Overview

The User Management is the central repository for user information for the entire ODJ. It is responsible for managing user accounts and providing identifiers for use within the ODJ, Azure IDP applications, and SIAM-connected applications. Additionally, it provides general user information such as email addresses and lifecycle information. The identity itself is provided by an external Identity Provider; in our case that is Microsoft Entra ID (formerly "Azure Active Directory") for person identities. A connection to an internal identity source for service accounts, provided by MYAPI, is under discussion but not yet planned or realized.

Components

The User Management is divided into two parts. The first part is the Users Service, which provides all the user information and APIs to search, query, and manage users' lifecycles. The Users Service also consists of two cron jobs. One job is called the Profile Sync Job; it makes sure that the Users Service has all required information about a user, such as names, email address, and identifiers for SIAM-connected applications. If the information is not available, it tries to fetch it from SIAM asynchronously. It is executed on a regular interval, running every 5 minutes. The other job is called the Deletion Sync Job. In the event of a user leaving the company or getting their rights revoked, it is responsible for removing all access rights inside the ODJ and updating the user's lifecycle accordingly. It is executed once per night, allowing users a grace period until the end of the day in case their rights were revoked accidentally.

The second part is a synchronization component called the SCIM Service, which offers a SCIM-compliant interface to provision person identities from an external IDP such as Microsoft Entra ID to the ODJ.

Users

Each user consists of information about its lifecycle, identifiers, and basic user information. The field email contains an email address which can be used to message the user (it can be empty for service accounts). The value of display_name should be used to identify the user in the UI. For more information about the lifecycle and status, see the User Lifecycle page.

{
  "id": "0000XSNJG077NMECSAZVGATQWZ",
  "created_at": "2023-09-19T14:39:24.444956Z",
  "updated_at": "2023-10-26T07:26:29.358657Z",
  "lifecycle": "ACTIVE",
  "status": [
    {
      "name": "PROFILE_SYNC",
      "status": "OK"
    }
  ],
  "idp_reference_id": "a999bd75-637a-4f21-8981-099518c7ccc1",
  "idp_username": "mtro2010",
  "idp_workforce_id": "1000181821",
  "idp_cloud_username": "markus.trossbach@mail.schwarz",
  "idp_source": "AAD",
  "display_name": "Markus Troßbach",
  "first_name": "Markus",
  "last_name": "Troßbach",
  "email": "markus.trossbach@mail.schwarz",
  "user_type": "PERSON",
  "tags": ["scim"]
}

The user object provides the following identifiers:

  • id: ODJ user identifier - this should always be used to reference a user inside of the ODJ

The following identifiers can be used to provision third-party systems connected to various IDPs:

  • idp_reference_id: User identifier in the IDP source system. For persons this is Microsoft Entra ID
  • idp_username: LDAP user identifier provided by SIAM (can be empty)
  • idp_workforce_id: Unique identifier inside SIAM (can be empty)
  • idp_cloud_username: User identifier for cloud applications connected to SIAM (can be empty)
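As an added example (not the ODJ's own code), a small Python helper that picks the identifier a consumer should hand to each target system, applying the caveats above: only the ODJ id for references inside the ODJ, SIAM-provided fields may be empty, and a user whose lifecycle is not ACTIVE or whose PROFILE_SYNC status is not OK should not be provisioned. The target names, the lifecycle/PROFILE_SYNC gate, and the sample record are assumptions made for this example.

```python
import json

# Field carrying the identifier each kind of target system expects, as listed
# on this page; "odj" is the only key to use for references inside the ODJ.
IDENTIFIER_FIELDS = {
    "odj": "id",
    "entra": "idp_reference_id",
    "siam_ldap": "idp_username",
    "siam_workforce": "idp_workforce_id",
    "siam_cloud": "idp_cloud_username",
}


def profile_sync_ok(user):
    """True when the Profile Sync Job has reported status OK for this user."""
    return any(s.get("name") == "PROFILE_SYNC" and s.get("status") == "OK"
               for s in user.get("status", []))


def provisioning_identifier(user, target):
    """Identifier to hand to `target`, or None when the user must not be
    provisioned: lifecycle not ACTIVE (the Deletion Sync Job revokes access),
    profile not fully synced, or the SIAM-provided field is empty."""
    if target not in IDENTIFIER_FIELDS:
        raise ValueError(f"unknown target system: {target}")
    if user.get("lifecycle") != "ACTIVE" or not profile_sync_ok(user):
        return None
    value = user.get(IDENTIFIER_FIELDS[target]) or ""
    return value.strip() or None


# Constructed sample shaped like the user object shown above; the values are
# placeholders, not a real ODJ record. idp_username is empty on purpose.
SAMPLE_USER = json.loads("""{
  "id": "0000EXAMPLEULIDXXXXXXXXXXX",
  "lifecycle": "ACTIVE",
  "status": [{"name": "PROFILE_SYNC", "status": "OK"}],
  "idp_reference_id": "00000000-0000-4000-8000-000000000001",
  "idp_username": "",
  "idp_workforce_id": "1000000000",
  "idp_cloud_username": "example.user@example.invalid",
  "user_type": "PERSON"
}""")

if __name__ == "__main__":
    for target in IDENTIFIER_FIELDS:
        print(f"{target:15} -> {provisioning_identifier(SAMPLE_USER, target)}")
```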