Oracle IDCS schema of integration data
The integration data schema defines what data is imported within the Oracle IDCS integration. In this section:
- Account
- Mandatory and available on Creation \ Update
- Other account properties
- Resource Types
- Root
- App
- Permission Types
- Group
- Dynamic Group
- Grantable Application Role
- Non Grantable Application Role
- Grantable Admin Role
- Non Grantable Admin Role
Account
The user objects are imported from Oracle IDCS and displayed as Account objects in ObserveID. The attributes of a user are displayed as Additional Properties of the Account. There are two types of Additional Properties for Oracle IDCS Accounts: built-in Additional Properties, which exist in Oracle IDCS by default, and custom Additional Properties, which are created by the user in Oracle IDCS. The account schema below describes only the built-in properties.
Some Additional Properties are required when an account is created, usually because the target system requires them. Other Additional Properties are allowed and can be set for an account when it is created, if needed. This information is shown in the On Creation column. Some Additional Properties can also be updated with the Identities Update workflow; whether an Additional Property can be updated is shown in the On Update column.
Mandatory and available on Creation \ Update
| Account Property | Type | Description | Provisioning Rules | On Creation | On Update |
|---|---|---|---|---|---|
| Family Name | String | Required. Last Name. Target requirements: | Set | Required | Required |
| Given Name | String | First Name. Target requirements: | Set | Required | Allowed |
| Name | Strings | Required. A complex attribute that contains attributes representing the name. Target requirements: | Set | Required | Required |
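The two columns above describe a contract that a provisioning workflow should enforce before it sends anything to the target. The following is an added example, not ObserveID's own code: it encodes the Provisioning Rules for the built-in Account properties (both tables of this section) and checks a create or update payload against them. The interpretation of the columns is an assumption stated in the code: "Required" on creation means the value must be supplied, "Required" on update means an update may not clear it, "Allowed" means optional, and "n/a" means the property is read-only and must not be set by the workflow. Keys outside the built-in schema are reported as well, since custom Additional Properties would need their own rules.

```python
"""Check an account provisioning payload against the Provisioning Rules in
the Account tables above (example code, not part of ObserveID)."""
from dataclasses import dataclass
from typing import Any, Dict, List

REQUIRED, ALLOWED, NA = "Required", "Allowed", "n/a"


@dataclass(frozen=True)
class Rule:
    on_creation: str
    on_update: str


# Built-in Account properties and their rules, copied from the two tables.
# "n/a" properties come from the target as is; a workflow must not set them.
RULES: Dict[str, Rule] = {
    "Family Name": Rule(REQUIRED, REQUIRED),
    "Given Name": Rule(REQUIRED, ALLOWED),
    "Name": Rule(REQUIRED, REQUIRED),
    "Created At": Rule(NA, NA),
    "Formatted Name": Rule(NA, NA),
    "Is Federated User": Rule(NA, NA),
    "Nick Name": Rule(NA, NA),
    "Oracle Cloud Id": Rule(NA, NA),
    "Updated At": Rule(NA, NA),
}


def _has_value(value: Any) -> bool:
    """None, empty string, empty dict and empty list count as 'no value'."""
    return value not in (None, "", {}, [])


def validate(payload: Dict[str, Any], operation: str) -> List[str]:
    """Return the problems found; an empty list means the payload is acceptable.

    Assumed reading of the table: "Required" on creation means the value must
    be supplied; "Required" on update means an update may not clear it;
    "Allowed" means optional; "n/a" means read-only.
    """
    if operation not in ("create", "update"):
        raise ValueError(f"unknown operation: {operation}")
    problems: List[str] = []
    for prop, rule in RULES.items():
        mode = rule.on_creation if operation == "create" else rule.on_update
        supplied = prop in payload
        if mode == NA:
            if supplied:
                problems.append(f"{prop}: read-only, comes from the target as is")
        elif mode == REQUIRED:
            if operation == "create" and not _has_value(payload.get(prop)):
                problems.append(f"{prop}: required on create")
            elif operation == "update" and supplied and not _has_value(payload[prop]):
                problems.append(f"{prop}: required on update, cannot be cleared")
    # Allow-list: anything outside the built-in schema is reported too
    # (custom Additional Properties would need their own rules).
    for prop in payload:
        if prop not in RULES:
            problems.append(f"{prop}: not a built-in Account property")
    return problems


if __name__ == "__main__":
    # Constructed sample payload for a new account (values are made up).
    new_account = {
        "Family Name": "Doe",
        "Given Name": "Jane",
        "Name": {"Family Name": "Doe", "Given Name": "Jane"},
    }
    print(validate(new_account, "create"))  # []
    print(validate({"Is Federated User": False}, "update"))
```

The read-only check matters most on update: a workflow that passes through whatever it received could otherwise try to flip a property such as Is Federated User, which the table says is not provisionable through this integration.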
Other account properties
Other account properties represent information that comes from the target ‘as is’.
| Account Property | Type | Description | Provisioning Rules | On Creation | On Update |
|---|---|---|---|---|---|
| Created At | DateTime | Date and time when the resource was created. | n/a | n/a | n/a |
| Formatted Name | String | Full Name. | n/a | n/a | n/a |
| Is Federated User | Boolean | If false, all users created using SAML JIT Provisioning to be created as non-federated users (created with an Identity Cloud Service sign-in password). By default, users created using SAML JIT Provisioning are "federated" users. Federated users don't have credentials to sign in directly to Oracle Identity Cloud Service, but instead must be authenticated by the external identity provider. A user's federated status can be changed using the Admin console, as well as by updating the | n/a | n/a | n/a |
| Nick Name | String | Nick name. | n/a | n/a | n/a |
| Oracle Cloud Id | String | Unique OCI identifier for the SCIM Resource. | n/a | n/a | n/a |
| Updated At | DateTime | Date and time when the resource was updated. | n/a | n/a | n/a |
Resource Types
The resource objects are imported from Oracle IDCS and displayed as the resources in ObserveID. The attributes of each resource type that a specific resource belongs to are displayed as Additional Properties objects of the Resource.
| Resource Property | Type | Description |
|---|---|---|
| Root | | |
| Resource Name | String | Name of the resource. |
| App | | |
| All Url Schemes Allowed | Boolean | If true, indicates that the system should allow all URL-schemes within each value of the 'redirectUris' attribute. Also indicates that the system should not attempt to confirm that each value of the 'redirectUris' attribute is a valid URI. In particular, the system should not confirm that the domain component of the URI is a top-level domain and the system should not confirm that the hostname portion is a valid system that is reachable over the network. |
| Allow Access Control | Boolean | If true, any managed App that is based on this template is checked for access control; that is, access to this app is subject to successful authorization at SSO service, viz. app grants to start with. |
| Allow Offline | Boolean | If true, indicates that the Refresh Token is allowed when this App acts as an OAuth Resource. |
| Bypass Consent | Boolean | If true, indicates that consent should be skipped for all scopes. |
| Client IP Checking | String | Network Perimeters checking mode. Allowed Values: |
| Client Type | String | Specifies the type of access that this App has when it acts as an OAuthClient. Allowed Values: |
| Created At | DateTime | Date and time when the resource was created. |
| Created By | String | The User or App who created the Resource. |
| Description | String | Description of the application. |
| Granted App Roles | Strings | A list of AppRoles that are granted to this App (and that are defined by other Apps). Within the Oracle Public Cloud infrastructure, this allows AppID-based association. Such an association allows this App to act as a consumer and thus to access resources of another App that acts as a producer. |
| Infrastructure | Boolean | If true, this App is an internal infrastructure App. |
| Is Active | Boolean | If true, this App is able to participate in runtime services, such as automatic-login, OAuth, and SAML. If false, all runtime services are disabled for this App, and only administrative operations can be performed. |
| Is Alias App | Boolean | If true, this App is an AliasApp and it cannot be granted to an end-user directly. |
| Is Enterprise App | Boolean | If true, this app acts as Enterprise app with Authentication and URL Authz policy. |
| Is Kerberos Realm | Boolean | If true, indicates that this App supports Kerberos Authentication. |
| Is Login to Target | String | If true, this App allows runtime services to log end users into this App automatically. |
| Is Managed App | Boolean | If true, indicates that access to this App requires an account. That is, in order to log in to the App, a User must use an application-specific identity that is maintained in the remote identity-repository of that App. |
| Is Mobile Target | Boolean | If true, indicates that the App should be visible in each end-user's mobile application. |
| Is OAuth Client | Boolean | If true, this application acts as an OAuth Client. |
| Is OAuth Resource | Boolean | If true, indicates that this application acts as an OAuth Resource. |
| Is OPC Service | Boolean | If true, this application is an Oracle Public Cloud service-instance. |
| Is SAML Service Provider | Boolean | If true, then this App acts as a SAML Service Provider. |
| Is Unmanaged App | Boolean | If true, indicates that this application accepts an Oracle Cloud Identity Service User as a login-identity (does not require an account) and relies for authorization on the User's memberships in AppRoles. |
| Is Web Tier Policy | Boolean | If true, the webtier policy is active. |
| Login Mechanism | String | The protocol that runtime services will use to log end users in to this App automatically. If 'OIDC', then runtime services use the OpenID Connect protocol. If 'SAML', then runtime services use Security Assertion Markup Language protocol. Allowed Values: |
| Migrated | Boolean | If true, this App was migrated from an earlier version of Oracle Public Cloud infrastructure (and may therefore require special handling from runtime services such as OAuth or SAML). If false, this App requires no special handling from. |
| Modified By | String | The User or App who modified the Resource. |
| Oracle Cloud Id | String | Unique OCI identifier for the SCIM Resource. |
| Resource Name | String | Name of the application. Also serves as username if the application authenticates to Oracle Public Cloud infrastructure. This name may not be user-friendly and cannot be changed once an App is created. |
| Template Name | String | Name of the application template. |
| Trust Scope | String | Indicates the scope of trust for this App when acting as an OAuthClient. A value of 'Explicit' indicates that the App is allowed to access only the scopes of OAuthResources that are explicitly specified as 'allowedScopes'. A value of 'Account' indicates that the App is allowed implicitly to access any scope of any OAuthResource within the same Oracle Cloud Account. A value of 'Tags' indicates that the App is allowed to access any scope of any OAuthResource with a matching tag within the same Oracle Cloud Account. A value of 'Default' indicates that the Tenant default trust scope configured in the Tenant Settings is used. Allowed Values: |
| Updated At | DateTime | Date and time when the resource was updated. |
| Version | String | Version of the application template. |
Permission Types
The permission objects are imported from Oracle IDCS and displayed as the permissions in ObserveID. The attributes of each permission type that a specific permission belongs to are displayed as Additional Properties objects of the Permission.
| Permission Type | Type | Description |
|---|---|---|
| Group | | |
| Created At | DateTime | Date and time when the group was created. |
| Created By | String | Required. The User or App who created the group. |
| Description | String | Text that explains the purpose of this group. |
| Last Modified By | String | The User or App who modified the group. |
| Oracle Cloud Id | String | Unique OCI identifier for the SCIM Resource. |
| Updated At | DateTime | Date and time when the group was updated. |
| Dynamic Group | | |
| Created At | DateTime | Date and time when the group was created. |
| Created By | String | The User or App who created the group. |
| Description | String | Text that explains the purpose of this Dynamic Resource Group. |
| Last Modified | String | The User or App who modified the group. |
| Oracle Cloud Id | String | Unique OCI identifier for the SCIM Resource. |
| Updated At | DateTime | Date and time when the group was updated. |
| Grantable Application Role | | |
| Admin Role | Boolean | If true, the role provides administrative access privileges. |
| Available To Clients | Boolean | If true, the role can be granted to Apps. |
| Available To Groups | Boolean | If true, the role can be granted to Groups. |
| Available To Users | Boolean | If true, the role can be granted to Users. |
| Created At | DateTime | Date and time when the role was created. |
| Created By | String | The User or App who created the role. |
| Last Modified By | String | The User or App who modified the role. |
| Limited To One Or More Groups | Boolean | If true, indicates that the role can be granted to a delegated administrator whose scope is limited to users that are members of one or more groups. |
| Oracle Cloud Id | String | Unique OCI identifier for the SCIM Resource. |
| Public | Boolean | If true, the role is available automatically to every Oracle Identity Cloud Service User in this tenancy. There is no need to grant it to individual Users or Groups. |
| Unique Name | String | Role unique name. |
| Updated At | DateTime | Date and time when the role was updated. |
| Non Grantable Application Role | | |
| Admin Role | Boolean | If true, the role provides administrative access privileges. |
| Available To Clients | Boolean | If true, the role can be granted to Apps. |
| Available To Groups | Boolean | If true, the role can be granted to Groups. |
| Available To Users | Boolean | If true, the role can be granted to Users. |
| Created At | DateTime | Date and time when the role was created. |
| Created By | String | The User or App who created the role. |
| Last Modified By | String | The User or App who modified the role. |
| Limited To One Or More Groups | Boolean | If true, indicates that the role can be granted to a delegated administrator whose scope is limited to users that are members of one or more groups. |
| Oracle Cloud Id | String | Unique OCI identifier for the SCIM Resource. |
| Public | Boolean | If true, the role is available automatically to every Oracle Identity Cloud Service User in this tenancy. There is no need to grant it to individual Users or Groups. |
| Unique Name | String | Role unique name. |
| Updated At | DateTime | Date and time when the role was updated. |
| Grantable Admin Role | | |
| Admin Role | Boolean | If true, the role provides administrative access privileges. |
| Available To Clients | Boolean | If true, the role can be granted to Apps. |
| Available To Groups | Boolean | If true, the role can be granted to Groups. |
| Available To Users | Boolean | If true, the role can be granted to Users. |
| Created At | DateTime | Date and time when the role was created. |
| Created By | String | The User or App who created the role. |
| Last Modified By | String | The User or App who modified the role. |
| Limited To One Or More Groups | Boolean | If true, indicates that the role can be granted to a delegated administrator whose scope is limited to users that are members of one or more groups. |
| Oracle Cloud Id | String | Unique OCI identifier for the SCIM Resource. |
| Public | Boolean | If true, the role is available automatically to every Oracle Identity Cloud Service User in this tenancy. There is no need to grant it to individual Users or Groups. |
| Unique Name | String | Role unique name. |
| Updated At | DateTime | Date and time when the role was updated. |
| Non Grantable Admin Role | | |
| Admin Role | Boolean | If true, the role provides administrative access privileges. |
| Available To Clients | Boolean | If true, the role can be granted to Apps. |
| Available To Groups | Boolean | If true, the role can be granted to Groups. |
| Available To Users | Boolean | If true, the role can be granted to Users. |
| Created At | DateTime | Date and time when the role was created. |
| Created By | String | The User or App who created the role. |
| Last Modified By | String | The User or App who modified the role. |
| Limited To One Or More Groups | Boolean | If true, indicates that the role can be granted to a delegated administrator whose scope is limited to users that are members of one or more groups. |
| Oracle Cloud Id | String | Unique OCI identifier for the SCIM Resource. |
| Public | Boolean | If true, the role is available automatically to every Oracle Identity Cloud Service User in this tenancy. There is no need to grant it to individual Users or Groups. |
| Unique Name | String | Role unique name. |
| Updated At | DateTime | Date and time when the role was updated. |
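Once App resources (Resource Types section) and roles (Permission Types section) have been imported, the Additional Properties above are what an access review works from. The following is an added example, not ObserveID's own code, showing a small review over both: it flags Apps whose settings the App table describes as relaxing a control (redirect URIs not validated, consent skipped, implicit OAuth trust scope, refresh tokens allowed) and roles that carry administrative privileges while being Public or grantable to Apps. The sample App and role records are constructed for this example and keyed by the property names in the tables; the findings and their severity ordering are the example's own choice. The check skips inactive Apps because the table states that all runtime services are disabled for them.

```python
"""Review imported Oracle IDCS App resources and roles for risky settings,
using only the property names and meanings from the tables above
(example code, not part of ObserveID)."""
from typing import Any, Dict, List

# Constructed sample data; names and values are made up for this example.
SAMPLE_APPS: List[Dict[str, Any]] = [
    {"Resource Name": "payroll-web", "Is Active": True, "Is OAuth Client": True,
     "Is OAuth Resource": False, "All Url Schemes Allowed": True,
     "Bypass Consent": True, "Trust Scope": "Account", "Allow Offline": False},
    {"Resource Name": "reporting-api", "Is Active": True, "Is OAuth Client": False,
     "Is OAuth Resource": True, "All Url Schemes Allowed": False,
     "Bypass Consent": False, "Trust Scope": "Explicit", "Allow Offline": True},
    {"Resource Name": "legacy-portal", "Is Active": False, "Is OAuth Client": True,
     "Is OAuth Resource": True, "All Url Schemes Allowed": True,
     "Bypass Consent": True, "Trust Scope": "Tags", "Allow Offline": True},
]
SAMPLE_ROLES: List[Dict[str, Any]] = [
    {"Unique Name": "TenantAdmin", "Admin Role": True, "Public": True,
     "Available To Clients": False},
    {"Unique Name": "ReportViewer", "Admin Role": False, "Public": True,
     "Available To Clients": True},
    {"Unique Name": "UserAdmin", "Admin Role": True, "Public": False,
     "Available To Clients": True},
]


def review_app(app: Dict[str, Any]) -> List[str]:
    """Findings for one App; each maps to a property description in the App table."""
    name = app.get("Resource Name", "<unnamed>")
    if not app.get("Is Active", False):
        # All runtime services (auto-login, OAuth, SAML) are disabled for an
        # inactive App, so its other flags have no runtime effect.
        return []
    findings: List[str] = []
    if app.get("All Url Schemes Allowed"):
        findings.append(f"{name}: redirect URIs are not validated (All Url Schemes Allowed)")
    if app.get("Bypass Consent"):
        findings.append(f"{name}: consent is skipped for all scopes (Bypass Consent)")
    if app.get("Is OAuth Client"):
        scope = app.get("Trust Scope")
        if scope in ("Account", "Tags"):
            findings.append(f"{name}: implicit access to OAuthResource scopes (Trust Scope={scope})")
        elif scope == "Default":
            # Effective scope depends on Tenant Settings, which are not in the import.
            findings.append(f"{name}: trust scope inherited from Tenant Settings (Trust Scope=Default)")
    if app.get("Is OAuth Resource") and app.get("Allow Offline"):
        findings.append(f"{name}: refresh tokens allowed (Allow Offline)")
    return findings


def review_role(role: Dict[str, Any]) -> List[str]:
    """Findings for one role; applies to any of the four role permission types."""
    name = role.get("Unique Name", "<unnamed>")
    findings: List[str] = []
    if role.get("Admin Role"):
        if role.get("Public"):
            findings.append(f"{name}: admin role is Public, every user in the tenancy holds it")
        if role.get("Available To Clients"):
            findings.append(f"{name}: admin role can be granted to Apps (Available To Clients)")
    return findings


def review(apps: List[Dict[str, Any]], roles: List[Dict[str, Any]]) -> List[str]:
    """All findings for a set of imported Apps and roles, Apps first."""
    return [f for a in apps for f in review_app(a)] + [f for r in roles for f in review_role(r)]


if __name__ == "__main__":
    for finding in review(SAMPLE_APPS, SAMPLE_ROLES):
        print(finding)
```

The role checks deliberately ignore the Grantable / Non Grantable distinction: a Public admin role is held by every user regardless of whether ObserveID can grant it, so it is worth surfacing in either case.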
