Definition
Reporting Objects define how one may interact with an underlying (built-in or custom) Document Collection:
Configuration
You can access the Report configuration :
Mandatory properties
The properties of this object are as follows:
| Property | Type | Mandatory | Description |
|---|---|---|---|
| id | String | YES | The Reporting Object Configuration unique identifier |
| name | String | YES | The name of the Reporting Object Configuration |
| description | String | NO | A description of the Reporting Object Configuration purpose |
| collectionWriteConfiguration | CollectionWriteConfiguration | YES | A configuration object specifying options for writing to the targeted Collection. |
| built-inCollection | built-inReportingCollection (enum) | YES - mutually exclusive with customCollection | A collection name from an enumeration of built-in collections. A built-in Collection comes with pre-declared Criteria and can be used instead of defining a custom collection manually. |
| built-inCollectionAdditionalCriteria | List<CriteriaDefinition> | NO - only meaningful if built-inCollection is set | Additional, custom criteria when using a built-in Collection. See Criteria. |
| customCollection | CustomReportingCollection | YES - mutually exclusive with built-inCollection | Configures a custom collection, or overrides the presets of a built-in collection by targeting the same collection name. |
| purgeConfiguration | PurgeConfiguration | NO | Configures a retention period and/or a maximum number of documents in a collection. If not set, a default value is used. |
| effectiveCollectionName | String | YES | Ensures that two ReportObjectConfiguration are not configured on the same built-inCollection or customCollection. |
collectionWriteConfiguration
| Property | Type | Values (default in bold) | Description |
|---|---|---|---|
| writable | Boolean | true, false | Allows writing to the collection |
| appendOnly | Boolean | true, false | If true, documents with an _id property will be ignored, i.e. only new documents can be inserted (no update of existing documents). |
purgeConfiguration
| Property | Type | Values | Description |
|---|---|---|---|
| retention | Period | 1 year | All documents updated (or created, if never updated) before that retention period are purged. |
| maxDocuments | Integer | null | The maximum number of documents to keep in a collection. If exceeded, documents are purged chronologically. |
Built-in Collection available
Targets the "account" collection (paginated search). Used to display the properties and attributes of provisioned accounts.
Document Example
JSON
{
"_id" : {
"applicationId" : "report-identity-application",
"accountId" : "BUS-DH08567",
"accountClass" : "identity"
},
"_createdAt" : ISODate("2023-06-08T15:23:52.575+0000"),
"_updatedAt" : ISODate("2024-04-18T13:07:35.026+0000"),
"account" : {
"lastName" : "POEYRE",
"roles" : [
"Active Directory - User",
"Office 365 - User",
"SelfService Common",
"WebPos - User"
],
"enabledFrom" : "2023-06-07T22:00:00Z",
"login" : "jpoeyre",
"type" : "internal",
"orgId" : "ZH7440",
"rights" : [
"adm.billingB2E-reporting",
"adm.selfservice-features",
"app.access.BZ65598096",
"app.prov.identity-activeDirectory",
"app.prov.identity-report",
"app.prov.identity-o365",
"app.prov.webpos",
"auth.password",
"auth.webauthn"
],
"_updatedAt" : "2024-04-18T13:07:34.516Z",
"email" : "john.poeyre-mybusiness@demo-office365.memority.fr",
"apps" : [
"Fitnet",
"Active Directory",
"Memority User Portal",
"WebPos",
"Office 365"
],
"org" : "BU R&D",
"roleDimensions" : "RDYR44872:[fonction:Vendeur Générique]",
"rolesId" : [
"RJNC12141",
"RSKO97974",
"RDYR44872"
],
"managerId" : "SM36942",
"bpeManager" : "Alex BLAISE",
"firstName" : "John",
"secondary_password_activation" : "DISABLED",
"_id" : "BUS-DH08567",
"status" : "true"
},
"accountId" : "BUS-DH08567",
"accountName" : "BUS-DH08567",
"accountPatch" : null,
"accountStatus" : "SYNCED",
"accountStatusRefreshedAt" : ISODate("2024-04-18T13:07:35.022+0000"),
"citadelApplicationId" : null,
"createdAt" : ISODate("2024-04-18T13:07:35.020+0000"),
"dominoApplicationId" : "report-identity-application",
"error" : null,
"idmObjectId" : "BUS-DH08567",
"idmObjectKind" : "IDENTITY",
"idmObjectType" : "internal",
"lastSyncedAt" : ISODate("2024-04-18T13:07:35.018+0000"),
"provisioningRateCurrentlyLimited" : false,
"shadowId" : "6f194483-f941-42f4-9ebd-fde6a3feff97",
"statusAuthoritative" : true,
"accountClass" : "identity",
"ignored" : false,
"ignoredAt" : null,
"lastChangeRequestedAt" : null,
"syncSituation" : "LINKED"
}
AUTHENTICATION_COUNT
Targets the "authentication_hour" collection (aggregation). Used for displaying authentication data, typically with an XY chart.
Document Example
JSON
{
"_id" : "511a395bc1d450757485d4c38905944b",
"co" : "FR",
"ct" : "EU",
"date" : ISODate("2024-01-09T10:00:00.000+0000"),
"dt" : NumberInt(20240109),
"hr" : NumberInt(2024010910),
"md" : "MemorityLDAP",
"me" : "AUTHENTICATION-241",
"nb" : NumberInt(2),
"org" : "AA0000",
"orgc" : [
],
"st" : "Ko",
"tp" : "internal",
"ua" : "Chrome"
}
AUTHENTICATION_DETAIL
Targets the "authentication_agg" collection (paginated search). Used for displaying the details of authentication typically with a reporting list widget.
Document Example
JSON
{
"_id" : ObjectId("65bb5f7d61442109e7d4a83a"),
"filename" : "amAuthentication",
"LoginID" : "uid=abagail.douglas,ou=people,ou=mytest,dc=memority,dc=fr",
"ContextID" : "c4f9824ec6c783d801",
"IPAddr" : "89.144.233.233",
"MessageID" : "AUTHENTICATION-303",
"ModuleName" : "MemorityLDAP",
"NameID" : "Not Available",
"user-agent" : {
"ua_string" : "Not Available",
"os" : {
"family" : "Other",
"version_string" : ""
},
"browser" : {
"family" : "Other",
"version_string" : ""
},
"device" : {
"family" : "Other",
"brand" : null,
"model" : null
},
"type" : "unknown",
"is_touch_capable" : false
},
"realm" : "mytest",
"date" : ISODate("2024-02-01T09:08:12.000+0000"),
"date_fr" : "01/02/2024",
"date_en" : "2024/02/01",
"date_int" : NumberInt(20240201),
"user" : "abagail.douglas",
"location_data" : {
"continent" : "EU",
"country" : "FR",
"stateprov" : "Île-de-France",
"district" : "Paris",
"city" : "Paris",
"zipcode" : NumberInt(75000),
"latitude" : 48.8566,
"longitude" : 2.35222,
"geoname_id" : NumberInt(2988507),
"timezone_offset" : NumberInt(1),
"timezone_name" : "Europe/Paris",
"isp_name" : "France Telecom",
"organization_name" : ""
},
"identity" : {
"_id" : "abagail.douglas",
"lastName" : "DOUGLAS",
"org" : "AA0000",
"login" : "abagail.douglas@mail.com",
"type" : "internal",
"firstName" : "Abagail",
"orgLabel" : "MyQualifefe",
"email" : "abagail.douglas@mail.com",
"status" : "true",
"id" : "abagail.douglas",
"orgChain" : [
]
},
"status" : "Unspecified"
}
ACCESS_COUNT
Targets the "access_hour" collection (aggregation). Used for displaying access data, typically with an XY chart.
Document Example
JSON
{
"_id" : "f0fd79e8b240b2efc6a9930f5d736dad",
"ap" : "urn:citadel:usr:mytest|/mytest/idp-citadel-usr-int-demo",
"co" : "FR",
"ct" : "EU",
"date" : ISODate("2024-01-26T14:00:00.000+0000"),
"dt" : NumberInt(20240126),
"hr" : NumberInt(2024012614),
"md" : "MemorityLDAP",
"me" : "SAML2-37",
"nb" : NumberInt(6),
"org" : "AA0000",
"orgc" : [
],
"st" : "Ok",
"tp" : "internal",
"ua" : "Chrome"
}
ACCESS_DETAIL
Targets the "access_agg" collection (paginated search). Used for displaying the details of access typically with a reporting list widget.
Document Example
JSON
{
"_id" : ObjectId("659d4cd26d3e926de37053c6"),
"filename" : "SAML2",
"LoginID" : "uid=russel.doyle,ou=people,ou=mytest,dc=memority,dc=fr",
"ContextID" : "aaaee8cd9467373c01",
"IPAddr" : "86.105.3.52",
"MessageID" : "SAML2-37",
"ModuleName" : "MemorityLDAP",
"NameID" : "russel.doyle",
"user-agent" : {
"ua_string" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"os" : {
"family" : "Windows",
"version_string" : NumberInt(10)
},
"browser" : {
"family" : "Chrome",
"version_string" : "120.0.0"
},
"device" : {
"family" : "Other",
"brand" : null,
"model" : null
},
"type" : "pc",
"is_touch_capable" : false
},
"realm" : "mytest",
"status" : "Ok",
"RawApplication" : "urn:citadel:usr:mytest|/mytest/idp-citadel-usr-int-demo",
"FederationMode" : "idp-citadel-usr-int-demo",
"date" : ISODate("2024-01-09T13:40:27.000+0000"),
"date_fr" : "09/01/2024",
"date_en" : "2024/01/09",
"date_int" : NumberInt(20240109),
"user" : "russel.doyle",
"identity" : {
"_id" : "russel.doyle",
"lastName" : "DOYLE",
"firstName" : "Russel",
"org" : "AA0000",
"orgLabel" : "MyQualifefe",
"login" : "russel.doyle@mail.com",
"type" : "internal",
"email" : "russel.doyle@mail.com",
"status" : "true",
"id" : "russel.doyle",
"orgChain" : [
]
},
"location_data" : {
"continent" : "EU",
"country" : "FR",
"stateprov" : "Île-de-France",
"district" : "Paris",
"city" : "Paris",
"zipcode" : NumberInt(75000),
"latitude" : 48.8566,
"longitude" : 2.35222,
"geoname_id" : NumberInt(2988507),
"timezone_offset" : NumberInt(1),
"timezone_name" : "Europe/Paris",
"isp_name" : "France Telecom",
"organization_name" : ""
},
"Application" : {
"_id" : "urn:citadel:usr:mytest|/mytest/idp-citadel-usr-int-demo",
"id" : "urn:citadel:usr:mytest|/mytest/idp-citadel-usr-int-demo"
}
}
FEDERATION
Targets the "federation" collection (paginated search). Used for displaying the details of a federation typically with a reporting list widget.
Document Example
JSON
{
"_id": "61888080-b97d-47a4-b9af-00600b6f1897",
"_createdAt": "2024-02-02T15:28:32.943Z",
"_updatedAt": "2024-02-02T15:29:14.456Z",
"application": null,
"createdAt": "2024-02-02T15:28:24.607Z",
"nextVersion": {
"description": null,
"authenticationLevel": "10",
"_usedAmAttributes": [],
"deployedAt": null,
"mappingKey": {
"@type": "identity-attr",
"attributeId": "id"
},
"attributes": [],
"configuration": {
"@type": "wsfed",
"entityId": "https://app.wsfed.test/fedtest/",
"nameIdFormat": "EMAIL",
"assertionConsumerUrls": [
"https://app.wsfed.test/fedtest/acs"
],
"assertionSignatureCertificateId": "testcert",
"displayName": null
}
},
"status": "DEPLOYED",
"version": 42,
"currentVersion": {
"description": "test",
"authenticationLevel": "10",
"_usedAmAttributes": [],
"deployedAt": "2024-02-02T15:29:12.709Z",
"mappingKey": {
"@type": "identity-attr",
"attributeId": "id"
},
"attributes": [],
"configuration": {
"@type": "wsfed",
"entityId": "https://app.wsfed.test/fedtest/",
"nameIdFormat": "EMAIL",
"assertionConsumerUrls": [
"https://app.wsfed.test/fedtest/"
],
"assertionSignatureCertificateId": "testcert",
"displayName": null
}
},
"updatedAt": "2024-02-02T15:29:12.703Z"
}
SYNC_TASK_OPERATION
Targets the "domino_sync_task_operation" collection (paginated search). Used to display the sync operations with the sync operation widget.
Document Example
JSON
{
"_id" : ObjectId("6130f26a3893663133022a4d"),
"type" : "domino_sync_task_operation",
"tenant" : "mytest",
"taskDefinition" : "import-internal-syncTask",
"taskInstance" : "469398c0-e8b6-4e90-830a-ca4922962e2d",
"startDate" : ISODate("2021-08-23T07:28:17.115+0000"),
"objectKind" : "IDENTITY",
"objectId" : "ZD8821",
"objectType" : "internal",
"operation" : "PATCH",
"outcome" : "SUCCESS",
"attributeChanges" : [
{
"attrId" : "enabledUntil",
"oldValues" : [
"2021-07-07T09:30:00Z"
]
},
{
"attrId" : "reservedFlags"
},
{
"attrId" : "_updatedAt",
"oldValues" : [
"2021-08-22T22:10:02.836Z"
],
"newValues" : [
"2021-08-23T07:28:25.755Z"
]
}
],
"shadowId" : "4e6b4acf-451d-4e44-ae0c-c06b5a4e8fd4",
"shadowObjectId" : "interne-role-auth-quatre.recette",
"applicationId" : "import-internal-application",
"error" : null
}
SYNC_TASK_REPORT
Targets the "domino_sync_task_report" collection (paginated search). Used to display the sync report, typically with a list widget.
Document Example
JSON
{
"_id" : ObjectId("65bba77b8db2f11e6f924bff"),
"type" : "domino_sync_task_report",
"tenant" : "mytest",
"taskDefinition" : "importTask-partner",
"taskInstance" : "8ccd63d6-351d-4177-8c47-06f83309814f",
"objectKind" : "IDENTITY",
"startDate" : ISODate("2024-02-01T14:15:18.248+0000"),
"durationMs" : NumberInt(5278),
"status" : "SUCCESS",
"triggerType" : "MANUAL",
"visibility" : "PRIVATE",
"actor" : "AA0000",
"simulate" : false,
"importedFileName" : "importPartner.csv",
"numberOfEntriesToProcess" : NumberInt(1),
"numberOfProcessedEntries" : NumberInt(1),
"numberOfIgnoredEntries" : NumberInt(0),
"numberOfCreatedIdmObjects" : NumberInt(1),
"numberOfUpdatedIdmObjects" : NumberInt(0),
"numberOfDeletedIdmObjects" : NumberInt(0),
"numberOfSoftDeletedIdmObjects" : NumberInt(0),
"numberOfDeactivatedIdmObjects" : NumberInt(0),
"numberOfErrors" : NumberInt(0),
"fatalError" : null,
"errors" : [
],
"_createdAt" : ISODate("2024-02-01T14:15:23.532+0000"),
"_updatedAt" : ISODate("2024-02-01T14:15:23.532+0000")
}
PROV_TASK_OPERATION
Targets the "domino_prov_task_operation" collection. Used to display provisioning operations.
Document Example
JSON
{
"_id" : ObjectId("659bd048c5207f00ffb251aa"),
"type" : "domino_prov_task_operation",
"tenant" : "mytest",
"taskDefinition" : null,
"taskInstance" : null,
"eventDate" : ISODate("2024-01-08T10:36:56.276+0000"),
"objectKind" : "IDENTITY",
"objectId" : "emilie.andrews",
"objectType" : "internal",
"changeType" : null,
"outcome" : "FAILURE",
"attributeChanges" : [
],
"shadowId" : null,
"accountId" : null,
"applicationId" : "prov-memorityAuthentication-common-application",
"error" : {
"@type" : "validation",
"properties" : {
"attribute_ids" : "[mail]"
},
"errorId" : "DMN-E2000009",
"label" : "MANDATORY_ATTRIBUTE_MISSING",
"description" : "Mandatory attribute(s) missing: [mail].",
"appId" : "demo-domino-sync-v1",
"timestamp" : "2024-01-08T10:36:56.271Z",
"logTrackingId" : "59c10833-0d4d-4f69-9987-8522669beec8"
},
"_createdAt" : ISODate("2024-01-08T10:36:56.287+0000"),
"_updatedAt" : ISODate("2024-01-08T10:36:56.287+0000")
}
PROV_TASK_REPORT
Targets the "domino_prov_task_report" collection. Used to display the provisioning reports.
Document Example
JSON
{
"_id" : ObjectId("65bba89086ac2504d8bd069a"),
"type" : "domino_prov_task_report",
"tenant" : "mytest",
"taskDefinition" : "prov-partners",
"taskInstance" : "710959d2-b425-43fa-8ecf-49ff5a67e0d8",
"objectKind" : null,
"startDate" : ISODate("2024-02-01T14:20:00.098+0000"),
"durationMs" : NumberInt(184),
"status" : "SUCCESS",
"triggerType" : null,
"visibility" : null,
"actor" : "system@@sync",
"numberOfEntriesToProcess" : NumberInt(1),
"numberOfProcessedEntries" : NumberInt(1),
"numberOfIgnoredEntries" : NumberInt(1),
"numberOfCreatedAccounts" : NumberInt(0),
"numberOfUpdatedAccounts" : NumberInt(0),
"numberOfDeletedAccounts" : NumberInt(0),
"numberOfErrors" : NumberInt(0),
"fatalError" : null,
"errors" : [
],
"_createdAt" : ISODate("2024-02-01T14:20:00.291+0000"),
"_updatedAt" : ISODate("2024-02-01T14:20:00.291+0000")
}
ACCOUNT_DISCOVERY_TASK_OPERATION
Targets the "domino_account_discovery_task_operation" collection. Used to display account discovery operations.
To activate the publication of events in this collection, set the SYNC setting accountDiscovery.task.execution.event.publish to True and set accountDiscovery.task.taskReport.reporting.id to the reportingObjectDefinition Id.
Document Example
JSON
{
"_id" : ObjectId("659bd048c5207f00ffb251aa"),
"taskDefinition":"test_ldapAccountDiscovery",
"taskInstance":"d11c9c1d-65a2-460f-b7de-5f44da1126f4",
"date":"2024-04-24T12:57:30.056Z",
"idmObjectId":"john.doe",
"idmObjectKind":"IDENTITY",
"idmObjectType":"employee",
"citadelApplicationId":null,
"dominoApplicationId":"test_application",
"accountStatus":"ORPHANED",
"statusAuthoritative":false,
"accountStatusRefreshedAt":"2024-04-24T12:57:30.055Z",
"syncSituation":"UNMATCHED",
"createdAt":ISODate("2024-01-08T10:36:56.287+0000"),
"lastSyncedAt":ISODate("2024-01-08T10:36:56.287+0000"),
"lastChangeRequestedAt":null,
"ignoredAt":null,
"ignored":false,
"accountId":"john-doe",
"accountClass":"inetOrgPerson",
"accountName":"uid=john.doe,ou=users,dc=acme,dc=com",
"shadowId":"d11c9c1d-65a2-460f-b7de-5f44da1126f4",
"account":{
"attribute1":"value1",
"attribute2": ["value2", "value3"]
},
"accountPatch":null,
"error":null,
"provisioningRateCurrentlyLimited":false,
"_createdAt" : ISODate("2024-01-08T10:36:56.287+0000"),
"_updatedAt" : ISODate("2024-01-08T10:36:56.287+0000")
}
ACCOUNT_DISCOVERY_TASK_REPORT
Targets the "domino_account_discovery_task_report" collection. Used to display the reports of account discovery task executions.
Document Example
JSON
{
"_id" : ObjectId("6605acc0324b2a3fc1714cf4"),
"type" : "domino_discovery_task_report",
"tenant" : "mybusiness",
"taskDefinition" : "O365-discovery",
"taskInstance" : "db79fa9f-014b-497c-81d1-6f935da49c7f",
"shadowKind" : "ACCOUNT",
"startDate" : ISODate("2024-03-28T17:45:35.886+0000"),
"durationMs" : NumberInt(504),
"status" : "SUCCESS",
"triggerType" : "MANUAL",
"visibility" : null,
"actor" : "system@@sync",
"simulate" : false,
"numberOfEntriesToProcess" : NumberInt(100),
"numberOfProcessedEntries" : NumberInt(100),
"numberOfIgnoredEntries" : NumberInt(15),
"numberOfLinkedAccounts" : NumberInt(26),
"numberOfUnlinkedAccounts" : NumberInt(12),
"numberOfOrphanedAccounts" : NumberInt(47),
"fatalError" : null,
"_createdAt" : ISODate("2024-03-28T17:45:36.395+0000"),
"_updatedAt" : ISODate("2024-03-28T17:45:36.395+0000")
}
ROLE_ASSIGNMENT
Targets the "role_assignment" collection. Used to display information about role assignments.
This collection is provisioned using a Synchronization Reporting Application Connector. In the Application that references this connector, one needs to use a built-in rule in the "postActions" in order to automatically sync the Role Assignment(s) to the collection.
XML
<!-- Example of Application configuration -->
<postActions>
<action class="identityRoleAssignmentsMongoSynchronization">
<config xsi:type="dmn:IdentityRoleAssignmentsMongoSynchronizationConfigurationType">
<collectionName>role_assignment</collectionName>
</config>
</action>
</postActions>
The collection name can be changed if needed; if it is not provided, the default role_assignment value applies. Note that if you change the collection name you must define a custom configuration and not use the ROLE_ASSIGNMENT built-in configuration.
Hard/Soft delete of identities
The post action should also be executed when there is a delete, in order to remove the Role Assignment(s) of the identity. In order to execute post actions on activation events, one needs to toggle the "executePostActions" flag in the options.
XML
<applicationObjectActivationDefinition>
<executePostActions>true</executePostActions>
<onApplicationUnassignedEvent>NO_OP</onApplicationUnassignedEvent>
<onIdmObjectDeleteEvent>NO_OP</onIdmObjectDeleteEvent>
<onIdmObjectDisableEvent>NO_OP</onIdmObjectDisableEvent>
</applicationObjectActivationDefinition>
Since all post actions will be executed sequentially, one must take care to verify that this is the wanted behaviour.
Document Example
JSON
{
"_id" : "fff79968-141b-44dd-bc2e-6811f24344e1",
"role" : {
"kind" : "ROLE",
"id" : "SC5493",
"type" : "administration",
"roleApplication" : {
"kind" : "RESOURCE",
"id" : "APP_AAA00001",
"type" : "application",
"rsrcApplicationCode" : "memority-test",
"rsrcUrl" : "https://my.demorul.memority.cloud/portal/mytest/",
"entityId" : "fe362ede-0c3c-4252-a5cf-e3291d35fe9a",
"rsrcEnvironment" : "test",
"enabled" : true,
"rsrcName" : "Memority",
"activationFrom" : "2022-01-01T00:00:00Z",
"category" : "APPLICATION",
"status" : "NORMAL"
},
"roleName" : "Self Service Internal",
"activationFrom" : "2023-12-17T23:00:00Z",
"entityId" : "91f6235e-ac7c-48f7-8aec-ba05bf4152ce",
"enabled" : true,
"status" : "NORMAL"
},
"roleVersion" : NumberLong(3),
"status" : "ASSIGNED",
"manualProvisioningStatus" : "NOT_APPLICABLE",
"certificationStatus" : "NOT_APPLICABLE",
"source" : "POLICY",
"parentAssignment" : null,
"roleBinding" : null,
"policy" : "a8d6aa30-7162-a61a-fd4a-ba544cdae110",
"policyMode" : "STRICT",
"policySynchronized" : true,
"policyVersion" : NumberLong(1),
"enabledFrom" : null,
"enabledUntil" : null,
"dimensions" : {
},
"comment" : null,
"metadata" : {
"requester" : null,
"copiedFrom" : null,
"approvers" : [
],
"recertifications" : [
]
},
"createdAt" : ISODate("2024-01-26T13:51:23.458+0000"),
"assignedAt" : ISODate("2024-01-26T13:51:23.458+0000"),
"deletedAt" : null,
"recertifiedAt" : null,
"frozenUntil" : null,
"identity" : {
"kind" : "IDENTITY",
"id" : "roderick.schulist",
"type" : "internal",
"commonName" : "Roderick SCHULIST",
"lastName" : "SCHULIST",
"entityId" : "897e4efa-c98f-4bfa-85c4-fa472b6fc598",
"login" : "roderick.schulist@mail.com",
"enabled" : true,
"authMethodOathStatus" : "DISABLED",
"authMethodWebauthnStatus" : "DISABLED",
"firstName" : "Roderick",
"authMethodOtpStatus" : "DISABLED",
"securityOrganization" : {
"kind" : "ORGANIZATION",
"id" : "AA0000",
"type" : "root",
"organizationName" : "Marketing",
"organizationCode" : "market",
"activationFrom" : "2022-01-01T00:00:00Z",
"entityId" : "05e952c2-7f88-4df0-a47c-ddf4a2602abf",
"enabled" : true,
"status" : "NORMAL"
},
"authMethodMyMfaStatus" : "DISABLED",
"authMethodPasswordStatus" : "ACTIVE",
"email" : "roderick.schulist@mail.com",
"status" : "NORMAL",
"authMethodInweboStatus" : "DISABLED"
},
"_resource" : {
"kind" : "RESOURCE",
"id" : "APP_AAA00001",
"type" : "application",
"rsrcApplicationCode" : "memority-test",
"rsrcUrl" : "https://my.demorul.memority.cloud/portal/mytest/",
"entityId" : "fe362ede-0c3c-4252-a5cf-e3291d35fe9a",
"rsrcEnvironment" : "test",
"enabled" : true,
"rsrcName" : "Memority",
"activationFrom" : "2022-01-01T00:00:00Z",
"category" : "APPLICATION",
"status" : "NORMAL"
}
}
SMS_NOTIFICATION
Targets the "sms_notification" collection. Used to store the SMS notification reports.
The report contains the following information:
| Info | Details |
|---|---|
| date | Date of the SMS Notification |
| notificationDefinitionId | The SMS Notification Definition Id |
| sender | The sender used for sending the SMS |
| recipients | SmsMessageRecipient[] |
| | uid |
| | name |
| | language |
| | email |
| | phone |
| transmitted | true if the SMS has been sent |
| status | One of 'SUCCESS', 'PARTIAL', 'ERROR' |
| cost | |
MY_MFA_ACCOUNT_ERROR
Targets the "my_mfa_account_error" collection.
This collection is provisioned when errors occurred during the MyMFA cleanup job:
Document Example
JSON
{
"_id" : "demo-mytest-3f26a4d4-1b37-4eb0-9e1e-ee00dd155a61",
"_createdAt" : ISODate("2023-05-31T01:00:00.975+0000"),
"_updatedAt" : ISODate("2023-05-31T01:00:00.975+0000"),
"errorType" : "ORPHAN_ACCOUNT",
"identities" : [
]
}
IDENTITY_RECERTIFICATION_CAMPAIGN
Stores information about the campaigns launched for policies targeting the IDENTITY object kind.
Document Example
JSON
{
"_id" : "c6060e61-8028-4ee5-81f9-3c3fb02457de",
"_createdAt" : ISODate("2023-02-17T09:48:50.584Z"),
"_updatedAt" : ISODate("2023-02-17T09:48:50.584Z"),
"createdAt" : ISODate("2023-02-17T09:48:50.536Z"),
"description" : "",
"mode" : "CAMPAIGN",
"name" : "object recert policy",
"recertificationPolicy" : "test_object-recertification-policy",
"requester" : "system@@bum"
}
ORGANIZATION_RECERTIFICATION_CAMPAIGN
Stores information about the campaigns launched for policies targeting the ORGANIZATION object kind.
Example of document: similar to the example for IDENTITY_RECERTIFICATION_CAMPAIGN
RESOURCE_RECERTIFICATION_CAMPAIGN
Stores information about the campaigns launched for policies targeting the RESOURCE object kind.
Example of document: similar to the example for IDENTITY_RECERTIFICATION_CAMPAIGN
ROLE_RECERTIFICATION_CAMPAIGN
Stores information about the campaigns launched for policies targeting the ROLE object kind.
Example of document: similar to the example for IDENTITY_RECERTIFICATION_CAMPAIGN
ROLE_PUBLICATION_RECERTIFICATION_CAMPAIGN
Stores information about the campaigns launched for policies targeting the ROLE_PUBLICATION object kind.
Example of document: similar to the example for IDENTITY_RECERTIFICATION_CAMPAIGN
Stores the recertification metadata for the IDENTITY object kind.
Document Example
JSON
{
"_id" : "6056634a-3e0f-4246-b2fa-553722df9e0d",
"policyId" : "test_object-recertification-policy",
"status" : "PENDING",
"recertifiedAt" : ISODate("2023-02-27T14:53:07.421Z"),
"recertifications" : [
{
"requester" : "system@@bum",
"mode" : "ON_THE_FLY",
"recertificationPolicyId" : "test_object-recertification-policy",
"campaignExecutionId" : null,
"outcome" : "CERTIFIED",
"comments" : [
{
"approver" : "john.doe",
"date" : ISODate("2023-02-24T13:56:55.584Z"),
"approved" : true,
"comment" : "Ok"
}
],
"startedAt" : ISODate("2023-02-23T17:17:25.933Z"),
"finishedAt" : ISODate("2023-02-24T13:56:55.684Z")
},
{
"requester" : "system@@bum",
"mode" : "ON_THE_FLY",
"recertificationPolicyId" : "test_object-recertification-policy",
"campaignExecutionId" : null,
"outcome" : "CERTIFIED",
"comments" : [
{
"approver" : "john.doe",
"date" : ISODate("2023-02-24T14:10:22.543Z"),
"approved" : true,
"comment" : "Ok it's good"
}
],
"startedAt" : ISODate("2023-02-24T14:10:00.096Z"),
"finishedAt" : ISODate("2023-02-24T14:10:22.581Z")
}
],
"object" : {
"kind" : "IDENTITY",
"id" : "egbert.faro.14",
"type" : "test_identityType_employee",
"commonName" : "toto",
"lastName" : "FARO",
"entityId" : "88f8beb5-311b-4851-b474-35ca75c9370b",
"login" : "efaro14",
"title" : "MR",
"enabled" : true,
"authMethodOathStatus" : "DISABLED",
"authMethodWebauthnStatus" : "DISABLED",
"firstName" : "Egbert",
"authMethodOtpStatus" : "DISABLED",
"authMethodPasswordStatus" : "ACTIVATING",
"email" : "egbert.faro@example.com",
"status" : "NORMAL",
"authMethodInweboStatus" : "DISABLED"
}
}
Stores the recertification metadata for the ORGANIZATION object kind.
Example of document: similar to the example for IDENTITY_RECERTIFICATION_METADATA
Stores the recertification metadata for the RESOURCE object kind.
Example of document: similar to the example for IDENTITY_RECERTIFICATION_METADATA
Stores the recertification metadata for the ROLE object kind.
Example of document: similar to the example for IDENTITY_RECERTIFICATION_METADATA
Stores the recertification metadata for the ROLE_PUBLICATION object kind.
Example of document: similar to the example for IDENTITY_RECERTIFICATION_METADATA
Example
XML
<?xml version="1.0" encoding="UTF-8"?>
<kit:DataSet xmlns:ctd="http://www.memority.com/citadel/1_0"
xmlns:ctdcore="http://www.memority.com/citadel/core/1_0"
xmlns:ctdidm="http://www.memority.com/citadel/idm/1_0"
xmlns:ctdrep="http://www.memority.com/citadel/rep/1_0"
xmlns:ctdtnt="http://www.memority.com/citadel/tnt/1_0"
xmlns:kit="http://www.memority.com/toolkit/1_0"
xmlns:rule="http://www.memority.com/toolkit/rule/1_0"
xmlns:search="http://www.memority.com/toolkit/search-expression/1_0"
xmlns:settings="http://www.memority.com/toolkit/addons/settings/1_0"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ctdrep:ReportingObjectConfiguration id="test_conf_1">
<name>Test conf 1</name>
<description>Configuration for authentication hours</description>
<collectionWriteConfiguration>
<writable>false</writable>
<appendOnly>false</appendOnly>
</collectionWriteConfiguration>
<purgeConfiguration>
<maxDocuments>1000000</maxDocuments>
<retention>P1Y</retention>
</purgeConfiguration>
<effectiveCollectionName>AUTHENTICATION_COUNT</effectiveCollectionName>
<built-inCollection>AUTHENTICATION_COUNT</built-inCollection>
<built-inCollectionAdditionalCriteria>
<criterion>
<name>identity.enabledFrom</name>
<valueType>DATETIME</valueType>
</criterion>
<criterion>
<name>identity.enabledUntil</name>
<valueType>DATETIME</valueType>
</criterion>
</built-inCollectionAdditionalCriteria>
</ctdrep:ReportingObjectConfiguration>
</kit:DataSet>
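The constraints in the property tables (mandatory fields, built-inCollection/customCollection exclusivity, one configuration per effectiveCollectionName, the valueType enumeration) can be checked before a DataSet is imported. The linter below is an added example, not Memority code: the namespace and element names come from the XML example above, while the child layout of customCollection, the WARN/INFO severities and the sample DataSet are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace and element names as they appear in the page's example DataSet.
CONF_TAG = "{http://www.memority.com/citadel/rep/1_0}ReportingObjectConfiguration"
# valueType enumeration from the Criteria table: 7 scalar types plus their *_ARRAY forms.
VALUE_TYPES = {"ANY", "STRING", "INTEGER", "FLOAT", "BOOLEAN", "DATETIME", "OBJECT"}
VALUE_TYPES |= {t + "_ARRAY" for t in VALUE_TYPES}


def _text(node):
    """Stripped element text, or None when the element is absent or empty."""
    if node is None:
        return None
    return (node.text or "").strip() or None


def lint_dataset(xml_text):
    """Return sorted (configuration id, finding) pairs for every rule violated."""
    confs = list(ET.fromstring(xml_text).iter(CONF_TAG))
    # effectiveCollectionName must not be shared by two configurations.
    seen = Counter(_text(c.find("effectiveCollectionName")) for c in confs)
    findings = []
    for conf in confs:
        cid = conf.get("id") or "<no id>"
        kids = {child.tag: child for child in conf}
        msgs = []
        if not conf.get("id"):
            msgs.append("ERROR id is mandatory")
        for tag in ("name", "collectionWriteConfiguration", "effectiveCollectionName"):
            if tag not in kids:
                msgs.append(f"ERROR {tag} is mandatory")
        builtin = "built-inCollection" in kids
        custom = "customCollection" in kids
        if builtin == custom:  # both present or both absent
            msgs.append("ERROR exactly one of built-inCollection / customCollection is required")
        if "built-inCollectionAdditionalCriteria" in kids and not builtin:
            msgs.append("ERROR built-inCollectionAdditionalCriteria needs built-inCollection")
        name = _text(kids.get("effectiveCollectionName"))
        if name and seen[name] > 1:
            msgs.append(f"ERROR effectiveCollectionName {name} is used by {seen[name]} configurations")
        for crit in conf.iter("criterion"):
            value_type = _text(crit.find("valueType"))
            if value_type not in VALUE_TYPES:
                msgs.append(f"ERROR criterion {_text(crit.find('name'))}: unknown valueType {value_type}")
        write = kids.get("collectionWriteConfiguration")
        if write is not None:
            writable = _text(write.find("writable")) == "true"
            append_only = _text(write.find("appendOnly")) == "true"
            # Reviewer policy (assumption): flag collections whose documents can be rewritten.
            if writable and not append_only:
                msgs.append("WARN writable without appendOnly=true: existing documents can be updated")
        if "purgeConfiguration" not in kids:
            msgs.append("INFO no purgeConfiguration: the platform default applies")
        findings += [(cid, m) for m in msgs]
    return sorted(findings)


# Constructed sample: the first configuration mirrors the page's example, the
# second one breaks several rules on purpose. The customCollection child
# layout is an assumption based on the Custom Collection property table.
SAMPLE = """<kit:DataSet xmlns:kit="http://www.memority.com/toolkit/1_0"
             xmlns:ctdrep="http://www.memority.com/citadel/rep/1_0">
  <ctdrep:ReportingObjectConfiguration id="auth_count">
    <name>Authentication counts</name>
    <collectionWriteConfiguration>
      <writable>false</writable><appendOnly>false</appendOnly>
    </collectionWriteConfiguration>
    <purgeConfiguration><retention>P1Y</retention></purgeConfiguration>
    <effectiveCollectionName>AUTHENTICATION_COUNT</effectiveCollectionName>
    <built-inCollection>AUTHENTICATION_COUNT</built-inCollection>
  </ctdrep:ReportingObjectConfiguration>
  <ctdrep:ReportingObjectConfiguration id="auth_count_copy">
    <name>Second configuration on the same collection</name>
    <collectionWriteConfiguration>
      <writable>true</writable><appendOnly>false</appendOnly>
    </collectionWriteConfiguration>
    <effectiveCollectionName>AUTHENTICATION_COUNT</effectiveCollectionName>
    <built-inCollection>AUTHENTICATION_COUNT</built-inCollection>
    <customCollection><collectionName>authentication_hour</collectionName></customCollection>
    <built-inCollectionAdditionalCriteria>
      <criterion><name>identity.enabledFrom</name><valueType>DATE</valueType></criterion>
    </built-inCollectionAdditionalCriteria>
  </ctdrep:ReportingObjectConfiguration>
</kit:DataSet>"""

if __name__ == "__main__":
    for config_id, finding in lint_dataset(SAMPLE):
        print(f"{config_id}: {finding}")
```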
Synchronizing recertifications with the Reporting connector
When syncing Applications using the Reporting connector, it is also possible to synchronize the recertification metadata using the built-in rule objectRecertificationMetadataMongoSynchronization in a post action.
Rule configuration
The rule will use a preset configuration for the collection name as follows:
| Object kind | Target collection name |
|---|---|
| IDENTITY | identity_recertification_metadata |
| ORGANIZATION | organization_recertification_metadata |
| RESOURCE | resource_recertification_metadata |
| ROLE | role_recertification_metadata |
| ROLE_PUBLICATION | role_publication_recertification_metadata |
If one needs to change the collection name, it can be overridden in the rule configuration:
XML
<postActions>
<action class="objectRecertificationMetadataMongoSynchronization">
<config xsi:type="dmn:ObjectRecertificationMetadataMongoSynchronizationConfigurationType">
<collectionName>my_custom_collection_name</collectionName>
</config>
</action>
</postActions>
Example
XML
<?xml version="1.0" encoding="UTF-8"?>
<kit:DataSet xmlns:ctd="http://www.memority.com/citadel/1_0" xmlns:ctdcore="http://www.memority.com/citadel/core/1_0" xmlns:ctdidm="http://www.memority.com/citadel/idm/1_0" xmlns:ctdrep="http://www.memority.com/citadel/rep/1_0" xmlns:ctdrule="http://www.memority.com/citadel/rule/1_0" xmlns:ctdtnt="http://www.memority.com/citadel/tnt/1_0" xmlns:dmn="http://www.memority.com/domino_sync/1_0" xmlns:kit="http://www.memority.com/toolkit/1_0" xmlns:notify="http://www.memority.com/toolkit/addons/notify/1_0" xmlns:rule="http://www.memority.com/toolkit/rule/1_0" xmlns:ruleaddon="http://www.memority.com/toolkit/addons/rule/1_0" xmlns:search="http://www.memority.com/toolkit/search-expression/1_0" xmlns:settings="http://www.memority.com/toolkit/addons/settings/1_0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" tenant="default" env="memority" stack="memority">
<dmn:Application id="report-application-demo">
<updatedAt>2023-02-23T10:32:24.094Z</updatedAt>
<name>report-application-demo</name>
<description></description>
<citadelApplicationId>12345</citadelApplicationId>
<connectorId>report-connector-demo</connectorId>
<schemaMappingDefinition>
<objectSchemaMappingDefinitions>
<objectSchemaMappingDefinition>
<associationDefinitions/>
<applicationObjectActivationDefinition>
<executePostActions>true</executePostActions>
<onApplicationUnassignedEvent>NO_OP</onApplicationUnassignedEvent>
<onIdmObjectDeleteEvent>NO_OP</onIdmObjectDeleteEvent>
<onIdmObjectDisableEvent>NO_OP</onIdmObjectDisableEvent>
</applicationObjectActivationDefinition>
<applicationObjectLookupDefinition>
<simpleLookupStrategyDefinition>
<attributeLookupDefinitions>
<attributeLookupDefinition>
<inputAttributeId>id</inputAttributeId>
<targetAttributeId>_id</targetAttributeId>
</attributeLookupDefinition>
</attributeLookupDefinitions>
</simpleLookupStrategyDefinition>
</applicationObjectLookupDefinition>
<enabled>true</enabled>
<objectClassId>
<value>identity</value>
</objectClassId>
<outboundAttributesMappingDefinitions>
<attributeMappingDefinitions>
<attributeMappingDefinition>
<targetAttributeId>_id</targetAttributeId>
<targetAttributeType>STRING</targetAttributeType>
<mandatory>true</mandatory>
<secret>false</secret>
<simpleAttributeMappingStrategyDefinition>
<inputAttributeId>id</inputAttributeId>
</simpleAttributeMappingStrategyDefinition>
<multiValued>false</multiValued>
</attributeMappingDefinition>
<attributeMappingDefinition>
<targetAttributeId>recertificationMetadata</targetAttributeId>
<targetAttributeType>STRING</targetAttributeType>
<mandatory>false</mandatory>
<secret>false</secret>
<customAttributeMappingStrategyDefinition>
<computeRule>
<script><![CDATA[
//@ruleFlavor: toolkit, citadel
return IDM_OBJECT.recertificationMetadata.collect { it.recertifiedAt } as List<String>
]]></script>
</computeRule>
<computeRuleAttributeDependencies>
<dependency>recertificationMetadata</dependency>
</computeRuleAttributeDependencies>
</customAttributeMappingStrategyDefinition>
<multiValued>true</multiValued>
</attributeMappingDefinition>
</attributeMappingDefinitions>
</outboundAttributesMappingDefinitions>
<postActions>
<action class="objectRecertificationMetadataMongoSynchronization"/>
</postActions>
<shadowKind>ACCOUNT</shadowKind>
</objectSchemaMappingDefinition>
</objectSchemaMappingDefinitions>
</schemaMappingDefinition>
</dmn:Application>
</kit:DataSet>
Custom Collection properties
Property | Type | Mandatory | Description |
---|
collectionName | String | YES | The name of the targeted collection |
criteria | List<CriteriaDefinition> | YES | A list of allowed search criteria for this collection. It also serves as a light schema that defines the value type of each field. For instance, a date field must be declared with the value type DATETIME for comparison and sorting on that field to be accurate. If a request contains criteria other than those declared, the request will be rejected. (Note that built-in collections declare all the criteria of their target collection; to restrict a criterion, one needs to create a custom collection and re-declare the allowed criteria.) A CriteriaDefinition is an object that indicates the allowed criteria name and the value type of the criteria. |
Criteria
Properties
Property | Type | Mandatory | Values (default in bold) | Description |
---|
name | String | YES | | The name of the criteria in the Reporting collection. This can be a nested path to a final criteria or a root criteria (Example: identity.securityOrg.name). |
valueType | Enum | YES | ANY, STRING, INTEGER, FLOAT, BOOLEAN, DATETIME, OBJECT, ANY_ARRAY, STRING_ARRAY, INTEGER_ARRAY, FLOAT_ARRAY, BOOLEAN_ARRAY, DATETIME_ARRAY, OBJECT_ARRAY | The value type of the criteria. See Criteria Type System. |
searchable | Boolean | NO | false | If true, an index will be created on the corresponding field in the collection and it will be possible to use this criteria in search expressions. _id field is always searchable and cannot be unindexed. |
Example
XML
<!-- All criteria under "identity" are interpreted as STRING except for "identity.enabledUntil" -->
<criteria>
  <criterion>
    <name>identity.enabledFrom</name>
    <valueType>DATETIME</valueType>
    <searchable>true</searchable>
  </criterion>
  <criterion>
    <name>identity.enabledUntil</name>
    <valueType>DATETIME</valueType>
    <searchable>false</searchable>
  </criterion>
</criteria>
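The allow-list behaviour of declared criteria can be checked before a configuration is deployed. The following Python sketch is an added example, not Memority code: it parses a `<criteria>` block like the one above and reports which criteria of a search request would be refused under the rules in the tables above (undeclared criteria are rejected, `searchable` defaults to false, `_id` is always searchable). The function names and the sample request are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <criteria> block from the example above.
CRITERIA_XML = """
<criteria>
  <criterion>
    <name>identity.enabledFrom</name>
    <valueType>DATETIME</valueType>
    <searchable>true</searchable>
  </criterion>
  <criterion>
    <name>identity.enabledUntil</name>
    <valueType>DATETIME</valueType>
    <searchable>false</searchable>
  </criterion>
</criteria>
"""

def load_criteria(xml_text):
    """Return {name: (valueType, searchable)}; searchable defaults to false."""
    declared = {}
    for c in ET.fromstring(xml_text.strip()).iter("criterion"):
        name = c.findtext("name", "").strip()
        vtype = c.findtext("valueType", "").strip()
        searchable = c.findtext("searchable", "false").strip().lower() == "true"
        declared[name] = (vtype, searchable)
    return declared

def check_search(declared, requested):
    """Return {criterion: reason} for each criterion a search may not use."""
    rejected = {}
    for name in requested:
        if name == "_id":
            continue  # _id is always searchable
        if name not in declared:
            rejected[name] = "not declared"
        elif not declared[name][1]:
            rejected[name] = "declared but not searchable"
    return rejected
```

An empty result means every criterion in the request is on the allow-list; anything else is a field the collection would not let a caller filter on.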
Custom Report Example
XML
<?xml version="1.0" encoding="UTF-8"?>
<kit:DataSet xmlns:ctd="http://www.memority.com/citadel/1_0" xmlns:ctdcore="http://www.memority.com/citadel/core/1_0" xmlns:ctdidm="http://www.memority.com/citadel/idm/1_0" xmlns:ctdrep="http://www.memority.com/citadel/rep/1_0" xmlns:ctdtnt="http://www.memority.com/citadel/tnt/1_0" xmlns:kit="http://www.memority.com/toolkit/1_0" xmlns:rule="http://www.memority.com/toolkit/rule/1_0" xmlns:search="http://www.memority.com/toolkit/search-expression/1_0" xmlns:settings="http://www.memority.com/toolkit/addons/settings/1_0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ctdrep:ReportingObjectConfiguration id="test_conf_2">
    <name>Test Conf 2</name>
    <description>Test get filters with custom collection</description>
    <collectionWriteConfiguration>
      <writable>false</writable>
      <appendOnly>false</appendOnly>
    </collectionWriteConfiguration>
    <purgeConfiguration>
      <maxDocuments>1000000</maxDocuments>
      <retention>P1Y</retention>
    </purgeConfiguration>
    <effectiveCollectionName>authentication_agg</effectiveCollectionName>
    <customCollection>
      <criteria>
        <criterion>
          <name>countries</name>
          <valueType>STRING</valueType>
        </criterion>
        <criterion>
          <name>continents</name>
          <valueType>STRING</valueType>
        </criterion>
      </criteria>
      <collectionName>authentication_agg</collectionName>
    </customCollection>
  </ctdrep:ReportingObjectConfiguration>
</kit:DataSet>
REST API
The Configuration is managed on the following endpoints:
URL | Method | Description |
---|
{tenant}/api/rep/conf/reporting-objects | GET, POST | Retrieve the list of defined ReportingObjectConfiguration for the tenant |
{tenant}/api/rep/conf/reporting-objects/{reportingObjectConfigurationId} | GET, PUT, DELETE | Manage the specific ReportingObjectConfiguration |
Access rights
The access rights mirror those already existing on other resources:
Rights |
---|
sys.rep-conf-read: Can read the configuration(s) |
sys.rep-conf-crud: Can read/write the configuration(s) |
sys.rep-conf-import: Can import new configuration(s) |
sys.rep-conf-export: Can export configuration(s) |
sys.rep-conf-admin: Can do anything with the configuration(s) |
Criteria Type System
Declared criteria affect both Document search and persistence:
One may search only on declared criteria that are not of type ANY or ANY_ARRAY
The type of declared criteria is enforced when persisting a document. If type conversion is not possible, an error will be returned
The ANY type
This type allows any value. Data will be inserted as is, without conversion.
This is the typing applied to undeclared criteria.
The OBJECT type
This type should be used for criteria that are objects and that are searched on with an exact match (e.g. _id = '{"id": "foo", "date": "1970-01-01T00:00:00Z"}').
When persisting a Document:
The map type will be enforced
ANY / ANY_ARRAY keys (declared or not) are not allowed
Keys will be reordered to match the criteria declaration order (because exact match is sensitive to key order)
As a consequence, all sub-criteria must be declared (_id.id and _id.date in the example above), and the declaration order should match the key order of existing data (if any), and should never be changed.
Implicit objects
When a criteria is of type ANY (respectively ANY_ARRAY) and at least one sub-criteria is declared, this criteria is an Implicit Object (respectively an array of Implicit Objects).
While searching on an Implicit Object Criteria directly is not allowed, one may search on its declared sub-criteria.
When persisting a Document:
The map type will be enforced
Undeclared keys are allowed
No key reordering will be performed.
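The persistence rules for OBJECT criteria and Implicit Objects, modelled in Python as an added example (not Memority code). The declarations, the `details` criterion and all function names are assumptions; the model handles one nesting level and leaves out scalar type conversion. It shows why key reordering matters: two documents that differ only in key order end up with the same exact-match form.

```python
import json

# Constructed declarations, in declaration order: (name, valueType).
DECLARED = [
    ("_id", "OBJECT"), ("_id.id", "STRING"), ("_id.date", "DATETIME"),
    ("details", "ANY"), ("details.country", "STRING"),  # "details" is an Implicit Object
]
TYPES = dict(DECLARED)

def sub_keys(parent):
    """Declared direct sub-criteria of `parent`, in declaration order."""
    prefix = parent + "."
    return [n[len(prefix):] for n, _ in DECLARED
            if n.startswith(prefix) and "." not in n[len(prefix):]]

def normalize(name, value):
    """Model of the persistence rules for one top-level criterion."""
    vtype = TYPES.get(name, "ANY")            # undeclared criteria are typed ANY
    keys = sub_keys(name)
    if vtype == "OBJECT" or (vtype == "ANY" and keys):
        if not isinstance(value, dict):
            raise TypeError(f"{name}: map type is enforced")
    if vtype == "OBJECT":
        # ANY / ANY_ARRAY keys, declared or not, are rejected.
        bad = sorted(k for k in value
                     if TYPES.get(f"{name}.{k}", "ANY") in ("ANY", "ANY_ARRAY"))
        if bad:
            raise ValueError(f"{name}: keys not allowed in an OBJECT: {bad}")
        # Reorder to declaration order so exact-match comparison is stable.
        return {k: value[k] for k in keys if k in value}
    return value  # Implicit Object or plain ANY: stored as is, no reordering

def exact_match_form(obj):
    """Serialized form in which key order is significant, as in an exact match."""
    return json.dumps(obj)
```

Changing the declaration order of `_id.id` and `_id.date` in this model changes the stored form, which is why the order should match existing data and never change afterwards.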
Array types
To each simple type (ANY, OBJECT, STRING, INTEGER,…) corresponds an array type (ANY_ARRAY, OBJECT_ARRAY, STRING_ARRAY, INTEGER_ARRAY,…)
The semantics of ANY_ARRAY and OBJECT_ARRAY match those of the corresponding simple types:
All sub-criteria of OBJECT_ARRAY criteria must be declared, keys will be reordered
An ANY_ARRAY criteria with at least one declared sub-criteria is an array of Implicit Objects