Deprovisioning
As of version 5.8 Engineblock ships with a deprovision API. This API can be used to remove personally identifiable information from the application. This page describes the API and explains how to configure it.
The deprovision API is configured in the application.ini file. The feature can be toggled on and off using the engineApi.features.deprovision feature toggle.
To enable the API, set the toggle to the value 1:
engineApi.features.deprovision = 1
To disable the feature, leave the feature commented:
;engineApi.features.deprovision = 1
The next step is to provide credentials for accessing the API. Basic auth is used to secure the deprovision endpoint. Credentials are configured using the following ini parameters:
engineApi.users.deprovision.username = "some user"
engineApi.users.deprovision.password = "some password"
deprovision.username and password might still be mandatory settings. Failing to set them might result in 500 errors.
The endpoint is exposed on the API subdomain (engine-api.example.org). It was designed to be compatible with the OpenConext User Lifecycle command line tool.
One endpoint is exposed on the API, which is called deprovision. Deprovision allows GET and DELETE requests, providing the possibility to read user data before deprovisioning. The following table describes all possible ways to use the deprovision API:
Verb | Argument | Option | Usage | Explanation |
---|---|---|---|---|
GET | urn:collab:person:id | - | GET /deprovision/urn:collab:person:example.com:admin | Retrieves user information. |
DELETE | urn:collab:person:id | - | DELETE /deprovision/urn:collab:person:example.com:admin | Removes the user from Engineblock and returns the user data that has been removed. |
DELETE | urn:collab:person:id | dry-run | DELETE /deprovision/urn:collab:person:example.com:admin/dry-run | Does not actually remove the user, but returns the user information that would have been removed. |
Data is returned in JSON format. An example response might look like this:
[
  {
    "name": "user",
    "value": {
      "collab_person_id": "urn:collab:person:example.com:admin",
      "uuid": "b26c5243-6118-4943-af93-d49d2d0d315c"
    }
  },
  {
    "name": "saml_persistent_id",
    "value": []
  },
  {
    "name": "consent",
    "value": [
      {
        "user_id": "urn:collab:person:example.com:admin",
        "service_provider_entity_id": "https://manage.vm.openconext.org/shibboleth",
        "consent_given_on": "2018-06-13T00:10:15+02:00",
        "consent_type": "explicit",
        "attribute_hash": "7d65d35ebd3f137694d67230002f83b9ef630120"
      },
      {
        "user_id": "urn:collab:person:example.com:admin",
        "service_provider_entity_id": "https://teams.vm.openconext.org/shibboleth",
        "consent_given_on": "2018-06-13T00:09:18+02:00",
        "consent_type": "explicit",
        "attribute_hash": "7d65d35ebd3f137694d67230002f83b9ef630120"
      }
    ]
  }
]
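The following Python client helper is an added example, not code from Engineblock or the User Lifecycle tool: it builds the Basic-auth request for the table's GET, DELETE and dry-run forms and counts the records per section in a response, so a dry-run can be reviewed before the real DELETE. The function names `build_request` and `summarize`, the `https://` scheme, and the percent-encoding of the identifier are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_request(base_url, user, password, collab_person_id,
                  method="GET", dry_run=False):
    """Build (but do not send) a request for the deprovision endpoint."""
    if not base_url.startswith("https://"):
        # Basic auth is only base64-encoded: never send it over plain HTTP.
        raise ValueError("deprovision credentials require an https:// URL")
    if method not in ("GET", "DELETE"):
        raise ValueError("the endpoint allows GET and DELETE only")
    if dry_run and method != "DELETE":
        raise ValueError("dry-run is an option of DELETE")
    # Assumed encoding: keep ':' but encode '/' so an id cannot add a path segment.
    path = "/deprovision/" + urllib.parse.quote(collab_person_id, safe=":")
    if dry_run:
        path += "/dry-run"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + path, method=method,
        headers={"Authorization": "Basic " + token})


def summarize(body):
    """Return {section name: record count} for a deprovision JSON response."""
    counts = {}
    for section in json.loads(body):
        value = section["value"]
        # 'user' holds one object; the other sections hold lists of records.
        counts[section["name"]] = len(value) if isinstance(value, list) else 1
    return counts


# Constructed sample with the same shape as the example response on this page.
SAMPLE = """[
 {"name": "user", "value": {"collab_person_id": "urn:collab:person:example.com:admin"}},
 {"name": "saml_persistent_id", "value": []},
 {"name": "consent", "value": [{"consent_type": "explicit"}, {"consent_type": "explicit"}]}
]"""

if __name__ == "__main__":
    uid = "urn:collab:person:example.com:admin"
    req = build_request("https://engine-api.example.org", "some user",
                        "some password", uid, method="DELETE", dry_run=True)
    print(req.get_method(), req.full_url)
    print(summarize(SAMPLE))
```

Passing the returned object to `urllib.request.urlopen` sends it; comparing the dry-run summary with the summary of the real DELETE response confirms that what was removed matches what was reviewed.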