Version:

MarketplaceSupport

Views and WebServices

All of the data of the Identity Ledger is accessible from the Web interfaces, two interface families exist:

  • The Web portal in order to publish results and analyses to the security and clearance stakeholders
  • The Web services in order to facilitate the dissemination of information to the third-party technical services

The web services in particular allow us to "close the loop" of the PDCA approach initiated with Identity Analytics, it is effectively a question here, for example, of offering the list of deviations to be corrected to a third-party service.

An example of implementation and use of the web services is the following:

A weekly loading is accomplished with the help of Identity Analytics, all of the repositories are loaded, as well as the HR database. On the basis of all of this data, Identity Analytics identifies the people having left the company as well as the access accounts that have remained open. A WebService is published listing all of the accounts that are in this state. A third-party service contacts the Identity Analytics WebService at regular intervals (every week in our case), and starts the remediation workflows in the company's ticket management system (ex: Jira, Remedy,...)

Another example of implementation is the following:

A log analysis system has been set up, correlating various information about the accounts and detecting abnormal situations on accesses to the infrastructure and to the file systems. Summary reports are consolidated by the solution. The SIEM solution can then contacts the Identity Analytics WebServices in order to enrich the information present, notably by adding all the information relative to the user context (who is the account owner, what are the account's rights,...)
All of the data being available, it is even possible to develop one's own browsing or consultation interfaces, for example, in order to enrich one's own interfaces with information from Identity Analytics.

This note presents the use of the WebServices in Identity Analytics.


Basic principles

The WebServices follow the REST norm (cf wikipedia), the URL indicates both the operation and the basic element on which the operation is performed. The results are returned in the JSON format (cf wikipedia) and are therefore directly interpretable from standard Javascript, or any programming language with a JSON parser.

The WebServices allow access to views, whose parameters are set in the project, so it is a simple matter to create your own WebServices, you have only to set parameters for a view in the project. You can refer to the corresponding section of the documentation for more information about Views.

WebServices are accessible from the web portal and are activated by default when you deploy a portal. The URL to access the WebServices is protected so that you must identify yourself to the Web portal in order to access the Web Services. The base URL for the webservices resembles http(s)://server:port/projet/ws/ where:

  • server:port represents the host on which the portal is deployed
  • project represents the name of the deployed project

Presentation of the available WebServices

Retrieve the list of results of a view

The corresponding Web service is "result", the REST syntax is:
/ws/results/[view identifier]

For example to request the results of the view br_identity (element /views/identity/identity.view of your project) you would type the following url
http://localhost:8080/demonstration/ws/results/br_identity

The results are as follows:

{ "total":862,
"limit":1000,
"success" : true,
"start":0,
"data" : [ { "employeetypecode" : "Contractor",
"employeetypedisplayname" : "Contractor",
"employeetyperecorduid" : 9,
"employeetypeuid" : "CONTRACTOR_1349174669639_1897",
"fullname" : "Abdel BOUCHEZ",
"givenname" : "Abdel",
"internal" : false,
"mail" : "[email protected]",
"recorduid" : 955,
"repositorycode" : "Contractors",
"repositorydisplayname" : "Contractors",
"repositoryextractdate" : "Tue Sep 04 10:51:30 CEST 2012",
"repositorymedia" : "R:/git/demonstration/demonstration/importfiles/two/contractors.csv",
"repositoryrecorduid" : 10,
"repositorytype" : "I",
"repositoryuid" : "CONTRACTORS_1349174669670_1898",
"surname" : "BOUCHEZ",
"titlecode" : "Mr",
"titledisplayname" : "Mr",
"titlerecorduid" : 3,
"titleuid" : "MR_1349174640974_137",
"uid" : "BOUCHEZ_ABDEL_1349174669895_1905"
},
...

The attributes in the header of the response provide information on the execution of the webservice:

  • success: True if the request has results, otherwise false
  • total: Total number of results
  • limit: Maximum number of results returned
  • start: Index of the first result returned. this is useful when windowing displayed results
  • data: The elements of the response

It is possible to perform some windowing in order to retrieve a subset of results, with the help of the view parameters:

  • _start: starting index (0 by default)
  • _limit: number of results returned (1000 by default)
  • _timeslot: restrict the results to the chosen timeslot (_timeslot=<value>)

For example:
http://localhost:8080/demonstration/ws/results/br_identity?_start=10&_limit=2

The results are as follows:

{
  "limit": 2,
  "start": 10,
  "success": true,
  "total": 862,
  "data": [
    {
      "employeetypecode": "Contractor",
      "employeetypedisplayname": "Contractor",
      "employeetyperecorduid": 9,
      "employeetypeuid": "CONTRACTOR_1349174669639_1897",
      "fullname": "Danièle DULAC",
      "givenname": "Danièle",
      "internal": false,
      "mail": "[email protected]",
      "recorduid": 962,
      "repositorycode": "Contractors",
      "repositorydisplayname": "Contractors",
      "repositoryextractdate": "Tue Sep 04 10:51:30 CEST 2012",
      "repositorymedia": "R:/git/demonstration/demonstration/importfiles/two/contractors.csv",
      "repositoryrecorduid": 10,
      "repositorytype": "I",
      "repositoryuid": "CONTRACTORS_1349174669670_1898",
      "surname": "DULAC",
      "titlecode": "Ms",
      "titledisplayname": "Ms",
      "titlerecorduid": 4,
      "titleuid": "MS_1349174641389_141",
      "uid": "DULAC_DANIELE_1349174670409_1963"
    },
    {
      "employeetypecode": "Contractor",
      "employeetypedisplayname": "Contractor",
      "employeetyperecorduid": 9,
      "employeetypeuid": "CONTRACTOR_1349174669639_1897",
      "fullname": "Fatia PHILIBERT",
      "givenname": "Fatia",
      "internal": false,
      "mail": "[email protected]",
      "recorduid": 1799,
      "repositorycode": "Contractors",
      "repositorydisplayname": "Contractors",
      "repositoryextractdate": "Tue Sep 04 10:51:30 CEST 2012",
      "repositorymedia": "R:/git/demonstration/demonstration/importfiles/two/contractors.csv",
      "repositoryrecorduid": 10,
      "repositorytype": "I",
      "repositoryuid": "CONTRACTORS_1349174669670_1898",
      "surname": "PHILIBERT",
      "titlecode": "Ms",
      "titledisplayname": "Ms",
      "titlerecorduid": 4,
      "titleuid": "MS_1349174641389_141",
      "uid": "PHILIBERT_FATIA_1349174669911_1907"
    }
  ]
}

Choose which attributes must be displayed

The corresponding Web service is “views”, the REST syntax is:
http://localhost:8080/demonstration/ws/results/[view]?_columns=uid,givenname,surname

Retrieve the list of views available

The corresponding Web service is "views", the REST syntax is:
/ws/views

For example:
http://localhost:8080/demonstration/ws/views

The results are as follows:

{ "success" : true,
  "total" : 273,
  "views" : [ { "description" : "Rule details",
        "displayname" : "Rule details",
        "entity" : "SearchLog",
        "name" : "br_controlrule"
      },
      { "description" : "Permission rule evolution on the last 3 months",
        "displayname" : "Permission rule evolution on the last 3 months",
        "entity" : "Permission",
        "name" : "br_sharedfolderruleevol"
      },
      { "description" : "delta review people who changed organisation and who where in a given organisation in the prvious timeslot",
        "displayname" : "delta review people who changed organisation and who where in a given organisation in the prvious timeslot",
        "entity" : "Identity",
        "name" : "deltareview_hrteam_movementsoldorganisation_1"
      },
      { "description" : "Organisation search filtered by a root OU",
        "displayname" : "Organisation search filtered by a root OU",
        "entity" : "Organisation",
        "name" : "organisationsearchou"
      },
...

Retrieve the list of columns returned by a view

The Web service to return specific columns of a view is "columns", the REST syntax is:
/ws/columns/[view identifier]

For example:
http://localhost:8080/demonstration/ws/columns/br_identity

The results are as follows:

{  "success" : true,
   "columns" : [ { "label" : "Identifiant unique interne de l'identité",
        "name" : "recorduid",
        "type" : "Integer"
      },
      { "label" : "Identifiant intemporel de l'identité",
        "name" : "uid",
        "type" : "String"
      },
      { "label" : "Identifiant unique interne du référentiel d'identités",
        "name" : "repositoryrecorduid",
        "type" : "Integer"
      },
      { "label" : "Identifiant intemporel du référentiel d'identités",
        "name" : "repositoryuid",
        "type" : "String"
      },
      { "label" : "Code du référentiel d'identités",
        "name" : "repositorycode",
        "type" : "String"
      },
      { "label" : "Nom d'affichage du référentiel d'identités",
        "name" : "repositorydisplayname",
        "type" : "String"
      },
      { "label" : "Média du référentiel d'identités",
        "name" : "repositorymedia",
        "type" : "String"
      },
      { "label" : "Date d'extraction du référentiel d'identités",
        "name" : "repositoryextractdate",
        "type" : "Date"
      },
      { "label" : "Type de référentiel d'identités",
        "name" : "repositorytype",
        "type" : "String"
      },
      { "label" : "Matricule de l'identité",
        "name" : "hrcode",
        "type" : "String"
      },
      { "label" : "Alias de l'identité",
        "name" : "nickname",
        "type" : "String"
      },
      { "label" : "Prénom de l'identité",
        "name" : "givenname",
        "type" : "String"
      },
      { "label" : "Second prénom de l'identité",
        "name" : "middlename",
        "type" : "String"
      },
      { "label" : "Nom de famille de l'identité",
        "name" : "surname",
        "type" : "String"
      },
      ...
    ]
}

Retrieve the list of parameters accepted by a view

The Web service that allows you to list the available parameters of a view is "parameters". The REST syntax is:
/ws/parameters/[view identifier]

For example:
http://localhost:8080/demonstration/ws/parameters/br_identity

The results are as follows:

{
  "success": true,
  "parameters": [
    { "label": "Mail", "name": "mail", "type": "String" },
    { "label": "Record UID", "name": "recorduid", "type": "Integer" },
    { "label": "Given Name", "name": "givenname", "type": "String" },
    { "label": "Surname", "name": "surname", "type": "String" },
    { "label": "Internal", "name": "internal", "type": "Boolean" },
    { "label": "HR Code", "name": "hrcode", "type": "String" }
  ]
}

Specify the displayed data format

To choose in which format the data will be displayed (example here is xml):
http://localhost:8080/demonstration/ws/results/[view]?_format=xml

Retrieve the list of available timeslots

The Web service that allows you to list the available timeslots is "timeslots", the REST syntax is:
/ws/timeslots

For example:
http://localhost:8080/demonstration/ws/timeslots

The results are as follows:

{
  "total": 2,
  "limit": 2147483647,
  "start": 0,
  "success": true,
  "timeslots": [
    {
      "commitdate": "20121002131318",
      "displayname": "Import started Oct 2, 2012 1:08:05 PM",
      "importdate": "20121002130805",
      "status": "A",
      "uid": "20121002130805_2"
    },
    {
      "commitdate": "20121002125001",
      "displayname": "Import started Oct 2, 2012 12:43:23 PM",
      "importdate": "20121002124323",
      "status": "C",
      "uid": "20121002124323_1"
    }
  ]
}

Managing errors

When an error appears, the engine sends back a response with the attribute success = false in the header of the results, for example:

{
  "success": false,
  "message": "java.lang.NumberFormatException: For input string: \"99999999999\""
}

The type of error is also displayed allowing you to debug you webservice.

Security Settings for Service Access

Manage access authentication

The WebService service relies on the access security of the Tomcat container and thus on the access security as defined in the configuration file of the Web application under /WEB-INF/web.xml.
By default the section is as follows, note that the URL ws/* is protected the same way as the others:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Portal</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Portal Login</web-resource-name>
        <url-pattern>/</url-pattern>
        <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>UserDatabase</realm-name>
    <form-login-config>
        <form-login-page>/login/login.html</form-login-page>
        <form-error-page>/login/login.html</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <description>Utilisateur</description>
    <role-name>user</role-name>
</security-role>

In order to activate the web service call, you have to ensure that the authentication is performed prior to the URL access. Most of the time, as webservices systems have a hard time handling FORM authentication, you should deploy a Single Sign On system (SSO). If you don't have one, you can request the Identity Analytics "SSO Valve" for Tomcat to your RadiantLogic contact.

To activate Identity Analytics's Tomcat SSO Valve, you need to perform the following steps:

  • Copy the bw-tomcat-XXX-addons.XXX.jar file into the /lib directory of your Tomcat folder
  • Edit your /conf/server.xml file and add the following section between the <Host> tags :
<Valve className="com.brainwave.tomcat.valve.PassthroughAuthenticationValve"
  config="sso.xml"
  refreshRate="5"
  urlPattern="^/[a-z,A-Z,0-9,_,-]+/ws/.*$" />

By doing so, the SSO valve will be actived by default whatever the web application. You can restrict its activation to a subset of URLs by using the urlPattern parameter (standard regex).
The SSO valve points to a XML configuration file which is located in /conf/sso.xml. It can be edited on the fly (the valve configuration is updated every "5" seconds if needed in the upper example)

  • Create a /conf/sso.xml file

The /conf/sso.xml file will contain a series of SSO tokens and their users configurations. Here is an example:

<tokens>
    <token id="HsCnykb8RtMdGpKlu7W7SlJs" login="ABOURGET18" IPpattern="^.*$">
        <role>user</role>
    </token>
</tokens>

This means that every time the "HsCnykb8RtMdGpKlu7W7SlJs" token will be presented along with a HTTP request, an authentication will be performed on the fly with the following login "ABOURGET18" and the following roles (you can add more than one <role> tag). This will be valid only if the request is made from the IPpattern source IP address (standard regex). You are strongly encouraged to enforce security by properly configuring the IPpattern parameter.

In order to use your token you can either add an "ssokey" custom HTTP request header with the token value or add an _ssokey URL parameter with the token value. Authentication will be done on the fly. Note that custom HTTP header is the preferred method as URL parameters are most of the time stored in HTTP access logs, this can lead to security issues.

Here is an example of an URL:
http://localhost:9090/PortalReports/ws/results/br_identity?_ssokey=HsCnykb8RtMdGpKlu7W7SlJs

Here is also an Example of a HTTP header which is the prefered method:

GET /PortalReports/ws/views HTTP/1.1
Host: localhost:9090
ssokey: HsCnykb8RtMdGpKlu7W7SlJs
...

Manage access rights

The management of access rights to the different services is handled externally, by setting access strategies according to the URLs accessed. The REST notion allows fine-tuning of accesses, so it is possible to define the access rules view by view.
Practically speaking, it is common to make a first layer filter of access by source IP (communication with WebServices being most often machine to machine type), then to define dedicated roles if necessary to filter the accessible services according to user roles.

The Remote Address Filter for Tomcat allows access controls by source IP.

Setting access rights by role according to the URL is done with the Security Constraint sections, for example:

<security-constraint>
    <display-name>Web Services Access</display-name>
    <web-resource-collection>
        <web-resource-name>Web Services</web-resource-name>
        <url-pattern>/ws/results/getaccountstodisable</url-pattern>
        <url-pattern>/ws/results/getaccountstodelete</url-pattern>
        <url-pattern>/ws/results/getidentityinformation</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>iam_engine</role-name>
    </auth-constraint>
</security-constraint>

IN THIS PAGE