The ProvisioningService provides operations that enable provisioning of users. These operations take incoming requests, perform the necessary updates to the OpenIAM repository, and then call the appropriate connectors.
ProvisioningService Operations

Endpoint Address:
AccountLockEnum:

| Value | Description |
|---|---|
| unlock | Unlocks an account regardless of the LOCK flag shown below. |
| locked | Account is locked. |
| locked_admin | Indicates that the account was locked by the administrator and is not unlocked by the batch process. |
Service Operations
Operation Name: addUser(ProvisionUser provUser)
Parameters:
- ProvisionUser provUser
Return:
- ProvisionUserResponse - the returned object will contain the system generated userId.
addUser allows you to create a new user. Based on either the user's role or the list of principals provided, the addUser operation will invoke the add operation on the relevant connectors so that the user can be provisioned into those systems.
Key Fields:
- The userId is system generated and should not be assigned.
- MetadataTypeId: If this is assigned, a matching value must already exist in METADATA_TYPE; there is a foreign key constraint here.
Sample Request:
Operation Name: lockUser(String userId, AccountLockEnum operation)
Parameters:
- String userId: Id of the user that you want to lock
- AccountLockEnum operation: supported operations are LOCK, LOCK_ADMIN and UNLOCK. These codes are described above.
Return:
- Response- the returned object indicating success or failure
lockUser allows you to lock or unlock a user and propagate the change in status to the connected systems.
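The lock semantics described above, modelled as an added example (this is illustration code, not OpenIAM's own implementation; the connector call shape and the batch process model are assumptions). The point it makes concrete is that an administrator lock survives the batch process while an ordinary lock does not, and that UNLOCK clears either.

```python
from enum import Enum
from typing import Dict, List, Optional, Tuple

class AccountLockEnum(Enum):
    UNLOCK = "unlock"              # clears the lock whatever flag is set
    LOCKED = "locked"              # ordinary lock; the batch process may release it
    LOCKED_ADMIN = "locked_admin"  # set by an administrator; the batch process leaves it alone

LockState = Optional[AccountLockEnum]   # None means the account is not locked

def apply_lock_operation(current: LockState, op: AccountLockEnum) -> LockState:
    """New lock state for a user after lockUser(userId, op)."""
    if op is AccountLockEnum.UNLOCK:
        return None                 # unlock regardless of the existing flag
    return op                       # LOCKED or LOCKED_ADMIN replaces whatever was there

def connector_updates(user_id: str, new_state: LockState,
                      managed_sys_ids: List[str]) -> List[Tuple[str, str, str]]:
    """Per-connector calls needed to propagate the status change (hypothetical shape)."""
    action = "unlock" if new_state is None else "lock"
    return [(sys_id, user_id, action) for sys_id in managed_sys_ids]

def batch_unlock(accounts: Dict[str, LockState]) -> Dict[str, LockState]:
    """Models the periodic batch process: it releases only plain 'locked' accounts."""
    return {uid: (None if state is AccountLockEnum.LOCKED else state)
            for uid, state in accounts.items()}
```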
Sample Request:
Operation Name: modifyUser(ProvisionUser provUser)
Parameters:
- ProvisionUser provUser
Return:
- ProvisionUserResponse - the returned object will contain the system generated userId.
modifyUser allows you to update an existing user across managed systems. For example, if a person changes their name, that change may be submitted through the modifyUser operation. The modifyUser operation will then update the OpenIAM repository and the managed systems through the appropriate connectors.
The sample request below shows how we can update a user. Note that dependent objects, such as UserAttributes, have a field called "operation". Operation is the operation that is to be performed on this attribute: ADD, REPLACE or DELETE. Only when you are deleting an attribute is it necessary to specify an operation. For add and replace, the system will determine the operation based on the contents of the OpenIAM repository.
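The attribute "operation" rule just described, worked as an added example (illustration code, not OpenIAM's own; the UserAttribute shape and the repository view are assumptions): DELETE must be stated by the caller, while ADD versus REPLACE is derived from whether the attribute already exists in the repository.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class UserAttribute:
    name: str
    value: Optional[str]
    operation: Optional[str] = None   # "ADD", "REPLACE" or "DELETE"; may be left unset

def resolve_attribute_operations(existing: Dict[str, str],
                                 requested: List[UserAttribute]) -> List[UserAttribute]:
    """Fills in the operation for each attribute of a modifyUser request.

    `existing` is the user's current attributes in the repository (constructed stand-in).
    DELETE is honoured only if the caller asked for it and the attribute exists;
    anything else is resolved to REPLACE (attribute present) or ADD (attribute absent).
    """
    resolved = []
    for attr in requested:
        op = attr.operation
        if op == "DELETE":
            if attr.name not in existing:
                raise ValueError(f"cannot DELETE unknown attribute {attr.name!r}")
        elif op in (None, "ADD", "REPLACE"):
            op = "REPLACE" if attr.name in existing else "ADD"
        else:
            raise ValueError(f"unsupported operation {op!r} for {attr.name!r}")
        resolved.append(UserAttribute(attr.name, attr.value, op))
    return resolved

def apply_operations(existing: Dict[str, str], resolved: List[UserAttribute]) -> Dict[str, str]:
    """Applies the resolved operations to a copy of the repository view (hypothetical helper)."""
    state = dict(existing)
    for attr in resolved:
        if attr.operation == "DELETE":
            state.pop(attr.name, None)
        else:
            state[attr.name] = attr.value
    return state
```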
Sample Request:
Examples:
Changing a User's Identity:
The example below shows a sample request to change a user's identity. The primary focus here is the items in the principal list.
Using this request, you can change an existing identity of a user. If you are changing the identity, you can also set the password at the same time. However, you cannot use this request to change a password if the identity is not changing.
Add User To A Role
Remove User From a Role
Operation Name: resetPassword(PasswordSync passwordSync)
Parameters:
- PasswordSync passwordSync
Return:
- PasswordResponse - the returned object will contain success or failure. If successful, it will also return the newly created password.
resetPassword allows you to reset the password associated with an identity. The operation allows you to specify a new password, or you can leave it blank. If it is blank, the system will auto-generate a new password based on the password policy that is in effect.
Key Fields: PasswordSync

| Field Name | Description |
|---|---|
| securityDomain | Required |
| principal | Required |
| validateRequest | Required. Set to True |
| password | Optional - Auto-generated if omitted |
| srcSystemId | Optional - Id of the application that is making the request. Will be used in the audit log |
| requestorId | Optional - Id of the person making the request. |
Sample Request:
Operation Name: setPassword(PasswordSync passwordSync)
Parameters:
- PasswordSync passwordSync
Return:
- Response - the returned object returns success or failure

| Valid Failure Codes |
|---|
| PRINCIPAL_NOT_FOUND |
| USER_NOT_FOUND |
| USER_STATUS |
| FAIL_PASSWORD_POLICY |

setPassword allows you to change a user's password. The new password must conform to the password policy that is in place.
Key Fields: PasswordSync

| Field Name | Description |
|---|---|
| securityDomain | Required |
| principal | Required |
| password | Optional - Auto-generated if omitted |
| srcSystemId | Optional - Id of the application that is making the request. Will be used in the audit log |
| requestorId | Optional - Id of the person making the request. |
Sample Request:
Operation Name: getTargetSystemUser(String principalName, String managedSysId)
Parameters:
- String principalName
- String managedSysId
Return:
- LookupUserResponse - the returned object returns success or failure. If successful, it will also contain a list of attributes for the identity from the target system specified by the managedSysId
getTargetSystemUser allows you to lookup an identity at the target system and retrieve the attributes associated with the identity at the target system.
Sample Request:
Operation Name: getTargetSystemUserWithUserId(String userId, String managedSysId)
Parameters:
- String userId
- String managedSysId
Return:
- LookupUserResponse - the returned object returns success or failure. If successful, it will also contain a list of attributes for the identity from the target system specified by the managedSysId
getTargetSystemUserWithUserId allows you to lookup an identity at the target system and retrieve the attributes associated with the User at the target system.