13.2 Non-Managed Application REST API

This API allows you to implement a REST endpoint for a non-managed application. A non-managed application is an application that is not connected to an Identity Vault, but nonetheless includes data that you want to be able to report on. By defining a REST endpoint for an application, you make it possible for the reporting module to collect data from this application.

After you have defined the REST endpoint for a non-managed application, you need to provide details about this application, including its location and context, on the Non-Managed Application Data Sources page in the reporting module.

Managed System Prefix: The REST API described in this section is also used by the reporting module to perform data queries for managed systems, so some of the URIs use the prefix ms, which refers to managed systems.

Logical system identifier: Some of the URIs include a parameter for logical system identifier. This is an identifier for the instance of a managed system.

NOTE: In Identity Manager 4.0.2 and later, you must define at least one logical system for the reporting module to be able to collect data from the application. The reporting module no longer collects data from the primary system.

13.2.1 Overview

These APIs use an asynchronous Query architecture. The Identity Manager Reporting Service will call the various Query APIs and expect to receive a unique REQID field value in response. This REQID field value will be passed in a subsequent call to determine if the requested data Results are available, obtain the Results set, and ultimately to purge the REQID and associated Results data. It is the responsibility of the application service to create and cache the unique REQID fields and associated data until a request is made to purge the data.

A JSON (JavaScript Object Notation) interface is used for all APIs. Ensure that the Content-Type in the headers for all HTTP messages is application/json when testing application service implementations.

NOTE: All PUT operations require a content payload. For some APIs, this may simply be an empty payload "{ }".
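The REQID lifecycle described in this overview (query, status, paged results, purge), sketched from the application service's side as an added example; it is not code from the product. The class and method names, the MAX_SIZE and MAX_AGE limits, the binding of a REQID to the URI it was issued on, and the reading of EIDX as an exclusive end index (inferred from the sample outputs on this page) are assumptions.

```python
import re
import secrets
import time

REQID_RE = re.compile(r"[0-9a-f]{32}")  # same shape as the REQIDs in the samples
MAX_SIZE = 500   # assumed upper bound on one page of Results
MAX_AGE = 3600   # assumed lifetime (seconds) of a REQID that is never purged


class ResultCache:
    """Caches query results by REQID until they are purged or expire."""

    def __init__(self, clock=time.monotonic):
        self._entries = {}
        self._clock = clock

    def submit(self, scope):
        """Register a query; scope is the URI path it was submitted on."""
        self._expire()
        reqid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._entries[reqid] = {"scope": scope, "rows": None, "t": self._clock()}
        return {"REQID": reqid}

    def complete(self, reqid, rows):
        """Store the finished result set (called by the query worker)."""
        self._entries[reqid]["rows"] = list(rows)

    def status(self, reqid):
        entry = self._lookup(reqid)
        if entry is None:
            return None  # unknown REQID: answer with an HTTP error
        return {"STATUS": "true" if entry["rows"] is not None else "false"}

    def results(self, reqid, scope, sidx=0, size=MAX_SIZE):
        entry = self._lookup(reqid)
        # A REQID is only honoured on the /results URI of its own query.
        if entry is None or entry["scope"] != scope or entry["rows"] is None:
            return None
        if type(sidx) is not int or type(size) is not int or sidx < 0 or size < 1:
            raise ValueError("SIDX must be >= 0 and SIZE >= 1")
        rows = entry["rows"]
        page = rows[sidx:sidx + min(size, MAX_SIZE)]
        eidx = sidx + len(page)  # exclusive end index, as in the samples
        return {"SIDX": sidx, "EIDX": eidx,
                "MORE": int(eidx < len(rows)), "Results": page}

    def purge(self, reqid):
        if self._lookup(reqid) is not None:
            del self._entries[reqid]
        return {"SUBMITTED": "true"}

    def _lookup(self, reqid):
        self._expire()
        if not isinstance(reqid, str) or not REQID_RE.fullmatch(reqid):
            return None  # never use a malformed value as a cache key
        return self._entries.get(reqid)

    def _expire(self):
        cutoff = self._clock() - MAX_AGE
        for reqid in [r for r, e in self._entries.items() if e["t"] < cutoff]:
            del self._entries[reqid]
```

Because the cached rows are account and profile data, the REQID is effectively a bearer handle to them; the expiry sweep covers the case where the purge call never arrives.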

13.2.2 Generic Service APIs

These APIs are used by the Identity Manager Reporting Service during the processing of the various data collection query activities.

GET – /results/<requestID>/status

Verifies the result status after data collection. The identifier is a request identifier obtained when the query API is invoked.

The REQID value returned from a preceding data collection query API call is used in the URI to identify the request whose status is being obtained.

URI
context/results/requestID/status
HTTP Method

This operation supports the GET method.

Input

None.

Output

STATUS: A Boolean flag that indicates if the result set is ready to be consumed. If the value returned is false, subsequent calls can be expected.

Sample Output
{"STATUS":"true"}
Return HTTP Status

PUT – /purge

This API is used to inform the application service that the results set associated with the REQID will no longer be accessed and can be released.

URI
context/purge
HTTP Method

This operation supports the PUT method.

Input

REQID: String (mandatory)

Sample Input
{"REQID":"5ac00e5660ec435aae966ca2975b98f3"}
Output

SUBMITTED: A Boolean flag that indicates if the purge request was received.

Sample Output
{"SUBMITTED":"true"}
Return HTTP Status

13.2.3 Managed System Information APIs

These APIs are used to request and obtain the Managed System information of the non-managed application. The supported fields for the Results objects can be found under Section A.3, Managed System Information Schema.

PUT – /ms

Returns a list of the applications and managed systems that are available for data collection. This operation also provides the attributes for each application.

URI
context/ms
HTTP Method

This operation supports the PUT method.

Input

Locale: String (optional). This field is a 2-character Language ISO code that may be passed by the Identity Manager Reporting Service. The application service is requested to return results in the specified language if possible.

Sample Input
{"Locale":"EN"}
Output

REQID

Sample Output
{"REQID":"5ac00e5660ec435aae966ca2975b98f3"}
Return HTTP Status

PUT – /ms/results

Retrieves the results of system query execution.

If the application service provides connectivity to more than 1 application instance, each instance is considered a Logical System to the Identity Manager Reporting Service. For each Logical System, the application service must return a Results instance.

The GUID value returned will be used as the application identifier in the URI of subsequent data collection API calls from the Identity Manager Reporting Service. If there are no Logical Systems identified by the application service, the same value will be used as the ls-identifier in those calls. Otherwise, the LogicalInstance:ID values will be used as the ls-identifier in those calls.

URI
context/ms/results
HTTP Method

This operation supports the PUT method.

Input Fields
  • REQID: String (mandatory). Request ID

  • SIDX: Integer (optional). Optional starting index. First result is at index 0.

  • SIZE: Integer (optional). Optional number of results in Results set.

Sample Input
{"REQID":"5ac00e5660ec435aae966ca2975b98f3"}
Sample Output (No Logical Systems)
{
  "SIDX":0,"EIDX":1,"MORE":0,
  "Results":
  [
    {
      "GUID":"SAPUM-151.155.161.8-300",
      "Name":"SAP DEV Central",
      "Description":"SAP CUA Central Development Server",
      "Type":"Enterprise",
      "Classification":"Development",
      "Vendor":"SAP",
      "Version":"Basis 700",
      "BusinessOwner":"Mark Jeffrey",
      "ApplicationOwner":"HCM-ADMIN",
      "Location":"Provo QA Lab, PRV-H-622",
      "Environment":"Development",
      "AuthenticationIPAddress":"151.155.161.8",
      "AuthenticationPort":"sapgw00",
      "AuthenticationID":"admin",
      "Hierarchical":"false"
    }
  ]
} 
Sample Output (2 Logical Systems)
{
  "SIDX":0,"EIDX":2,"MORE":0,
  "Results":
  [
    {
      "GUID":"SAPUM-151.155.161.8",
      "Name":"SAP DEV",
      "Description":"SAP CUA Development Server",
      "Type":"Enterprise",
      "Classification":"Development",
      "Vendor":"SAP",
      "Version":"Basis 700",
      "BusinessOwner":"Mark Jeffrey",
      "ApplicationOwner":"ADMIN",
      "Location":"Provo QA Lab, PRV-H-622",
      "Environment":"Development",
      "AuthenticationIPAddress":"192.168.1.10",
      "AuthenticationPort":"sapgw00",
      "AuthenticationID":"ADMIN",
      "Hierarchical":"false",
      "LogicalInstance:ID":"ADMCLNT300",
      "LogicalInstance:Name":"Client 300",
      "LogicalInstance:Description":"CUA Central Client",
      "LogicalInstance:Type":"Enterprise",
      "LogicalInstance:Classification":"Development",
      "LogicalInstance:Vendor":"SAP",
      "LogicalInstance:Version":"Basis 700",
      "LogicalInstance:BusinessOwner":"Mark Jeffrey",
      "LogicalInstance:ApplicationOwner":"CUAADMIN",
      "LogicalInstance:Location":"Provo QA Lab, PRV-H-622",
      "LogicalInstance:Environment":"Development",
      "LogicalInstance:AuthenticationIPAddress":"192.168.1.10",
      "LogicalInstance:AuthenticationPort":"sapgw00",
      "LogicalInstance:AuthenticationID":"CUAADMIN",
      "LogicalInstance:Hierarchical":"false"
    },
    {
      "GUID":"SAPUM-151.155.161.8",
      "Name":"SAP DEV",
      "Description":"SAP CUA Development Server",
      "Type":"Enterprise",
      "Classification":"Development",
      "Vendor":"SAP",
      "Version":"Basis 700",
      "BusinessOwner":"Mark Jeffrey",
      "ApplicationOwner":"ADMIN",
      "Location":"Provo QA Lab, PRV-H-622",
      "Environment":"Development",
      "AuthenticationIPAddress":"192.168.1.10",
      "AuthenticationPort":"sapgw00",
      "AuthenticationID":"ADMIN",
      "Hierarchical":"false",
      "LogicalInstance:ID":"ADMCLNT400",
      "LogicalInstance:Name":"Client 400",
      "LogicalInstance:Description":"CUA Child Client",
      "LogicalInstance:Type":"Enterprise",
      "LogicalInstance:Classification":"Development",
      "LogicalInstance:Vendor":"SAP",
      "LogicalInstance:Version":"Basis 700",
      "LogicalInstance:BusinessOwner":"Jon Doe",
      "LogicalInstance:ApplicationOwner":"CHLDADM",
      "LogicalInstance:Location":"Provo QA Lab, PRV-H-622",
      "LogicalInstance:Environment":"Development",
      "LogicalInstance:AuthenticationIPAddress":"192.168.1.10",
      "LogicalInstance:AuthenticationPort":"sapgw00",
      "LogicalInstance:AuthenticationID":"CHLDADM",
      "LogicalInstance:Hierarchical":"false"
    }
  ]
}
Return HTTP Status
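The ls-identifier rule described for PUT /ms/results above, as an added example for a test client exercising an application service; it is not code from the product. The function names are hypothetical, the sample body is constructed by trimming the page's two-logical-system sample, and percent-encoding and rejecting "." and ".." segments are added precautions, since these identifiers come from a remote response and end up in a URI path.

```python
from urllib.parse import quote

# Query URIs on this page that take one identifier, and those that take both.
MS_QUERIES = ("accounts/rule", "entitlements/types")
LS_QUERIES = ("entitlements", "entitlements/assignments", "accounts", "profiles")

# Constructed sample: the page's two-logical-system output, trimmed.
SAMPLE = {"SIDX": 0, "EIDX": 2, "MORE": 0, "Results": [
    {"GUID": "SAPUM-151.155.161.8", "LogicalInstance:ID": "ADMCLNT300"},
    {"GUID": "SAPUM-151.155.161.8", "LogicalInstance:ID": "ADMCLNT400"},
]}


def collection_targets(ms_results):
    """Return sorted, unique (identifier, ls-identifier) pairs."""
    targets = set()
    for row in ms_results.get("Results", []):
        guid = row["GUID"]
        # No LogicalInstance:ID means the GUID doubles as the ls-identifier.
        targets.add((guid, row.get("LogicalInstance:ID") or guid))
    return sorted(targets)


def segment(value):
    """Encode one identifier as exactly one URI path segment."""
    if not isinstance(value, str) or value in ("", ".", ".."):
        raise ValueError(f"unusable identifier: {value!r}")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in identifier")
    return quote(value, safe="")  # "/" is encoded, so no extra segments appear


def query_uris(context, identifier, ls_identifier):
    """Build every query URI for one (identifier, ls-identifier) target."""
    ms = segment(identifier)
    ls = segment(ls_identifier)
    uris = [f"{context}/{q}/ms/{ms}" for q in MS_QUERIES]
    uris += [f"{context}/{q}/ms/{ms}/ls/{ls}" for q in LS_QUERIES]
    return uris


if __name__ == "__main__":
    for guid, ls_id in collection_targets(SAMPLE):
        for uri in query_uris("context", guid, ls_id):
            print(uri)
```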

13.2.4 Account Matching Rules APIs

These APIs are used to request and obtain a set of matching rules for the non-managed application that can be used by the IDM Reporting Service. The supported fields for the Results objects can be found in Section A.7, Accounts Rule Schema.

NOTE: In Identity Manager 4.0, these APIs are in a proposal stage in the Identity Manager Reporting Service. Data is collected but is not yet used.

PUT – /accounts/rule/ms/<identifier>

Requests managed and application account rules data.

URI
context/accounts/rule/ms/identifier
HTTP Method

This operation supports the PUT method.

Input

Locale: String (optional). This field is a 2-character Language ISO code that may be passed by the Identity Manager Reporting Service. The application service is requested to return results in the specified language if possible.

Sample Input
{"Locale":"DE"}
Output

REQID

Sample Output
{"REQID":"e6bf4fd18817449885caa34bd8e84781"}
Return HTTP Status

PUT – /accounts/rule/ms/<identifier>/results

Requests system account rules data.

URI
context/accounts/rule/ms/identifier/results
HTTP Method

This operation supports the PUT method.

Input
  • REQID: String (mandatory). Request ID

  • SIDX: Integer (optional). Optional starting index. First result is at index 0.

  • SIZE: Integer (optional). Optional number of results in Results set.

Sample Input
{
  "REQID":"e6bf4fd18817449885caa34bd8e84781",
  "SIDX":0,
  "SIZE":100
}
Sample Output
{
  "SIDX":0,"EIDX":1,"MORE":0,
  "Results":
  [
          {"Order":1, "MatchAttrName":"USERNAME:BAPIBNAME"},
          {"Order":2, "MatchAttrname":"ADDRESS:FIRSTNAME,ADDRESS:LASTNAME"}
  ]
} 
Return HTTP Status

13.2.5 Entitlement Types APIs

These APIs are used to request and obtain the various types of application Entitlements that can be assigned to application identities. Examples of entitlements may be a User account, Roles, User Profiles, Group Memberships, Email access, home directories, and so forth.

The supported fields for the Results objects can be found under Section A.4, Entitlements Types Schema.

PUT – /entitlements/types/ms/<identifier>

Requests entitlement type data for each system.

URI
context/entitlements/types/ms/identifier
HTTP Method

This operation supports the PUT method.

Input

Locale: String (optional). This field is a 2-character Language ISO code that may be passed by the Identity Manager Reporting Service. The application service is requested to return results in the specified language if possible.

Sample Input
{"Locale":"DE"}
Output

REQID

Sample Output
{"REQID":"faae9d07cf7f47d5bb7c5179819da9ea"}
Return HTTP Status

PUT – /entitlements/types/ms/<identifier>/results

Retrieves the results of query execution for entitlement types.

URI
context/entitlements/types/ms/identifier/results
HTTP Method

This operation supports the PUT method.

Input
  • REQID: String (mandatory). Request ID

  • SIDX: Integer (optional). Optional starting index. First result is at index 0.

  • SIZE: Integer (optional). Optional number of results in Results set.

Sample Input
{
  "REQID":"faae9d07cf7f47d5bb7c5179819da9ea",
  "SIDX":0,
  "SIZE":20
}
Sample Output
{
  "SIDX":0,"EIDX":3,"MORE":0,
  "Results":
  [
    {
      "ENT_TYPE":"ActivityGroup",
      "ENT_TYPE_DISPLAY_NAME":"Rolle",
      "ENT_ID":"AG",
      "ENT_CATEGORY":"Sicherheit Gruppe",
      "ENT_DESCRIPTION":"SAP Rolle",
      "ENT_DISPLAY_NAME":"Rolle"
    },
    ...
  ]
}
Return HTTP Status

13.2.6 Entitlements Information APIs

These APIs are used to request and obtain detailed information about all Entitlements of the non-managed application. The supported fields for the Results objects can be found under Section A.5, Entitlements Information Schema.

PUT – /entitlements/ms/<identifier>/ls/<ls-identifier>

Requests application entitlement data.

URI
context/entitlements/ms/identifier/ls/ls-identifier
  • identifier: Managed System Information GUID value (see PUT – /ms/results)

  • ls-identifier: Managed System Information LogicalInstance:ID value (if present); otherwise Managed System Information GUID value (see PUT – /ms/results).

HTTP Method

This operation supports the PUT method.

Input
  • ENT_ID: String (mandatory). Identifies the type of Entitlement information being obtained from the target application or logical systems. The value will be the ENT_ID from one of the entitlement types previously collected from the application service.

  • Locale: String (optional). This field is a 2-character Language ISO code that may be passed by the Identity Manager Reporting Service. The application service is requested to return results in the specified language if possible.

Sample Input
{
  "ENT_ID":"AG",
  "Locale":"EN"
}
Output

REQID

Sample Output

{"REQID":"f8977b3bdce34b3f8e2e44ff10567746"}

Return HTTP Status

PUT – /entitlements/ms/<identifier>/ls/<ls-identifier>/results

Some entitlements, such as a User account entitlement, may not be represented by an actual application object or value. Such entitlements are considered granted based on the presence of an account for a User. It is therefore appropriate for an application to return an empty results set for non-valued entitlements.

URI
context/entitlements/ms/identifier/ls/ls-identifier/results
  • identifier: Managed System Information GUID value (see PUT – /ms/results)

  • ls-identifier: Managed System Information LogicalInstance:ID value (if present); otherwise Managed System Information GUID value (see PUT – /ms/results).

HTTP Method

This operation supports the PUT method.

Input
  • REQID: String (mandatory). Request ID

  • SIDX: Integer (optional). Optional starting index. First result is at index 0.

  • SIZE: Integer (optional). Optional number of results in Results set.

Sample Input
{"REQID":"f8977b3bdce34b3f8e2e44ff10567746", "SIZE":200}
Sample Output
{
  "SIDX":0,"EIDX":200,"MORE":1,
  "Results":
  [
    {
      "MS_ENT_DESC":"Employee Self-Service Germany",
      "MS_ENT_VAL":"SAP_HR_EMPLOYEE_DE",
      "MS_ENT_VAL_DISP_NAME":"SAP_HR_EMPLOYEE_DE"
    },
    {
      "MS_ENT_DESC":"Auth. for RFC Service User in Client System (RFC)",
      "MS_ENT_VAL":"SAP_BC_USR_CUA_CLIENT_RFC",
      "MS_ENT_VAL_DISP_NAME":"SAP_BC_USR_CUA_CLIENT_RFC"
    },
    ....
  ]
}
Return HTTP Status

13.2.7 Entitlement Assignment APIs

These APIs are used to request and obtain the information about the assignment of a specified Entitlement type to Identities within the non-managed application. The supported fields for the Results objects can be found under Section A.6, Entitlements Assignments Schema.

PUT – /entitlements/assignments/ms/<identifier>/ls/<ls-identifier>

Requests entitlement assignment data.

URI
context/entitlements/assignments/ms/identifier/ls/ls-identifier
  • identifier: Managed System Information GUID value (see PUT – /ms/results)

  • ls-identifier: Managed System Information LogicalInstance:ID value (if present); otherwise Managed System Information GUID value (see PUT – /ms/results).

HTTP Method

This operation supports the PUT method.

Input
  • ENT_ID: String (mandatory). Identifies the type of Entitlement assignment information being obtained from the target application or logical systems. The value will be the ENT_ID from one of the entitlement types previously collected from the application service.

  • Locale: String (optional). This field is a 2-character Language ISO code that may be passed by the Identity Manager Reporting Service. The application service is requested to return results in the specified language if possible.

Sample Input
{
  "ENT_ID":"PROFILE"
}
Output

REQID

Sample Output
{"REQID":"87d95b44c7bf4db1aafeb54ad840008d"}
Return HTTP Status

PUT – /entitlements/assignments/ms/<identifier>/ls/<ls-identifier>/results

Some entitlements, such as a User account entitlement, may not be represented by an actual application object or value. Such entitlements are considered granted based on the presence of an account for a User. It is therefore appropriate for an application to return an empty results set for non-valued entitlements.

URI
context/entitlements/assignments/ms/identifier/ls/ls-identifier/results
  • identifier: Managed System Information GUID value (see PUT – /ms/results)

  • ls-identifier: Managed System Information LogicalInstance:ID value (if present); otherwise Managed System Information GUID value (see PUT – /ms/results).

HTTP Method

This operation supports the PUT method.

Input
  • REQID: String (mandatory). Request ID

  • SIDX: Integer (optional). Optional starting index. First result is at index 0.

  • SIZE: Integer (optional). Optional number of results in Results set.

Sample Input
"REQID":"87d95b44c7bf4db1aafeb54ad840008d", "SIZE":100}
Sample Output
{
  "SIDX":0,"EIDX":20,"MORE":0,
  "Results":
  [
    {
      "MS_ENT_VAL":"SAP_ALL",
      "MS_MEMBER":"DDIC"
    },
    {
      "MS_ENT_VAL":"S_A.SYSTEM",
      "MS_MEMBER":"DDIC"
    },
    {
      "MS_ENT_VAL":"SAP_ALL",
      "MS_MEMBER":"SENTINEL"
    },
    ...
  ]
}
Return HTTP Status

13.2.8 Account Information APIs

These APIs are used to request and obtain the Accounts information of the non-managed application. The supported fields for the Results objects can be found under Section A.8, Account Information Schema.

NOTE: If the application service does not support the concept of Logical Systems (see Section 13.2.3, Managed System Information APIs), the Identity Manager Reporting Service will use the Managed System GUID field value for both identifier and ls-identifier in the URI.

PUT – /accounts/ms/<identifier>/ls/<ls-identifier>

Requests accounts information for an application.

URI
context/accounts/ms/identifier/ls/ls-identifier
  • identifier: Managed System Information GUID value (see PUT – /ms/results)

  • ls-identifier: Managed System Information LogicalInstance:ID value (if present); otherwise Managed System Information GUID value (see PUT – /ms/results).

HTTP Method

This operation supports the PUT method.

Input

Locale: String (optional). This field is a 2-character Language ISO code that may be passed by the Identity Manager Reporting Service. The application service is requested to return results in the specified language if possible.

Sample Input
{"Locale":"EN"}
Output

REQID

Sample Output
{"REQID":"e6cfbe0747604fa7ad8d20da6abeb203"}
Return HTTP Status

PUT – /accounts/ms/<identifier>/ls/<ls-identifier>/results

Retrieves the results of a query execution for application accounts data.

URI
context/accounts/ms/identifier/ls/ls-identifier/results
  • identifier: Managed System Information GUID value (see PUT – /ms/results)

  • ls-identifier: Managed System Information LogicalInstance:ID value (if present); otherwise Managed System Information GUID value (see PUT – /ms/results).

HTTP Method

This operation supports the PUT method.

Input
  • REQID: String (mandatory). Request ID

  • SIDX: Integer (optional). Optional starting index. First result is at index 0.

  • SIZE: Integer (optional). Optional number of results in Results set.

Sample Input
{"REQID":"e6cfbe0747604fa7ad8d20da6abeb203"}
Sample Output
{
  "SIDX":0,"EIDX":81,"MORE":0
  "Results":
  [
    {
      "ACCT_ID_VALUE":"NSLUSER",
      "ACCT_ID_TYPE":"USER",
      "Managed":"false",
      "APP_NAME":"SAPUM-151.155.161.8-300",
      "Synchronized":"false",
      "ACCT_STATUS":"A"
    },
    ....
  ]
}
Return HTTP Status

13.2.9 Profile Information APIs

These APIs are used to request and obtain the detailed Identity profile information for all accounts in the non-managed application. The supported fields for the Results objects can be found under Section A.9, Profile Information Schema.

PUT – /profiles/ms/<identifier>/ls/<ls-identifier>

Requests profiles information for an application.

URI
context/profiles/ms/identifier/ls/ls-identifier
  • identifier: Managed System Information GUID value (see PUT – /ms/results)

  • ls-identifier: Managed System Information LogicalInstance:ID value (if present); otherwise Managed System Information GUID value (see PUT – /ms/results).

HTTP Method

This operation supports the PUT method.

Input

Locale: String (optional). This field is a 2-character Language ISO code that may be passed by the Identity Manager Reporting Service. The application service is requested to return results in the specified language if possible.

Sample Input
{"Locale":"EN"}
Output

REQID

Sample Output
{"REQID":"23549fc57b924ec1924d978792a2b684"}
Return HTTP Status

PUT – /profiles/ms/<identifier>/ls/<ls-identifier>/results

Retrieves the results of a query execution for application profiles data.

URI
context/profiles/ms/identifier/ls/ls-identifier/results
  • identifier: Managed System Information GUID value (see PUT – /ms/results)

  • ls-identifier: Managed System Information LogicalInstance:ID value (if present); otherwise Managed System Information GUID value (see PUT – /ms/results).

HTTP Method

This operation supports the PUT method.

Input
  • REQID: String (mandatory). Request ID

  • SIDX: Integer (optional). Optional starting index. First result is at index 0.

  • SIZE: Integer (optional). Optional number of results in Results set.

Sample Input
{"REQID":"23549fc57b924ec1924d978792a2b684", "SIZE":200}
Sample Output
{
  "SIDX":0,"EIDX":81,"MORE":0,
  "Results":
  [
    {
      "ACCT_ID_VALUE":"CNANO",
      "FIRST_NAME":"Chip",
      "LAST_NAME":"Nano",
      "FULL_NAME":"Chip Nano",
      "JOB_TITLE":"Chief Information Officer",
      "CITY":"Provo",
      "EMAIL_ADDRESS":"cnano@novell.com",
      "OFFICE_PHONE":"(555) 555-1223",
      "PREFERRED_LANG":"EN",
      "COST_CENTER":"US1122",
      "COMPANY":"NOVELL",
      "STREET_ADDRESS":"1800 Novell Place",
      "POSTAL_CODE":"84606","
      COUNTRY":"US",
      "SUITE_NUMBER":"Suite 200",
      "STATE":"UT"
    },
    ....
  ]
}
Return HTTP Status