Access control model

The following model describes the schema objects related to the user RBAC access control system in OpenIAM.

Note: You should not develop processes that write directly to the schema. The schema will evolve with each release and you should use the OpenIAM API to shield your processes from these schema changes.

Table: `GRP`

Column Name	Data Type	Description
`GRP_ID`	`VARCHAR(32)`	Unique identifier for the group.
`GRP_NAME`	`VARCHAR(255)`	Name of the group.
`CREATE_DATE`	`DATETIME`	Timestamp when the group was created.
`CREATED_BY`	`VARCHAR(32)`	User ID of the person who created the group.
`GROUP_DESC`	`VARCHAR(512)`	Description of the group.
`STATUS`	`VARCHAR(20)`	Current status of the group (e.g., Active, Inactive).
`LAST_UPDATE`	`DATETIME`	Timestamp of the last update.
`LAST_UPDATED_BY`	`VARCHAR(32)`	User ID of the last person who updated the group.
`MANAGED_SYS_ID`	`VARCHAR(32)`	Foreign key referencing `MANAGED_SYS.MANAGED_SYS_ID`, indicating the managed system.
`TYPE_ID`	`VARCHAR(32)`	Foreign key referencing `METADATA_TYPE.TYPE_ID`, defining the group type.
`GRP_CLASSIFICATION`	`VARCHAR(32)`	Foreign key referencing `METADATA_TYPE.TYPE_ID`, classifying the group.
`AD_GRP_TYPE`	`VARCHAR(32)`	Foreign key referencing `METADATA_TYPE.TYPE_ID`, defining the Active Directory group type.
`AD_GRP_SCOPE`	`VARCHAR(32)`	Foreign key referencing `METADATA_TYPE.TYPE_ID`, defining the Active Directory group scope.
`GRP_RISK`	`VARCHAR(32)`	Foreign key referencing `METADATA_TYPE.TYPE_ID`, indicating the risk level of the group.
`MAX_USER_NUMBER`	`INT(11)`	Maximum number of users allowed in the group.
`MEMBERSHIP_DURATION_SECONDS`	`BIGINT(20)`	Duration of membership in the group (in seconds).
`POLICY_ID`	`VARCHAR(32)`	Foreign key referencing `POLICY.POLICY_ID`, defining the policy linked to the group.
`ASSIGN_TO_ALL`	`CHAR(1)`	Indicates if the group is assigned to all users (`Y` or `N`).
`IS_VISIBLE`	`CHAR(1)`	Indicates if the group is visible (`Y` or `N`).
`PARTICIPANT_CERTIFICATION`	`CHAR(1)`	Indicates if the group requires participant certification (`Y` or `N`).
`GRAPH_ID`	`VARCHAR(100)`	Identifier used for graphical representation of relationships.

Table: `GRP_ATTRIBUTES`

Column Name	Data Type	Description
`ID`	`VARCHAR(32)`	Unique identifier for the group attribute.
`GRP_ID`	`VARCHAR(32)`	Foreign key referencing `GRP.GRP_ID`, identifying the associated group.
`METADATA_ID`	`VARCHAR(32)`	Foreign key referencing `METADATA_ELEMENT.METADATA_ID`, defining the attribute type.
`NAME`	`VARCHAR(100)`	Name of the attribute (e.g., Department, Cost Center).

Table: `GRP_GRP_MEMBERSHIP_RIGHTS`

Column Name	Data Type	Description
`MEMBERSHIP_ID`	`VARCHAR(32)`	Foreign key referencing `grp_to_grp_membership.MEMBERSHIP_ID`, identifying the group membership.
`ACCESS_RIGHT_ID`	`VARCHAR(32)`	Foreign key referencing `ACCESS_RIGHTS.ACCESS_RIGHT_ID`, defining specific access rights granted.
`EDGE_ID`	`VARCHAR(40)`	Identifier used for graphical representation of relationships.

Table: `GRP_ROLE`

Column Name	Data Type	Description
`GRP_ID`	`VARCHAR(32)`	Foreign key referencing `GRP.GRP_ID`, identifying the group.
`ROLE_ID`	`VARCHAR(32)`	Foreign key referencing `ROLE.ROLE_ID`, identifying the assigned role.
`MEMBERSHIP_ID`	`VARCHAR(32)`	Unique identifier for the group's role membership.
`START_DATE`	`DATETIME`	Start date of the group's role assignment.
`END_DATE`	`DATETIME`	End date of the group's role assignment.
`DESCRIPTION`	`VARCHAR(255)`	Additional details about the role assignment.
`EDGE_ID`	`VARCHAR(40)`	Identifier used for graphical representation of relationships.

Table: `GRP_ROLE_MEMBERSHIP_RIGHTS`

Column Name	Data Type	Description
`MEMBERSHIP_ID`	`VARCHAR(32)`	Foreign key referencing `GRP_ROLE.MEMBERSHIP_ID`, linking the rights to a group role membership.
`ACCESS_RIGHT_ID`	`VARCHAR(32)`	Foreign key referencing `ACCESS_RIGHTS.ACCESS_RIGHT_ID`, defining specific access rights granted.
`EDGE_ID`	`VARCHAR(40)`	Identifier used for graphical representation of relationships.

Table: `METADATA_TYPE`

Column Name	Data Type	Description
`TYPE_ID`	`VARCHAR(32)`	Unique identifier for the metadata type.
`NAME`	`VARCHAR(100)`	Name of the metadata type.
`ACTIVE`	`CHAR(1)`	Indicates if the metadata type is active (`Y` or `N`).
`SYNC_MANAGED_SYS`	`CHAR(1)`	Indicates if the metadata should be synchronized with managed systems (`Y` or `N`).
`GROUPING`	`VARCHAR(100)`	Grouping classification for the metadata type.
`IS_BINARY`	`CHAR(1)`	Indicates if the metadata type is binary (`Y` or `N`).
`IS_SENSITIVE`	`CHAR(1)`	Indicates if the metadata type contains sensitive information (`Y` or `N`).
`USED_FOR_SMS_OTP`	`CHAR(1)`	Indicates if the metadata is used for SMS OTP authentication (`Y` or `N`).
`CREATEABLE`	`CHAR(1)`	Indicates if this metadata type can be created dynamically (`Y` or `N`).

Table: `METADATA_ELEMENT`

Column Name	Data Type	Description
`METADATA_ID`	`VARCHAR(32)`	Unique identifier for the metadata element.
`TYPE_ID`	`VARCHAR(32)`	Foreign key referencing `METADATA_TYPE.TYPE_ID`, linking the element to a metadata type.
`ATTRIBUTE_NAME`	`VARCHAR(100)`	Name of the attribute represented by this metadata element.
`NAME`	`VARCHAR(100)`	Display name for the metadata element.
`DATA_TYPE`	`VARCHAR(20)`	Data type of the metadata element (e.g., String, Integer).
`AUDITABLE`	`CHAR(1)`	Indicates if changes to this metadata element should be audited (`Y` or `N`).
`REQUIRED`	`CHAR(1)`	Indicates if the metadata element is required (`Y` or `N`).
`SELF_EDITABLE`	`CHAR(1)`	Indicates if users can edit this metadata element themselves (`Y` or `N`).
`TEMPLATE_ID`	`VARCHAR(32)`	Foreign key referencing `METADATA_ELEMENT_PAGE_TEMPLATE.ID`, linking to a page template.
`RESOURCE_ID`	`VARCHAR(32)`	Foreign key referencing `RES.RESOURCE_ID`, associating the element with a resource.
`VALIDATOR`	`VARCHAR(150)`	Validation rule applied to the metadata element.
`STATIC_DEFAULT_VALUE`	`VARCHAR(4000)`	Default value assigned to this metadata element.
`IS_PUBLIC`	`CHAR(1)`	Indicates if this metadata element is publicly visible (`Y` or `N`).
`DATA_MODEL_URL`	`VARCHAR(255)`	URL for additional data modeling information.
`METADATA_TYPE`	`VARCHAR(4000)`	Extended metadata type information.
`PLACEHOLDER`	`VARCHAR(255)`	Placeholder text for input fields related to this metadata element.

Table: `ROLE`

Column Name	Data Type	Description
`ROLE_NAME`	`VARCHAR(80)`	Unique name of the role.
`CREATE_DATE`	`DATETIME`	Timestamp when the role was created.
`CREATED_BY`	`VARCHAR(32)`	User ID of the person who created the role.
`DESCRIPTION`	`VARCHAR(3072)`	Description of the role.
`STATUS`	`VARCHAR(20)`	Status of the role (e.g., Active, Inactive).
`ROLE_ID`	`VARCHAR(32)`	Unique identifier for the role.
`MANAGED_SYS_ID`	`VARCHAR(32)`	Foreign key referencing `MANAGED_SYS.MANAGED_SYS_ID`, linking the role to a managed system.
`TYPE_ID`	`VARCHAR(32)`	Foreign key referencing `METADATA_TYPE.TYPE_ID`, defining the role type.
`POLICY_ID`	`VARCHAR(32)`	Foreign key referencing `POLICY.POLICY_ID`, linking the role to a policy.
`RISK`	`VARCHAR(32)`	Foreign key referencing `METADATA_TYPE.TYPE_ID`, defining the risk level of the role.
`MEMBERSHIP_DURATION_SECONDS`	`BIGINT(20)`	Duration of role membership in seconds.
`MAX_USER_NUMBER`	`INT(11)`	Maximum number of users that can be assigned to this role.
`ASSIGN_TO_ALL`	`CHAR(1)`	Indicates if this role is assigned to all users (`Y` or `N`).
`IS_VISIBLE`	`CHAR(1)`	Indicates if this role is visible in UI (`Y` or `N`).
`PARTICIPANT_CERTIFICATION`	`CHAR(1)`	Indicates if role membership requires certification (`Y` or `N`).
`GRAPH_ID`	`VARCHAR(100)`	Identifier used for graphical representation of role relationships.
`EXCLUDE_FROM_AUTH`	`CHAR(1)`	Indicates if this role is excluded from authentication (`Y` or `N`).

Table: `ROLE_ATTRIBUTE`

Column Name	Data Type	Description
`ROLE_ATTR_ID`	`VARCHAR(32)`	Unique identifier for the role attribute.
`NAME`	`VARCHAR(100)`	Name of the role attribute.
`METADATA_ID`	`VARCHAR(32)`	Foreign key referencing `METADATA_ELEMENT.METADATA_ID`, defining metadata properties.
`ROLE_ID`	`VARCHAR(32)`	Foreign key referencing `ROLE.ROLE_ID`, linking the attribute to a role.

Table: `ROLE_ATTRIBUTE_VALUES`

Column Name	Data Type	Description
`ROLE_ATTRIBUTE_ID`	`VARCHAR(32)`	Foreign key referencing `ROLE_ATTRIBUTE.ROLE_ATTR_ID`, linking the value to an attribute.
`ATTR_VALUE`	`TEXT`	Value assigned to the role attribute.

Table: `ROLE_ORG_MEMBERSHIP`

Column Name	Data Type	Description
`MEMBERSHIP_ID`	`VARCHAR(32)`	Unique identifier for the role-organization membership.
`ROLE_ID`	`VARCHAR(32)`	Foreign key referencing `ROLE.ROLE_ID`, identifying the associated role.
`COMPANY_ID`	`VARCHAR(32)`	Foreign key referencing `COMPANY.COMPANY_ID`, identifying the associated company.
`START_DATE`	`DATETIME`	Start date of the role assignment within the organization.
`END_DATE`	`DATETIME`	End date of the role assignment within the organization.
`DESCRIPTION`	`VARCHAR(255)`	Additional details about the role assignment.
`EDGE_ID`	`VARCHAR(40)`	Identifier used for graphical representation of role relationships.

Table: `ROLE_ORG_MEMBERSHIP_RIGHTS`

Column Name	Data Type	Description
`MEMBERSHIP_ID`	`VARCHAR(32)`	Foreign key referencing `ROLE_ORG_MEMBERSHIP.MEMBERSHIP_ID`, linking the rights to a role-organization membership.
`ACCESS_RIGHT_ID`	`VARCHAR(32)`	Foreign key referencing `ACCESS_RIGHTS.ACCESS_RIGHT_ID`, defining specific access rights granted.
`EDGE_ID`	`VARCHAR(40)`	Identifier used for graphical representation of relationships.

Table: `ROLE_ROLE_MEMBERSHIP_RIGHTS`

Column Name	Data Type	Description
`MEMBERSHIP_ID`	`VARCHAR(32)`	Foreign key referencing `ROLE_TO_ROLE_MEMBERSHIP.MEMBERSHIP_ID`, linking the rights to a role-role membership.
`ACCESS_RIGHT_ID`	`VARCHAR(32)`	Foreign key referencing `ACCESS_RIGHTS.ACCESS_RIGHT_ID`, defining specific access rights granted.
`EDGE_ID`	`VARCHAR(40)`	Identifier used for graphical representation of relationships.

Table: `RES` (Resource)

Column Name	Data Type	Description
`RESOURCE_ID`	`VARCHAR(32)`	Unique identifier for the resource.
`RESOURCE_TYPE_ID`	`VARCHAR(32)`	Foreign key referencing `RESOURCE_TYPE.RESOURCE_TYPE_ID`, defining the type of resource.
`DESCRIPTION`	`VARCHAR(512)`	Description of the resource.
`NAME`	`VARCHAR(255)`	Name of the resource.
`DISPLAY_ORDER`	`INT(11)`	Order in which the resource appears in lists.
`URL`	`VARCHAR(255)`	URL associated with the resource.
`MIN_AUTH_LEVEL`	`VARCHAR(32)`	Minimum authentication level required for access.
`IS_PUBLIC`	`CHAR(1)`	Indicates if the resource is public (`Y` or `N`).
`RISK`	`VARCHAR(10)`	Risk level associated with the resource.
`TYPE_ID`	`VARCHAR(32)`	Foreign key referencing `METADATA_TYPE.TYPE_ID`, defining additional classification.
`COORELATED_NAME`	`VARCHAR(250)`	Alternate name for correlation.
`REFERENCE_ID`	`VARCHAR(32)`	Reference identifier.
`GROOVY_SCRIPT`	`VARCHAR(255)`	Groovy script reference for resource behavior.
`STATUS`	`VARCHAR(20)`	Status of the resource (`ACTIVE`, `INACTIVE`).
`IS_VISIBLE`	`CHAR(1)`	Indicates if the resource is visible (`Y` or `N`).
`PARTICIPANT_CERTIFICATION`	`CHAR(1)`	Indicates if certification is required (`Y` or `N`).
`DAYS_TO_COMPLETE_REQUEST`	`INT(11)`	Number of days allowed to complete the resource request.
`GRAPH_ID`	`VARCHAR(100)`	Identifier for graphical representation of relationships.

Table: `RESOURCE_GROUP`

Column Name	Data Type	Description
`RESOURCE_ID`	`VARCHAR(32)`	Foreign key referencing `RES.RESOURCE_ID`, identifying the associated resource.
`GRP_ID`	`VARCHAR(32)`	Foreign key referencing `GRP.GRP_ID`, identifying the associated group.
`START_DATE`	`DATETIME`	Start date of the resource-group association.
`MEMBERSHIP_ID`	`VARCHAR(32)`	Unique identifier for the resource-group membership.
`END_DATE`	`DATETIME`	End date of the resource-group association.
`DESCRIPTION`	`VARCHAR(255)`	Additional details about the resource-group relationship.
`EDGE_ID`	`VARCHAR(40)`	Identifier used for graphical representation.

Table: `RESOURCE_PROP` (Resource Properties)

Column Name	Data Type	Description
`RESOURCE_PROP_ID`	`VARCHAR(32)`	Unique identifier for the resource property.
`RESOURCE_ID`	`VARCHAR(32)`	Foreign key referencing `RES.RESOURCE_ID`, linking the property to a resource.
`METADATA_ID`	`VARCHAR(32)`	Foreign key referencing `METADATA_ELEMENT.METADATA_ID`, defining metadata properties.
`NAME`	`VARCHAR(100)`	Name of the resource property.
`PROP_GROUP`	`VARCHAR(20)`	Property group classification.

Table: `RESOURCE_ROLE`

Column Name	Data Type	Description
`RESOURCE_ID`	`VARCHAR(32)`	Foreign key referencing `RES.RESOURCE_ID`, identifying the associated resource.
`START_DATE`	`DATETIME`	Start date of the resource-role association.
`ROLE_ID`	`VARCHAR(32)`	Foreign key referencing `ROLE.ROLE_ID`, identifying the assigned role.
`MEMBERSHIP_ID`	`VARCHAR(32)`	Unique identifier for the resource-role membership.
`END_DATE`	`DATETIME`	End date of the resource-role association.
`DESCRIPTION`	`VARCHAR(255)`	Additional details about the resource-role assignment.
`EDGE_ID`	`VARCHAR(40)`	Identifier used for graphical representation.

Table: `RESOURCE_TYPE`

Column Name	Data Type	Description
`RESOURCE_TYPE_ID`	`VARCHAR(32)`	Unique identifier for the resource type.
`DESCRIPTION`	`VARCHAR(100)`	Description of the resource type.
`PROCESS_NAME`	`VARCHAR(80)`	Name of the process linked to this resource type.
`SUPPORTS_HIERARCHY`	`CHAR(1)`	Indicates if hierarchy is supported (`Y` or `N`).
`SEARCHABLE`	`CHAR(1)`	Indicates if the resource type is searchable (`Y` or `N`).
`URL`	`MEDIUMTEXT`	URL associated with the resource type.
`IMAGE_TYPE`	`VARCHAR(16)`	Image type linked to the resource type.
`PROVISION_RESOURCE`	`CHAR(1)`	Indicates if the resource type supports provisioning (`Y` or `N`).

Table: `RES_ATTRIBUTE_VALUES`

Column Name	Data Type	Description
`RESOURCE_PROP_ID`	`VARCHAR(32)`	Foreign key referencing `RESOURCE_PROP.RESOURCE_PROP_ID`, linking the value to a property.
`ATTR_VALUE`	`TEXT`	Value assigned to the resource property.

Table: `RES_GRP_MEMBERSHIP_RIGHTS`

Column Name	Data Type	Description
`MEMBERSHIP_ID`	`VARCHAR(32)`	Foreign key referencing `RESOURCE_GROUP.MEMBERSHIP_ID`, linking the rights to a resource-group membership.
`ACCESS_RIGHT_ID`	`VARCHAR(32)`	Foreign key referencing `ACCESS_RIGHTS.ACCESS_RIGHT_ID`, defining specific access rights granted.
`EDGE_ID`	`VARCHAR(40)`	Identifier used for graphical representation of relationships.

Table: `RES_ORG_MEMBERSHIP`

Column Name	Data Type	Description
`MEMBERSHIP_ID`	`VARCHAR(32)`	Unique identifier for the resource-organization membership.
`RESOURCE_ID`	`VARCHAR(32)`	Foreign key referencing `RES.RESOURCE_ID`, identifying the associated resource.
`COMPANY_ID`	`VARCHAR(32)`	Foreign key referencing `COMPANY.COMPANY_ID`, identifying the associated company.
`START_DATE`	`DATETIME`	Start date of the resource-organization membership.
`END_DATE`	`DATETIME`	End date of the resource-organization membership.
`DESCRIPTION`	`VARCHAR(255)`	Additional details about the resource-organization relationship.
`EDGE_ID`	`VARCHAR(40)`	Identifier used for graphical representation of relationships.

Table: `RES_ORG_MEMBERSHIP_RIGHTS`

Column Name	Data Type	Description
`MEMBERSHIP_ID`	`VARCHAR(32)`	Foreign key referencing `RES_ORG_MEMBERSHIP.MEMBERSHIP_ID`, linking the rights to a resource-organization membership.
`ACCESS_RIGHT_ID`	`VARCHAR(32)`	Foreign key referencing `ACCESS_RIGHTS.ACCESS_RIGHT_ID`, defining specific access rights granted.
`EDGE_ID`	`VARCHAR(40)`	Identifier used for graphical representation of relationships.

Table: `RES_RES_MEMBERSHIP_RIGHTS`

Column Name	Data Type	Description
`MEMBERSHIP_ID`	`VARCHAR(32)`	Foreign key referencing `RES_TO_RES_MEMBERSHIP.MEMBERSHIP_ID`, linking the rights to a resource-to-resource membership.
`ACCESS_RIGHT_ID`	`VARCHAR(32)`	Foreign key referencing `ACCESS_RIGHTS.ACCESS_RIGHT_ID`, defining specific access rights granted.
`EDGE_ID`	`VARCHAR(40)`	Identifier used for graphical representation of relationships.

Table: `RES_ROLE_MEMBERSHIP_RIGHTS`

Column Name	Data Type	Description
`MEMBERSHIP_ID`	`VARCHAR(32)`	Foreign key referencing `RESOURCE_ROLE.MEMBERSHIP_ID`, linking the rights to a resource-role membership.
`ACCESS_RIGHT_ID`	`VARCHAR(32)`	Foreign key referencing `ACCESS_RIGHTS.ACCESS_RIGHT_ID`, defining specific access rights granted.
`EDGE_ID`	`VARCHAR(40)`	Identifier used for graphical representation of relationships.

User data model

/webconsole - access-certification

Access control model

Table: GRP

Table: GRP_ATTRIBUTES

Table: GRP_GRP_MEMBERSHIP_RIGHTS

Table: GRP_ROLE

Table: GRP_ROLE_MEMBERSHIP_RIGHTS

Table: METADATA_TYPE

Table: METADATA_ELEMENT

Table: ROLE

Table: ROLE_ATTRIBUTE

Table: ROLE_ATTRIBUTE_VALUES

Table: ROLE_ORG_MEMBERSHIP

Table: ROLE_ORG_MEMBERSHIP_RIGHTS

Table: ROLE_ROLE_MEMBERSHIP_RIGHTS

Table: RES (Resource)

Table: RESOURCE_GROUP

Table: RESOURCE_PROP (Resource Properties)

Table: RESOURCE_ROLE

Table: RESOURCE_TYPE

Table: RES_ATTRIBUTE_VALUES

Table: RES_GRP_MEMBERSHIP_RIGHTS

Table: RES_ORG_MEMBERSHIP

Table: RES_ORG_MEMBERSHIP_RIGHTS

Table: RES_RES_MEMBERSHIP_RIGHTS

Table: RES_ROLE_MEMBERSHIP_RIGHTS