
Identities/Profiles

The profile is used to authenticate a user. Each account can have one or more profiles and is identified by a unique ID in the form of a UUID.

When the profile has been imported from an external DB (Active Directory), additional fields are populated, such as:

  • account external ID (usually UPN)

  • external identity public ID (such as "S-1-5-21-1346520962-2386629273-538639937-1113")

Each profile is part of one or more user groups, and each group has a list of associated roles. The internal roles are used to gain access to certain internal Veridium resources.

Other fields:

  • The registration time

  • The status - it can be NONE, ACTIVATION_PENDING, ACTIVE, BLOCKED, BLOCKED_BY_ADMIN

  • The profile’s language

  • Display name, email, upn, domain, commonName ("CN=John Doe,OU=Users,OU=Dev,DC=dev,DC=local")

Storage format in Elasticsearch

In Elasticsearch, identity-related data is stored in two index aliases:

  • profiles - holds the current state of each account (serialized as JSON) together with a compact array of history logs.

  • profile_history - holds each history log of an identity in a separate document. It contains information about the action, the entire state of the identity at that moment, and the set of field changes brought by that specific action.

Profiles Index

Identities are distributed across multiple indices, using an Elasticsearch rollover policy that automatically creates and writes into a new index when the size of the current index goes beyond 50GB. The first index is called profiles-000001, the second profiles-000002, and so on. The first index is manually created by the ElasticSearchSettingsUpdate migration task.

A document in an identity index contains two main fields: profile (holding the current state of the identity) and actionLogs (a compact array of history logs, NOT indexed). The index can be used for searching data related to the current state of identities.

The profile field contains the following searchable fields:

| Field path | Functional Meaning | Mapping types | Notes | Example value |
|---|---|---|---|---|
| id | | keyword | searchable as keyword only (exact value) | 7ebe1a52-77ae-431c-80b4-766757ace80a |
| accountId | | keyword | searchable as keyword only (exact value) | b0a96555-0743-4d70-a56b-e1b32773b9ba |
| integrationId | | keyword | searchable as keyword only (exact value) | d2535f4f-f510-4875-8991-55974a566a69 |
| integrationExternalId | | keyword | searchable as keyword only (exact value) | ADv2MultiStepEnrollment |
| accountExternalId | | keyword | searchable as keyword only (exact value) | johndoe@veridiumid.com |
| commonName | | keyword, text | searchable as keyword and full text search (individual terms, partial terms, lower/upper case) | CN=John Doe,OU=Users,OU=Dev,DC=dev,DC=local |
| registrationTime | | date | | 2024-06-10T14:33:03.422+00:00 |
| externalIdentityId | | keyword | searchable as keyword only (exact value) | S-1-5-21-410015106-2063711249-828150371-1191 |
| displayName | | keyword, text | searchable as keyword and full text search (individual terms, partial terms, lower/upper case) | John Doe |
| emailAddress | | keyword, text | searchable as keyword and full text search (individual terms, partial terms, lower/upper case) | johndoe@veridiumid.com |
| upn | | keyword, text | searchable as keyword and full text search (individual terms, partial terms, lower/upper case) | johndoe@dev.local |
| implicitUpn | | keyword, text | searchable as keyword and full text search (individual terms, partial terms, lower/upper case) | johndoe@dev.local |
| domain | | keyword, text | searchable as keyword and full text search (individual terms, partial terms, lower/upper case) | dev.local |
| phoneNumber | | keyword, text | searchable as keyword and full text search (individual terms, partial terms, lower/upper case) | +40700000001 |
| language | | keyword, text | searchable as keyword and full text search (individual terms, partial terms, lower/upper case) | en |
| applicationId | | keyword | searchable as keyword only (exact value) | AD |
| identityStatus | | keyword | searchable as keyword only (exact value) | NONE |
| passwordExpirationTime | | date | | +30828-09-14T02:48:05.477Z |
| groups | | keyword | array of keywords | ["Veridiumid_Users"] |

An example document:

{
    "id": "7ebe1a52-77ae-431c-80b4-766757ace80a",
    "profile": {
      "id": "7ebe1a52-77ae-431c-80b4-766757ace80a",
      "accountId": "b0a96555-0743-4d70-a56b-e1b32773b9ba",
      "integrationId": "d2535f4f-f510-4875-8991-55974a566a69",
      "integrationExternalId": "ADv2MultiStepEnrollment",
      "accountExternalId": "johndoe@veridiumid.com",
      "commonName": "CN=John Doe,OU=Users,OU=Dev,DC=dev,DC=local",
      "registrationTime": "2024-06-10T14:33:03.422+00:00",
      "externalIdentityId": "S-1-5-21-410015106-2063711249-828150371-1191",
      "displayName": "John Doe",
      "emailAddress": "johndoe@veridiumid.com",
      "upn": "johndoe@dev.local",
      "implicitUpn": "johndoe@dev.local",
      "domain": "dev.local",
      "phoneNumber": "+40700000001",
      "language": "en",
      "applicationId": "AD",
      "identityStatus": "NONE",
      "groups": [
        "Veridiumid_Users"
      ],
      "passwordExpirationTime": "+30828-09-14T02:48:05.477Z"
    },
    "actionLogs": [...] // NOT INDEXED
  }

Profile History Index

Identity history documents are distributed across indices using a time-window pattern: one index per month, following the pattern veridium.profile_history-YYYY-MM (for example, veridium.profile_history-2024-02).

The index is automatically created when the first identity history index request is received for the current month.

Documents are never deleted individually; only the entire index is deleted, according to the lifecycle policy.

A document in the profile history index contains searchable fields related to the action itself (actionId, type, time, location, authorAccountId, authorDeviceId). It also contains the entire state of the identity at that moment (the profile field, which has the same searchable fields as above) and a set of searchable fieldChanges, storing all the fields that have changed compared to the previous version, with their previous and current values. The index can be used for searching data related to specific mutations on an identity.

An example document:

{
    "id": "e96782f2-8720-4277-89b1-c34bd491ac3f",
    "actionTime": "2024-02-27T22:13:30.925+00:00",
    "actionType": "UPDATED",
    "location": {
      "ip": "79.115.63.208",
      "countryCode": "RO",
      "countryName": "Romania",
      "regionCode": "IF",
      "regionName": "Ilfov",
      "city": "Otopeni",
      "postalCode": "123456",
      "coordinates": {
        "lat": 41.23,
        "lon": 21.0123
      }
    },
    "authorAccountId": "b974def7-bdc7-4fac-b51d-33da86848387",
    "authorDeviceId": "ssp_dc1",
    "profile": {...}, // the profile state at the moment of the history event; same structure as in the table above
    "fieldChanges": {
      "emailAddress": {
        "previousValue": "email1@veridiumid.com",
        "currentValue": "email2@veridiumid.com"
      },
      //... other field changes if exist
    }
  }
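
The following is an added example, not Veridium code: a Python sketch of how profile history documents can be reviewed for security-relevant mutations, and how the monthly index names for a time window are derived. The set of fields treated as sensitive, the review rules, the assumption that every fieldChanges entry has the previousValue/currentValue shape shown for emailAddress, and all sample values are assumptions of the example.

```python
from datetime import date

# Treating these fields as sensitive is this example's assumption.
SENSITIVE = {"emailAddress", "phoneNumber", "upn", "groups"}
BLOCKED = {"BLOCKED", "BLOCKED_BY_ADMIN"}

def history_indices(start, end):
    """Monthly index names (veridium.profile_history-YYYY-MM) covering start..end."""
    names, y, m = [], start.year, start.month
    while (y, m) <= (end.year, end.month):
        names.append(f"veridium.profile_history-{y:04d}-{m:02d}")
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return names

def review_reasons(doc, expected_countries):
    """Reasons one profile_history document deserves a manual look."""
    changes = doc.get("fieldChanges", {})
    reasons = []
    status = changes.get("identityStatus")  # assumed same shape as emailAddress
    if status and status["previousValue"] in BLOCKED and status["currentValue"] == "ACTIVE":
        reasons.append("blocked identity re-activated")
    touched = ", ".join(sorted(SENSITIVE & set(changes)))
    if touched:
        if doc.get("authorAccountId") != doc.get("profile", {}).get("accountId"):
            reasons.append(f"{touched} changed by a different account")
        country = doc.get("location", {}).get("countryCode")
        if country not in expected_countries:
            reasons.append(f"{touched} changed from {country}")
    return reasons

def triage(docs, expected_countries):
    """Map document id -> reasons, keeping only documents with a reason."""
    found = {d["id"]: review_reasons(d, expected_countries) for d in docs}
    return {doc_id: r for doc_id, r in found.items() if r}

# Constructed sample documents in the shape shown above (all values made up).
SAMPLE_DOCS = [
    {"id": "doc-1", "actionType": "UPDATED", "location": {"countryCode": "RO"},
     "authorAccountId": "acct-user", "profile": {"accountId": "acct-user"},
     "fieldChanges": {"language": {"previousValue": "en", "currentValue": "ro"}}},
    {"id": "doc-2", "actionType": "UPDATED", "location": {"countryCode": "XX"},
     "authorAccountId": "acct-admin", "profile": {"accountId": "acct-user"},
     "fieldChanges": {
         "emailAddress": {"previousValue": "a@example.test", "currentValue": "b@example.test"},
         "identityStatus": {"previousValue": "BLOCKED_BY_ADMIN", "currentValue": "ACTIVE"}}},
]

if __name__ == "__main__":
    print(history_indices(date(2023, 12, 5), date(2024, 2, 27)), triage(SAMPLE_DOCS, {"RO"}))
```

Because history documents are removed only when a whole monthly index is deleted, a review like this can look back only as far as the lifecycle policy retains indices.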