Authorization Service data model (available attributes)
Please note that in the following tables, rows with Has to be requested = yes imply that the field must be explicitly named in the API call, e.g. GET https://authorization-service-api.web.cern.ch/api/v1.0/Account?filter=uniqueIdentifier%3Amcurie&field=personId
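The following is an added example (not part of this page or of the Authorization Service client) showing how a client can build such a request from the tables below. It encodes the filter and field parameters with the standard library, adds a field= parameter for every wanted attribute whose row says "Has to be requested = yes", and checks a decoded response record for attributes that are absent because they were never requested. The attribute sets are copied from the Account, Group and Identity tables on this page; that the API accepts one repeated field= parameter per attribute, and the shape of the sample response record, are assumptions.

```python
from urllib.parse import urlencode

BASE_URL = "https://authorization-service-api.web.cern.ch/api/v1.0"

# Attributes whose table row says "Has to be requested = yes": the API only
# returns them when they are named in a field= parameter. Copied from the
# Account, Group and Identity tables on this page.
MUST_BE_REQUESTED = {
    "Account": {"personId", "assignedScopes"},
    "Group": {
        "memberGroupIds", "memberGroupIdsRecursive", "memberOfIdsRecursive",
        "assignedScopes", "memberIdentityIds", "memberIdentityIdsRecursive", "owner",
    },
    "Identity": {"owner", "supervisor", "externalEmail", "primaryAccountEmail"},
}


def build_query_url(resource, filter_attr, filter_value, wanted):
    """Return the GET URL for one resource type.

    `wanted` lists every attribute the caller needs; only those that have to be
    requested explicitly are turned into field= parameters, in the given order.
    Repeating field= once per attribute is an assumption, not documented here.
    The filter syntax reproduces the page's example (attribute:value).
    """
    if resource not in MUST_BE_REQUESTED:
        raise ValueError(f"unknown resource type: {resource}")
    params = [("filter", f"{filter_attr}:{filter_value}")]
    params += [("field", a) for a in wanted if a in MUST_BE_REQUESTED[resource]]
    # urlencode percent-encodes ':' as %3A, matching the example URL above.
    return f"{BASE_URL}/{resource}?{urlencode(params)}"


def unrequested_attributes(resource, wanted, record):
    """Return the wanted attributes missing from a decoded response record that
    would have needed an explicit field= parameter.

    Useful as a client-side check: a missing personId is almost always a
    forgotten field= parameter rather than an empty value.
    """
    return [
        a for a in wanted
        if a not in record and a in MUST_BE_REQUESTED[resource]
    ]


# Constructed sample record, as a client might receive it when no field=
# parameter was sent: the "has to be requested" attributes are absent.
SAMPLE_ACCOUNT = {
    "id": "example-object-id",
    "uniqueIdentifier": "mcurie",
    "displayName": "Marie Curie",
    "accountProviderId": "cern",
    "blocked": False,
}


if __name__ == "__main__":
    url = build_query_url("Account", "uniqueIdentifier", "mcurie", ["personId"])
    print(url)
    print(unrequested_attributes("Account", ["displayName", "personId"], SAMPLE_ACCOUNT))
```

Keeping the "has to be requested" sets in one table-driven structure means a client that later needs memberIdentityIdsRecursive for a Group only adds the attribute to `wanted`; the URL builder takes care of the extra parameter.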
Account
An account is a set of credentials that can be used to authenticate. Multiple accounts from different authentication providers (CERN, eduGAIN, social providers, etc.) can be associated with an identity.
Name | Type | Description | Read Only | Has to be requested |
---|---|---|---|---|
personId | String | Person Id for a CERN identity (the old CCID). | True | yes |
assignedScopes | Reference | List of systems to which the account is exported (freeIPA, AD). | True | yes |
displayName | String | Account display name. | True | no |
uniqueIdentifier | String | The unique and immutable provider login name. | False | no |
accountProviderId | Reference | Account provider (e.g. cern, google). | False | no |
emailAddress | String | Account's email address. | False | no |
resourceCategory | String | Resource category which determines the lifecycle of the resource. Values: Undefined, Official, Personal, Test | True | no |
reassignable | Boolean | True if the owner of the resource can assign it to a new owner. The new owner has to approve. | True | no |
autoReassign | Boolean | True if the resource will be reassigned automatically to the owner's supervisor once the owner leaves CERN. | True | no |
blocked | Boolean | True if the resource is blocked. | True | no |
blockingReason | String | Reason for blocking the resource. | True | no |
ownerId | Reference | Id of the identity that is the owner of this resource. | True | no |
id | String | Object id in the DB | False | no |
resetPasswordRequired* | Boolean | True if the password must be changed on next logon. | True | no |
securityIssues* | Boolean | True if the resource is blocked for security reasons and thus can be managed only by the security team or the service admins. | True | no |
blockingTime* | DateTime | Date and time when the resource was blocked | True | no |
blockingDeadline* | DateTime | Date and time when the resource will be blocked automatically, according to its lifecycle. | True | no |
expirationDeadline* | DateTime | Date and time when the resource will be deleted automatically, according to its lifecycle. | True | no |
creationTime* | DateTime | Date and time when the object was created in the DB. | False | no |
modificationTime* | DateTime | Date and time when the object was last modified in the DB. | False | no |
builtin* | Boolean | If true, the object is a builtin object, and cannot be modified. | False | no |
*Property used for internal system purposes. Might change in the future without warning.
Application (client)
A "client" is an application that can be registered with the SSO.
Name | Type | Description | Read Only | Has to be requested |
---|---|---|---|---|
applicationIdentifier | String | A unique and immutable identifier for the application, used as the client ID to register the application to the SSO. The identifier must start with a lowercase letter, can contain only lowercase letters, numbers, dashes and underscores, and must be between 3 and 128 characters long. | False | no |
displayName | String | Application display name (unique). | True | no |
identityId | Reference | Id of the identity that represents the application. | False | no |
description | String | Application description. | True | no |
administratorsId | Reference | Id of the group of administrators of the application. | True | no |
managerId | Reference | Id of a service identity that is managing the application. Used by services that register applications on behalf of the owner (e.g., web frameworks). | True | no |
administratorsAccess | String | Administrators access level. Values: Undefined, Full, Limited | True | no |
homePage | String | Home page of the application. | True | no |
resourceCategory | String | Resource category which determines the lifecycle of the resource. Values: Undefined, Official, Personal, Test | True | no |
reassignable | Boolean | True if the owner of the resource can assign it to a new owner. The new owner has to approve. | True | no |
autoReassign | Boolean | True if the resource will be reassigned automatically to the owner's supervisor once the owner leaves CERN. | True | no |
blocked | Boolean | True if the resource is blocked. | True | no |
blockingReason | String | Reason for blocking the resource. | True | no |
ownerId | Reference | Id of the identity that is the owner of this resource. | True | no |
id | String | Object id in the DB | False | no |
securityIssues* | Boolean | True if the resource is blocked for security reasons and thus can be managed only by the security team or the service admins. | True | no |
blockingTime* | DateTime | Date and time when the resource was blocked | True | no |
blockingDeadline* | DateTime | Date and time when the resource will be blocked automatically, according to its lifecycle. | True | no |
expirationDeadline* | DateTime | Date and time when the resource will be deleted automatically, according to its lifecycle. | True | no |
creationTime* | DateTime | Date and time when the object was created in the DB. | False | no |
modificationTime* | DateTime | Date and time when the object was last modified in the DB. | False | no |
builtin* | Boolean | If true, the object is a builtin object, and cannot be modified. | False | no |
*Property used for internal system purposes. Might change in the future without warning.
Group
A set of groups and identities, used for authorization, mailing and grouping.
Name | Type | Description | Read Only | Has to be requested |
---|---|---|---|---|
memberGroupIds | Reference | Ids of groups that are direct members of the group. | True | yes |
memberGroupIdsRecursive | Reference | Ids of groups that are direct or indirect members of the group, i.e. including members of children groups recursively. | True | yes |
memberOfIdsRecursive | Reference | Ids of groups that this group is member of directly or indirectly. | True | yes |
assignedScopes | Reference | Ids of systems or services to which the group is exported. | True | yes |
memberIdentityIds | Reference | Ids of identities that are direct members of the group. | True | yes |
memberIdentityIdsRecursive | Reference | Ids of identities that are direct or indirect members of the group, i.e. including members of children groups recursively. | True | yes |
owner | Reference | | True | yes |
groupIdentifier | String | A unique and immutable alphanumeric identifier for the group. The identifier: must start with a lowercase letter; can contain only lowercase letters, numbers, dashes and underscores; must contain at least one dash character and must be between 3 and 32 characters long. | False | no |
displayName | String | The group display name. | True | no |
description | String | Group description. | True | no |
public | Boolean | If true, the group is a public group that can be used by all applications. | True | no |
administratorsId | Reference | Id of the group of administrators for the group. | True | no |
approvalRequired | Boolean | Whether or not an approval is required for this group, when performing self-subscription. | True | no |
selfSubscriptionType | String | Self-Subscription access level. Values: Closed, Open, CernUsers | True | no |
privacyType | String | Group privacy level. Values: Open, Members, Admins | True | no |
dynamic | Boolean | Whether or not the group is dynamic (some criteria are defined for it). | True | no |
criteria | String | Dynamic group criteria. | True | no |
gid | Number | Unix id of the group. | True | no |
removeNonActiveMembers | Boolean | If set to true, members without an active CERN affiliation will be periodically removed from the group. | True | no |
resourceCategory | String | Resource category which determines the lifecycle of the resource. Values: Undefined, Official, Personal, Test | True | no |
reassignable | Boolean | True if the owner of the resource can assign it to a new owner. The new owner has to approve. | True | no |
autoReassign | Boolean | True if the resource will be reassigned automatically to the owner's supervisor once the owner leaves CERN. | True | no |
blocked | Boolean | True if the resource is blocked. | True | no |
blockingReason | String | Reason for blocking the resource. | True | no |
ownerId | Reference | Id of the identity that is the owner of this resource. | True | no |
id | String | Object id in the DB | False | no |
source* | String | The source of information for the group. | True | no |
syncType* | String | Group synchronization options. Values: Replica, Primary, SyncError, NoSync | True | no |
isComputingGroup* | Boolean | True if the group is a computing group (triggers gid assignment). | True | no |
securityIssues* | Boolean | True if the resource is blocked for security reasons and thus can be managed only by the security team or the service admins. | True | no |
blockingTime* | DateTime | Date and time when the resource was blocked | True | no |
blockingDeadline* | DateTime | Date and time when the resource will be blocked automatically, according to its lifecycle. | True | no |
expirationDeadline* | DateTime | Date and time when the resource will be deleted automatically, according to its lifecycle. | True | no |
creationTime* | DateTime | Date and time when the object was created in the DB. | False | no |
modificationTime* | DateTime | Date and time when the object was last modified in the DB. | False | no |
builtin* | Boolean | If true, the object is a builtin object, and cannot be modified. | False | no |
*Property used for internal system purposes. Might change in the future without warning.
Identity
An identity, which can represent a person, a service or an application.
Name | Type | Description | Read Only | Has to be requested |
---|---|---|---|---|
owner | Reference | Identity of the owner. | True | yes |
supervisor | Reference | Identity of the supervisor. | True | yes |
externalEmail | String | External (non-CERN) mail address that can be used as a contact. Populated for primary CERN identities only. | True | yes |
primaryAccountEmail | String | Email of the primary account of the identity. | True | yes |
type | String | The type of the identity, which can represent either a person or an application. Values: Undefined, Person, Application, Service, Secondary | True | no |
upn | String | Unique identifier for the identity. For CERN identities this is equal to the login of the associated CERN account. | True | no |
displayName | String | First name and last name. | True | no |
personId | String | Person Id for a CERN identity (the old CCID). | True | no |
supervisorId | Reference | Id of the supervisor's identity. Populated for primary CERN identities only. | True | no |
primaryAccountId | Reference | Id of the primary account linked to this identity. | True | no |
uid | Number | The Unix user id of the identity. | True | no |
gid | Number | The Unix group id for this identity. | True | no |
resourceCategory | String | Resource category which determines the lifecycle of the resource. Values: Undefined, Official, Personal, Test | True | no |
reassignable | Boolean | True if the owner of the resource can assign it to a new owner. The new owner has to approve. | True | no |
autoReassign | Boolean | True if the resource will be reassigned automatically to the owner's supervisor once the owner leaves CERN. | True | no |
blocked | Boolean | True if the resource is blocked. | True | no |
blockingReason | String | Reason for blocking the resource. | True | no |
ownerId | Reference | Id of the identity that is the owner of this resource. | True | no |
id | String | Object id in the DB | False | no |
room | DateTime | Office room | True | no |
floor | DateTime | Office floor | True | no |
orcid | DateTime | The Open Researcher and Contributor ID of the person | True | no |
cernId | DateTime | CERN ID (sensitive information) | True | no |
hrEmail | DateTime | Mail provided by HR with no uniqueness constraints, validation or verification | True | no |
building | DateTime | Office building | True | no |
endClass | String | End date of the current affiliation | True | no |
lastName | DateTime | Last Name | True | no |
birthDate | String | Date of birth | True | no |
cernClass | DateTime | Person's affiliation with CERN (STAF, FELL, USER, EXTN etc.) | True | no |
cernGroup | DateTime | The CERN group of the person | True | no |
firstName | DateTime | First Name | True | no |
activeUser | DateTime | Flag indicating if the person has an active affiliation with CERN | True | no |
startClass | String | Start date of the current affiliation | True | no |
telephone1 | DateTime | 1st CERN telephone number | True | no |
telephone2 | DateTime | 2nd CERN telephone number | True | no |
cernSection | DateTime | The CERN section of the person | True | no |
description | DateTime | The description of this account, in case of service or secondary identities. | True | no |
isPersonnel | DateTime | Flag indicating if the person is a member of the personnel | True | no |
cernPersonId | DateTime | Person ID (primary key in Foundation, public) | True | no |
nextEndClass | String | End date of the next affiliation | True | no |
instituteName | DateTime | Name of the institute the person is affiliated with | True | no |
nextCernClass | DateTime | Person's next affiliation with CERN | True | no |
portablePhone | DateTime | CERN portable phone number | True | no |
cernDepartment | DateTime | The CERN department of the person | True | no |
externalReason | DateTime | If the CERN_CLASS is EXTN, this is the type of external user | True | no |
expectedEndDate | String | Expected end date of current or next affiliation, used to send contract end alerts | True | no |
edhAuthPwdExpiry | String | Date at which the person's EDH authorization password will expire | True | no |
eduPersonUniqueID | DateTime | Unique and non-reassignable identifier for a person | True | no |
lastActivationDate | String | Most recent date when the identity was activated. | True | no |
firstActivationDate | String | Date when the identity was first activated. | True | no |
instituteAbbreviation | DateTime | Abbreviated name of the institute the person is affiliated with | True | no |
preferredCernLanguage | DateTime | The preferred official CERN language of the person | True | no |
computingRulesAccepted | String | Most recent date when the computing rules were accepted or the security course was taken. | True | no |
computingRulesValidUntil | String | Validity limit of the computing rules and security course. | True | no |
computingRulesAcceptedFlag | DateTime | Flag indicating if the user signed the computing rules and took the security course for the first time. | True | no |
source* | String | Source of info for the identity ('cern' for the CERN identities). | True | no |
unconfirmed* | Boolean | Whether the identity is unconfirmed or not. Unconfirmed identities are created in order to be added as members to groups prior to that person's first login. | True | no |
unconfirmedEmail* | String | When an unconfirmed identity is created, this email field is populated in order to link the future account of the person to this specific identity. | True | no |
properties* | String | | True | no |
securityIssues* | Boolean | True if the resource is blocked for security reasons and thus can be managed only by the security team or the service admins. | True | no |
blockingTime* | DateTime | Date and time when the resource was blocked | True | no |
blockingDeadline* | DateTime | Date and time when the resource will be blocked automatically, according to its lifecycle. | True | no |
expirationDeadline* | DateTime | Date and time when the resource will be deleted automatically, according to its lifecycle. | True | no |
creationTime* | DateTime | Date and time when the object was created in the DB. | False | no |
modificationTime* | DateTime | Date and time when the object was last modified in the DB. | False | no |
builtin* | Boolean | If true, the object is a builtin object, and cannot be modified. | False | no |
*Property used for internal system purposes. Might change in the future without warning.