Reporting Object Configurations
Definition
Reporting Objects define how one may interact with an underlying (built-in or custom) Document Collection:
Is it writeable or not?
Is it append-only?
What are the available search criteria?
Configuration
You can access the Report configuration:
by clicking on "Reporting" → "Report Configuration"
by clicking on "System" → "Configurations" → "Reporting service" and performing an import/export.
Mandatory properties
The properties of this object are as follows:
Property | Type | Mandatory | Description |
|---|---|---|---|
id | | YES | The Reporting Object Configuration unique identifier |
name | | YES | The name of the Reporting Object Configuration |
description | | NO | A description of the Reporting Object Configuration purpose |
 | | YES | A configuration object that specifies options for writing to the targeted Collection. |
built-inCollection | | YES - mutually exclusive with | A collection name from an enumeration of built-in collections. A built-in Collection comes with pre-declared Criteria and can be used instead of defining a custom collection manually. |
built-inCollectionAdditionalCriteria | | NO - only meaningful if | Additional, custom criteria when using a built-in Collection. See Criteria. |
customCollection | | YES - mutually exclusive with | Allows configuring a custom collection or overriding the presets of a built-in collection by targeting the same collection name. |
legacy | | YES | Whether the Reporting Object Configuration is legacy. |
collectionWriteConfiguration
Property | Type | Values (default in bold) | Description |
|---|---|---|---|
writable | | true, false | Allows writing to the collection |
appendOnly | | true, false | If true, documents with an |
Built-in Collection available
ACCOUNT_INFORMATION
Targets the "account" collection (paginated search). Used to display the properties and attributes of provisioned accounts.
AUTHENTICATION_COUNT
Targets the "authentication_hour" collection (aggregation). Used for displaying authentication data typically with a XY chart.
AUTHENTICATION_DETAIL
Targets the "authentication_agg" collection (paginated search). Used for displaying the details of authentication typically with a reporting list widget.
ACCESS_COUNT
Targets the "access_hour" collection (aggregation). Used for displaying access data typically with a XY chart.
ACCESS_DETAIL
Targets the "access_agg" collection (paginated search). Used for displaying the details of access typically with a reporting list widget.
FEDERATION
Targets the "federation" collection (paginated search). Used for displaying the details of a federation typically with a reporting list widget.
SYNC_TASK_OPERATION
Targets the "domino_sync_task_operation" collection (paginated search). Used to display the sync operations with the sync operation widget.
SYNC_TASK_REPORT
Targets the "domino_sync_task_report" collection (paginated search). Used to display the sync report, typically with a list widget.
PROV_TASK_OPERATION
Targets the "domino_prov_task_operation" collection. Used to display provisioning operations.
PROV_TASK_REPORT
Targets the "domino_prov_task_report" collection. Used to display the provisioning reports.
ACCOUNT_DISCOVERY_TASK_OPERATION
Targets the "domino_account_discovery_task_operation" collection. Used to display account discovery operations.
To activate the publication of events in this collection, set the SYNC setting accountDiscovery.task.execution.event.publish to True and set accountDiscovery.task.taskReport.reporting.id to the reportingObjectDefinition Id.
ACCOUNT_DISCOVERY_TASK_REPORT
Targets the "domino_account_discovery_task_report" collection. Used to display the reports of account discovery task executions.
ROLE_ASSIGNMENT
Targets the "role_assignment" collection. Used to display information about role assignments.
This collection is provisioned using a Synchronization Reporting Application Connector. In the Application that references this connector, use a built-in rule in the "postActions" to automatically sync the Role Assignment(s) to the collection.
<!-- Example of Application configuration -->
<postActions>
    <action class="identityRoleAssignmentsMongoSynchronization">
        <config xsi:type="dmn:IdentityRoleAssignmentsMongoSynchronizationConfigurationType">
            <collectionName>role_assignment</collectionName>
        </config>
    </action>
</postActions>
The collection name can be changed if needed; if it is not provided, the default role_assignment value applies. Note that if you change the collection name, you must define a custom configuration and not use the ROLE_ASSIGNMENT built-in configuration.
Hard/Soft delete of identities
The post action should also be executed when there is a delete, in order to remove the Role Assignment(s) of the identity. To execute post actions on activation events, enable the "executePostActions" flag in the options:
<applicationObjectActivationDefinition>
    <executePostActions>true</executePostActions>
    <onApplicationUnassignedEvent>NO_OP</onApplicationUnassignedEvent>
    <onIdmObjectDeleteEvent>NO_OP</onIdmObjectDeleteEvent>
    <onIdmObjectDisableEvent>NO_OP</onIdmObjectDisableEvent>
</applicationObjectActivationDefinition>
Since all post actions will be executed sequentially, verify that this is the intended behaviour.
SMS_NOTIFICATION
Targets the “sms_notification” collection. Used to store the SMS notification reports.
The report contains the following information:
Info | Details | |
|---|---|---|
date | Date of the SMS Notification | |
notificationDefinitionId | The SMS Notification Definition Id | |
sender | The sender used for sending the SMS | |
recipients | SmsMessageRecipient[] | |
uid | ||
name | ||
language | ||
phone | ||
transmitted | true if the SMS has been sent | |
status | One of 'SUCCESS', 'PARTIAL', 'ERROR' | |
cost | ||
MY_MFA_ACCOUNT_ERROR
Target the “my_mfa_account_error” collection.
This collection is provisioned when errors occurred during the MyMFA cleanup job:
Orphan accounts are encountered (a MyMFA account exists without any identity associated to it)
Multiple identities share the same MyMFA account (although not forbidden this might be suspicious)
IDENTITY_RECERTIFICATION_CAMPAIGN
Store the campaigns information launched for policies targeting IDENTITY object kind.
ORGANIZATION_RECERTIFICATION_CAMPAIGN
Store the campaigns information launched for policies targeting ORGANIZATION object kind.
Example of document: similar to the example for IDENTITY_RECERTIFICATION_CAMPAIGN
RESOURCE_RECERTIFICATION_CAMPAIGN
Store the campaigns information launched for policies targeting RESOURCE object kind.
Example of document: similar to the example for IDENTITY_RECERTIFICATION_CAMPAIGN
ROLE_RECERTIFICATION_CAMPAIGN
Store the campaigns information launched for policies targeting ROLE object kind.
Example of document: similar to the example for IDENTITY_RECERTIFICATION_CAMPAIGN
ROLE_PUBLICATION_RECERTIFICATION_CAMPAIGN
Store the campaigns information launched for policies targeting ROLE_PUBLICATION object kind.
Example of document: similar to the example for IDENTITY_RECERTIFICATION_CAMPAIGN
IDENTITY_RECERTIFICATION_METADATA
Store the recertification metadata for IDENTITY object kind.
Targets the "identityRecertificationMetadata" collection.
This collection is provisioned using a Synchronization Application Mongo Connector. In the Application that references this connector, use a built-in rule in the "postActions" to automatically sync the object recertification to the collection.
<!-- Example of Application configuration -->
<postActions>
    <action class="objectRecertificationMetadataMongoSynchronization">
    </action>
</postActions>
Hard/Soft delete of identities
The post action should also be executed when there is a delete, in order to remove the identity recertification metadata. To execute post actions on activation events, enable the "executePostActions" flag in the options:
<applicationObjectActivationDefinition>
    <executePostActions>true</executePostActions>
    <onApplicationUnassignedEvent>NO_OP</onApplicationUnassignedEvent>
    <onIdmObjectDeleteEvent>NO_OP</onIdmObjectDeleteEvent>
    <onIdmObjectDisableEvent>NO_OP</onIdmObjectDisableEvent>
</applicationObjectActivationDefinition>
ORGANIZATION_RECERTIFICATION_METADATA
Store the recertification metadata for ORGANIZATION object kind.
Targets the "organizationRecertificationMetadata" collection.
This collection is provisioned using a Synchronization Application Mongo Connector. In the Application that references this connector, use a built-in rule in the "postActions" to automatically sync the object recertification to the collection.
<!-- Example of Application configuration -->
<postActions>
    <action class="objectRecertificationMetadataMongoSynchronization">
    </action>
</postActions>
Hard/Soft delete of identities
The post action should also be executed when there is a delete, in order to remove the organization recertification metadata. To execute post actions on activation events, enable the "executePostActions" flag in the options:
<applicationObjectActivationDefinition>
    <executePostActions>true</executePostActions>
    <onApplicationUnassignedEvent>NO_OP</onApplicationUnassignedEvent>
    <onIdmObjectDeleteEvent>NO_OP</onIdmObjectDeleteEvent>
    <onIdmObjectDisableEvent>NO_OP</onIdmObjectDisableEvent>
</applicationObjectActivationDefinition>
Example of document: similar to the example for IDENTITY_RECERTIFICATION_METADATA
RESOURCE_RECERTIFICATION_METADATA
Store the recertification metadata for RESOURCE object kind.
Targets the "resourceRecertificationMetadata" collection. Used to display the SoD violations of identities.
This collection is provisioned using a Synchronization Application Mongo Connector. In the Application that references this connector, use a built-in rule in the "postActions" to automatically sync the object recertification to the collection.
<!-- Example of Application configuration -->
<postActions>
    <action class="objectRecertificationMetadataMongoSynchronization">
    </action>
</postActions>
Hard/Soft delete of identities
The post action should also be executed when there is a delete, in order to remove the resource recertification metadata. To execute post actions on activation events, enable the "executePostActions" flag in the options:
<applicationObjectActivationDefinition>
    <executePostActions>true</executePostActions>
    <onApplicationUnassignedEvent>NO_OP</onApplicationUnassignedEvent>
    <onIdmObjectDeleteEvent>NO_OP</onIdmObjectDeleteEvent>
    <onIdmObjectDisableEvent>NO_OP</onIdmObjectDisableEvent>
</applicationObjectActivationDefinition>
Example of document: similar to the example for IDENTITY_RECERTIFICATION_METADATA
ROLE_RECERTIFICATION_METADATA
Store the recertification metadata for ROLE object kind.
Targets the "roleRecertificationMetadata" collection.
This collection is provisioned using a Synchronization Application Mongo Connector. In the Application that references this connector, use a built-in rule in the "postActions" to automatically sync the object recertification to the collection.
<!-- Example of Application configuration -->
<postActions>
    <action class="objectRecertificationMetadataMongoSynchronization">
    </action>
</postActions>
Hard/Soft delete of identities
The post action should also be executed when there is a delete, in order to remove the role recertification metadata. To execute post actions on activation events, enable the "executePostActions" flag in the options:
<applicationObjectActivationDefinition>
    <executePostActions>true</executePostActions>
    <onApplicationUnassignedEvent>NO_OP</onApplicationUnassignedEvent>
    <onIdmObjectDeleteEvent>NO_OP</onIdmObjectDeleteEvent>
    <onIdmObjectDisableEvent>NO_OP</onIdmObjectDisableEvent>
</applicationObjectActivationDefinition>
Example of document: similar to the example for IDENTITY_RECERTIFICATION_METADATA
ROLE_PUBLICATION_RECERTIFICATION_METADATA
Store the recertification metadata for ROLE_PUBLICATION object kind.
Targets the "rolePublicationRecertificationMetadata" collection.
This collection is provisioned using a Synchronization Application Mongo Connector. In the Application that references this connector, use a built-in rule in the "postActions" to automatically sync the object recertification to the collection.
<!-- Example of Application configuration -->
<postActions>
    <action class="objectRecertificationMetadataMongoSynchronization">
    </action>
</postActions>
Hard/Soft delete of identities
The post action should also be executed when there is a delete, in order to remove the role publication recertification metadata. To execute post actions on activation events, enable the "executePostActions" flag in the options:
<applicationObjectActivationDefinition>
    <executePostActions>true</executePostActions>
    <onApplicationUnassignedEvent>NO_OP</onApplicationUnassignedEvent>
    <onIdmObjectDeleteEvent>NO_OP</onIdmObjectDeleteEvent>
    <onIdmObjectDisableEvent>NO_OP</onIdmObjectDisableEvent>
</applicationObjectActivationDefinition>
Example of document: similar to the example for IDENTITY_RECERTIFICATION_METADATA
IDENTITY
Target the “identity” collection.
RESOURCE
Target the “resource” collection.
ORGANIZATION
Target the “organization” collection.
ROLE
Target the “role” collection.
ROLE_PUBLICATION
Target the “role_publication” collection.
IDENTITY_DAILY
Target the “identity_daily” collection.
RESOURCE_DAILY
Target the “resource_daily” collection.
ORGANIZATION_DAILY
Target the “organization_daily” collection.
ROLE_DAILY
Target the “role_daily” collection.
ROLE_PUBLICATION_DAILY
Target the “role_publication_daily” collection.
ROLE_HISTORY
Targets the "__builtin__role_history" collection. Used to display information about role assignments history.
This collection is provisioned using a Synchronization Application Mongo Connector. In the Application that references this connector, use a built-in rule in the "postActions" to automatically sync the Role Assignment(s) to the collection.
<!-- Example of Application configuration -->
<postActions>
    <action class="identityRoleHistoryMongoSynchronization">
    </action>
</postActions>
Hard/Soft delete of identities
The post action should also be executed when there is a delete, in order to remove the Role Assignment(s) of the identity. To execute post actions on activation events, enable the "executePostActions" flag in the options:
<applicationObjectActivationDefinition>
    <executePostActions>true</executePostActions>
    <onApplicationUnassignedEvent>NO_OP</onApplicationUnassignedEvent>
    <onIdmObjectDeleteEvent>NO_OP</onIdmObjectDeleteEvent>
    <onIdmObjectDisableEvent>NO_OP</onIdmObjectDisableEvent>
</applicationObjectActivationDefinition>
SOD_VIOLATION
Targets the "__builtin__sod_violation" collection. Used to display the SoD violations of identities.
This collection is provisioned using a Synchronization Application Mongo Connector. In the Application that references this connector, use a built-in rule in the "postActions" to automatically sync the SoD Violation(s) to the collection.
<!-- Example of Application configuration -->
<postActions>
    <action class="identitySodViolationsMongoSynchronization">
    </action>
</postActions>
Hard/Soft delete of identities
The post action should also be executed when there is a delete, in order to remove the SoD violation(s) of the identity. To execute post actions on activation events, enable the "executePostActions" flag in the options:
<applicationObjectActivationDefinition>
    <executePostActions>true</executePostActions>
    <onApplicationUnassignedEvent>NO_OP</onApplicationUnassignedEvent>
    <onIdmObjectDeleteEvent>NO_OP</onIdmObjectDeleteEvent>
    <onIdmObjectDisableEvent>NO_OP</onIdmObjectDisableEvent>
</applicationObjectActivationDefinition>
PLATFORM_AVAILABILITY
Target the “platform_availability” collection.
FEDERATION_MAPPING
Target the “federation_mapping” collection.
DISTRIBUTED_BATCH_MONITORING
Target the “distributed_batch_monitoring” collection.
RATE_LIMITING_METRICS
Target the “rate_limiting_metrics” collection.
IDENTITY_MONTHLY
Target the “identity_monthly” collection.
Example
<?xml version="1.0" encoding="UTF-8"?>
<kit:DataSet xmlns:ctd="http://www.memority.com/citadel/1_0"
             xmlns:ctdcore="http://www.memority.com/citadel/core/1_0"
             xmlns:ctdidm="http://www.memority.com/citadel/idm/1_0"
             xmlns:ctdrep="http://www.memority.com/citadel/rep/1_0"
             xmlns:ctdtnt="http://www.memority.com/citadel/tnt/1_0"
             xmlns:kit="http://www.memority.com/toolkit/1_0"
             xmlns:rule="http://www.memority.com/toolkit/rule/1_0"
             xmlns:search="http://www.memority.com/toolkit/search-expression/1_0"
             xmlns:settings="http://www.memority.com/toolkit/addons/settings/1_0"
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <ctdrep:ReportingObjectConfiguration id="test_conf_1">
        <name>Test conf 1</name>
        <description>Configuration for authentication hours</description>
        <collectionWriteConfiguration>
            <writable>false</writable>
            <appendOnly>false</appendOnly>
        </collectionWriteConfiguration>
        <built-inCollection>AUTHENTICATION_COUNT</built-inCollection>
        <built-inCollectionAdditionalCriteria>
            <criterion>
                <name>identity.enabledFrom</name>
                <valueType>DATETIME</valueType>
            </criterion>
            <criterion>
                <name>identity.enabledUntil</name>
                <valueType>DATETIME</valueType>
            </criterion>
        </built-inCollectionAdditionalCriteria>
    </ctdrep:ReportingObjectConfiguration>
</kit:DataSet>
Built-in collections summary
Builtin collection name | Description | Long lived | Builtin searchable criteria |
|---|---|---|---|
ACCOUNT_INFORMATION | Targets the "account" collection (paginated search). Used to display the properties and attributes of provisioned accounts. | NO | { "name": "_id", "valueType": "OBJECT", "searchable": true } |
AUTHENTICATION_COUNT | Targets the "authentication_hour" collection (aggregation). Used for displaying authentication data typically with a XY chart. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
AUTHENTICATION_DETAIL | Targets the "authentication_agg" collection (paginated search). Used for displaying the details of authentication typically with a reporting list widget. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ACCESS_COUNT | Targets the "access_hour" collection (aggregation). Used for displaying access data typically with a XY chart. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ACCESS_DETAIL | Targets the "access_agg" collection (paginated search). Used for displaying the details of access typically with a reporting list widget. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
FEDERATION | Targets the "federation" collection (paginated search). Used for displaying the details of a federation typically with a reporting list widget. | YES | { "name": "_id", "valueType": "STRING", "searchable": true } { "name": "nextVersion.configuration.authnRequestSigningCertificate", "valueType": "STRING", "searchable": false } { "name": "nextVersion.configuration.nameId", "valueType": "STRING", "searchable": false } { "name": "nextVersion.configuration.sub", "valueType": "STRING", "searchable": false } { "name": "currentVersion.configuration.authnRequestSigningCertificate", "valueType": "STRING", "searchable": false } { "name": "currentVersion.configuration.nameId", "valueType": "STRING", "searchable": false } { "name": "currentVersion.configuration.sub", "valueType": "STRING", "searchable": false } { "name": "previousVersions.configuration.authnRequestSigningCertificate", "valueType": "STRING", "searchable": false } { "name": "previousVersions.configuration.nameId", "valueType": "STRING", "searchable": false } { "name": "previousVersions.configuration.sub", "valueType": "STRING", "searchable": false } |
SYNC_TASK_OPERATION | Targets the "domino_sync_task_operation" collection (paginated search). Used to display the sync operations with the sync operation widget. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
SYNC_TASK_REPORT | Targets the "domino_sync_task_report" collection (paginated search). Used to display the sync report, typically with a list widget. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
PROV_TASK_OPERATION | Targets the "domino_prov_task_operation" collection. Used to display provisioning operations. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
PROV_TASK_REPORT | Targets the "domino_prov_task_report" collection. Used to display the provisioning reports. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ACCOUNT_DISCOVERY_TASK_OPERATION | Targets the "domino_account_discovery_task_operation" collection. Used to display account discovery operations. To activate the publication of event in this collection, fill to | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ACCOUNT_DISCOVERY_TASK_REPORT | Targets the "domino_account_discovery_task_report" collection. Used to display the reports of account discovery task executions. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ROLE_ASSIGNMENT | Targets the "role_assignment" collection. Used to display information about role assignments. | YES | { "name": "_id", "valueType": "STRING", "searchable": true } |
SMS_NOTIFICATION | Targets the “sms_notification” collection. Used to store the SMS notification reports. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
MY_MFA_ACCOUNT_ERROR | Target the “my_mfa_account_error” collection. This collection is provisioned when errors occurred during the MyMFA cleanup job: | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
IDENTITY_RECERTIFICATION_CAMPAIGN | Store the campaigns information launched for policies targeting IDENTITY object kind. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ORGANIZATION_RECERTIFICATION_CAMPAIGN | Store the campaigns information launched for policies targeting ORGANIZATION object kind. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
RESOURCE_RECERTIFICATION_CAMPAIGN | Store the campaigns information launched for policies targeting RESOURCE object kind. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ROLE_RECERTIFICATION_CAMPAIGN | Store the campaigns information launched for policies targeting ROLE object kind. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ROLE_PUBLICATION_RECERTIFICATION_CAMPAIGN | Store the campaigns information launched for policies targeting ROLE_PUBLICATION object kind. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
IDENTITY_RECERTIFICATION_METADATA | Store the recertification metadata for IDENTITY object kind. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ORGANIZATION_RECERTIFICATION_METADATA | Store the recertification metadata for ORGANIZATION object kind. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
RESOURCE_RECERTIFICATION_METADATA | Store the recertification metadata for RESOURCE object kind. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ROLE_RECERTIFICATION_METADATA | Store the recertification metadata for ROLE object kind. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ROLE_PUBLICATION_RECERTIFICATION_METADATA | Store the recertification metadata for ROLE_PUBLICATION object kind. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
IDENTITY | Target the “identity” collection. | YES | |
RESOURCE | Target the “resource” collection. | YES | |
ORGANIZATION | Target the “organization” collection. | YES | |
ROLE | Target the “role” collection. | YES | |
ROLE_PUBLICATION | Target the “role_publication” collection. | YES | |
IDENTITY_DAILY | Target the “identity_daily” collection. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
RESOURCE_DAILY | Target the “resource_daily” collection. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ORGANIZATION_DAILY | Target the “organization_daily” collection. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ROLE_DAILY | Target the “role_daily” collection. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ROLE_PUBLICATION_DAILY | Target the “role_publication_daily” collection. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
ROLE_HISTORY | Target the “__builtin__role_history” collection. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
SOD_VIOLATION | Target the “__builtin__sod_violation” collection. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
PLATFORM_AVAILABILITY | Target the “platform_availability” collection. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } |
FEDERATION_MAPPING | Target the “federation_mapping” collection. | YES | { "name": "_id", "valueType": "OBJECT", "searchable": true } |
DISTRIBUTED_BATCH_MONITORING | Target the “distributed_batch_monitoring” collection. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } { "name": "name", "valueType": "STRING", "searchable": false } { "name": "numberOfItems", "valueType": "INTEGER", "searchable": false } { "name": "numberOfSuccess", "valueType": "INTEGER", "searchable": false } { "name": "numberOfFailure", "valueType": "INTEGER", "searchable": false } { "name": "monitoringTags", "valueType": "OBJECT", "searchable": false } { "name": "monitoringTags.mode", "valueType": "STRING", "searchable": false } { "name": "monitoringTags.origin", "valueType": "STRING", "searchable": false } { "name": "monitoringTags.tarder", "valueType": "STRING", "searchable": false } { "name": "requester", "valueType": "STRING", "searchable": false } { "name": "subject", "valueType": "STRING", "searchable": false } { "name": "_finishedAt", "valueType": "DATETIME", "searchable": false } { "name": "_createdAt", "valueType": "DATETIME", "searchable": true } { "name": "_updatedAt", "valueType": "DATETIME", "searchable": true } |
RATE_LIMITING_METRICS | Target the “rate_limiting_metrics” collection. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } { "name": "maxBandwidth", "valueType": "STRING", "searchable": false } { "name": "moderators", "valueType": "STRING", "searchable": false } { "name": "effectiveModerator", "valueType": "STRING", "searchable": false } { "name": "load", "valueType": "STRING", "searchable": false } { "name": "_createdAt", "valueType": "DATETIME", "searchable": true } { "name": "_updatedAt", "valueType": "DATETIME", "searchable": true } |
IDENTITY_MONTHLY | Target the “identity_monthly” collection. | NO | { "name": "_id", "valueType": "STRING", "searchable": true } { "name": "rights", "valueType": "STRING_ARRAY", "searchable": true } |
Synchronizing recertifications with the Reporting connector
When syncing Applications using the Reporting connector it is also possible to synchronize the recertification metadata using the builtin rule objectRecertificationMetadataMongoSynchronization in a post action.
Rule configuration
The rule will use a preset configuration for the collection name as follows:
Object kind | Target collection name |
|---|---|
IDENTITY | |
ORGANIZATION | |
RESOURCE | |
ROLE | |
ROLE_PUBLICATION | |
If one needs to change the collection name, it can be overridden in the rule configuration:
<postActions>
    <action class="objectRecertificationMetadataMongoSynchronization">
        <config xsi:type="dmn:ObjectRecertificationMetadataMongoSynchronizationConfigurationType">
            <collectionName>my_custom_collection_name</collectionName>
        </config>
    </action>
</postActions>
Example
Custom Collection properties
Property | Type | Mandatory | Description |
|---|---|---|---|
collectionName | | YES | The name of the targeted collection. It cannot start with the reserved prefix “__builtin__”. |
 | | YES | A list of allowed search criteria for this collection. This also serves as a light schema for defining the fields value type. For instance a If a request contains other criteria than the ones mentioned, the request will be rejected. (Note that built-in collections declare all the criteria of their target collection; to restrict a criteria, one needs to create a custom collection and re-declare the allowed criteria). A |
Criteria
Properties
Property | Type | Mandatory | Values (default in bold) | Description |
|---|---|---|---|---|
name | | YES | | The name of the criteria in the Reporting collection. This can be a nested path to a final criteria or a root criteria (Example |
valueType | | YES | ANY, STRING, INTEGER, FLOAT, BOOLEAN, DATETIME, OBJECT, ANY_ARRAY, STRING_ARRAY, INTEGER_ARRAY, FLOAT_ARRAY, BOOLEAN_ARRAY, DATETIME_ARRAY, OBJECT_ARRAY | The value type of the criteria. See Criteria Type System. |
searchable | Boolean | NO | false | If true, an index will be created on the corresponding field in the collection and it will be possible to use this criteria in search expressions. _id field is always searchable and cannot be unindexed. |
Example
<!-- All criteria under "identity" are interpreted as STRING except for "identity.enabledUntil" -->
<criteria>
    <criterion>
        <name>identity.enabledFrom</name>
        <valueType>DATETIME</valueType>
        <searchable>true</searchable>
    </criterion>
    <criterion>
        <name>identity.enabledUntil</name>
        <valueType>DATETIME</valueType>
        <searchable>false</searchable>
    </criterion>
</criteria>
Custom Report Example
<?xml version="1.0" encoding="UTF-8"?>
<kit:DataSet xmlns:ctd="http://www.memority.com/citadel/1_0"
             xmlns:ctdcore="http://www.memority.com/citadel/core/1_0"
             xmlns:ctdidm="http://www.memority.com/citadel/idm/1_0"
             xmlns:ctdrep="http://www.memority.com/citadel/rep/1_0"
             xmlns:ctdtnt="http://www.memority.com/citadel/tnt/1_0"
             xmlns:kit="http://www.memority.com/toolkit/1_0"
             xmlns:rule="http://www.memority.com/toolkit/rule/1_0"
             xmlns:search="http://www.memority.com/toolkit/search-expression/1_0"
             xmlns:settings="http://www.memority.com/toolkit/addons/settings/1_0"
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <ctdrep:ReportingObjectConfiguration id="test_conf_2">
        <name>Test Conf 2</name>
        <description>Test get filters with custom collection</description>
        <collectionWriteConfiguration>
            <writable>false</writable>
            <appendOnly>false</appendOnly>
        </collectionWriteConfiguration>
        <customCollection>
            <criteria>
                <criterion>
                    <name>countries</name>
                    <valueType>STRING</valueType>
                </criterion>
                <criterion>
                    <name>continents</name>
                    <valueType>STRING</valueType>
                </criterion>
            </criteria>
            <collectionName>authentication_agg</collectionName>
        </customCollection>
    </ctdrep:ReportingObjectConfiguration>
</kit:DataSet>
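The constraints stated in the property tables above can be checked offline before a DataSet is imported. The linter below is an added example, not Memority code: its function names and the sample configurations are constructed, and it assumes that built-inCollection and customCollection are the mutually exclusive pair and that collectionWriteConfiguration is the mandatory write-options element, as in the page's examples.

```python
import xml.etree.ElementTree as ET

REP_NS = "http://www.memority.com/citadel/rep/1_0"
RESERVED_PREFIX = "__builtin__"
BOOLEANS = {"true", "false"}
VALUE_TYPES = {
    "ANY", "STRING", "INTEGER", "FLOAT", "BOOLEAN", "DATETIME", "OBJECT",
    "ANY_ARRAY", "STRING_ARRAY", "INTEGER_ARRAY", "FLOAT_ARRAY",
    "BOOLEAN_ARRAY", "DATETIME_ARRAY", "OBJECT_ARRAY",
}


def _text(element, path):
    """Stripped text of a child element, or None when the child is absent."""
    value = element.findtext(path)
    return value.strip() if value is not None else None


def lint_criterion(criterion):
    findings = []
    name = _text(criterion, "name") or "<unnamed criterion>"
    vtype = _text(criterion, "valueType")
    searchable = _text(criterion, "searchable")
    if vtype not in VALUE_TYPES:
        findings.append(f"{name}: unknown valueType {vtype!r}")
    if searchable is not None and searchable not in BOOLEANS:
        findings.append(f"{name}: searchable must be true or false")
    if searchable == "true" and vtype in ("ANY", "ANY_ARRAY"):
        findings.append(f"{name}: searchable set on {vtype}, which cannot be searched")
    return findings


def lint_configuration(conf):
    findings = []
    if not conf.get("id"):
        findings.append("missing id")
    if not _text(conf, "name"):
        findings.append("missing name")
    write = conf.find("collectionWriteConfiguration")
    if write is None:
        findings.append("missing collectionWriteConfiguration")
    else:
        for flag in ("writable", "appendOnly"):
            value = _text(write, flag)
            if value is not None and value not in BOOLEANS:
                findings.append(f"{flag} must be true or false")
    builtin = conf.find("built-inCollection")
    custom = conf.find("customCollection")
    extra = conf.find("built-inCollectionAdditionalCriteria")
    if (builtin is None) == (custom is None):
        findings.append("expected exactly one of built-inCollection / customCollection")
    criteria = []
    if extra is not None:
        if builtin is None:
            findings.append("built-inCollectionAdditionalCriteria without built-inCollection")
        criteria += extra.findall("criterion")
    if custom is not None:
        collection = _text(custom, "collectionName")
        if not collection:
            findings.append("customCollection without collectionName")
        elif collection.startswith(RESERVED_PREFIX):
            findings.append(f"collectionName {collection!r} uses the reserved prefix")
        criteria += custom.findall("criteria/criterion")
    for criterion in criteria:
        findings += lint_criterion(criterion)
    return findings


def lint_dataset(xml_text):
    """Map each ReportingObjectConfiguration id to its list of findings."""
    root = ET.fromstring(xml_text)
    tag = f"{{{REP_NS}}}ReportingObjectConfiguration"
    return {conf.get("id", "<no id>"): lint_configuration(conf) for conf in root.iter(tag)}


# Constructed sample: one valid custom collection and one with four distinct mistakes.
SAMPLE = """<kit:DataSet xmlns:ctdrep="http://www.memority.com/citadel/rep/1_0"
             xmlns:kit="http://www.memority.com/toolkit/1_0">
  <ctdrep:ReportingObjectConfiguration id="ok_custom">
    <name>Valid custom collection</name>
    <collectionWriteConfiguration><writable>false</writable></collectionWriteConfiguration>
    <customCollection>
      <criteria><criterion><name>countries</name><valueType>STRING</valueType></criterion></criteria>
      <collectionName>authentication_agg</collectionName>
    </customCollection>
  </ctdrep:ReportingObjectConfiguration>
  <ctdrep:ReportingObjectConfiguration id="bad_custom">
    <name>Broken custom collection</name>
    <collectionWriteConfiguration><writable>yes</writable></collectionWriteConfiguration>
    <built-inCollectionAdditionalCriteria>
      <criterion><name>identity</name><valueType>ANY</valueType><searchable>true</searchable></criterion>
    </built-inCollectionAdditionalCriteria>
    <customCollection>
      <criteria><criterion><name>rights</name><valueType>STRING_LIST</valueType></criterion></criteria>
      <collectionName>__builtin__sod_violation</collectionName>
    </customCollection>
  </ctdrep:ReportingObjectConfiguration>
</kit:DataSet>"""

if __name__ == "__main__":
    for conf_id, findings in lint_dataset(SAMPLE).items():
        print(conf_id, "OK" if not findings else findings)
```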
REST API
The Configuration is managed on the following endpoints:
URL | Method | Description |
|---|---|---|
{tenant}/api/rep/conf/reporting-objects | GET, POST | Retrieve the lists of defined ReportingObjectConfiguration for the tenant |
{tenant}/api/rep/conf/reporting-objects/{reportingObjectConfigurationId} | GET, PUT, DELETE | Manage the specific ReportingObjectConfiguration |
Access rights
The access rights mirror those already existing on other resources:
Rights |
|---|
sys.rep-conf-read: Can read the configuration(s) |
sys.rep-conf-crud: Can read/write the configuration(s) |
sys.rep-conf-import: Can import new configuration(s) |
sys.rep-conf-export: Can export configuration(s) |
sys.rep-conf-admin: Can do anything with the configuration(s) |
Criteria Type System
Declared criteria affect both Document search and persistence:
One may search only on declared criteria that are not of type ANY or ANY_ARRAY
The type of declared criteria is enforced when persisting a document. If type conversion is not possible, an error will be returned
The ANY type
This type allows any value. Data will be inserted as is, without conversion.
This is the typing applied to undeclared criteria.
The OBJECT type
This type should be used for criteria that are objects and that are searched on with an exact match (eg. _id = '{"id": "foo", "date": "1970-01-01T00:00:00Z"}').
When persisting a Document:
The map type will be enforced
ANY/ANY_ARRAY keys (declared or not) are not allowed
Keys will be reordered to match the criteria declaration order (because exact match is sensitive to key order)
As a consequence, all sub-criteria must be declared (_id.id and _id.date in the example above), and the declaration order should match the key order of existing data (if any), and should never be changed.
Implicit objects
When a criteria is of type ANY (respectively ANY_ARRAY) and at least one sub-criteria is declared, this criteria is an Implicit Object (respectively an array of Implicit Objects).
While searching on an Implicit Object Criteria directly is not allowed, one may search on its declared sub-criteria.
When persisting a Document:
The map type will be enforced
Undeclared keys are allowed
No key reordering will be performed.
Array types
To each simple type (ANY, OBJECT, STRING, INTEGER,…) corresponds an array type (ANY_ARRAY, OBJECT_ARRAY, STRING_ARRAY, INTEGER_ARRAY,…)
The semantics of ANY_ARRAY and OBJECT_ARRAY match those of the corresponding simple types:
All sub-criteria of OBJECT_ARRAY criteria must be declared, keys will be reordered
An ANY_ARRAY criteria with at least one declared sub-criteria is an array of Implicit Objects
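The persistence and search rules of the Criteria Type System, modelled as an added example (not Memority code; class and function names are hypothetical). It shows why OBJECT keys are reordered to declaration order before an exact match, and how an Implicit Object differs; the scalar conversion rules are assumptions, since the page only states that a failed conversion is an error.

```python
import json
from datetime import datetime


class PersistError(ValueError):
    """The document violates the declared criteria."""


class SearchRejected(ValueError):
    """The search uses a criterion that may not be searched."""


def convert_scalar(path, vtype, value):
    """Assumed conversion rules for simple types (not specified on the page)."""
    try:
        if vtype == "STRING":
            return str(value)
        if vtype == "INTEGER":
            return int(value)
        if vtype == "FLOAT":
            return float(value)
        if vtype == "BOOLEAN":
            return {"true": True, "false": False}[str(value).lower()]
        if vtype == "DATETIME":
            datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            return value
    except (ValueError, KeyError, TypeError) as exc:
        raise PersistError(f"{path}: cannot convert {value!r} to {vtype}") from exc
    raise PersistError(f"{path}: unknown valueType {vtype}")


class CriteriaSchema:
    def __init__(self, criteria):
        # criteria: (name, valueType, searchable) tuples in declaration order
        self.types = {name: vtype for name, vtype, _ in criteria}
        self.order = [name for name, _, _ in criteria]
        # _id is always searchable according to the page
        self.searchable = {name for name, _, flag in criteria if flag} | {"_id"}

    def type_of(self, path):
        return self.types.get(path, "ANY")  # undeclared criteria are typed ANY

    def children(self, path):
        """Direct sub-criteria of `path`, in declaration order."""
        prefix = path + "."
        return [n[len(prefix):] for n in self.order
                if n.startswith(prefix) and "." not in n[len(prefix):]]

    def check_search(self, path):
        if path not in self.types:
            raise SearchRejected(f"{path}: undeclared criterion")
        if self.types[path] in ("ANY", "ANY_ARRAY"):
            raise SearchRejected(f"{path}: {self.types[path]} cannot be searched")
        if path not in self.searchable:
            raise SearchRejected(f"{path}: not declared searchable")
        return True

    def persist(self, document):
        return {key: self._convert(key, value) for key, value in document.items()}

    def _convert(self, path, value):
        vtype = self.type_of(path)
        if vtype.endswith("_ARRAY"):
            if not isinstance(value, list):
                raise PersistError(f"{path}: expected an array")
            return [self._convert_one(path, vtype[:-len("_ARRAY")], v) for v in value]
        return self._convert_one(path, vtype, value)

    def _convert_one(self, path, vtype, value):
        kids = self.children(path)
        if (vtype == "OBJECT" or (vtype == "ANY" and kids)) and not isinstance(value, dict):
            raise PersistError(f"{path}: expected a map")
        if vtype == "OBJECT":
            for key in value:
                if self.type_of(f"{path}.{key}") in ("ANY", "ANY_ARRAY"):
                    raise PersistError(f"{path}.{key}: undeclared or ANY key in an OBJECT")
            # keys are emitted in declaration order, whatever order the input used
            return {k: self._convert(f"{path}.{k}", value[k]) for k in kids if k in value}
        if vtype == "ANY":
            if kids:  # Implicit Object: undeclared keys kept, no reordering
                return {k: self._convert(f"{path}.{k}", v) for k, v in value.items()}
            return value  # inserted as is, without conversion
        return convert_scalar(path, vtype, value)


# Constructed declarations: the OBJECT _id from the page's example, plus an
# Implicit Object ("identity" is ANY with one declared sub-criterion).
SCHEMA = CriteriaSchema([
    ("_id", "OBJECT", True),
    ("_id.id", "STRING", True),
    ("_id.date", "DATETIME", True),
    ("identity", "ANY", False),
    ("identity.enabledFrom", "DATETIME", True),
])

if __name__ == "__main__":
    stored = SCHEMA.persist({
        "_id": {"date": "1970-01-01T00:00:00Z", "id": "foo"},  # keys in the "wrong" order
        "identity": {"nickname": "jdoe", "enabledFrom": "2024-01-01T00:00:00Z"},
    })
    print(json.dumps(stored))
```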