src/main/asciidoc/reference-guide/concepts/usersgroupsandanyobjects.adoc - syncope - Git at Google

 //
 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //   http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing,
 // software distributed under the License is distributed on an
 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.
 //
 === Users, Groups and Any Objects

 Users, Groups and Any Objects are definitely the key entities to manage: as explained <<introduction,above>>
 in fact, the whole identity management concept is literally about managing identity data.

 Starting with Apache Syncope 2.0, the following identities are supported:

 * *Users* represent the virtual identities build up of account information fragmented across the associated external
 resources
 * *Groups* have the dual purpose of representing entities on external resources supporting this concept (say LDAP or
 Active Directory) and putting together Users or Any Objects for implementing group-based provisioning, e.g. to
 dynamically associate Users or Any Objects to external resources
 * *Any Objects* actually cover very different entities that can be modeled: printers, services, sensors, ...

 For each of the identities above, Apache Syncope is capable of maintaining:

 . `name` (`username`, for Users) - string value uniquely identifying a specific user, group or any object instance;
 . `password` (Users only) - hashed or encrypted value, depending on the selected `password.cipher.algorithm` - see
 <<configuration-parameters, below>> for details - which can be used for authentication;
 . set of attributes, with each attribute being a `(key,values)` pair where

  ** `key` is a string label (e.g. `surname`);
  ** `values` is a (possibly singleton) collection of data (e.g. `[Doe]` but also
 `[\john.doe@syncope.apache.org, \jdoe@gmail.com]`)
  ; the type of values that can be assigned to each attribute is defined via the <<schema,schema>> matching the `key`
 value (e.g. _plain_, _derived_ and _virtual_);
 . associations with <<external-resources,external resources>>, for <<provisioning,provisioning>>.

 [IMPORTANT]
 .Which schemas can be populated for a given user / group / any object?
 ====
 Each user / group / any object will be able to hold values for all schemas:

 . defined in the <<AnyTypeClass,Any Type classes>> associated to their <<AnyType, Any Type>>;
 . defined in the <<AnyTypeClass,Any Type classes>> configured as *_auxiliary_* for the specific instance.
 ====

 Moreover, Users and Any Objects can be part of Groups, or associated to other any objects.

 [[memberships-relationships]]
 [NOTE]
 .Memberships and Relationships
 ====
 When an user or an any object is assigned to a group, a *_membership_* is defined; the (static) members of a group
 benefit from <<type-extensions,type extensions>>.

 When an user or an any object is associated to another any object, a *_relationship_* is defined, of one of available
 <<relationshiptype,relationship types>>.
 ====

 [TIP]
 .Static and Dynamic Memberships
 ====
 Users and Any Objects are _statically_ assigned to Groups when memberships are explicitly set.

 With group definition, however, a condition can be expressed so that all matching Users and Any Objects are
 _dynamic_ members of the group. +
 Dynamic memberships have some limitations: for example, <<type-extensions,type extensions>> do not apply;
 group-based provisioning is still effective.
 ====

 ==== Password Reset

 When users lost their password, a feature is available to help gaining back access to Apache Syncope: password reset.

 The process can be outlined as follows:

 . user asks for password reset, typically via <<enduser-component,end-user>>
 . user is asked to provide an answer to the security question that was selected during self-registration or self-update
 . if the expected answer is provided, a unique token with time-constrained validity is internally generated and an
 e-mail is sent to the configured address for the user with a link - again, typically to the
 <<enduser-component,end-user>> - containing such token value
 . user clicks on the received link and provides new password value, typically via <<enduser-component,end-user>>
 . user receives confirmation via e-mail

 [WARNING]
 ====
 The outlined procedure requires a working <<e-mail-configuration,e-mail configuration>>.

 In particular:

 * the first e-mail is generated from the `requestPasswordReset` <<notification-templates, notification template>>:
 hence, the token-based access link to the <<enduser-component,end-user>> is managed there;
 * the second e-mail is generated from the `confirmPasswordReset` <<notification-templates, notification template>>.
 ====

 [TIP]
 ====
 The process above requires the availability of <<console-configuration-security-questions,security questions>> that
 users can pick up and provide answers for.

 The usage of security questions can be however disabled by setting the `passwordReset.securityQuestion` value - see
 <<configuration-parameters, below>> for details.
 ====

 [[password-reset-no-security-answer]]
 [WARNING]
 ====
 Once provided via Enduser Application, the answers to security questions are *never* reported, neither via REST or Admin UI to
 administrators, nor to end-users via Enduser Application.

 This to avoid any information disclosure which can potentially lead attackers to reset other users' passwords.
 ====

 [NOTE]
 In addition to the password reset feature, administrators can set a flag on a given user so that he / she is forced to
 update their password value at next login.
	//
	// Licensed to the Apache Software Foundation (ASF) under one
	// or more contributor license agreements. See the NOTICE file
	// distributed with this work for additional information
	// regarding copyright ownership. The ASF licenses this file
	// to you under the Apache License, Version 2.0 (the
	// "License"); you may not use this file except in compliance
	// with the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing,
	// software distributed under the License is distributed on an
	// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	// KIND, either express or implied. See the License for the
	// specific language governing permissions and limitations
	// under the License.
	//
	=== Users, Groups and Any Objects

	Users, Groups and Any Objects are definitely the key entities to manage: as explained <<introduction,above>>
	in fact, the whole identity management concept is literally about managing identity data.

	Starting with Apache Syncope 2.0, the following identities are supported:

	* Users represent the virtual identities build up of account information fragmented across the associated external
	resources
	* Groups have the dual purpose of representing entities on external resources supporting this concept (say LDAP or
	Active Directory) and putting together Users or Any Objects for implementing group-based provisioning, e.g. to
	dynamically associate Users or Any Objects to external resources
	* Any Objects actually cover very different entities that can be modeled: printers, services, sensors, ...

	For each of the identities above, Apache Syncope is capable of maintaining:

	. `name` (`username`, for Users) - string value uniquely identifying a specific user, group or any object instance;
	. `password` (Users only) - hashed or encrypted value, depending on the selected `password.cipher.algorithm` - see
	<<configuration-parameters, below>> for details - which can be used for authentication;
	. set of attributes, with each attribute being a `(key,values)` pair where

	** `key` is a string label (e.g. `surname`);
	** `values` is a (possibly singleton) collection of data (e.g. `[Doe]` but also
	`[\john.doe@syncope.apache.org, \jdoe@gmail.com]`)
	; the type of values that can be assigned to each attribute is defined via the <<schema,schema>> matching the `key`
	value (e.g. _plain_, _derived_ and _virtual_);
	. associations with <<external-resources,external resources>>, for <<provisioning,provisioning>>.

	[IMPORTANT]
	.Which schemas can be populated for a given user / group / any object?
	====
	Each user / group / any object will be able to hold values for all schemas:

	. defined in the <<AnyTypeClass,Any Type classes>> associated to their <<AnyType, Any Type>>;
	. defined in the <<AnyTypeClass,Any Type classes>> configured as _auxiliary_ for the specific instance.
	====

	Moreover, Users and Any Objects can be part of Groups, or associated to other any objects.

	[[memberships-relationships]]
	[NOTE]
	.Memberships and Relationships
	====
	When an user or an any object is assigned to a group, a _membership_ is defined; the (static) members of a group
	benefit from <<type-extensions,type extensions>>.

	When an user or an any object is associated to another any object, a _relationship_ is defined, of one of available
	<<relationshiptype,relationship types>>.
	====

	[TIP]
	.Static and Dynamic Memberships
	====
	Users and Any Objects are _statically_ assigned to Groups when memberships are explicitly set.

	With group definition, however, a condition can be expressed so that all matching Users and Any Objects are
	_dynamic_ members of the group. +
	Dynamic memberships have some limitations: for example, <<type-extensions,type extensions>> do not apply;
	group-based provisioning is still effective.
	====

	==== Password Reset

	When users lost their password, a feature is available to help gaining back access to Apache Syncope: password reset.

	The process can be outlined as follows:

	. user asks for password reset, typically via <<enduser-component,end-user>>
	. user is asked to provide an answer to the security question that was selected during self-registration or self-update
	. if the expected answer is provided, a unique token with time-constrained validity is internally generated and an
	e-mail is sent to the configured address for the user with a link - again, typically to the
	<<enduser-component,end-user>> - containing such token value
	. user clicks on the received link and provides new password value, typically via <<enduser-component,end-user>>
	. user receives confirmation via e-mail

	[WARNING]
	====
	The outlined procedure requires a working <<e-mail-configuration,e-mail configuration>>.

	In particular:

	* the first e-mail is generated from the `requestPasswordReset` <<notification-templates, notification template>>:
	hence, the token-based access link to the <<enduser-component,end-user>> is managed there;
	* the second e-mail is generated from the `confirmPasswordReset` <<notification-templates, notification template>>.
	====

	[TIP]
	====
	The process above requires the availability of <<console-configuration-security-questions,security questions>> that
	users can pick up and provide answers for.

	The usage of security questions can be however disabled by setting the `passwordReset.securityQuestion` value - see
	<<configuration-parameters, below>> for details.
	====

	[[password-reset-no-security-answer]]
	[WARNING]
	====
	Once provided via Enduser Application, the answers to security questions are never reported, neither via REST or Admin UI to
	administrators, nor to end-users via Enduser Application.

	This to avoid any information disclosure which can potentially lead attackers to reset other users' passwords.
	====

	[NOTE]
	In addition to the password reset feature, administrators can set a flag on a given user so that he / she is forced to
	update their password value at next login.