for the identity. For CERN identities this is equal to the login of the associated CERN account. | no |
| displayName | String | First name and last name. | no |
| personId | String | Person Id for a CERN identity (the old CCID). | no |
| supervisorId | Reference | Id of the supervisor's identity. Populated for primary CERN identities only. | no |
| primaryAccountId | Reference | Id of the primary account linked to this identity. | no |
| uid | Number | The Unix user id of the identity. | no |
| gid | Number | The Unix group id for this identity. | no |
| resourceCategory | String | Resource category which determines the lifecycle of the resource. Values: Undefined, Official, Personal, Test | no |
| reassignable | Boolean | True if the owner of the resource can assign it to a new owner. The new owner has to approve. | no |
| autoReassign | Boolean | True if the resource will be reassigned automatically to the owner's supervisor once the owner leaves CERN. | no |
| blocked | Boolean | True if the resource is blocked. | no |
| blockingReason | String | Reason for blocking the resource. | no |
| ownerId | Reference | Id of the identity that is the owner of this resource. | no |
| id | String | Object id in the DB. | no |
| room | String | Office room. | no |
| floor | String | Office floor. | no |
| orcid | String | The Open Researcher and Contributor ID of the person. | no |
| cernId | String | CERN ID (sensitive information). | no |
| hrEmail | String | Mail provided by HR, with no uniqueness constraints, validation or verification. | no |
| building | String | Office building. | no |
| endClass | DateTime | End date of the current affiliation. | no |
| lastName | DateTime | Last name. | no |
| birthDate | DateTime | Date of birth. | no |
| cernClass | String | Person's affiliation with CERN (STAF, FELL, USER, EXTN etc.). | no |
| cernGroup | String | The CERN group of the person. | no |
| firstName | String | First name. | no |
| activeUser | Boolean | Flag indicating if the person has an active affiliation with CERN. | no |
| startClass | DateTime | Start date of the current affiliation. | no |
| telephone1 | String | 1st CERN telephone number. | no |
| telephone2 | String | 2nd CERN telephone number. | no |
| cernSection | String | The CERN section of the person. | no |
| description | String | The description of this account, in case of service or secondary identities. | no |
| isPersonnel | Boolean | Flag indicating if the person is a member of the personnel. | no |
| cernPersonId | String | Person ID (primary key in Foundation, public). | no |
| nextEndClass | DateTime | End date of the next affiliation. | no |
| instituteName | String | Name of the institute the person is affiliated with. | no |
| nextCernClass | String | Person's next affiliation with CERN. | no |
| portablePhone | String | CERN portable phone number. | no |
| cernDepartment | String | The CERN department of the person. | no |
| externalReason | String | If the CERN_CLASS is EXTN, this is the type of external user. | no |
| expectedEndDate | DateTime | Expected end date of current or next affiliation, used to send contract end alerts. | no |
| eduPersonUniqueID | DateTime | Unique and non-reassignable identifier for a person. | no |
| lastActivationDate | DateTime | Most recent date when the identity was activated. | no |
| firstActivationDate | DateTime | Date when the identity was first activated. | no |
| instituteAbbreviation | String | Abbreviated name of the institute the person is affiliated with. | no |
| preferredCernLanguage | String | The preferred official CERN language of the person. | no |
| computingRulesAccepted | Boolean | Most recent date when the computing rules were accepted or the security course was taken. | no |
| computingRulesValidUntil | DateTime | Validity limit of the computing rules and security course. | no |
| computingRulesAcceptedFlag | Boolean | Flag indicating if the user signed the computing rules and took the security course for the first time. | no |
| source* | String | Source of info for the identity ('cern' for the CERN identities). | no |
| unconfirmed* | Boolean | Whether the identity is unconfirmed or not. Unconfirmed identities are created in order to be added as members to groups prior to that person's first login. | no |
| unconfirmedEmail* | String | When an unconfirmed identity is created, this email field is populated in order to link the future account of the person to this specific identity. | no |
| properties* | String | | no |
| securityIssues* | Boolean | True if the resource is blocked for security reasons and thus can be managed only by the security team or the service admins. | no |
| blockingTime* | DateTime | Date and time when the resource was blocked. | no |
| blockingDeadline* | DateTime | Date and time when the resource will be blocked automatically, according to its lifecycle. | no |
| expirationDeadline* | DateTime | Date and time when the resource will be deleted automatically, according to its lifecycle. | no |
| creationTime* | DateTime | Date and time when the object was created in the DB. | no |
| modificationTime* | DateTime | Date and time when the object was last modified in the DB. | no |
| builtin* | Boolean | If true, the object is a builtin object and cannot be modified. | no |

*Property used for internal system purposes. Might change in the future without warning.

Note: not all properties are available to all users. Sensitive data is subject to authorization.
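As an added example (not part of this page and not the Authorization Service's own client code), a small Python helper that applies two rules from the tables above: it adds a field= parameter for each attribute marked "Has to be requested = yes" so the response actually contains it, and it checks applicationIdentifier and groupIdentifier values against the stated identifier rules before they are sent. The on-request field sets are copied from the tables; repeating the field parameter once per attribute is an assumption the page does not state.

```python
import re
from urllib.parse import urlencode

API_BASE = "https://authorization-service-api.web.cern.ch/api/v1.0"

# Attributes the tables mark "Has to be requested = yes": omitted from the
# response unless named explicitly with field=... (copied from the tables).
FIELDS_ON_REQUEST = {
    "Account": {"personId", "assignedScopes"},
    "Group": {"memberGroupIds", "memberGroupIdsRecursive", "memberOfIdsRecursive",
              "assignedScopes", "memberIdentityIds", "memberIdentityIdsRecursive",
              "owner"},
    "Identity": {"owner", "supervisor", "externalEmail", "primaryAccountEmail"},
}

# Identifier rules as stated in the Application and Group tables: start with a
# lowercase letter, then only lowercase letters, digits, dashes, underscores.
_APP_ID = re.compile(r"[a-z][a-z0-9_-]{2,127}")     # 3..128 characters
_GROUP_ID = re.compile(r"[a-z][a-z0-9_-]{2,31}")    # 3..32 characters


def valid_application_identifier(value: str) -> bool:
    return _APP_ID.fullmatch(value) is not None


def valid_group_identifier(value: str) -> bool:
    # Same alphabet, shorter limit, and at least one dash is mandatory.
    return _GROUP_ID.fullmatch(value) is not None and "-" in value


def fields_needing_request(resource: str, wanted) -> list:
    """Subset of `wanted` that is only returned when explicitly requested."""
    return sorted(set(wanted) & FIELDS_ON_REQUEST.get(resource, set()))


def build_query(resource: str, filter_attr: str, filter_value: str, wanted=()) -> str:
    """GET URL for one resource; filter uses the attr:value form shown on the page.
    Assumption: one field= parameter per on-request attribute."""
    params = [("filter", f"{filter_attr}:{filter_value}")]
    params += [("field", f) for f in fields_needing_request(resource, wanted)]
    return f"{API_BASE}/{resource}?{urlencode(params)}"


if __name__ == "__main__":
    # Reproduces the example request from the introduction of this page.
    print(build_query("Account", "uniqueIdentifier", "mcurie", ["personId", "displayName"]))
```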