Authorization Service data model (available attributes)
Please note that in the following tables, rows with Has to be requested = yes imply that the field should be explicitly requested in the API call e.g. GET https://authorization-service-api.web.cern.ch/api/v1.0/Account?filter=uniqueIdentifier%3Amcurie&field=personId
Account
An account is a set of credentials that can be used to authenticate. Multiple accounts from different authentication providers (CERN, eduGain, social providers etc) can be associated to an identity.
| Name | Type | Description | Read Only | Has to be requested |
|---|---|---|---|---|
| personId | String | Person Id for a CERN identity (the old CCID). | True | yes |
| assignedScopes | Reference | List of systems to which the account is exported (freeIPA, AD). | True | yes |
| displayName | String | Account display name. | True | no |
| uniqueIdentifier | String | The unique and immutable provider login name. | False | no |
| accountProviderId | Reference | Account provider (e.g. cern, google). | False | no |
| emailAddress | String | Account's email address. | False | no |
| resourceCategory | String | Resource category which determines the lifecycle of the resource. Values: Undefined, Official, Personal, Test | True | no |
| reassignable | Boolean | True if the owner of the resource can assign it to a new owner. The new owner has to approve. | True | no |
| autoReassign | Boolean | True is the resource will be reassigned automatically to the owner's supervisor once the owner will leave CERN. | True | no |
| blocked | Boolean | True if the resource is blocked. | True | no |
| blockingReason | String | Reason for blocking the resource. | True | no |
| ownerId | Reference | Id of the identity that is the owner of this resource. | True | no |
| id | String | Object id in the DB | False | no |
| resetPasswordRequired* | Boolean | True if the password must be changed on next logon. | True | no |
| securityIssues* | Boolean | True if the resource is blocked for security reasons and thus can be managed only by the security team or the service admisn. | True | no |
| blockingTime* | DateTime | Date and time when the resource was blocked | True | no |
| blockingDeadline* | DateTime | Date and time when the resource will be blocked automatically, according to its lifecycle. | True | no |
| expirationDeadline* | DateTime | Date and time when the resource will be deleted automatically, according to its lifecycle. | True | no |
| creationTime* | DateTime | Date and time when the object was created in the DB. | False | no |
| modificationTime* | DateTime | Date and time of when the object was last modified in the Db. | False | no |
| builtin* | Boolean | If true, the object is a builtin object, and cannot be modified. | False | no |
| *Property used for internal system purpose. Might change in the future without warning. |
Application (client)
"Client" is an application that can registered to the SSO.
| Name | Type | Description | Read Only | Has to be requested |
|---|---|---|---|---|
| applicationIdentifier | String | A unique and immutable identifier for the application, used as the client ID to register the application to the SSO. The identifier must start with a lowercase letter, can contain only lowercase letters, numbers, dashes and underscores, and must be between 3 and 128 characters long. | False | no |
| displayName | String | Application display name (unique). | True | no |
| identityId | Reference | Id of the identity that represents the application. | False | no |
| description | String | Application description. | True | no |
| administratorsId | Reference | Id of the group of administrators of the application. | True | no |
| managerId | Reference | Id of a service identity that is managing the application. Used by services that register applications on behalf of the owner (e.g., web frameworks | True | no |
| administratorsAccess | String | Administrators access level. Values: Undefined, Full, Limited | True | no |
| homePage | String | Home page of the application. | True | no |
| resourceCategory | String | Resource category which determines the lifecycle of the resource. Values: Undefined, Official, Personal, Test | True | no |
| reassignable | Boolean | True if the owner of the resource can assign it to a new owner. The new owner has to approve. | True | no |
| autoReassign | Boolean | True is the resource will be reassigned automatically to the owner's supervisor once the owner will leave CERN. | True | no |
| blocked | Boolean | True if the resource is blocked. | True | no |
| blockingReason | String | Reason for blocking the resource. | True | no |
| ownerId | Reference | Id of the identity that is the owner of this resource. | True | no |
| id | String | Object id in the DB | False | no |
| securityIssues* | Boolean | True if the resource is blocked for security reasons and thus can be managed only by the security team or the service admisn. | True | no |
| blockingTime* | DateTime | Date and time when the resource was blocked | True | no |
| blockingDeadline* | DateTime | Date and time when the resource will be blocked automatically, according to its lifecycle. | True | no |
| expirationDeadline* | DateTime | Date and time when the resource will be deleted automatically, according to its lifecycle. | True | no |
| creationTime* | DateTime | Date and time when the object was created in the DB. | False | no |
| modificationTime* | DateTime | Date and time of when the object was last modified in the Db. | False | no |
| builtin* | Boolean | If true, the object is a builtin object, and cannot be modified. | False | no |
| *Property used for internal system purpose. Might change in the future without warning. |
Group
A set of groups and identities. Used for authorization, mailing and grouping.
| Name | Type | Description | Read Only | Has to be requested |
|---|---|---|---|---|
| memberGroupIds | Reference | Ids of groups that are direct members of the group. | True | yes |
| memberGroupIdsRecursive | Reference | Ids of groups that are direct or indirect members of the group, i.e. including members of children groups recursively. | True | yes |
| memberOfIdsRecursive | Reference | Ids of groups that this group is member of directly or indirectly. | True | yes |
| assignedScopes | Reference | Ids of systems or services to which the group is exported. | True | yes |
| memberIdentityIds | Reference | Ids of identities that are direct members of the group. | True | yes |
| memberIdentityIdsRecursive | Reference | Ids of identities that are direct or indirect members of the group, i.e. including members of children groups recursively. | True | yes |
| owner | Reference | True | yes | |
| groupIdentifier | String | A unique and immutable alphanumeric identifier for the group. The identifier: must start with a lowercase letter; can contain only lowercase letters, numbers, dashes and underscores; must contain at least one dash character and must be between 3 and 32 characters long. | False | no |
| displayName | String | The group display name. | True | no |
| description | String | Group description. | True | no |
| public | Boolean | If true, the group is a public group that can be used by all applications. | True | no |
| administratorsId | Reference | Id of the group of administrators for the group. | True | no |
| approvalRequired | Boolean | Whether or not an approval is required for this group, when performing self-subscription. | True | no |
| selfSubscriptionType | String | Self-Subscription access level. Values: Closed, Open, CernUsers | True | no |
| privacyType | String | Group privacy level. Values: Open, Members, Admins | True | no |
| dynamic | Boolean | Whether or not the group is dynamic (some criteria are defined for it). | True | no |
| criteria | String | Dynamic group criteria. | True | no |
| gid | Number | Unix id of the group. | True | no |
| removeNonActiveMembers | Boolean | If set to true, members without an active CERN affiliation will be periodically removed from the group. | True | no |
| resourceCategory | String | Resource category which determines the lifecycle of the resource. Values: Undefined, Official, Personal, Test | True | no |
| reassignable | Boolean | True if the owner of the resource can assign it to a new owner. The new owner has to approve. | True | no |
| autoReassign | Boolean | True is the resource will be reassigned automatically to the owner's supervisor once the owner will leave CERN. | True | no |
| blocked | Boolean | True if the resource is blocked. | True | no |
| blockingReason | String | Reason for blocking the resource. | True | no |
| ownerId | Reference | Id of the identity that is the owner of this resource. | True | no |
| id | String | Object id in the DB | False | no |
| source* | String | The source of information for the group. | True | no |
| syncType* | String | Group synchronization options. Values: Replica, Primary, SyncError, NoSync | True | no |
| isComputingGroup* | Boolean | True if the group is a computing group (triggers gid assignment). | True | no |
| securityIssues* | Boolean | True if the resource is blocked for security reasons and thus can be managed only by the security team or the service admisn. | True | no |
| blockingTime* | DateTime | Date and time when the resource was blocked | True | no |
| blockingDeadline* | DateTime | Date and time when the resource will be blocked automatically, according to its lifecycle. | True | no |
| expirationDeadline* | DateTime | Date and time when the resource will be deleted automatically, according to its lifecycle. | True | no |
| creationTime* | DateTime | Date and time when the object was created in the DB. | False | no |
| modificationTime* | DateTime | Date and time of when the object was last modified in the Db. | False | no |
| builtin* | Boolean | If true, the object is a builtin object, and cannot be modified. | False | no |
| *Property used for internal system purpose. Might change in the future without warning. |
Identity
An identity, which can represent a person, a service or an application. Please note that almost all Identity information is considered Read Only as it is synchronised in from HR's Foundation database. Many fields are only available to authorised users meaning that this table may not apply to you directly.
| Name | Type | Description | Has to be requested |
|---|---|---|---|
| owner | Reference | Identity of the owner. | yes |
| supervisor | Reference | Identity of the supervisor. | yes |
| externalEmail | String | External (non-CERN) mail address, that can be used as a contact. Polulated for primary CERN identities only. | yes |
| primaryAccountEmail | String | Email of the primary account of the identity. | yes |
| type | String | The type of the identity, which can represent either a person or an application. Values: Undefined, Person, Application, Service, Secondary | no |
| upn | String | Unique identifier for the identity. For CERN identities this is equal to the login of the associated CERN account. | no |
| displayName | String | First name and last name. | no |
| personId | String | Person Id for a CERN identity (the old CCID). | no |
| supervisorId | Reference | Id of the supervisor's identity. Populated for primary CERN identities only. | no |
| primaryAccountId | Reference | Id of the primary account linked to this identity. | no |
| uid | Number | The Unix user id of the identity. | no |
| gid | Number | The Unix group id for this identity. | no |
| resourceCategory | String | Resource category which determines the lifecycle of the resource. Values: Undefined, Official, Personal, Test | no |
| reassignable | Boolean | True if the owner of the resource can assign it to a new owner. The new owner has to approve. | no |
| autoReassign | Boolean | True is the resource will be reassigned automatically to the owner's supervisor once the owner will leave CERN. | no |
| blocked | Boolean | True if the resource is blocked. | no |
| blockingReason | String | Reason for blocking the resource. | no |
| ownerId | Reference | Id of the identity that is the owner of this resource. | no |
| id | String | Object id in the DB | no |
| room | String | Office room | no |
| floor | String | Office floor | no |
| orcid | String | The Open Researcher and Contributor ID of the person | no |
| cernId | String | CERN ID (sensitive information) | no |
| hrEmail | String | Mail provided by HR with no uniqueness constraints, validation or verification | no |
| building | String | Office building | no |
| endClass | DateTime | End date of the current affiliation | no |
| lastName | DateTime | Last Name | no |
| birthDate | DateTime | Date of birth | no |
| cernClass | String | Persons's affiliation with CERN (STAF, FELL, USER, EXTN etc.) | no |
| cernGroup | String | The CERN group of the person | no |
| firstName | String | First Name | no |
| activeUser | Boolean | Flag indicating if the person has an active affiliation with CERN | no |
| startClass | DateTime | Start date of the current affiliation | no |
| telephone1 | String | 1st CERN telephone number | no |
| telephone2 | String | 2nd CERN telephone number | no |
| cernSection | String | The CERN section of the person | no |
| description | String | The description of this account, in case of service or secondary identities. | no |
| isPersonnel | Boolean | Flag indicating if the person is a member of the personnel | no |
| cernPersonId | String | Person ID (primary key in Foundation, public) | no |
| nextEndClass | DateTime | End date of the next affiliation | no |
| instituteName | String | Name of the institute the person is affiliated with | no |
| nextCernClass | String | Persons's next affiliation with CERN | no |
| portablePhone | String | CERN portable phone number | no |
| cernDepartment | String | The CERN department of the person | no |
| externalReason | String | If the CERN_CLASS is EXTN, this is the type of external user | no |
| expectedEndDate | DateTime | Expected end date of current or next affiliation, used to send contract end alerts | no |
| eduPersonUniqueID | DateTime | Unique and non-reassignable identifier for a person | no |
| lastActivationDate | DateTime | Most recent date when the identity was activated. | no |
| firstActivationDate | DateTime | Date when the identity was first activated. | no |
| instituteAbbreviation | String | Abbreviated name of the institute the person is affiliated with | no |
| preferredCernLanguage | String | The preferred official CERN language of the person | no |
| computingRulesAccepted | Boolean | Most recent date when the computing rules were accepted or the security course was taken. | no |
| computingRulesValidUntil | DateTime | Validity limit of the computing rules and security course. | no |
| computingRulesAcceptedFlag | Boolean | Flag indicating if the user signed the computing rules and took the security course for the first time. | no |
| source* | String | Source of info for the identity (‘cern’ for the CERN identities). | no |
| unconfirmed* | Boolean | Whether the identity is unconfirmed or not. Unconfirmed identities are created in order to be added as members to groups prior to that person's first login. | no |
| unconfirmedEmail* | String | When an unconfirmed identity is created, this email field is populated in order to link the future account of the person to this specific identity. | no |
| properties* | String | no | |
| securityIssues* | Boolean | True if the resource is blocked for security reasons and thus can be managed only by the security team or the service admisn. | no |
| blockingTime* | DateTime | Date and time when the resource was blocked | no |
| blockingDeadline* | DateTime | Date and time when the resource will be blocked automatically, according to its lifecycle. | no |
| expirationDeadline* | DateTime | Date and time when the resource will be deleted automatically, according to its lifecycle. | no |
| creationTime* | DateTime | Date and time when the object was created in the DB. | no |
| modificationTime* | DateTime | Date and time of when the object was last modified in the Db. | no |
| builtin* | Boolean | If true, the object is a builtin object, and cannot be modified. | no |
*Property used for internal system purpose. Might change in the future without warning.
Note: not all properties are available to all users. Sensitive data is subject to authorization.