Thijs Kinkhorst edited this page Jun 19, 2018 · 3 revisions

Deprovisioning

As of version 5.8, Engineblock ships with a deprovision API. This API can be used to remove personally identifiable information from the application. This page describes the API and explains how to configure it.

Configuration

The deprovision API is configured in the application.ini file. The feature can be toggled on and off using the engineApi.features.deprovision feature toggle.

To enable the API, set the toggle to the value 1:

engineApi.features.deprovision = 1

To disable the feature, leave the toggle commented out:

;engineApi.features.deprovision = 1

The next step is to provide credentials for accessing the API. Basic auth is used to secure the deprovision endpoint. Credentials are configured using the following ini parameters:

engineApi.users.deprovision.username = "some user"
engineApi.users.deprovision.password = "some password"

⚠️ In early EB 5.8 releases the deprovision.username and password might still be mandatory settings. Failing to set them might result in 500 errors.

Usage

The endpoint is exposed on the API subdomain (engine-api.example.org). It was designed to be compatible with the OpenConext User Lifecycle command line tool.

One endpoint is exposed on the API, which is called deprovision. Deprovision allows GET and DELETE requests, providing the possibility to read user data before deprovisioning. The following table describes all possible ways to use the deprovision API:

| Verb | Argument | Option | Usage | Explanation |
|------|----------|--------|-------|-------------|
| GET | urn:collab:person:id | - | GET /deprovision/urn:collab:person:example.com:admin | Retrieves user information. |
| DELETE | urn:collab:person:id | - | DELETE /deprovision/urn:collab:person:example.com:admin | Removes the user from Engineblock and returns the user data that has been removed. |
| DELETE | urn:collab:person:id | dry-run | DELETE /deprovision/urn:collab:person:example.com:admin/dry-run | Does not actually remove the user, but returns the user information that would have been removed. |

Data is returned in JSON format. An example response might look like this:

[
   {
      "name": "user",
      "value": {
         "collab_person_id": "urn:collab:person:example.com:admin",
         "uuid": "b26c5243-6118-4943-af93-d49d2d0d315c"
      }
   },
   {
      "name": "saml_persistent_id",
      "value": []
   },
   {
      "name": "consent",
      "value": [
         {
            "user_id": "urn:collab:person:example.com:admin",
            "service_provider_entity_id": "https://manage.vm.openconext.org/shibboleth",
            "consent_given_on": "2018-06-13T00:10:15+02:00",
            "consent_type": "explicit",
            "attribute_hash": "7d65d35ebd3f137694d67230002f83b9ef630120"
         },
         {
            "user_id": "urn:collab:person:example.com:admin",
            "service_provider_entity_id": "https://teams.vm.openconext.org/shibboleth",
            "consent_given_on": "2018-06-13T00:09:18+02:00",
            "consent_type": "explicit",
            "attribute_hash": "7d65d35ebd3f137694d67230002f83b9ef630120"
         }
      ]
   }
]
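
The dry-run call from the usage table and a check of its JSON response, as an added Python example (not part of Engineblock or the User Lifecycle tool). The names build_request, summarize, API_BASE and SAMPLE are made up for this example, the response body is a constructed sample shaped like the one above, and escaping characters other than ':' in the identifier is this example's own choice.

```python
import base64
import json
import urllib.parse
import urllib.request

API_BASE = "https://engine-api.example.org"  # API subdomain as named on this page

# Constructed sample, shaped like the response shown on this page.
SAMPLE = json.dumps([
    {"name": "user", "value": {"collab_person_id": "urn:collab:person:example.com:admin",
                               "uuid": "b26c5243-6118-4943-af93-d49d2d0d315c"}},
    {"name": "saml_persistent_id", "value": []},
    {"name": "consent", "value": [{"consent_type": "explicit"}, {"consent_type": "explicit"}]},
])


def build_request(person_id, username, password, method="GET", dry_run=False):
    """Build (without sending) a basic-auth request for the deprovision endpoint."""
    if method not in ("GET", "DELETE"):
        raise ValueError("deprovision only allows GET and DELETE")
    if dry_run and method != "DELETE":
        raise ValueError("dry-run is an option of DELETE only")
    # Assumption of this example: escape everything except ':' so that an
    # identifier containing '/' cannot change which path is requested.
    path = "/deprovision/" + urllib.parse.quote(person_id, safe=":")
    if dry_run:
        path += "/dry-run"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(API_BASE + path, method=method)
    req.add_header("Authorization", "Basic " + token)
    return req


def summarize(body, expected_person_id):
    """Return {section name: record count}; reject a body about another user."""
    sections = {s["name"]: s["value"] for s in json.loads(body)}
    user = sections.get("user") or {}
    if user.get("collab_person_id") != expected_person_id:
        raise ValueError("response does not describe the requested user")
    return {n: len(v) if isinstance(v, list) else 1 for n, v in sections.items()}


if __name__ == "__main__":
    pid = "urn:collab:person:example.com:admin"
    req = build_request(pid, "some user", "some password", "DELETE", dry_run=True)
    print(req.get_method(), req.full_url)
    print(summarize(SAMPLE, pid))
```

Comparing the dry-run summary with what the real DELETE returns gives a record of exactly which sections were removed for the user.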