Data model - CustomerID

Last reviewed: 2017-10-13

Figure 1. Simplified Conceptual Model

Roles and Organizations

Roles and organizations are configurable. For example, the role requests through the self-service interface can be configured as follows:

  • You can define that roles can only be requested from within the home organization, that is, the organization where the user object resides.
  • You can create role lists. There are two types of role lists:
    • Black list.
      End-users cannot request roles in the black list. They can only request roles not in the black list.
    • White list.
      End-users can only request roles in the white list. They cannot request any other roles.
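The home-organization rule and the two list types above are the three inputs of a role-request decision. The following is an added example, not code from the original page or from Ubisecure CustomerID; the `RoleRequestPolicy` shape, its field names and the sample organization and role names are assumptions made for illustration and do not reproduce the product's own configuration keys.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumed configuration shape for this example; the product's own
# permissions.properties keys are not reproduced here.
@dataclass(frozen=True)
class RoleRequestPolicy:
    home_org_only: bool = True            # roles only from the user's home organization
    list_type: Optional[str] = None       # None, "black" or "white"
    roles: FrozenSet[str] = frozenset()   # role EntityNames on the list

    def __post_init__(self) -> None:
        # Reject a misspelled list type instead of silently applying no list.
        if self.list_type not in (None, "black", "white"):
            raise ValueError(f"unknown role list type: {self.list_type!r}")


def role_organization(role_entity_name: str) -> str:
    """'Societies/Lapland/OrganizationMainUser' -> 'Societies/Lapland'."""
    return "/".join(role_entity_name.split("/")[:-1])


def may_request_role(policy: RoleRequestPolicy, user_org: str,
                     role_entity_name: str) -> Tuple[bool, str]:
    """Decide whether a self-service request for a role is permitted.
    Assumption: "home organization" means the exact organization path that
    holds the user object, not any of its parent organizations."""
    if policy.home_org_only and role_organization(role_entity_name) != user_org:
        return False, "role is outside the user's home organization"
    if policy.list_type == "black" and role_entity_name in policy.roles:
        return False, "role is on the black list"
    if policy.list_type == "white" and role_entity_name not in policy.roles:
        return False, "role is not on the white list"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample: a white list that permits exactly one role.
    policy = RoleRequestPolicy(list_type="white",
                               roles=frozenset({"Societies/Lapland/OrganizationMainUser"}))
    for role in ("Societies/Lapland/OrganizationMainUser",
                 "Societies/Lapland/OrganizationAdmin",
                 "Societies/Uusimaa/OrganizationMainUser"):
        print(role, may_request_role(policy, "Societies/Lapland", role))
```

The two list types fail in opposite directions: a white list is default-deny, so a role created later is not requestable until it is added; a black list is default-allow, so a role created later is requestable until someone remembers to list it. Reviewing the black list whenever roles are added is the check that keeps the second case from drifting.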

Roles

In Ubisecure CustomerID, all roles are described as EntityNames. Supported characters are basic letters ("a-zA-Z"), Scandinavian characters ("äöåÄÖÅ"), numbers ("0-9"), space (" ") and some special characters (",._-"). All other characters are replaced with a space. The following is an example of an EntityName of a role:

Societies/Lapland/OrganizationMainUser

In this example:

  • The role is located in the Ubisecure CustomerID Users branch (eIDM Users) of the Ubisecure Directory or Active Directory
  • The organization is Societies
  • The suborganization is Lapland
  • The role is OrganizationMainUser

In Ubisecure Directory, the Distinguished Name (DN) for the example role above would be as follows:

cn=OrganizationMainUser,ou=Lapland,ou=Societies,ou=eIDM Users,<ROOT DN>

The user object has a membership for the role:

# Ubisecure Directory
ubiloginMemberOf= cn=OrganizationMainUser,ou=Lapland,ou=Societies,ou=eIDM Users,<ROOT DN>

# Microsoft Active Directory
memberOf= cn=OrganizationMainUser,ou=Lapland,ou=Societies,ou=eIDM Users,<ROOT DN>
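The EntityName character rule, the path-to-DN mapping and the membership attribute above fit together as one small pipeline. The following is an added example, not code from the original page or from Ubisecure CustomerID; it keeps the page's `<ROOT DN>` placeholder and its "eIDM Users" branch name, and the RFC 4514 escaping, the simplified DN comparison and the sample attribute values (including the constructed "Reader" role) are assumptions made for illustration.

```python
import re
from typing import List, Tuple

# Constructed values for this example: the page writes the root DN as the
# placeholder <ROOT DN>, and "eIDM Users" is the Users branch from its example.
ROOT_DN = "<ROOT DN>"
USERS_BRANCH = "eIDM Users"

# Characters an EntityName may contain per the page: a-zA-Z, äöåÄÖÅ, 0-9,
# space and ",._-". Everything else is replaced with a space. The "/" that
# separates organization, suborganization and role is not part of a name,
# so normalization is applied to each path segment, not the whole path.
_DISALLOWED = re.compile(r"[^a-zA-ZäöåÄÖÅ0-9 ,._-]")


def normalize_entity_name(segment: str) -> str:
    """Replace every character outside the allowed set with a space."""
    return _DISALLOWED.sub(" ", segment)


def _escape_rdn_value(value: str) -> str:
    """Escape RFC 4514 special characters. A comma is a legal EntityName
    character, so an unescaped name would otherwise split the DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_role_entity_name(entity_name: str) -> Tuple[List[str], str]:
    """Split 'Org/SubOrg/.../Role' into (organization path, role name)."""
    parts = [normalize_entity_name(p) for p in entity_name.split("/") if p]
    if len(parts) < 2:
        raise ValueError("an EntityName needs an organization and a role")
    return parts[:-1], parts[-1]


def role_entity_name_to_dn(entity_name: str) -> str:
    """Build the Ubisecure Directory DN shown on the page: the role is the cn,
    the organizations become ou RDNs from the most specific outwards."""
    orgs, role = parse_role_entity_name(entity_name)
    rdns = [f"cn={_escape_rdn_value(role)}"]
    rdns += [f"ou={_escape_rdn_value(o)}" for o in reversed(orgs)]
    rdns += [f"ou={USERS_BRANCH}", ROOT_DN]
    return ",".join(rdns)


def _canonical_dn(dn: str) -> str:
    """Normalize a DN for comparison: cn/ou values match case-insensitively and
    whitespace around separators is insignificant. Split only on unescaped
    commas. (Simplified; a full comparison needs the RFC 4517 matching rules.)"""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip().lower() for p in parts)


def is_member_of(membership_values: List[str], role_dn: str) -> bool:
    """Check a user's ubiloginMemberOf (Ubisecure Directory) or memberOf
    (Active Directory) values for the role DN."""
    wanted = _canonical_dn(role_dn)
    return any(_canonical_dn(v) == wanted for v in membership_values)


# Constructed sample attribute values: the first is the page's membership
# example, the second is an invented "Reader" role in the same organization.
USER_MEMBERSHIPS = [
    "cn=OrganizationMainUser,ou=Lapland,ou=Societies,ou=eIDM Users,<ROOT DN>",
    "cn=Reader,ou=Lapland,ou=Societies,ou=eIDM Users, <ROOT DN>",
]

if __name__ == "__main__":
    dn = role_entity_name_to_dn("Societies/Lapland/OrganizationMainUser")
    print(dn)
    print("member:", is_member_of(USER_MEMBERSHIPS, dn))
    print(role_entity_name_to_dn("Acme/Sales, North/Admin"))
```

Two details matter when writing code against this model. Because "," is an allowed EntityName character, a role or organization name must be escaped before it becomes an RDN value, or a name such as "Sales, North" produces a DN with one RDN too many. And because directory DNs compare case-insensitively and ignore whitespace after separators, a membership check that does a plain string compare will miss matches for attribute values written the way the Active Directory example above is.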

Organizations

Organizations have a technical name and a display name. The technical name is the actual path (relative name) of the organization in the main repository, and the display name is the name that is shown in user interfaces.

There are two types of organizations, physical and virtual. Physical organizations are used to mimic the hierarchical structure of an organization where each user belongs to only one organization. Virtual organizations mirror a project structure where users can belong to many projects. In virtual organizations, the users are not physically located in any of the projects but they are part of them through roles.

Organizations have an organization type, which can be used to classify organizations into groups. In configuration, it is possible to define roles that will be created into these organization types by default. The needed information is the name of the organization type and the roles.

Roles can be added to and removed from an organization in the Ubisecure CustomerID Administrative user interface, although roles that are not removable from organizations can also be created via configuration. Similarly it is possible to protect role names via configuration, so that roles with specific names cannot be created in the Administrative user interface.

The role and organization configurations described above are done in the permissions.properties file. For more information, see Internal access control (permissions) - CustomerID.